Facebook Accedes to the FTC's Poke, Settles FTC's Charges

Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users’ personal information, requires Facebook to obtain users’ affirmative consent before enacting changes that override the users’ privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011.

Indeed, the Facebook settlement signals that the FTC is likely to continue requiring comprehensive privacy programs and enforcing the US-EU Safe Harbor Principles in a substantive manner, two things that the FTC had not done before March 2011. Such enforcement is no surprise, given that the FTC has advocated a “privacy by design” approach since at least December 2010. Specifically, the FTC’s proposed settlement requires Facebook to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” 

In addition, the settlement also requires Facebook, before sharing a user’s nonpublic personal information with a third party in excess of the user’s privacy settings, to “clearly and prominently disclose” (outside of the Facebook privacy policy or other boilerplate) the categories of nonpublic user information that will be disclosed, the identity or specific categories of such third parties, and that such sharing exceeds the restrictions imposed by the user’s privacy settings. Importantly, Facebook must also obtain a user’s affirmative express consent before sharing the user data in the new circumstance. The settlement also imposes a requirement for Facebook to retain an independent third party to biennially assess its privacy practices vis-à-vis the settlement terms for the next twenty years.

 

The FTC’s eight-count Complaint that underlies the settlement alleges that numerous Facebook initiatives violated prior representations about the extent to which users’ information was accessible by third parties. For instance, the FTC alleged that Facebook, despite allowing users to restrict access to profile information to specific individuals or groups of people, permitted users’ information to be accessed by third-party applications on the Facebook platform which the users’ friends used. The FTC also alleged that in December 2009, Facebook made public certain information that users had previously designated private and failed to disclose that users could no longer restrict access to certain information or that their existing choices would be overridden.

The FTC also alleged that Facebook’s December 2009 changes were both deceptive (because Facebook failed to adequately disclose the changes) and unfair (because Facebook retroactively applied the changes to personal information that it had previously collected from users, without their informed consent).

 

According to the FTC, Facebook’s conduct harmed consumers because the alleged violations:

· Made certain users “subject to the risk of unwelcome contacts;”

· Exposed “potentially controversial political views or other sensitive information to third parties;”

· Exposed the user’s list of friends to third parties, “thereby exposing potentially sensitive affiliations;” and

· Revealed “potentially embarrassing or political images to third parties.”

 

The FTC’s complaint also alleged other privacy violations by Facebook, including the following:

· Facebook permitted apps on its platform to access more personal information about the app’s user than was necessary for the app’s purpose

· Facebook permitted apps to access personal information about a user’s friends even if the friends never granted the app authorization to access their personal information

· Facebook’s advertising program shared identifiable information with advertisers, contrary to representations it had made to its users

· A little-used “Facebook Verified App” badge, whereby Facebook, for a fee, would “verify the security of Verified Apps,” was deceptive because Facebook did no more to verify applications bearing that badge than it did with any other platform application

· Facebook retained and continued to make accessible users’ photos and videos, even after users deleted or deactivated their accounts, contrary to Facebook’s prior representations

· Facebook falsely certified that it had complied with the US-EU Safe Harbor Principles, particularly the principles of Notice and Choice, when it was not in compliance with them

 

In settling the FTC’s charges, Facebook did not admit the truth of any of the FTC’s substantive or factual allegations, aside from jurisdictional ones.

 

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up. Any changes to a website or application should respect users’ prior privacy choices and obtain a user’s affirmative consent before altering or overriding those prior choices. The requirement that Facebook enact a comprehensive privacy program (in effect, “privacy by design”), a settlement term that the FTC first included in Google’s March 2011 settlement, indicates that this requirement will likely be a staple of future privacy-related settlements. The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

Site Targeting "Tweenagers" Misses the Mark: FTC Announces Settlement of Alleged COPPA Violations

The Federal Trade Commission recently announced its settlement with the operator of www.skidekids.com concerning allegations that the operator violated the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) by collecting personal information about children without obtaining parental consent. Skid-e-kids, a social networking site directed at children ages 7-14, allows children to do many of the things (e.g., share pictures and video) that adults do on Facebook and other popular social networking sites. In fact, according to the FTC, Skid-e-kids advertises itself as the “Facebook and Myspace for kids.”

To get online at www.skidekids.com, users must provide personal information such as their name, email address, date of birth and city. The site’s published privacy policy purported to require that child users provide a parent’s valid email address in order to activate their account and to facilitate communications between Skid-e-kids and parents concerning the site and their child’s account. But according to the FTC, the site operator never collected any parent’s email address and failed to obtain verifiable parental consent to collect personal information from children under 13. In doing so, the FTC said, the site operator violated both the FTC Act (by misrepresenting its privacy practices in the privacy policy) and the COPPA Rule (by improperly collecting children’s personal information).

For Skid-e-kids, the FTC’s settlement means taking remedial measures such as destroying all of the information collected from children in violation of the COPPA Rule, providing links to online educational material, and retaining an online privacy professional or joining an approved COPPA safe harbor program to oversee applicable COPPA-covered websites; an injunction against future violations of COPPA and misrepresentations about the collection of children’s information; and a $100,000 civil penalty (all but $1,000 of which may be suspended if the operator demonstrates an inability to pay).

For the rest of us, the settlement is a good reminder that the FTC is staunchly committed to protecting children’s privacy. So when it comes to collecting personal information from children online, it’s important to do it right . . . or not at all.

COPPA Violations? Cop a Settlement for $3 Million

Playdom, Inc., an online game company owned by Disney Enterprises, Inc., and Playdom’s Chief Executive Officer, Howard Marks (the “Defendants”), agreed to pay $3 million to settle charges brought by the Federal Trade Commission (“FTC”) that they violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting, using and disclosing the personal information of children under the age of 13 without their parents’ prior, verifiable consent. According to the FTC’s settlement announcement, the $3 million settlement is the largest civil penalty ever for a COPPA violation.

The FTC’s complaint, filed May 11, 2011, alleged that the Defendants operated 20 “virtual world” gaming websites and that when children registered on the websites, the Defendants collected children’s personal information, like their ages and email addresses. Between 2006 and 2010, around 403,000 children registered for Defendants’ general audience websites, while an additional 821,000 users registered for www.ponystars.com, the Defendants’ website directed to children. Once registered, children could create their own personal profile pages, which included things like name, location, email address and instant messaging information. The FTC claimed that the Defendants failed to provide sufficient notice on their websites of what information they collected from children and how they used and disclosed such information. The FTC also claimed that the Defendants failed to provide direct notice to the children’s parents of their collection, use and disclosure practices with regard to such information and failed to obtain parents’ verifiable consent to their practices.

The FTC’s complaint also alleged that the Defendants failed to adhere to the promises set forth in their privacy policy, specifically, that they would neither collect the email addresses of children without parental consent, nor permit children under the age of 13 to post personal information on their websites.

It is worth noting that Playdom took ownership of the websites when it acquired Acclaim Games, Inc. in May 2010 and that Disney subsequently acquired Playdom in August 2010. Although most of the violations occurred when Acclaim Games was operating independently, its acquirers ended up getting stuck with the tab.

FTC Says Scoot, Rascal! Rascal Scooters Penalized $100,000 for Calling Consumers on the Do Not Call Registry

On April 21, 2011, the Federal Trade Commission (FTC) and Electronic Mobility Corporation (d/b/a Rascal Scooters) entered into a settlement agreement pursuant to which Rascal Scooters agreed to pay $100,000 as a civil penalty to settle a complaint filed by the FTC alleging that Rascal Scooters violated the FTC Act (15 U.S.C. § 44) and the FTC’s Telemarketing Sales Rule (16 C.F.R. 310) (TSR). At the center of the FTC’s complaint was the allegation that Rascal Scooters and its owner, Michael Flowers, made more than three million unsolicited sales calls since 2003 to consumers on the Do Not Call Registry who submitted their contact information to Rascal Scooters through its “Win a Free Rascal” sweepstakes.

As background, the Telemarketing Sales Rule allows a company to call a consumer on the Do Not Call Registry if the company has an “established business relationship” with the consumer and the consumer has not otherwise opted out of receiving calls from the company. What Rascal Scooters failed to consider, however, was that an “established business relationship” does not arise from the submission of a sweepstakes entry form. Rather, an “established business relationship” exists only if the consumer purchased the company’s goods or services within the 18-month period immediately preceding the call, or if the consumer inquired about or submitted an application regarding a company product or service within the 3-month period immediately preceding the date of the call.

In addition to the $100,000 penalty, Rascal Scooters is only allowed to call consumers if it has their consent in writing or if there is an actual “established business relationship” and is subject to ongoing monitoring and reporting requirements to ensure its compliance with the settlement order.

 

It is important to note that the penalty imposed could have been (and can be) much greater than $100,000. Pursuant to the settlement order, Rascal Scooters is subject to a $2 million penalty that is currently suspended due to its inability to pay. The $2 million will become due immediately if it is revealed that the company misrepresented its inability to pay.

Bay State "Brings It": Attorney General Enters Consent Agreement with Restaurant Group for Data Security Failures

On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. The Final Judgment stems from an April 2009 information security breach in which outside hackers used malware to gain access to Briar Group’s computer systems and extract payment card information about the company’s restaurant and bar customers. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.

According to the Attorney General, the Final Judgment “works to ensure that steps have been taken to protect consumer information moving forward.” Although the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) did not become effective until after the April 2009 breach, the Attorney General used the regulations as a reference point for identifying deficiencies in the company’s approach to information security. In its complaint against Briar Group, the Attorney General alleged, among other things, that the company (i) failed to change default usernames and passwords for its point-of-sale system, (ii) allowed employees to share passwords, (iii) did not appropriately limit the number of employees with administrative access to company systems, and (iv) stored payment card information in clear text on its servers. Taken together, these deficiencies allowed the breach of Briar Group’s systems to continue unabated until approximately December 2009.

In her announcement of the Final Judgment, Massachusetts Attorney General Martha Coakley explained that her office “will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.” With this in mind, and 201 CMR 17.00 now firmly entrenched, companies handling personal information about Massachusetts residents should be prepared. Hint: That means have a WISP and follow it!

Glacially Expedient? Vermont Attorney General Settles with HealthNet for Failure to Timely Notify State Residents of Data Breach

On January 18, 2011, Vermont Attorney General William Sorrell announced a settlement with HealthNet, Inc. and Health Net of the Northeast, Inc. over allegations that the company violated the state’s data breach notification law when the company waited over six months to notify state residents of the loss of a portable hard drive that contained their unencrypted personal information. The Attorney General’s settlement, the first under Vermont’s Security Breach Notice Act, demonstrates that, in the opinion of the Vermont Attorney General, even in the frozen North a six-month gap between the discovery of a breach and notice to individuals cannot be reconciled with the Act’s requirement to notify individuals “in the most expedient time possible and without unreasonable delay.”

The lengthy delay between discovery of the lost hard drive and individual notifications was not the only thing Sorrell found to be wrong with HealthNet’s response to the May 2009 breach, however. Vermont’s Attorney General also claimed that HealthNet violated the federal Health Insurance Portability and Accountability Act (“HIPAA”) by failing to secure protected health information and the state’s Consumer Fraud Act by misrepresenting, in its letters to individuals, the risk posed by the breach. In those letters, HealthNet told individuals that the risk of harm to them was “low” because the files were saved in a format that could not be easily accessed when, in reality, the files were saved in the TIF image format, which any ordinary image viewer can open.

The Vermont Attorney General’s settlement with HealthNet, which the U.S. District Court for the District of Vermont approved on January 21, 2011, requires the company to pay $55,000 to the State, submit to a data-security audit, and file reports with the State regarding the company’s information security programs for the next two years.

The HealthNet settlement is an important reminder that the unpleasantness of a security breach is only compounded by a poor response. If you have not already done so, the time for establishing a comprehensive breach response plan is now!

Sanctions for Lazy Disposal Require Drug Store Chain to Re-"Rite" its Data Security Policies and Procedures

Rite Aid has agreed to pay $1 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act (“HIPAA”) by pitching pill bottles and prescription information into publicly accessible dumpsters near Rite Aid stores. According to the Department of Health and Human Services’ resolution agreement, released on July 27, Rite Aid must implement a three-year corrective action program, which includes the adoption of revised policies and procedures concerning the disposal of sensitive health-related information, employee training programs related to the revised policies and procedures and penalties for employees that fail to comply with them.

In addition to the HHS resolution agreement, Rite Aid has entered into a separate, but related settlement with the FTC to resolve the FTC’s allegations that the company failed to live up to promises made in its privacy policy that it would protect customers’ sensitive medical information. The FTC settlement will require Rite Aid to implement a comprehensive information security program and obtain independent audits of the program for twenty years.

The Rite Aid settlement marks the second time HHS and the FTC have joined forces for an investigation into alleged violations of individuals’ information privacy. The agencies began investigating Rite Aid after news media captured footage of employees at a number of pharmacies, not limited to Rite Aid, tossing sensitive medical information into insecure trash containers. According to HHS and the FTC, this practice demonstrated Rite Aid’s failure to implement, teach and enforce appropriate policies regarding the disposal of sensitive information.

So will [insert name of your pharmacy here] be the agencies’ next target? We hope not!

Twitter's Settlement With the FTC Demonstrates that "Reasonable Security" Isn't Only About Online Commerce

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.

The FTC’s complaint alleged that between January and May 2009, intruders twice obtained control of Twitter administrative accounts because of deficient password security policies. In January 2009, an intruder gained control of Twitter by using a “brute force” automated password-guessing tool that attempted to log in to Twitter thousands of times until it guessed the correct password. The password was a weak, lowercase, letter-only common dictionary word, and the login page did not lock the account after repeated failures. In April 2009, an intruder compromised a Twitter employee’s personal email account by unspecified means. The intruder was able to guess the Twitter employee’s administrative password based on two similar passwords that were stored in the employee’s email in plain text for at least six months before the security incident. With administrative access, the intruders were capable of accessing nonpublic user information and nonpublic tweets from any Twitter user and resetting Twitter users’ passwords. The first intruder reset certain user passwords and posted tweets from the compromised accounts.

According to the FTC, Twitter was vulnerable to these attacks because it failed to prevent unauthorized administrative control of its system. The FTC claimed that Twitter failed to take reasonable steps to:

  • Require employees to use hard-to-guess passwords that were not used for other purposes;
  • Prohibit employees from storing administrative passwords in plain-text within their personal e-mail accounts;
  • Suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
  • Provide an administrative login page that is separate from the ordinary user login page and whose location is known only to authorized users;
  • Enforce periodic changes of administrative passwords;
  • Restrict access to administrative controls to employees whose jobs required it; and
  • Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
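The FTC’s list above reads like a checklist for an administrative login. As an added example (this is not code from the original post, nor Twitter’s own), the Python below implements the controls that a login guard can enforce in code: a password policy that rejects short, lowercase-only or dictionary-word passwords at enrolment; salted slow hashing so the credential store itself is not a plain-text password list; lockout after a fixed number of failed attempts so that a brute-force tool cannot try “thousands of times”; and a source-IP allowlist checked before any credential is examined. The word list, the 12-character minimum, the five-attempt threshold and the 10.20.0.0/16 network range are assumed values for the example, not Twitter’s settings.

```python
"""Admin-login guard with the controls the FTC faulted Twitter for lacking (example only)."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field

# Constructed sample word list; a deployment would load a full dictionary or breach list.
COMMON_WORDS = {"password", "sunshine", "welcome", "letmein", "admin", "twitter"}
MIN_LENGTH = 12            # assumed policy value
MAX_FAILURES = 5           # assumed lockout threshold
# Assumed allowlist: only the corporate VPN range may reach the admin login at all.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def password_policy_violations(password: str) -> list:
    """Return the rules a candidate admin password breaks (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.isalpha() and password.islower():
        problems.append("lowercase_letters_only")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary_word")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: a stolen credential store is not a plain-text list.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AdminAccount:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


@dataclass
class AdminAuthenticator:
    accounts: dict = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        """Refuse weak passwords at enrolment, not after a brute-force run has succeeded."""
        violations = password_policy_violations(password)
        if violations:
            raise ValueError("weak admin password: " + ", ".join(violations))
        salt = os.urandom(16)
        self.accounts[username] = AdminAccount(salt, _digest(password, salt))

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        """Return 'ok', 'ip_denied', 'locked' or 'bad_credentials'."""
        if not any(ipaddress.ip_address(source_ip) in net for net in ADMIN_NETWORKS):
            return "ip_denied"           # network check runs before any credential is examined
        account = self.accounts.get(username)
        if account is None:
            _digest(password, b"\0" * 16)  # spend the same time as a real check: no username oracle
            return "bad_credentials"
        if account.locked:
            return "locked"              # a locked account rejects even the correct password
        if hmac.compare_digest(_digest(password, account.salt), account.digest):
            account.failures = 0
            return "ok"
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked = True        # an operator must unlock it out of band
            return "locked"
        return "bad_credentials"
```

Two of the FTC’s items are deliberately outside this snippet: a separate, non-advertised admin login page and periodic password rotation are deployment decisions rather than login logic. Note also that the lockout is sticky by design; an automatic unlock after a cool-down period would simply slow a brute-force tool rather than stop it.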

Pursuant to the agreement, Twitter is required to engage in a number of actions to address its security practices, most notably:

  • Identifying reasonably-foreseeable, material risks that could result in unauthorized disclosure of nonpublic consumer information or unauthorized administrative control of the Twitter system; and
  • Implementing reasonable safeguards to address the identified risks.

The agreement also includes provisions requiring Twitter to designate an employee or employees to coordinate and be accountable for the information security program. Additionally, the agreement includes provisions addressing Twitter’s use of service providers and requiring Twitter to evaluate and adjust its information security to address material changes to its business or other events that might materially impact the effectiveness of its security program. 

The FTC’s pursuit of, and subsequent agreement with, Twitter is significant because it demonstrates that the FTC’s concern regarding the protection of personal information is not limited to personal financial information and identity theft. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter is not an online merchant and does not collect financial information from its users. Nevertheless, a Twitter user’s account may contain other personally identifiable information and may contain private tweets. The FTC’s pursuit of Twitter demonstrates that the FTC is interested in holding companies to their representations regarding their security practices. The FTC’s allegations regarding Twitter’s security practices may also prove useful to companies, as the allegations signal several behaviors that the FTC considers inconsistent with reasonable security.

Heartland Payment Systems Enters into its Third Settlement Agreement Arising from 2008 Data Breach

Nearly two years after Heartland Payment Systems, Inc. (“Heartland”) experienced one of the largest customer data security breaches in history, it entered into its third settlement agreement with a card company. (In addition to its settlements with card companies, on April 30, 2010 Heartland received preliminary approval for a consumer class-action settlement that could cost it up to $2.4 million.) Having already entered into settlement agreements with Visa for up to $60 million and American Express for up to $3.6 million, Heartland announced on May 19, 2010 that it entered into a settlement agreement with MasterCard that could result in as much as $41.1 million being paid to eligible MasterCard card issuers for losses resulting from the breach.

According to the terms of the settlement, MasterCard issuers that filed timely claims for accounts that were affected by the breach will be eligible to receive a specified dollar amount at some point during the third quarter of 2010, provided that MasterCard issuing financial institutions that represent at least 80% of the claimed-upon accounts accept the settlement agreement by June 25, 2010. In addition, issuers accepting payment for the claimed-upon accounts must waive rights to any other recovery from Heartland arising from the breach.

With the dust from the breach beginning to settle, the financial damage to Heartland is becoming evident. Should the MasterCard settlement be approved, Heartland could, in total, be on the hook for well over $100 million in breach-related settlement payments. 

Robocalling. Easy. Doing it right? Maybe not so much . . .

On April 27, 2010, the Federal Trade Commission announced separate settlements with women’s clothing retailer Talbots and its telemarketer SmartReply, Inc. for violations of the Telemarketing Sales Rule (“TSR”). In two separate complaints filed in the U.S. District Courts for the District of Massachusetts (Talbots) and the Central District of California (SmartReply), the FTC alleged that the companies violated the TSR’s prerecorded message requirements in connection with seven advertising campaigns between February and July 2009. Specifically, the FTC alleged that SmartReply’s robocalls on behalf of Talbots (and J. Jill) did not allow consumers to opt out of future calls until they had listened to almost all of the prerecorded solicitation or failed to provide instructions to consumers about how to be added to the do-not-call list; did not immediately disconnect consumers that chose to opt out and instead connected them to another prerecorded advertisement before allowing them to opt out by pressing an additional prompt; and failed to notify live call recipients of their right to opt out at any time during the call.

As part of their proposed final settlements, filed concurrently with the complaints in Massachusetts and California, both Talbots and SmartReply agreed to orders that prohibit further violations of the TSR. As we previously wrote, according to regulations that became effective on September 1, 2009, this includes delivering prerecorded messages without consumers’ written authorization. In addition, the companies each are subject to a $112,000 civil penalty, although all but $49,000 of SmartReply’s penalty has been stayed due to its inability to pay. The proposed final settlements, which continue the FTC’s recent work in this area, are an important reminder to consult applicable laws and regulations before deploying new marketing strategies or technologies.

Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. and its co-founders, Richard Todd Davis and Robert J. Maynard. The settlement, which will require the identity theft protection services provider to pay $11 million to the FTC and an additional $1 million to the group of participating state attorneys general, resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. Specifically, the FTC alleged that LifeLock promised its customers complete protection against all types of identity theft, but the fraud alerts that LifeLock placed on its customers’ credit files protected only against certain forms of identity theft, which did not include medical identity theft, employment identity theft or the misuse of existing accounts – the most common form of identity theft. Moreover, the FTC alleged that even with respect to new account fraud, the type of identity theft for which fraud alerts are most effective, they do not provide absolute protection. LifeLock therefore deceived consumers by making statements like “LifeLock protects against [identity theft] ever happening to you. Guaranteed.”

In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

The FTC further alleged that LifeLock misrepresented the company’s data security practices to its customers. Among other things, LifeLock claimed that “only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis” and promised that “all stored personal data is electronically encrypted.” In reality, according to the FTC, data was not encrypted and was not shared only on a “need to know” basis. Consequently, sensitive personal information about LifeLock customers was susceptible to exploitation by those seeking access to customer information.

In addition to carrying a hefty penalty, LifeLock’s settlement with the FTC and state attorneys general prohibits the company and its co-founders from making deceptive claims, misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service,” or misrepresenting the risk of identity theft or the manner and extent to which the company’s services protect against this risk. LifeLock also agreed to implement a comprehensive information security program to protect customer information, obtain independent audits of the program every other year for the next twenty years and comply with certain record-keeping obligations. The FTC will use the settlement funds to provide refunds to LifeLock customers.

We'll Give You (and Your Friends) a Hoodie to Go Away: Class Settlement in FACTA Truncation Lawsuit Receives Preliminary Approval

On February 3, 2010, Chief Judge Gary L. Lancaster of the U.S. District Court for the Western District of Pennsylvania preliminarily approved a class action settlement between Aramark Sports, LLC and a class of approximately 5,000 customers who made credit or debit card purchases from stores at PNC Park in Pittsburgh, Pennsylvania between March 24, 2009 and April 23, 2009. If approved at a final class action fairness hearing scheduled for April 5, 2010, the proposed settlement filed in Hanlon v. Aramark Sports, LLC, No. 09-cv-465 (W.D. Pa. Feb. 3, 2010), would resolve allegations made by the plaintiffs that Aramark violated the Fair and Accurate Credit Transactions Act’s (“FACTA”) truncation requirements by electronically printing receipts that contained (a) more than the last 5 digits of the plaintiffs’ credit or debit card numbers and/or (b) the expiration date of such cards. See our posts here and here for information about cases alleging similar violations of FACTA’s truncation requirements.
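The two receipt defects alleged in Hanlon (more than the last five card digits, and the expiration date) are easy to test for automatically before a point-of-sale template ships. As an added example (not part of the original post and not Aramark’s code), the Python below scans receipt text for a full card number (a 13-19 digit run that passes the Luhn check, so that order numbers and phone numbers are not flagged), for a masked number whose visible tail is still longer than five digits, and for an MM/YY or MM/YYYY expiration date; it also shows a masking helper that refuses to keep more than five digits. The sample receipts, the “4111 1111 1111 1111” test card number and the store names are constructed for the example.

```python
"""Receipt scanner for FACTA truncation problems (example only, not Aramark's code)."""
import re

MAX_VISIBLE_DIGITS = 5   # FACTA: no more than the last 5 card digits may be printed

# Candidate full PAN: 13-19 digits, optionally separated by spaces or dashes
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Masked PAN whose visible tail is still too long, e.g. "**********111111"
_LONG_TAIL_RE = re.compile(r"[*xX#]{2,}[ -]?\d{%d,}" % (MAX_VISIBLE_DIGITS + 1))
# Expiration date printed as MM/YY or MM/YYYY
_EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check separates card numbers from other long digit runs (order or phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits; `keep` may not exceed the FACTA limit."""
    if keep > MAX_VISIBLE_DIGITS:
        raise ValueError("FACTA allows at most %d visible digits" % MAX_VISIBLE_DIGITS)
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def receipt_violations(receipt_text: str) -> list:
    """Return the truncation rules a printed receipt breaks, in a fixed order."""
    found = []
    for m in _PAN_RE.finditer(receipt_text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append("untruncated_pan")
            break
    if _LONG_TAIL_RE.search(receipt_text):
        found.append("more_than_%d_digits" % MAX_VISIBLE_DIGITS)
    if _EXPIRY_RE.search(receipt_text):
        found.append("expiration_date")
    return found


# Constructed sample receipts; the card number is a standard test value, not a real account
BAD_RECEIPT = "PNC PARK STAND 12\nVISA 4111 1111 1111 1111  EXP 09/11\nTOTAL $23.50\n"
GOOD_RECEIPT = "PNC PARK STAND 12\nVISA ************1111\nTOTAL $23.50\n"
```

Run `receipt_violations` over the rendered output of every receipt template (and, in a merchant setting, over a sample of actual printed receipts from each terminal model) rather than over the template source, since the defect in these cases is what the printer emits, not what the template author intended.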

Under the terms of the proposed settlement, each class member will be offered a settlement relief voucher good for any one of the following: (a) $50 off a purchase of $100 or more, (b) a “classy” tee shirt with a suggested retail value of up to $40 or (c) a hooded sweatshirt (“hoodie”) with a suggested retail value of approximately $55. The voucher will be redeemable at any store in PNC Park, the home of Major League Baseball’s Pittsburgh Pirates. Aramark has agreed that, if the settlement is approved, it will distribute not just those settlement relief vouchers claimed by members of the class, but a total of 4,773 vouchers – one for each electronically printed receipt alleged to have violated FACTA. To effectuate this requirement, beginning fifteen days after in-store notices to class members are removed, Aramark will distribute unclaimed vouchers to every customer who makes a purchase using a credit or debit card at PNC Park. Aramark will also be responsible for the costs of notifying class members regarding the settlement and paying class counsel’s fees of $105,000.

While coupon or voucher settlements are generally frowned upon by courts, Judge Lancaster acknowledged that such relief “appears well suited to the [FACTA] violations alleged, especially in light of the lack of actual damages.” The court’s acknowledgement lends credence to the denial of class certification in, for example, Soualian v. International Coffee & Tea LLC, No. 07-cv-502 (RGK) (C.D. Cal. June 11, 2007), on account of the damages sought being disproportionate to the actual harm suffered by the class.

Who Cares If A List of Email Addresses Gets Stolen?

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.” Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action lawsuit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.

The rejected settlement would have required Ameritrade to:

  • Post notices on its Web site warning customers about “stock touting spam”
  • Retain independent experts to conduct biannual penetration tests on its systems
  • Seed its email address databases with monitored email addresses for the purpose of detecting data compromises
  • Offer to pay for one year’s worth of a spam or virus filtering service for each of the 6 million customers whose email addresses were compromised
  • Retain an analytics specialist to perform analyses of whether the compromised data has been used to commit identity theft
  • If identity theft is detected, offer class members identity theft remediation services
  • Donate $55,000 to two anti-spam projects
  • Pay plaintiffs’ counsel $1.9M in attorney’s fees

Since these settlement terms did not satisfy the judge, the parties will reconvene at a hearing on December 10, 2009.
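The seeding term in the rejected settlement (monitored email addresses mixed into the customer database so that a compromise reveals itself when mail arrives at them) is a standard canary technique. The following is an added illustration, not Ameritrade's or the court's, of how such seeding can also attribute a leak to a particular copy of the list; the HMAC key, the canary domain and the export labels are constructed placeholders.

```python
import hmac
import hashlib
import secrets

class CanaryRegistry:
    """Seeds a contact list with monitored ('canary') addresses. Each export of
    the list gets its own canaries, so a message arriving at one of them tells
    the defender which copy leaked. Constructed example; the key and domain
    are placeholders, not values from any real deployment."""

    def __init__(self, key, domain="canary.example.com"):
        self.key = key
        self.domain = domain
        self.canaries = {}   # canary address -> label of the export it was seeded into

    def _addr(self, export_label, i):
        # Deterministic but unguessable local part: an HMAC over the export label
        # and index, so the address looks ordinary and can be regenerated from the key.
        msg = f"{export_label}:{i}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:12]
        return f"{tag}@{self.domain}"

    def seed(self, records, export_label, count=3):
        """Return a copy of `records` with `count` canary records inserted at
        random positions, and remember which export they belong to."""
        seeded = list(records)
        for i in range(count):
            addr = self._addr(export_label, i)
            self.canaries[addr] = export_label
            pos = secrets.randbelow(len(seeded) + 1)
            seeded.insert(pos, {"name": f"Customer {i}", "email": addr})
        return seeded

    def check_inbound(self, recipients):
        """Given the recipient addresses of an inbound message (e.g. spam seen by
        the monitoring mailbox), return the labels of the exports that leaked.
        An empty list means no canary was hit."""
        hits = {self.canaries[r.lower()] for r in recipients if r.lower() in self.canaries}
        return sorted(hits)

if __name__ == "__main__":
    reg = CanaryRegistry(b"placeholder-key")
    customers = [{"name": "A", "email": "a@example.org"}]   # constructed
    export = reg.seed(customers, "vendor-export-2009-10")
    canary = next(r["email"] for r in export if r["email"] in reg.canaries)
    print(reg.check_inbound([canary]))   # ['vendor-export-2009-10']
```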


The Ameritrade case has served as a reminder that companies should not ignore the importance of keeping contact information secure while focusing primarily on more sensitive information such as Social Security Numbers and financial account numbers. However, applicable laws that require companies to protect the security of individuals’ information generally do not apply to mere contact information. For that reason, it is still appropriate to classify contact information as “confidential” as long as your policies provide for reasonable protections for such information. As an example, since customer databases compile all customer contact information into one place, and are an attractive target for hackers, such databases should be afforded greater protection than individual documents that contain just one customer’s name and contact information. Similarly, when disposing of paper files containing customer contact information en masse, it would be a best practice, although not required by U.S. law, to shred such documents upon disposal.

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

In the FTC’s action against TJX, the Commission alleged that TJX failed to prevent unauthorized access to personal information on its computer networks. These failures allowed a hacker to exploit vulnerabilities and obtain tens of millions of credit and debit payment cards used at the retailer’s stores along with personal information about approximately 455,000 consumers that returned merchandise without receipts. The FTC alleged that TJX:

  • Created an unnecessary risk to personal information by storing it on and transmitting it between various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require the use of strong passwords or different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software. 

The FTC’s settlement with TJX requires the retailer to implement and maintain a comprehensive information security program that is designed to protect the security, confidentiality and integrity of personal information collected from or about consumers. The program must include certain administrative, technical and physical safeguards that are appropriate to the company’s size, the nature of its activities, and the sensitivity of the personal information it collects. In particular, TJX must:

  • Designate an employee or employees to coordinate the information security program;
  • Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
  • Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
  • Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the company; and
  • Evaluate and adjust its information security program to reflect the results of monitoring, any material changes to its operations, or other circumstances that may impact the effectiveness of its security program.

In addition, TJX must retain an independent, third party security auditor to assess the sufficiency of its information security program at least once every two years for the next 20 years. This security auditor will be required to certify that the company’s security program satisfies the requirements of the consent agreement and is operating with sufficient effectiveness to provide reasonable assurance that consumers’ personal information is being protected. The FTC is not seeking any financial penalty to resolve the charges.

The proposed agreement is subject to public comment until April 28, 2008, after which the FTC will decide whether to make it final.

First FACTA Disposal Rule FTC Settlement Leaves American United Down in the Dumps

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.

American United is the first FTC action taken pursuant to the Disposal Rule, promulgated in 2005, of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The complaint, filed in the Northern District of Illinois in mid-December, asserted that the Northbrook, Illinois-based mortgage company disposed of several dozen consumers’ personally identifying information by leaving intact hundreds of documents in a nearby unsecured dumpster, in some cases in open trash bags. Indeed, even after the FTC provided written notice to American United that disposal of documents containing consumers’ personal information in this manner created a risk of unauthorized access, "on at least two occasions, additional intact American United documents containing consumers’ personal information were found in and around the same dumpster adjacent to American United’s office."

In addition to the fine, the stipulated judgment and order requires American United to obtain an immediate third-party audit of its privacy safeguards and ongoing audits every two years for a decade. American United is also permanently enjoined from further violations of the FACTA Safeguards, Disposal, and Privacy rules.

The Disposal Rule, 16 C.F.R. 682, requires that any company collecting consumer information for a business purpose must dispose of that information in a way that prevents unauthorized access and misuse of the data. "Disposal" includes any discarding, abandonment, sale, donation or transfer of information.