Privacy Lawyer & Attorney : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

The settlement is particularly noteworthy for its resulting “new model” to protect children. As set forth in the settlement agreement and settlement terms, Facebook will:

• Disclose the newly implemented safety procedures on its website as specified by the agreement and ensure that all other public statements made by Facebook about safety are consistent with the specified language.

• Accept complaints about nudity or pornography, harassment or unwelcome contact confidentially via hyperlinks placed throughout Facebook’s website as well as via an independent email to abuse@facebook.com.

• Respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.

• Report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been submitted via an independent email to abuse@facebook.com.

• Allow Facebook’s complaint review process to be examined by an Independent Safety and Security Examiner (ISSE), a third party approved by the New York State Attorney General’s Office, to report on Facebook’s compliance with the agreement.

• Provide a prominent and easily accessible hyperlink to allow a Facebook user or their parent/guardian to give feedback to the Independent Safety and Security Examiner (ISSE) about Facebook’s performance in responding to complaints. 

• Submit to the Office reports prepared by the Independent Safety and Security Examiner (ISSE) evaluating Facebook’s performance in responding to complaints. The Examiner will report bi-annually and may recommend additional safety measures concerning complaint handling, as appropriate.

Both Attorney General Cuomo and Facebook are touting the agreement as setting new industry standards to protect children. Notably, Connecticut Attorney General Richard Blumenthal, co-chair of the national social networking task force of all 50 state Attorneys General, issued a press release stating the settlement terms were not strong enough. He is urging social networking sites to increase the use of filtering technology and monitors to screen content, identity and age verification for anyone 18 and older, parental consent for anyone under 18, the hiding of children’s profiles from adults, certain restrictions on advertising to children, and other measures. In light of the settlement, the likely continued interest by law enforcement, and the potential dangers to children, social networking sites should consider assessing their security practices and policies.           

New York’s security breach notification law, like other such laws, requires a business that maintains private information that it does not own to notify the data’s owner when this information may be compromised. The data owner must then notify potentially affected consumers. New York’s law also requires notice to the state’s Attorney General, Consumer Protection Board, and Office of Cyber Security. The timing of the notification is a particularly important aspect of many states’ security breach notification laws, including New York. Subject to law enforcement needs, New York requires notice to data owners “immediately following discovery” and to affected consumers “in the most expedient time possible and without unreasonable delay.”   

CS STARS first noticed that a computer containing the names, addresses, and Social Security numbers of New York consumers was missing on May 9, 2006. However, CS STARS did not notify New York Special Funds Conservation Committee (“NYSFCC”), the data owner, of the potential breach until June 29, 2006. The company notified the FBI that same day, and the following day notified the proper state agencies. Notices to potentially affected consumers, however, did not begin mailing until July 18, 2006 pursuant to the FBI’s request and N.Y. Gen. Bus. Law § 899-aa(4), which explicitly allows a business to delay notification if a law enforcement agency determines that such notification will impede a criminal investigation.

The FBI recovered the missing computer, which had been taken by an employee of a cleaning contractor, on July 26, 2006. No consumers’ information was improperly accessed. Nonetheless, Attorney General Cuomo felt that the lengthy delay between discovering the theft and issuing the proper notifications “would have been ample time [for identity thieves] to victimize hundreds of thousands of consumers.” 

CS STARS’ settlement requires the company to implement precautionary measures to safeguard private information, comply with the state’s notification law in the event of any future breach, and pay $60,000 to cover costs related to the investigation. CS STARS did not admit to any violation of law.