In an article just published by the Washington Legal Foundation, we review the requirements of the Massachusetts law and Regulations, including the required written information security program, constraints on third-party providers and vendors, and enforcement mechanisms, among other topics.  "The Bay State Raises the Bar on Personal Data Security: Are You in Compliance?," by Jeffrey D. Neuburger and Natalie Newman is available here.
 

The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.

The FTC’s complaint states that, upon its discovery of the data security breach, Dave and Buster’s notified law enforcement officials and credit card companies, and took remedial steps to prevent further unauthorized access by the intruder. However, the FTC’s complaint also alleges that it was Dave and Buster’s “failure to employ reasonable and appropriate security measures to protect personal information” that enabled the unauthorized access that caused the data breach. Among the failures cited by the FTC, Dave and Buster’s allegedly failed to employ an intrusion detection system, failed to monitor system logs, failed to use firewalls to limit access between in-store networks, failed to isolate the payment card system from the rest of the corporate network and failed to use other readily available security measures, such as limiting access to its computer networks through wireless access points on such networks.

The settlement agreement entered into between the FTC and Dave and Buster’s requires Dave and Buster’s, among other things, to establish, implement and maintain a comprehensive, written data security program that contains administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of personal consumer information. In additional Dave and Buster’s is required to obtain and endure an initial and biennial assessments (for a period of 10 years from the date of the order) from a qualified third-party regarding its implementation and maintenance of its program and safeguards in compliance with the settlement agreement.

The FTC’s news release announcing the settlement, along with the FTC’s complaint and the settlement agreement containing the consent order, can be accessed by clicking here.

Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience.

This year’s study revealed that the average per-record cost of the data breaches experienced by the surveyed organizations was in 2009 $204, which is just $2 more than the average per-record cost in 2008 (click here for the Privacy Blog’s posting on the Ponemon Institute’s 2008 Study), but represented a $66 dollar overall increase since 2005, the first year the Ponemon Institute conducted this same study, when the average per-record cost was $138.  

The costs of a data breach include both direct costs (such as communications costs, investigations and forensics costs and legal costs) and indirect costs (such as lost business, public relations costs and new customer acquisition costs), and the study found that some industries experience a higher customer churn rate (i.e., lost business) than others. The industries with the highest customer churn rates in 2009 were the pharmaceutical, healthcare, communications, financial services and services industries.

The study also revealed a variety of primary causes of data breaches experienced by the surveyed companies, including, for example, that:

• 42% of all breaches studied involved errors made by, or compromises otherwise incurred while a company’s data is in the possession or control of, a third party. 
• 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices. Interestingly, the study found that the per-record cost of a data breach involving a stolen laptop or mobile device was just over $224, whereas the per-record cost of a data breach not involving a stolen laptop or mobile device was only around $192.
• 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
• 82% of all breaches studied involved organizations that had experienced more than one data breach involving the compromise of more than 1,000 records containing personal information.

This study can serve as an incredibly useful tool for companies to understand the full scope of potential costs of a data breach (including both direct and indirect costs) and in performing a cost-benefit analysis of the costs of implementing pre-breach, prophylactic measures (such as policies, training, encryption of sensitive information and other security), versus the potential costs of experiencing and dealing with the aftermath of a breach that could have been avoided, or at least mitigated.

Plaintiffs argue this disclosure constitutes a sever invasion of their privacy by Netflix, which violates, among other things, the Video Privacy Protection Act of 1988 (18 U.S.C. 2710 (2002)). Additionally, the lead plaintiff in this case, Jane Doe, claims that Netflix’s disclosure of her movie rental history and ratings has and/or will “identify or permit inference of her sexual orientation… [which… ] would negatively affect her ability to pursue her livelihood and support her family, and would hinder her and her children’ ability to live peaceful lives within Plaintiff Doe’s community.”

The Video Privacy Protection Act (the “Act”) was originally enacted in 1998 (in response to a public disclosure of a Supreme Court nominee, Robert Bork’s, video rental history), and, according to the Electronic Privacy Information Center, while not often invoked, the Act “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”

The Act prohibits, with certain exceptions, any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)). The Act defines a “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials…” and “personally identifiable information” as including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider” (18 U.S.C. 2710(a)). 

In addition to violating this prohibition on the disclosure of personally identifiable information, the Plaintiffs in Doe v. Netflix also allege that Netflix violated another provision of the Act, which requires that a video tape service provider “destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected” (18 U.S.C. 2710(e)). 

