Never Make a Promise You Can't Keep - Especially in Your Privacy Policy

Expect the unexpected from your Web site privacy policy. In a handful of cases, including two that were recently decided, companies have been thwarted in various, unexpected ways by the commitments made in their online privacy policies.

Twitter's Settlement With the FTC Demonstrates that "Reasonable Security" Isn't Only About Online Commerce

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.

The FTC Brings 27th Case for "Faulty Data Security Practices"

On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”

The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.

Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. and its co-founders, Richard Todd Davis and Robert J. Maynard. The settlement, which will require the identity theft protection services provider to pay $11 million to the FTC and an additional $1 million to the group of participating state attorneys general, resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. Specifically, the FTC alleged that LifeLock promised its customers complete protection against all types of identity theft, but the fraud alerts that LifeLock placed on its customers’ credit files protected only against certain forms of identity theft, which did not include medical identity theft, employment identity theft or the misuse of existing accounts – the most common form of identity theft. Moreover, the FTC alleged that even with respect to new account fraud, the type of identity theft for which fraud alerts are most effective, they do not provide absolute protection. LifeLock therefore deceived consumers by making statements like “LifeLock protects against [identity theft] ever happening to you. Guaranteed.”

In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

FTC Tells Sears That Consumer Disclosures Must be More Conspicuous

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy. However, in a recent proposed settlement, the FTC indicated that, at least under the facts before it, disclosures that were “buried” in a privacy policy were not sufficient.

On June 4, the FTC reported a proposed settlement with Sears Holding Management Corporation of a complaint that Sears had failed to meaningfully disclose to customers the extent of the information it was collecting through its online market research software. The FTC claimed that this failure to disclose constituted an “unfair or deceptive act” under the Federal Trade Commission Act.
 

Doesn't Alice Live Here Anymore? FACTA and the Address Discrepancy Rule

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

Red Flags Rule Interpretation Raises Red Flags

We noted in an earlier post that the FTC determined that the Red Flags Rule applies to retailers who pass credit card applications on to lenders. However, there appear to be strong arguments against this interpretation.

Federal Court Enjoins Sale of Keylogger Program

A U.S. District Court for the Middle District of Florida recently issued a preliminary injunction ordering CyberSpy Software, LLC to stop promoting and selling “RemoteSpy,” a keylogger software program that, once installed on a computer, collects information regarding use of the computer.

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing sensitive personal information of approximately 34,000 consumers in readable text.

For Companies Whose Data Security Practices Are Lacking, Life is [Not So] Good

The Federal Trade Commission announced on January 17, 2008 that it has agreed in principle to a consent order with Life is good, Inc. and Life is good Retail, Inc. (collectively “Life is good”) resolving allegations that the apparel company collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies. The consent order against Life is good, among other things, prohibits future deceptive privacy and security claims and requires the company to implement a comprehensive information security program that includes biennial audits by an independent security professional for the next twenty years.

First FACTA Disposal Rule FTC Settlement Leaves American United Down in the Dumps

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.

American United is the first FTC action taken pursuant to the Disposal Rule, promulgated in 2005, of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The complaint, filed in the Northern District of Illinois in mid-December, asserted that the Northbrook, Illinois-based mortgage company disposed of several dozen consumers’ personally identifying information by leaving intact hundreds of documents in a nearby unsecured dumpster, in some cases in open trash bags. Indeed, even after the FTC provided written notice to American United that disposal of documents containing consumers’ personal information in this manner created a risk of unauthorized access, "on at least two occasions, additional intact American United documents containing consumers’ personal information were found in and around the same dumpster adjacent to American United’s office."
