Big Data & Wrongful Collection

NetDiligence® Cyber Risk & Privacy Liability Forum, October 8-9, 2014

Upload: hb-litigation-conferences

Posted on 28-Nov-2014

Category: Law

DESCRIPTION

Presented at the NetDiligence Cyber Risk & Privacy Liability Forum in Santa Monica, Calif., Oct. 8-9, 2014.

TRANSCRIPT

Page 1: Big Data & Wrongful Collection

NetDiligence® Cyber Risk & Privacy Liability Forum, October 8-9, 2014

Page 2: Big Data & Wrongful Collection

Big Data & Wrongful Collection

Page 3: Big Data & Wrongful Collection

Speakers

Lincoln Bandlow (moderator)

Partner

Lathrop & Gage LLP

Los Angeles, California

Dominique Shelton

Partner

Alston & Bird LLP

Los Angeles, California

Emily Tabatabai

Privacy Attorney

Orrick, Herrington & Sutcliffe LLP

Washington, D.C.

Christina Tusan

Attorney

Federal Trade Commission

Page 4: Big Data & Wrongful Collection

Five Big Data Reports in May 2014

• May 1, 2014: The White House releases its Big Data report, led by John Podesta. See Executive Office of the President, Big Data: Seizing Opportunities, Preserving Values (May 1, 2014).

• May 1, 2014: The White House releases a technological-feasibility Big Data report. See President's Council of Advisors on Science and Technology, Big Data and Privacy: A Technological Perspective (the "PCAST Report").

• May 15, 2014: The Senate releases a report on online advertising and malware. See Senate Permanent Subcommittee on Investigations, "Online Advertising and Hidden Hazards to Consumer Security and Data Privacy" (May 15, 2014).

• May 21, 2014: The California Attorney General releases her report on privacy policies. See Att'y Gen. Kamala D. Harris, Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy (Cal. Dep't of Justice, May 21, 2014), available at http://tinyurl.com/CAAGMakingYourPrivacyPractices.

• May 27, 2014: FTC data broker report. See F.T.C., Data Brokers: A Call for Transparency and Accountability (May 27, 2014).

Page 5: Big Data & Wrongful Collection

May 2014 Reports

Page 6: Big Data & Wrongful Collection

Takeaways

• The Senate, FTC and CA AG are focused on "Big Data" and behavioral tracking in particular.

• There is a renewed focus on transparency. Regulators are concerned that consumers don't understand the advertising/data-broker ecosystem (i.e., the number of trackers on websites and mobile apps).

• Internal data tagging can give a company a method to locate and access the Big Data held within the company.

• New laws will be proposed.

• The FTC will use Section 5 of the FTC Act to enforce.

Page 7: Big Data & Wrongful Collection

Behavioral Tracking Class Actions (Privacy Claims under the Electronic Communications Privacy Act, Stored Communications Act and Wiretap Act)

Page 8: Big Data & Wrongful Collection

How Big are "Do Not Track" Class Actions?

– 195 Do Not Track class actions have been filed in the past 36 months, and 12 mobile app class actions have been filed in the past eight months.

– On June 11, 2013, the largest privacy class action was affirmed by the 7th Circuit: $1 billion exposure based on behavioral tracking.

– The plaintiffs' bar is focusing on privacy class actions.

– The FTC has increased its enforcement activity.

– Based upon global and U.S. trends, more focus on privacy and tracking will occur in 2014.

Page 9: Big Data & Wrongful Collection

Do Not Track Cases by Jurisdiction (map data from the slide; the counts sum to the 195 actions cited above)

California - 108
Arkansas - 17
New York - 13
Illinois - 8
Texas - 6
Missouri - 4
Georgia - 4
Florida - 4
Washington - 3
Montana - 2
Alabama - 2
Massachusetts - 2
Delaware - 2
Connecticut - 2
New Jersey - 2
District of Columbia - 2
Arizona - 1
Colorado - 1
Minnesota - 1
Wisconsin - 1
Louisiana - 1
Tennessee - 1
Ohio - 1
North Carolina - 1
Virginia - 1
Maryland - 1
Rhode Island - 1
Michigan - 1
Pennsylvania - 1
Puerto Rico - 1

Page 10: Big Data & Wrongful Collection

How Many Big Data Companies Have Been Named?

– 121 of the 195 actions (62%) have named Big Data companies (e.g., data analytics, ad networks, exchanges, mobile marketing).

– Software company Carrier IQ: 67 class actions.

– Analytics companies: 32 class actions
• Google (24 class actions)
• Other analytics companies (e.g., Kissmetrics, Flurry, Millennial Media, comScore) (8 class actions)

– Ad networks and ad exchanges: 21 class actions
• Quantcast, Clearspring, Mobile Ringleader (now defunct), Traffic Marketplace, Interclick, Mobclix, Quattro, AdMob, PulsePoint

– Cloud: Amazon (1 class action).

Page 11: Big Data & Wrongful Collection

“Do Not Track” Typical Class Action Claims

Page 12: Big Data & Wrongful Collection

Harris v. comScore

• Plaintiffs alleged tracking based upon downloads of bundled software that did not disclose tracking technologies or comScore's name.

• Plaintiffs alleged inadequate privacy disclosures.

• Sought to certify a 10 million user class at $10,000 statutory damages under the Stored Communications Act.

Page 13: Big Data & Wrongful Collection

Harris v. comScore

• Key takeaways:

– The court held that common questions of fact and law predominated.

– Plaintiffs could self-identify to become members of the class. Note: this is highly unusual and rarely permitted.

– Emails contained in comScore's records were considered sufficient to ascertain class members.

Harris v. comScore, Inc., 292 F.R.D. 579 (N.D. Ill. 2013).

Page 14: Big Data & Wrongful Collection

Harris v. comScore: June 11, 2013, 7th Cir. Affirms Certification of $1 Billion Class

Page 15: Big Data & Wrongful Collection

Harris v. comScore: $1 billion exposure settled May 30, 2014 for $14 million

Page 16: Big Data & Wrongful Collection

In re Zynga Privacy Litig., 2014 U.S. App. LEXIS 8662 (9th Cir. May 8, 2014)

• The Ninth Circuit affirmed the Northern District of California's dismissal of two putative class actions alleging that Facebook Inc. and Zynga Game Network Inc. improperly shared consumers' personal information with advertisers, finding that the social network and the gaming company did not disclose the contents of communications.

• Plaintiffs claimed that Facebook and Zynga violated the Wiretap Act and the Stored Communications Act by sharing referer headers (which included user IDs and the web pages viewed by the user) with advertisers and other web analytics companies.

• The Stored Communications Act says that a service provider may divulge records and other information pertaining to a customer, but may not divulge the contents of communications, the opinion said. Customer record information, including the customer's name, address and subscriber number, does not qualify as contents under the federal law.

• The Ninth Circuit upheld the dismissal of the two class actions that alleged violations of the Wiretap Act and the Stored Communications Act (sections of the Electronic Communications Privacy Act), ruling that the plaintiffs failed to state a claim because they did not allege that either Facebook or Zynga disclosed the "contents" of a communication, a necessary element of their ECPA claims, according to the opinion.

• Takeaway: No liability under ECPA for sharing referer headers alone (user IDs and the URLs of pages viewed) with third parties, because that information is not the "contents" of a communication.

Page 17: Big Data & Wrongful Collection

Find Out What Data You Are Collecting, Because the Plaintiffs' Bar Is!

Consider a tool like Ghostery (the basic license is free).

Page 18: Big Data & Wrongful Collection

Video Privacy Protection Act (“VPPA”)

Page 19: Big Data & Wrongful Collection

VPPA Background

• The VPPA prohibits disclosure of personally identifiable information ("PII"), including information identifying a person as requesting or obtaining specific video material. 18 U.S.C. § 2710, et seq.

• The VPPA does not define PII directly, stating that it "includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider." 18 U.S.C. § 2710(a)(3). This includes information shared with vendors, including subject matter categories. Some vendors argue that generic categories (e.g., "likes sports") are not PII.

Page 20: Big Data & Wrongful Collection

VPPA Background

• The VPPA defines "video tape service provider" to mean "any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials…" 18 U.S.C. § 2710(a)(4).

• The VPPA defines the term "consumer" to mean "any renter, purchaser, or subscriber of goods or services from a video tape service provider." 18 U.S.C. § 2710(a)(1).

Page 21: Big Data & Wrongful Collection

2012 VPPA Amendment

• The VPPA was amended in December 2012 to allow video service providers to obtain consent electronically over the internet, for an advance period of up to 2 years, subject to certain requirements. It requires a separate consent (outside of a Terms of Use and Privacy Policy).

• Section 2710(b)(2)(B) was amended to permit electronic consent. Video service providers can share information with the user's informed consent as follows:

– written consent that:
• is in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer; and
• at the election of the consumer, is given at the time the disclosure is sought, or is given in advance for a set period of time, not to exceed 2 years or until consent is withdrawn by the consumer, whichever is sooner; and

– the video tape service provider has provided an opportunity, in a clear and conspicuous manner, for the consumer to withdraw on a case-by-case basis or to withdraw from ongoing disclosures, at the consumer's election.

Page 22: Big Data & Wrongful Collection

In re Hulu Privacy Litigation: Background

• Case filed in 2011.

• August 2012: Two motions to dismiss based on lack of harm and other statutory defenses failed.

• December 2013: Hulu's motion for summary judgment based upon lack of harm failed.

• April 28, 2014: Hulu's motion for summary judgment re: no disclosures of PII under the VPPA granted as to the comScore claims, denied as to Facebook.

Page 23: Big Data & Wrongful Collection

April 28, 2014: Hulu Court dismisses Plaintiffs' comScore claims but denies MSJ as to Facebook

• Takeaways:

– Unique identifiers plus specific titles sent to a data analytics firm: not a disclosure of PII under the VPPA.

– Facebook ID + specific video titles may be PII if Hulu knew that cookies provided this data before the user hit the "Like" button.

– Metrics and advertising are not "incident to the ordinary course of business."

– Dicta: Unique identifiers, depending on context, could be PII under the VPPA, just not in this case.

Page 24: Big Data & Wrongful Collection

In re Hulu Privacy Litigation: Motion for Class Certification Denied (June 17, 2014)

• Plaintiffs sought to certify a Facebook class: all Hulu and Facebook users involved in disclosures of Facebook's c_user cookie (i.e., the Facebook cookie that relays information to Facebook for users who have checked the box to always stay logged into Facebook and who use the same browser to access Hulu).

• The court denied the class, without prejudice. Class not ascertainable.

Page 25: Big Data & Wrongful Collection

In re Nickelodeon Consumer Privacy Litig. (D.N.J. July 2, 2014) (granting motion to dismiss)

• The claims were against Google and Viacom for data collected through the Nickelodeon and other Viacom apps. Google is not a video tape service provider (VTSP): all claims against Google dismissed.

• Viacom only disclosed "anonymous information" (e.g., anonymous username, IP address, browser setting, "unique device identifier," operating system, screen resolution, browser version). Not PII under the VPPA.

• Leave to amend granted for the VPPA claim and intrusion upon seclusion against Viacom. Wiretap and SCA claims dismissed with prejudice.

Page 26: Big Data & Wrongful Collection

More VPPA Cases to Come

• Six VPPA class action lawsuits were filed in February – September 2014:

– February 17, 2014: Perry v. Cable News Network, Inc. et al., No. 1:14-cv-1194 (N.D. Ill.): On August 25, 2014, the United States District Court for the Northern District of Illinois entered an order transferring this case to the United States District Court for the Northern District of Georgia based upon the stipulation of the parties. The order was executed on September 12, 2014.

– February 19, 2014: Ellis v. The Cartoon Network Inc., No. 1:14-cv-00484 (N.D. Ga.): On June 6, 2014, The Cartoon Network filed a motion to dismiss on the grounds that (1) the disclosure of a serial number for a machine alone is not PII under the VPPA; (2) the VPPA does not apply because the plaintiff is not a "consumer" as defined by the VPPA; and (3) the plaintiff did not allege that he has suffered any injury. The motion is fully briefed, but a hearing has not yet been set.

– March 13, 2014: Locklear v. Dow Jones, No. 1:14-mi-99999-UNA (N.D. Ga.): On June 23, 2014, Dow Jones filed a motion to dismiss on the grounds that (1) the disclosure of a serial number for a machine alone is not PII under the VPPA; (2) the VPPA does not apply because the plaintiff is not a "consumer" as defined by the VPPA; and (3) the plaintiff did not allege that he has suffered any injury. The motion is fully briefed, but a hearing has not yet been set.

Page 27: Big Data & Wrongful Collection

More VPPA Cases to Come (continued)

– March 28, 2014: Eichenberger v. ESPN, No. 2:14-cv-00463 (W.D. Wash.): On July 31, 2014, ESPN filed a motion to dismiss on the grounds that (1) plaintiff failed to allege any disclosure of PII and (2) plaintiff is not a "consumer" under the VPPA. The motion is fully briefed, but a hearing has not yet been set.

– June 9, 2014: Robinson v. Disney, No. 14-cv-4146 (S.D.N.Y.): On August 23, 2014, plaintiffs filed an amended complaint to properly name the Disney entity sued. On September 12, 2014, Disney filed a motion to dismiss on the grounds that (1) plaintiff failed to allege any disclosure of PII and (2) plaintiff is not a "consumer" under the VPPA. Disney has requested oral argument, but a hearing has not yet been set.

– August 22, 2014: Austin-Spearman v. AMC Network Entertainment LLC, No. 14-cv-6840 (S.D.N.Y.): On September 15, 2014, the court entered an order extending the time for AMC to answer or move to dismiss the complaint until October 23, 2014.

Page 28: Big Data & Wrongful Collection

VPPA Cases Filed in February – September 2014

Page 29: Big Data & Wrongful Collection

VPPA Compliance: Degrees of Risk

The slide arranges the following practices on a scale of VPPA risk:

• Keep video titles in referrer headers and use plug-ins that have tracking capabilities.

• Use a landing page similar to Netflix's to obtain user consent electronically.

• Use the subject matter of the video in referrer headers (e.g., engineering, transport, shipping).

• Obtain "informed written consent" per the VPPA.

• Do not use titles of videos in referrer headers.

• Do not use social networking plug-ins.
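Here is an added Python example, written for this page and not taken from the deck, from Hulu, Zynga or any vendor, that makes the "titles in referrer headers" point concrete. It computes the HTTP Referer a browser attaches when a video page loads a third-party plug-in (following the W3C Referrer Policy rules, both under the no-referrer-when-downgrade default of 2014-era browsers and under the strict-origin-when-cross-origin default of current ones), adds the cookies the browser already holds for the plug-in's origin, and flags a request that carries both a video title and a viewer-identifying cookie, the pairing at issue in the Hulu Facebook claims. The site video.example, the plug-in social.example, the member_id cookie and the titles are all constructed for the example.

```python
"""
Added example, not taken from the NetDiligence deck or from any of the cases
it discusses: what a browser sends to a third-party plug-in embedded in a
video page (the Referer header, per the W3C Referrer Policy rules, plus the
plug-in's own cookies), and whether that pair discloses a video title
together with an identifier for the viewer. All URLs, cookie names and
titles below are constructed for the example.
"""
from urllib.parse import urlsplit, urlunsplit

# 2014-era browsers defaulted to no-referrer-when-downgrade; current browsers
# default to strict-origin-when-cross-origin.
LEGACY_DEFAULT = "no-referrer-when-downgrade"
MODERN_DEFAULT = "strict-origin-when-cross-origin"


def _origin(u):
    return f"{u.scheme}://{u.netloc}"


def referer_for(page_url, target_url, policy=MODERN_DEFAULT):
    """Referer value sent for a request from page_url to target_url under the
    given Referrer-Policy, or None when no Referer header is sent."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    same_origin = _origin(page) == _origin(target)
    downgrade = page.scheme == "https" and target.scheme == "http"
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))  # fragment never sent
    origin_only = _origin(page) + "/"
    rules = {
        "no-referrer": lambda: None,
        "no-referrer-when-downgrade": lambda: None if downgrade else full,
        "origin": lambda: origin_only,
        "origin-when-cross-origin": lambda: full if same_origin else origin_only,
        "same-origin": lambda: full if same_origin else None,
        "strict-origin": lambda: None if downgrade else origin_only,
        "strict-origin-when-cross-origin": lambda: None if downgrade else (full if same_origin else origin_only),
        "unsafe-url": lambda: full,
    }
    if policy not in rules:
        raise ValueError(f"unknown Referrer-Policy {policy!r}")
    return rules[policy]()


def plugin_request(page_url, plugin_url, plugin_cookies, policy=MODERN_DEFAULT):
    """Headers the browser attaches when the page loads a third-party plug-in.
    plugin_cookies: cookies the browser already holds for the plug-in's origin;
    they are sent regardless of which page embeds the plug-in, which is how the
    plug-in recognises the viewer."""
    headers = {}
    ref = referer_for(page_url, plugin_url, policy)
    if ref is not None:
        headers["Referer"] = ref
    if plugin_cookies:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in plugin_cookies.items())
    return headers


def discloses_title_and_identity(headers, title_slug, identity_cookie):
    """True when one request carries both the video title (in the Referer) and
    a cookie that identifies the viewer to the third party."""
    in_referer = title_slug in headers.get("Referer", "")
    in_cookie = f"{identity_cookie}=" in headers.get("Cookie", "")
    return in_referer and in_cookie


# Constructed sample data: hypothetical video site, plug-in host and cookie name.
TITLE = "the-secret-garden"
TITLED_PAGE = f"https://video.example/watch/{TITLE}?autoplay=1"
OPAQUE_PAGE = "https://video.example/watch/v/8f1c2a"   # title kept out of the URL
PLUGIN = "https://social.example/plugins/like"
VIEWER_COOKIES = {"member_id": "10023"}                 # the plug-in's own login cookie


if __name__ == "__main__":
    for label, page, policy in [
        ("title in URL, legacy default", TITLED_PAGE, LEGACY_DEFAULT),
        ("title in URL, modern default", TITLED_PAGE, MODERN_DEFAULT),
        ("opaque URL, legacy default", OPAQUE_PAGE, LEGACY_DEFAULT),
    ]:
        h = plugin_request(page, PLUGIN, VIEWER_COOKIES, policy)
        print(f"{label:32} Referer={h.get('Referer')!r:52} "
              f"discloses={discloses_title_and_identity(h, TITLE, 'member_id')}")
```

The three runs show the two technical mitigations on the slide: keep the title out of the page URL (an opaque video ID), or send only the origin cross-site by setting a Referrer-Policy of strict-origin-when-cross-origin via a response header or meta tag. Dropping the social plug-in removes the cookie half of the pair instead. A Referrer-Policy governs only what the browser sends; it does nothing where the site itself posts titles to a vendor server-side.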

Page 30: Big Data & Wrongful Collection

Takeaways

• The plaintiffs' bar is attracted to privacy claims that carry statutory damages.

• Plaintiffs have been able to overcome motions to dismiss based on lack of Article III standing by alleging statutory violations.

• More litigation is likely to follow.

Page 31: Big Data & Wrongful Collection

Text Messaging Campaigns: Telephone Consumer Protection Act Risks and State "Mini-TCPAs"

Page 32: Big Data & Wrongful Collection

FCC New Regulations Effective October 16, 2013

• Prior express written consent is needed before commercial telemarketing texts may be sent.

– The user must agree to receive autodialed text messages and evidence understanding that agreement is not a condition of using the service. 47 C.F.R. § 64.1200.

– TCPA class actions were up roughly 70% last year. According to insideARM, 785 TCPA cases were filed in 2012 and 1,385 in 2013.

Page 33: Big Data & Wrongful Collection

Mobile: Privacy Disclosures and Security

Page 34: Big Data & Wrongful Collection

Regulatory Initiatives Regarding Mobile Apps

Page 35: Big Data & Wrongful Collection

Regulatory Initiatives Regarding Mobile Apps: CA AG, FTC and EU Article 29 Working Party Guidance

Page 36: Big Data & Wrongful Collection

Regulatory Initiatives Regarding Mobile Apps: Five Mobile Guidances Were Released in 2013

All call for Just-in-Time/Short Form Notice:

• CA AG Guidance – issued 1/10/2013
• FTC Guidance – issued 2/1/2013
• Article 29 Working Party – issued 3/2013
• NTIA Guidance – issued 7/2013
• DAA Guidance – issued 7/2013

• Just-in-Time/Short Form Notice: Notice for the collection of sensitive data must be "just in time," in short form, above and beyond the privacy policy.

• PII includes unique identifiers.

Page 37: Big Data & Wrongful Collection

In re Fandango (FTC Announced Settlement March 28, 2014)

• Failure to secure mobile app credit card information.

• Alleged unreasonable security for failure to:

– validate Secure Sockets Layer (SSL) certificates, leaving users on open networks exposed to interception by attackers; and

– provide sufficient protection for data at rest.
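The first Fandango allegation, disabled SSL certificate validation, is a client-side configuration error, so the following added Python example (written for this page; not taken from the deck or from the FTC's orders) shows the weak and the corrected TLS client contexts side by side, with a small audit function a code reviewer or unit test can run against either. It uses only the standard-library ssl module and opens no network connection; the function names are the example's own.

```python
"""
Added example (written for this page; not from the deck or the FTC's
Fandango/Credit Karma orders): the TLS client settings behind a "failed to
validate SSL" finding, expressed with Python's standard ssl module.
No network connection is opened; the contexts are built and inspected only.
"""
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak configuration: certificate validation switched off.
    Any certificate presented by a hotspot operator or other on-path attacker
    is accepted, so traffic can be intercepted without any warning."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # do not verify the server's certificate chain at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration: chain verified against the platform trust
    store, certificate matched to the hostname, protocol floor at TLS 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 and TLS 1.0/1.1
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Review helper: return findings for a client context (empty list = passes).
    Suitable for a unit test that guards the app's HTTP client configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the hostname (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor below TLS 1.2 ({ctx.minimum_version.name})")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or "OK")
```

The hardened context is what to pass as `context=` to urllib.request.urlopen or http.client.HTTPSConnection; in a review of any client stack, the equivalents of verify_mode and check_hostname are the two settings to look for first, because turning either off is the shortcut that produced this kind of finding.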

Page 38: Big Data & Wrongful Collection

Practice Pointer: Focus on "Readability"

• Use icons: the California AG and the FTC recommend it.

– See, e.g., CA AG, Making Your Privacy Practices Public at p. 10.

– See also:

• CA AG, Privacy on the Go at p. 11 ("Graphics or icons can help users to easily recognize privacy practices and settings");

• FTC, Mobile Privacy Disclosures at p. 17 ("Consider developing icons to depict the transmission of user data"); and

• FTC, Protecting Consumer Privacy in an Era of Rapid Change at p. 62 ("… icons … show promise as tools to give consumers the ability to compare privacy practices among different companies").

Page 39: Big Data & Wrongful Collection

EU “Cookie” Directive

More than just cookies

Page 40: Big Data & Wrongful Collection

EU Cookie Rules

• A separate EU directive governs the collection and use of personal data through the use of cookies and similar technologies.

• Like the national data protection laws, the national cookie laws are broadly similar across the EU, although there are some divergences.

• The EU cookie rules require website operators to:
– provide clear notice about cookies and their purposes; and
– obtain users' consent to cookies,
before any cookies are set.

Page 41: Big Data & Wrongful Collection

EU ePrivacy Directive: Not limited to cookies!

• No distinction between types of technologies used to store or retrieve information on users' devices (e.g., cookies, web beacons, Flash cookies, GIFs).

– No distinction between different types of cookies (e.g., functionality, performance, targeting), with the exception of cookies deemed "strictly necessary."

Page 42: Big Data & Wrongful Collection

Cookie Categories

Page 43: Big Data & Wrongful Collection

Prominent Pop-Up Notices

• A pop-up notice that explains that cookies are used and provides a link to more information.

• May (or may not) request that the user consent to the website's use of cookies.

(source: Everything Everywhere)

Page 44: Big Data & Wrongful Collection

Banner Notices

• A banner that informs users that cookies are used, and provides a link to further information on those cookies. (source: NatWest)

Page 45: Big Data & Wrongful Collection

Practical Guidance: Managing Compliance

(Five-step diagram; the text recovered from it is listed below.)

♦ How is Big Data being used?

♦ Risk avoidance and mitigation: protocols, policies, procedures

♦ Compliance with laws and company best practices

♦ Technological and policy measures

♦ Local terms, global terms, managing consent

♦ Audit, governance, security; train regarding your policies; involve all related players; repeat

Page 46: Big Data & Wrongful Collection

Big Data Risks

• Alienating customers / brand degradation
– 89% of internet users have stopped using a website over privacy concerns
– "creepy": data collection is unexpected or the depth of analysis is unanticipated

• "Personalization" of content can lead to discrimination

• Aggregated data may not be anonymous after all

Page 47: Big Data & Wrongful Collection

Big Data Quality Risks

• Working with stale data
– location data gets stale quickly
– a data point may be relevant only for a small period of time

• Algorithms are not infallible
– you may be relying on inaccurate conclusions

• Data cannot be verified by the data subject
– data subjects may not be able to confirm, modify, review or even access data

Page 48: Big Data & Wrongful Collection

Legal Risks of Big Data

• Transparency and notice
– Difficulty of providing effective notice
– Companies often collect data before they have a real understanding of how they will use it
– Onward transfers; first party versus third party

• Consent and choice
– Data subjects lack understanding of the implications of consent
– May have no opportunity to opt out

• Security

Page 49: Big Data & Wrongful Collection

Risks of Collecting Sensitive Data

• Loss of data could trigger state data breach notification laws
– Credit card, bank account, Social Security numbers, driver's license numbers

• Children's data
– COPPA
– FERPA
– State laws re: marketing to children

• Health data

Page 50: Big Data & Wrongful Collection

Industry-Specific Risks

• Educational technology sector
– 36 states introduced legislation to curb collection of student data this year

• Financial institutions
– GLBA

• Credit and employment screening
– FCRA

Page 51: Big Data & Wrongful Collection

FTC Background

• Who are we?

• What is data security?

Page 52: Big Data & Wrongful Collection

FTC Act Fundamentals

• Section 5 of the Federal Trade Commission Act broadly prohibits "unfair or deceptive acts or practices in or affecting commerce."

– Deception: a material representation or omission that is likely to mislead consumers acting reasonably under the circumstances.

– Unfairness: practices that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.

• A flexible law that can be applied to many different situations, entities, and technologies.

Page 53: Big Data & Wrongful Collection

FTC Act

• To comply, you should:

– Handle consumer information in a way that's consistent with your promises.

– Avoid practices that create an unreasonable risk of harm to consumer data.

Page 54: Big Data & Wrongful Collection

FTC Background: Authority

Other statutes and rules apply in particular circumstances:

• Safeguards Rule (implements the Gramm-Leach-Bliley Act): "financial institutions" must ensure the security and confidentiality of sensitive customer information.

• Fair Credit Reporting Act (FCRA): requires specific handling and reporting when using data for certain purposes (e.g., offering credit, hiring).

• Red Flags Rule: financial institutions and certain creditors must implement a program to detect identity theft "red flags."

• Children's Online Privacy Protection Act (COPPA): requires reasonable security for information collected from children online.

Page 55: Big Data & Wrongful Collection

FTC Data Security Law Enforcement

Page 56: Big Data & Wrongful Collection

Page 57: Big Data & Wrongful Collection

Law Enforcement: Guiding Principles

• Security must be reasonable and appropriate in light of the circumstances.

• Breach doesn’t necessarily = lack of reasonable security.

• BUT no breach doesn’t necessarily = reasonable security.

• Data security is an ongoing process.

Page 58: Big Data & Wrongful Collection

Some Common Privacy Failures

• Rolling out a new service or feature that increases sharing without adequate notice and consent

• Misrepresenting with whom data is being shared

• Misrepresentations about tracking and opting out of tracking

• Presenting false choices

Page 59: Big Data & Wrongful Collection

Law Enforcement: Section 5 Deception

• Fandango and Credit Karma (2014): mobile security

• GeneWize (2013): oversight of service providers

• PLS Financial Services Inc. (2012): proper disposal and training

• Goal Financial LLC (2008): data security policies

Page 60: Big Data & Wrongful Collection

Law Enforcement: Section 5 Unfairness

• GMR Transcription Services (2014): oversight of service providers

• Accretive Health Inc. (2013): laptop security; improper access

• Ceridian Corporation (2011): service providers liable

Page 61: Big Data & Wrongful Collection

Recent Settlement: Accretive Health (2013)

• Alleged that respondent failed to take reasonable and appropriate measures to prevent unauthorized access.

• Among other things, Accretive:

– transported laptops containing PII in a manner that made them vulnerable to theft or misappropriation;

– did not adequately restrict access to PII based on employees' need for the information;

– did not ensure that employees removed PII from computers for which they no longer had a business need; and

– used consumers' PII in training sessions without ensuring that this PII was removed from employees' computers after training.

Page 62: Big Data & Wrongful Collection

Recent Settlement: Trendnet (2013)

• Alleged that respondent failed to provide reasonable security to prevent unauthorized access to the live feeds from its IP cameras, which respondent offered to consumers for the purpose of monitoring and securing private areas of their homes and businesses.

• Among other things, Trendnet:

– transmitted user login credentials in readable text, even though free software was available to secure such transmissions;

– stored login credentials in readable text on the user's mobile device, even though free software was available to secure these credentials;

– failed to implement a process to monitor security vulnerability reports from third-party researchers and others; and

– failed to employ reasonable and appropriate security in the design and testing of its IP camera software; in particular, it failed to (i) perform security review and testing of the software at key points and (ii) implement reasonable guidance and training for the employees responsible for security.

Page 63: Big Data & Wrongful Collection

Recent Settlement: HTC (2013)

• Alleged that respondent failed to employ reasonable and appropriate security practices in the design or customization of the software on its mobile devices.

• Among other things, HTC:

– failed to implement an adequate program to assess the security of products it shipped to consumers;

– failed to implement adequate privacy and security guidelines and training for its engineering staff;

– failed to conduct assessments and similar reviews to identify potential security vulnerabilities in its mobile devices;

– failed to follow well-known and commonly accepted secure programming practices; and

– failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers and others.

Page 64: Big Data & Wrongful Collection

Deceptive Privacy & Security Claims

• The FTC has brought cases against companies that misrepresented their privacy & security procedures.

• Companies claimed to have strong procedures in place to protect the information they collected. In fact, the companies failed to anticipate or address substantial and well-known security risks.

Page 65: Big Data & Wrongful Collection

Deceptive Privacy & Security Promises

• Google

– Deceived consumers by using info collected from Gmail users to generate and populate a new social network, Google Buzz, despite claims to the contrary

– FTC charged that Gmail users’ associations with their frequent email contacts became public without the users’ consent

– Order requires Google to implement a comprehensive privacy program and conduct biennial audits for the next 20 years; provide affirmative express consent for any change to a product or service that makes consumer info more widely available

Page 66: Big Data & Wrongful Collection

Deceptive Privacy & Security Promises

• Twitter

– Provided privacy controls to users to keep private “tweets” and nonpublic user info – including mobile phone numbers – private

– However, because of serious lapses in security, hackers obtained unauthorized administrative control of Twitter, accessed private info, and took over user accounts

– Order prohibits misrepresentations about the extent to which Twitter protects the privacy of communications, requires reasonable security, and mandates independent, comprehensive security audits

Page 67: Big Data & Wrongful Collection

Fair Credit Reporting Act (FCRA)

• Credit transactions are extremely common in the U.S.

• Consumer reporting agencies collect public record information (judgments, tax liens, criminal records), credit information and employment information, both positive and negative.

• The information is sensitive and subject to strict privacy protections under the FCRA.

Page 68: Big Data & Wrongful Collection

Fair Credit Reporting Act (FCRA)

• Allows sharing of consumer information by a consumer reporting agency only if such sharing serves a permissible purpose.

• Permissible purposes, generally:
– Credit transaction
– Insurance
– Employment (with consent)
– Other uses with written consent of the consumer

• Requires CRAs to maintain reasonable procedures to ensure that users have a permissible purpose.

Page 69: Big Data & Wrongful Collection

Fair Credit Reporting Act (FCRA)

• Truncation rule: Requires that electronically printed credit and debit card receipts shorten, or truncate, the account information. You may include no more than the last five digits of the card number, and you must delete the card's expiration date.

Page 70: Big Data & Wrongful Collection

Fair Credit Reporting Act (FCRA)

• Disposal rule: Requires anyone who obtains consumer report information to use "reasonable" measures when disposing of it.

• Burn, pulverize, or shred papers and destroy or erase electronic files or media containing consumer report information so they cannot be read or reconstructed.

• Service providers / third parties:
– Contracts with record owners
– Direct liability as record owners through provision of a service directly to a person subject to the Rule
– Contracting with legitimate document destruction companies and outside records retention managers
– Due diligence

Page 71: Big Data & Wrongful Collection

Case Example: ChoicePoint, Inc.

• The FTC alleged that ChoicePoint failed to use reasonable procedures to screen prospective subscribers and monitor their access to sensitive consumer data

• These failures allowed identity thieves posing as legitimate businesses to obtain access to the personal information of many consumers

• At least 800 cases of identity theft arose out of these incidents.

Page 72: Big Data & Wrongful Collection

Case Example: ChoicePoint, Inc.

• Record $10 million civil penalty for violations of the FCRA

• $5 million in consumer redress for identity theft victims

• Significant injunctive provisions

Page 73: Big Data & Wrongful Collection

Case Example: Spokeo

• Spokeo collected personal information about consumers from hundreds of online and offline data sources, including social networks, and merged the data to create detailed personal profiles of consumers.

• The FTC alleged that Spokeo operated as a consumer reporting agency and violated the FCRA by failing to make sure that the information it sold would be used only for legally permissible purposes; failing to ensure the information was accurate; and failing to tell users of its consumer reports about their obligations under the FCRA, including the requirement to notify consumers if the user took an adverse action against the consumer based on information contained in the consumer report.

• The FTC also alleged that Spokeo deceptively posted endorsements of its service on news and technology websites and blogs, portraying the endorsements as independent when in reality they were created by Spokeo's own employees.

Page 74: Big Data & Wrongful Collection

Case Example: Spokeo

• Settlement imposed an $800,000 civil penalty

• Settlement bars Spokeo from future violations of the FCRA, and bars the company from making misrepresentations about its endorsements or failing to disclose a material connection with endorsers

Page 75: Big Data & Wrongful Collection

75

Case Example: T.J. Maxx

• Stored personal information on, and transmitted it between and within, in-store and corporate networks in clear text.

• Did not limit wireless access to its networks, allowing an intruder to connect wirelessly to in-store networks without authorization.

• Did not require network administrators and others to use strong passwords.

• Failed to limit access among computers and the internet, such as by using a firewall to isolate card authorization computers.

• Failed to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by patching or updating anti-virus software or following up on security warnings and intrusion alerts.

Page 76: Big Data & Wrongful Collection

76

Some Common Remedies

• Injunction against misrepresentations;

• Comprehensive data security or privacy program appropriate to the company’s size, nature of activities, and information collected;

• Third party assessments of these programs for up to 20 years;

• FTC monitoring of compliance

• Other specific requirements, e.g., disclosures, privacy choices, data deletion, or software updates; and

• Civil penalties for rule and order violations.

Page 77: Big Data & Wrongful Collection

77

Best Data Security Practices for Businesses

Page 78: Big Data & Wrongful Collection

78

Information Security: Four Points that Guide the FTC’s Enforcement

• Information security is an ongoing process.

• A company’s security procedures must be reasonable and appropriate in light of the circumstances.

• A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security.

• Practices may be unreasonable and subject to FTC enforcement even without a known security breach.

Page 79: Big Data & Wrongful Collection

79

Protecting Personal Information: A Guide for Businesses

5 key principles:

1. Take stock. Know what personal information you have in your files and on your computers. Know who has physical and electronic access to your files.

2. Scale down. Keep only what you need for your business.

3. Lock it. Protect the information that you keep.

4. Pitch it. Properly dispose of what you no longer need.

5. Plan ahead. Create a plan to respond to security incidents. Implement a plan for physical security, electronic security, employee training and oversight of service providers.
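The first four principles are checks that can be run against a written data inventory. The following is an added example (not part of the FTC guide or the presentation) that encodes them as functions over a constructed inventory of two data stores; the store names, fields, dates and the "everyone" access marker are all made up for the illustration.

```python
"""Inventory checks for Take stock / Scale down / Lock it / Pitch it.
Added example; the inventory below is constructed, not a real system."""
from datetime import date, timedelta

# Constructed inventory: each store lists the personal-data fields it holds,
# the documented business purpose for each field (None = no purpose recorded),
# a retention period, and who can reach it.
INVENTORY = [
    {
        "store": "crm-db",
        "owner": "sales",
        "fields": {"name": "customer contact", "email": "customer contact",
                   "ssn": None},              # collected, but nobody can say why
        "retention_days": 365,
        "last_needed": date(2014, 6, 1),      # constructed date
        "encrypted_at_rest": True,
        "access": ["sales-role", "dba-role"],
    },
    {
        "store": "old-backup-tape",
        "owner": None,                        # nobody owns it any more
        "fields": {"card_number": "payment processing"},
        "retention_days": 90,
        "last_needed": date(2014, 1, 15),
        "encrypted_at_rest": False,
        "access": ["everyone"],               # constructed marker for unrestricted access
    },
]


def take_stock(inventory):
    """Every store needs an owner and access limited to named roles."""
    findings = []
    for s in inventory:
        if not s["owner"]:
            findings.append(f'{s["store"]}: no owner')
        if "everyone" in s["access"]:
            findings.append(f'{s["store"]}: access not restricted to named roles')
    return findings


def scale_down(inventory):
    """A field with no documented business purpose should not be kept."""
    return [f'{s["store"]}: field "{f}" has no documented purpose'
            for s in inventory for f, purpose in s["fields"].items() if not purpose]


def lock_it(inventory):
    """Sensitive data at rest should be encrypted."""
    return [f'{s["store"]}: sensitive data stored unencrypted'
            for s in inventory if not s["encrypted_at_rest"]]


def pitch_it(inventory, today):
    """Data held past its retention period is due for disposal."""
    return [f'{s["store"]}: past retention, dispose'
            for s in inventory
            if today > s["last_needed"] + timedelta(days=s["retention_days"])]


def review(inventory, today):
    """Run all four checks and return the findings grouped by principle."""
    return {
        "take_stock": take_stock(inventory),
        "scale_down": scale_down(inventory),
        "lock_it": lock_it(inventory),
        "pitch_it": pitch_it(inventory, today),
    }


if __name__ == "__main__":
    for principle, items in review(INVENTORY, date(2014, 10, 8)).items():
        print(principle, items or "ok")
```

Run as a script, the review dated to the conference (October 8, 2014) reports the unowned, unencrypted, openly accessible backup tape as past its 90-day retention, and the CRM database only for holding a field (`ssn`) with no documented purpose.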

Page 80: Big Data & Wrongful Collection

80

Prioritizing Computer System Risks

• Check expert consensus lists that identify and offer defenses for the commonly exploited vulnerabilities that pose the greatest risk of harm to your information systems.

– The 20 Most Critical Internet Security Vulnerabilities (www.sans.org/top20). Describes vulnerabilities in Windows and UNIX. Has links to scanning tools and services at www.sans.org/top20/tools.pdf.

– The 10 Most Critical Web Application Security Vulnerabilities (www.owasp.org). Describes common vulnerabilities for web apps and databases and the most effective ways to address them. These vulnerabilities are as important as network issues.

• For more FTC tips, see Security Check: Reducing Risks to Your Computer Systems, http://business.ftc.gov/documents/bus58-security-check-reducing-risks-your-computer-systems.

Page 81: Big Data & Wrongful Collection

81

Protecting Personal Information: Tips on General Network Security Part 1 of 3

• Identify computers or servers where sensitive personal information is stored.

• Identify all connections to these computers (e.g., Internet, electronic cash registers, computers at your branch offices, computers used by service providers to support your network, digital copiers, and wireless devices like smartphones, tablets, or inventory scanners).

• Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks.

Page 82: Big Data & Wrongful Collection

82

Protecting Personal Information: Tips on General Network Security Part 2 of 3

• Don’t store sensitive consumer data on a computer with an Internet connection unless it’s essential for your business.

• Encrypt sensitive data that you send to third parties over public networks (like the Internet), and consider encrypting sensitive data stored on your network or on portable storage devices. Consider encrypting emails within your business that contain personally identifying information.

• Regularly run up-to-date anti-virus and anti-spyware programs on your network.
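The encryption-in-transit advice above (and the later tip on using SSL or another secure connection for card data) is only as good as the client settings: a TLS connection that accepts any certificate is still "encrypted" yet offers no protection against an interposed host. The following is an added example, not code from the FTC or the presenters, using only Python's standard `ssl` module and making no network connection; it builds a hardened client context beside the weak pattern and audits either one.

```python
"""Hardened vs. weak TLS client settings, plus an audit of an SSLContext.
Added example; nothing here opens a socket."""
import ssl


def hardened_client_context():
    """What 'use a secure connection' should mean in practice: the server's
    certificate is validated, matched to the host name, and TLS 1.2 is the floor."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context():
    """The pattern that quietly defeats encryption in transit: the bytes are
    still encrypted, but any certificate, from anyone, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2: legacy protocol versions allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "ok")
    print("insecure:", audit_context(insecure_client_context()))
```

To use the hardened context on a real connection, wrap the socket with `ctx.wrap_socket(sock, server_hostname=host)`; the `server_hostname` argument is what `check_hostname` compares the certificate against, so omitting it on a verifying context raises an error rather than silently skipping the check.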

Page 83: Big Data & Wrongful Collection

83

Protecting Personal Information: Tips on General Network Security Part 3 of 3

• Check expert websites (e.g., www.sans.org) and software vendor websites regularly, and implement policies for installing vendor-approved patches.

• Consider restricting employees’ ability to download unauthorized software.

• Scan computers on your network to identify and profile the operating system and open network services. Disable services that you don’t need.

• When you receive or transmit credit card or other sensitive financial data, use Secure Sockets Layer (SSL) or another secure connection to protect it in transit.
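The "scan, profile, disable what you don't need" tip turns into a repeatable check once each host has a role with an approved service list. The following is an added example (not from the FTC or the presenters) that parses nmap's grepable (`-oG`) output layout and reports open services not approved for the host's role; the three scan lines, host names, addresses and the role table are constructed, not from any real network. In nmap's service naming, `ms-wbt-server` is Remote Desktop.

```python
"""Profile hosts from an nmap grepable (-oG) scan and flag open services that
are not approved for the host's role. Added example; all data is constructed."""
import re

# Constructed -oG lines in nmap's layout:
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ...
SCAN = """\
Host: 10.0.1.10 (cardauth01)\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.1.20 (pos-register3)\tPorts: 22/open/tcp//ssh///, 8000/open/tcp//http-alt///, 23/open/tcp//telnet///
Host: 10.0.1.30 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 139/closed/tcp//netbios-ssn///
"""

# Constructed policy: services each host role is expected to expose.
ROLE_ALLOW = {
    "cardauth": {"https"},
    "pos": {"ssh"},
    "file": {"microsoft-ds"},
}
HOST_ROLE = {"cardauth01": "cardauth", "pos-register3": "pos", "fileserver": "file"}

HOST_RE = re.compile(r"^Host: (\S+) \((\S*)\)\tPorts: (.*)$")


def parse_grepable(text):
    """Return {host: [(port, service), ...]} for ports reported as open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # comment or non-host line
        ip, name, ports = m.groups()
        open_ports = []
        for entry in ports.split(", "):
            fields = entry.split("/")      # port, state, proto, owner, service, ...
            port, state, service = int(fields[0]), fields[1], fields[4]
            if state == "open":
                open_ports.append((port, service))
        hosts[name or ip] = open_ports
    return hosts


def unexpected_services(hosts, host_role, role_allow):
    """Open services not on the role's approved list: candidates to disable.
    A host with no known role gets an empty allow list, so everything it
    exposes is reported."""
    findings = []
    for host, ports in hosts.items():
        allowed = role_allow.get(host_role.get(host, ""), set())
        for port, service in ports:
            if service not in allowed:
                findings.append((host, port, service))
    return findings


if __name__ == "__main__":
    for host, port, service in unexpected_services(parse_grepable(SCAN), HOST_ROLE, ROLE_ALLOW):
        print(f"{host}: port {port} ({service}) is open but not approved for this host")
```

On the constructed input the card-authorization host is reported for exposing Remote Desktop, and the register for an extra web listener and telnet; the file server's closed NetBIOS port is ignored because only `open` entries are collected.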

Page 84: Big Data & Wrongful Collection

84

Contractors and Service Providers

• Before you outsource a business function (payroll, web hosting, data processing, etc.) investigate the company’s data security practices and compare their standards to yours. If possible, visit their facilities.

• Address security issues for the type of data your service providers handle in your contract with them.

• Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.

Page 85: Big Data & Wrongful Collection

85

Incident Response Plans

• Have a plan to respond to security incidents. Designate a senior staff member to coordinate and implement the plan.

• If a computer is compromised, disconnect it immediately from your network.

• Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information.

• Consider whom to notify in the event of an incident, both inside and outside your organization. You may need to notify consumers, law enforcement, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. Consult your attorney.

Page 86: Big Data & Wrongful Collection

86

Outsourcing

• Businesses subject to U.S. laws that outsource personal information retain responsibility for ensuring that there are reasonable procedures in place to safeguard that information.

– This responsibility is the same whether the service provider is located within the U.S. or offshore.

Page 87: Big Data & Wrongful Collection

87

Data Brokers and the FTC Report

• FTC issued a report analyzing data from nine data brokers

• Data Brokers Collect Consumer Data from Numerous Sources, Largely Without Consumers’ Knowledge, and Collect and Store Billions of Data Elements on Nearly Every U.S. Consumer

• The Data Broker Industry is Complex, with Multiple Layers of Data Brokers Providing Data to Each Other

• Data Brokers Combine and Analyze Data About Consumers to Make Inferences About Them, Including Potentially Sensitive Inferences, and Combine Online and Offline Data to Market to Consumers Online

• To the Extent Data Brokers Offer Consumers Choices About Their Data, the Choices are Largely Invisible and Incomplete

Page 88: Big Data & Wrongful Collection

88

Findings from Data Broker Report

• Data brokers collect consumer data from extensive online and offline sources, largely without consumers’ knowledge, ranging from consumer purchase data, social media activity, warranty registrations, magazine subscriptions, religious and political affiliations, and other details of consumers’ everyday lives.

• Consumer data often passes through multiple layers of data brokers sharing data with each other. In fact, seven of the nine data brokers in the Commission study had shared information with another data broker in the study.

• Data brokers combine online and offline data to market to consumers online.

• Data brokers combine and analyze data about consumers to make inferences about them, including potentially sensitive inferences such as those related to ethnicity, income, religion, political leanings, age, and health conditions. Potentially sensitive categories from the study are “Urban Scramble” and “Mobile Mixers,” both of which include a high concentration of Latinos and African-Americans with low incomes. The category “Rural Everlasting” includes single men and women over age 66 with “low educational attainment and low net worths.” Other potentially sensitive categories include health-related topics or conditions, such as pregnancy, diabetes, and high cholesterol.

Page 89: Big Data & Wrongful Collection

89

Findings from Data Broker Report

• Many of the purposes for which data brokers collect and use data pose risks to consumers, such as unanticipated uses of the data. For example, a category like “Biker Enthusiasts” could be used to offer discounts on motorcycles to a consumer, but could also be used by an insurance provider as a sign of risky behavior.

• Some data brokers unnecessarily store data about consumers indefinitely, which may create security risks.

• To the extent data brokers currently offer consumers choices about their data, the choices are largely invisible and incomplete.

Page 90: Big Data & Wrongful Collection

90

Page 91: Big Data & Wrongful Collection

91

FTC Guidance

General Information

Visit www.business.ftc.gov for more information

Mobile

Mobile App Developers: Start with Security
http://www.business.ftc.gov/documents/bus83-mobile-app-developers-start-security

Marketing Your Mobile App: Get It Right from the Start
http://www.business.ftc.gov/documents/bus81-marketing-your-mobile-app

Mobile Privacy Disclosures Staff Report: Building Trust Through Transparency
http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf

Children’s Online Privacy Protection Act (COPPA)

COPPA: A Six-Step Compliance Plan for Your Business
http://www.business.ftc.gov/documents/bus84-childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business

Complying with COPPA: Frequently Asked Questions
http://www.business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions

Page 92: Big Data & Wrongful Collection

92

Thank you.