The Plaintiffs are demanding relief in the form of (among other things) statutory damages, actual damages, punitive damages, injunctive relief, disgorgement of wrongfully obtained profits and revenues, and attorneys’ fees.

In addition to the Act, a number of states, including California, have also enacted similar video privacy laws. In addition to the Act and other laws, the Complaint alleges that Netflix has violated the California Customer Records Act (CA Civil Code 1798.80).

Originally proposed on March 28, 2008, the DOE published a notice which proposed various changes to FERPA and its implementing regulations “to implement various statutory changes made to FERPA to implement two recent US Supreme Court decisions, to respond to changes in information technology, and to address other issues identified through the Department’s experience in administering FERPA.”  (73 FR 74806).  According to the DOE, approximately 121 parties submitted comments in response to the March, 2008 NPRM.  The Final Rules become effective January 8, 2009.

Originally proposed on March 28, 2008, the DOE published a notice which proposed various changes to FERPA and its implementing regulations “to implement various statutory changes made to FERPA to implement two recent US Supreme Court decisions, to respond to changes in information technology, and to address other issues identified through the Department’s experience in administering FERPA.”  (73 FR 74806).  According to the DOE, approximately 121 parties submitted comments in response to the March, 2008 NPRM.  The Final Rules become effective January 8, 2009.

Some of the significant changes brought about by the Final Rules include the following:

·         Amending several key definitions, including the definition of “directory information,” which expressly excludes therefrom a student’s Social Security number or student identification number (except where a student ID is “used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records” without one or more additional authentication factors, such as a PIN number or password).

·         Revising the definition of “personally identifiable information” to, among other things, add a definition of “biometric record.”

·         Expanding the circumstances under which prior consent is not required to disclose personally identifiable information from education records, including, for example, disclosures to “a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions… .”  

·         Amending the exception that allows educational institutions and agencies to disclose information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institutions for purposes of testing, student aid and improvement of instruction. (Specifically, the Final Rules added a requirement to this exception, that the educational agency or institution enter into a written agreement containing specific provisions with the organization conducting the study.)

·         Clarifying an educational agency or institution’s obligations with respect to the handling of opt-out requests to the disclosure of directory information.

·         Requiring an educational agency or institution that discloses information without consent under the health and safety emergency exception to record “the articulable and significant threat to the health or safety of a student or other individuals that formed the basis for the disclosure; and the parties to whom the agency or institution disclosed the information.”

·         Implementing the provisions of the USA Patriot Act that amend FERPA to provide that an educational agency or institution may disclose, without consent, information from education records pursuant to and in accordance with an ex parte court order issued under the USA Patriot Act.

·         Implementing the provisions of the Campus Sex Crimes Prevention Act (CSCPA), which amend FERPA to allow educational agencies or institutions to disclose, without consent, information concerning registered sex offenders provided to the agency or institution under the federal statute, the Violent Crime Control and Law Enforcement Act of 1994.

Additionally, in the preamble to the Final Rule, the DOE republishes, “for the administrative convenience of educational agencies and institutions and other parties,” certain information and recommendations regarding the safeguarding of educational records.  These “Department Recommendations for Safeguarding Education Records” include suggested steps to take in the event of an unauthorized release or disclosure, or other breach or compromise involving, education records.

FERPA seeks to protect the privacy of education records of students, and applies to all educational institutions and agencies that receive federal funding under a federal education program. FERPA provides to parents of children under the age of 18 (and “eligible students” over the age of 18) certain rights with respect to their education records maintained by an educational institution or agency, including the right to access and copy education records.  Additionally, with certain exceptions, FERPA prohibits educational institutions and agencies from disclosing personally identifiable information (not including “directory information,” however) from education records without prior consent.  Under FERPA, “directory information” means “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” FERPA sets forth a non-exhaustive list of data elements that would be considered part of such definition.  Thus, FERPA permits an educational institution or agency to disclose “directory information” without consent, provided that such institution or agency give notice to parents and the ability to opt out of such disclosures.

For a copy of the Federal Register notice containing the Final Rules, click here.  For the Federal Register notice containing the NPRM, click here.

On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission(SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes. 

The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.

