2008 Study: Cost of Data Breaches Continues to Rise

A new benchmark study released by the Ponemon Institute indicates that the costs associated with data breaches in the U.S. continue to rise. The Fourth Annual U.S. Cost of Data Breach Study (“Study”) found that the average cost of a data breach has risen to $202 per customer record lost or stolen, up from $138 per customer record lost or stolen in 2005, the first year that the study was conducted. According to the Privacy Rights Clearinghouse, since 2005, more than 250 million customer records containing confidential personal information have been lost or stolen.

The Study surveyed 43 U.S. companies that experienced a breach involving the loss or theft of customer or consumer data over the past year. The surveyed companies experienced breach events involving loss or theft of 4,200 to 113,000 records. The cost of individual breach incidents ranged from a minimum of $613,000 to a maximum of $32 million, and averaged $6.65 million per company. The Study concluded that the cost of a breach is proportional to the size of a breach in terms of the number of customer/consumer records lost or stolen.


UK Data Protection Authority Publishes Draft Guidelines for Implementing Privacy Policies

The UK Information Commissioner's Office ("ICO", the UK data privacy agency) has recently issued an informative code of practice to assist companies that collect personal data in drafting clear privacy notices telling data subjects how the company intends to use their personal data, particularly where that data is confidential or sensitive in nature. The published guidelines are subject to a consultation period and will be finalized after the consultation period ends, on April 3, 2009.

In issuing the guidelines, the ICO made clear that privacy policies are essential to reassure companies’ potential and existing customers that the privacy of their data is taken seriously.

The principal purpose of the guidelines is to remind companies that they must inform all data subjects about:

  • the transfer of data to other companies and overseas;
  • the duration of storage;
  • the measures taken to ensure the security of the personal data;
  • the possibility to object to direct marketing;
  • who to contact if there is a complaint.

In promulgating the guidelines, the ICO reminded the companies of their obligations under the EU Data Protection Directive of 1995, which provides that all personal data must be processed "fairly and lawfully."

At a time when data breaches and online marketing have become increasingly common, it is essential that UK companies issue transparent policies about the collection, use, sharing, and security of personal data.

Jeremy Mittman in Proskauer's Los Angeles office contributed to this post.

FTC Provides Last Clear Chance for Industry to Self-Police in a Target-Rich Environment

On February 12, 2009, the FTC issued its long-anticipated Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The revised Self-Regulatory Principles are the result of a year of study of the more than 60 comments provided by industry, advocacy organizations, academics, and individual consumers in response to the FTC’s proposed self-regulatory principles issued in late 2007. For more on the history, see our prior posts on the history here, here, here, and here.

Not surprisingly, the FTC made clear that “these Principles are guidelines for self-regulation and do not affect the obligation of any company (whether or not covered by the Principles) to comply with all applicable federal and state laws.” And the Principles themselves, set forth below, largely reflect existing FTC law in this area. For example, it is well established that a company may not unilaterally alter its policies and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).


Massachusetts Regulators Postpone Compliance Deadline and Issue Revised ID Theft Regulations

On Thursday, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) revised and postponed -- for the second time -- its comprehensive data security regulations. The new deadline for all covered entities to achieve full compliance with the Massachusetts regulations is January 1, 2010. This fixed deadline replaces a tiered-compliance schedule established by OCABR in November 2008 that would have given covered entities until May 1, 2009 to install certain data security safeguards, including encrypting personal information on laptops, and until January 1, 2010 to implement more aggressive security measures. (See our prior post here.)


Florida Cases Remind Retailers that Printing Expiration Dates after Enactment of the Receipt Clarification Act Violates FACTA

The Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act prohibit, among other things, the printing of expiration dates on receipts presented to credit or debit card holders. Two recent cases from the U.S. District Court for the Southern District of Florida, Smith v. Zazzle.com, Inc. (see our blog post here) and Smith v. Under Armour, Inc., reject prior holdings that the term “print” is broad enough to encompass the information included when a seller electronically transmits a receipt. These cases also make clear, as we stated in our June 18, 2008 post, that businesses printing expiration dates after the June 3, 2008 enactment of the Credit and Debit Card Receipt Clarification Act of 2007 (“Clarification Act”) are violating FACTA’s truncation requirements. In fact, the Zazzle.com case specifically mentions that the Clarification Act does not apply because the conduct complained of occurred after the Act’s enactment.

The Clarification Act, which shielded from a finding of willful noncompliance with FACTA any business that printed an expiration date on a cardholder receipt between December 4, 2004 and the enactment of the Clarification Act, did not completely eliminate the statutory requirement to not print expiration dates on cardholder receipts. Accordingly, businesses that print expiration dates on such receipts after June 3, 2008, even when card numbers are properly truncated, may incur liability under FACTA.

Google Execs Face Privacy-Related and Other Criminal Charges for Taunting Video

Several Google executives, including the Company’s global privacy counsel, Peter Fleischer, will face criminal charges in Italian court stemming from Italian authorities’ two-year investigation of a video posted on Google Video showing a disabled teen being taunted by classmates. The video, posted in 2006, depicts four high school boys in a Turin classroom taunting a classmate with Down syndrome and ultimately hitting the young man over the head with a box of tissues. Google removed the video on November 7, 2006, less than twenty-four hours after receiving multiple complaints about the video. Nonetheless, Fleischer and his Google colleagues face criminal charges of defamation and failure to exercise control over personal information that carry a maximum sentence of three (3) years.
