Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users’ personal information, requires Facebook to obtain users’ affirmative consent before enacting changes that override the users’ privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011.
The Federal Trade Commission recently announced its settlement with the operator of www.skidekids.com concerning allegations that the operator violated the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) by collecting personal information about children without obtaining parental consent. For Skid-e-kids, the FTC’s settlement means taking remedial measures; an injunction; and a $100,000 civil penalty. For the rest of us, the settlement is a good reminder that the FTC is staunchly committed to protecting children’s privacy. So when it comes to collecting personal information from children online, it’s important to do it right . . . or not at all.
Playdom, Inc., an online game company owned by Disney, and Playdom’s CEO, Howard Marks, agreed to pay $3 million to settle charges brought by the FTC that they violated COPPA by collecting, using and disclosing the personal information of children under the age of 13 without their parents’ prior, verifiable consent. The $3 million settlement is the largest civil penalty ever for a COPPA violation.
The maker of Rascal Scooters agreed to pay $100,000 as a civil penalty to settle a complaint filed by the FTC alleging that Rascal Scooters violated the FTC Act and the FTC’s Telemarketing Sales Rule.
On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.
On January 18, 2011, Vermont Attorney General William Sorrell announced a settlement with HealthNet, Inc. and Health Net of the Northeast, Inc. over allegations that the company violated the state’s data breach notification law when the company waited over six months to notify state residents of the loss of a portable hard drive that contained their unencrypted personal information. The Attorney General’s settlement is an important reminder that the unpleasantness of a security breach is only compounded by a poor response. If you have not already done so, the time for establishing a comprehensive breach response plan is now!
The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.
Heartland Payment Systems, Inc. reached a settlement with MasterCard on May 19, 2010 for losses resulting from Heartland’s massive 2008 data security breach.
On April 27, 2010, the Federal Trade Commission announced separate settlements with women’s clothing retailer Talbots and its telemarketer SmartReply, Inc. for violations of the Telemarketing Sales Rule (“TSR”). The FTC alleged that SmartReply’s robocalls for Talbots did not allow consumers to opt out of future calls until they had listened to almost all of the prerecorded solicitation or failed to provide opt out instructions; did not immediately disconnect consumers that chose to opt out; and failed to notify live call recipients of their right to opt out at any time during the call.
On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. which resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”
On February 3, 2010, the U.S. District Court for the Western District of Pennsylvania preliminarily approved a class action settlement between Aramark Sports, LLC and a class of approximately 5,000 customers who made credit or debit card purchases from stores at PNC Park in Pittsburgh, Pennsylvania. If approved, the proposed settlement would resolve allegations made by the plaintiffs that Aramark violated the Fair and Accurate Credit Transactions Act’s (“FACTA”) truncation requirements by electronically printing receipts that contained (a) more than the last 5 digits of the plaintiffs’ credit or debit card numbers and/or (b) the expiration date of such cards.
A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.” Should mere contact information be afforded greater protection? One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone… Continue Reading
According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and… Continue Reading
On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.