In general, the Affiliate Marketing Rule prohibits a “person” from using consumer “eligibility information” received from a corporate “affiliate” for making marketing “solicitations” to the consumer, unless:  

• the consumer is first given a clear, conspicuous, concise and written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
• the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
• the consumer has not opted out thereof. 

Opt-Out Requirements

The opt-out notice must be delivered “so that each consumer can be reasonably expected to receive actual notice.” Examples of delivery methods that can be reasonably expected to provide actual notice include hand-delivery, mailing a printed copy of the notice to the consumer’s last known address, e-mail to consumers who have agreed to receive electronic disclosures from the affiliate providing notice, and posting the notice on a website at which the consumer obtained a product or service electronically and requires the consumer to acknowledge receipt of the notice. 

Once notice has been delivered, a consumer must be given a reasonable opportunity to opt out, and the reasonable opportunity to opt out must be accompanied by a “reasonable and simple” method for exercising the opt-out right, such as a conspicuous check box, a reply form and a self-addressed envelope with the opt-out notice, a toll-free telephone number, and an electronic opt out.

Consumer opt outs must be honored for 5 years, and a renewal notice must be sent to the consumer before the expiration of the initial 5-year opt-out period, giving the consumer an opportunity to extend the opt-out for an additional 5 years. The Final Rule includes model forms that may be used to comply with the Final Rule’s requirements.

Key Definitions

Under the Final Rule, “affiliates” are companies that are related by common ownership or common corporate control with one another. A “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is based on eligibility information communicated to that person by its affiliate and intended to encourage the consumer to purchase or obtain such product or service. (Communications aimed at the general public such as television or billboard advertisements are not “solicitations,” but marketing emails, telemarketing calls and direct mailings aimed at particular consumers are considered “solicitations.”) 

“Eligibility information,” as defined by the Rule, encompasses any information that, if communicated, would constitute a “consumer report” (as such term is defined by the Act) but for specific statutory exclusions. “Eligibility information” might include, for example, a person’s own transaction or experience information and information from consumer reports or applications, but does not, however, include aggregate or blind data that does not contain personal identifiers. 

Exceptions

The provisions of the Affiliate Marketing Rule do not apply to certain uses of eligibility information obtained from an affiliate in certain situations, including:

o       to make a marketing solicitation to a consumer with whom the person has a “pre-existing business relationship” as that term is defined in the Rule;

o       to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services;

o       to perform services on behalf of an affiliate, except that this does not permit a person to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation on its own behalf due to the consumer’s opt-out election;

o       in response to a communication initiated by the consumer;

o       in response to a consumer’s authorization or request to receive a solicitation; and

o       if compliance with the Final Rule would prevent the person from complying with state insurance laws relating to unfair discrimination.

As the compliance deadline quickly approaches, it is important for covered entities to understand that the potential consequences of non-compliance with the Final Rule’s requirements not only could include enforcement by the applicable federal banking agency or the FTC (if the FTC has jurisdiction over such covered entity), but also could result in civil liability to affected consumers (including punitive damages for certain willful actions, as well as attorneys’ fees).

Under the Act, merchants who accept credit cards as a form of payment may not request or require as a condition to accepting payment by credit card the personal information of a cardholder, which information the merchant causes to be recorded upon a credit card transaction form or otherwise (such as a receipt, etc.). 

In the Absher case, plaintiff Dave Absher (who, when returning merchandise purchased from Autozone, was required to put his name and telephone number on a voucher in order to process the refund), claimed that Autozone’s practices violated the Act. In the trial court, Autozone moved for summary judgment arguing that the statute does not apply to return transactions. The trial court granted Autozone’s motion and the Court of Appeal affirmed the dismissal of plaintiff’s cause of action, holding that the Act’s restrictions are limited to initial purchase transactions and not return transactions. In particular, the court held that the legislative history behind the Act, as well as a policy interest in providing retailers with a reasonable means to safeguard against potential abuses in connection with the return of merchandise, weighed in favor of its interpretation that the Act does not apply where a merchant’s request for personal information is in connection with a refund for the return of merchandise purchased by credit card.

The outcome in this most recent case is not surprising given the court’s other recent decision, on May 22, 2008, which case involved The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc. and Marmaxx (collectively, “TJX”), and in which case the California Court of Appeal also narrowed the scope of claims available under the Act in ruling that the statute does not apply to merchandise returns.

Kathryn Conroy, a Summer Associated in Proskauer’s Los Angeles office, contributed to this post.