first quarter developments in the ever changing landscape of privacy and data security (tues. april...
TRANSCRIPT
First Quarter Developments in the Ever Changing Landscape of Privacy andData Security(Tues. April 10, 2012)
2
First Quarter 2012 Developments: Today’s Speakers
Jana Fuchs
Gina Hough
BrandonPollak
Dan Rockey
David Zetoony
Hamburg49-40-30-33-16-0
Washington, D.C.202-508-6387
Washington, D.C.202-508-6394
San Francisco415-268-1986
Washington, D.C.202-508-6030
To submit questions that arise during the presentation which we may be able to answer at a later date, please e-mail [email protected]
3
First Quarter 2012 Developments: Outline
1. The Federal Trade Commission
2. State Attorneys General
3. Private litigation
4. Legislation
5. Europe
4
First Quarter 2012 Developments: The Federal Trade Commission
• Highlights of Q1 FTC Actions:
– Agreement for Consent Order, In re UPromise (Jan. 5, 2012)– Warning Letter, Everify Inc. (Jan. 25, 2012)– Warning Letter, InfoPay Inc. (Jan. 25, 2012)– Warning Letter, Intelligator, Inc. (Jan. 25, 2012)– FTC Report, “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing”
(Feb. 2012)– FTC Report, “Consumer Sentinel Network DataBook for January – December 2011”
(Feb. 2012)– FTC Report, “Using FACTA Remedies: An FTC Staff Report on a Survey of Identity
Theft Victims” (Mar. 2012) – FTC Report, “Protecting Consumer Privacy In an Era of Rapid Change:
Recommendations for Businesses and Policymakers (Mar. 2012)– Consent Order, US v. RockYou (N.D. Cal. Mar. 26, 2011)
• … but what does it all mean?
David ZetoonyWashington, D.C
202-508-6030David.Zetoony@bryanca
ve.com
5
First Quarter 2012 Developments: The Federal Trade Commission
• Movement in Four Key Areas:1. How to use “de-identified” data.
2. Changes to the definition of “sensitive data.”
3. Nailing down what is, and is not, “reasonable and appropriate” when it comes to data security.
4. Increased scrutiny on mobile applications.
David ZetoonyWashington, D.C
202-508-6030David.Zetoony@bryanca
ve.com
6
First Quarter 2012 Developments: The Federal Trade Commission
• Using “De-Identified Data”– Historical reasons for anonymizing or de-identifying data.– Trend toward treating anonymous or de-identified data as PII.– FTC’s current position is that data is not anonymous if it is
“reasonably linked to a person , computer, or device.”– Data is not “reasonably linked” if the following three elements are
met:1. Company takes measures to ensure that data is de-identified,
2. Company publicly commits to not try to re-identify, and
3. Company contractually prohibits downstream recipients from trying to re-identify.
– Steps for limiting liability in connection with anonymous data…
David ZetoonyWashington, D.C
202-508-6030David.Zetoony@bryanca
ve.com
7
First Quarter 2012 Developments: The Federal Trade Commission
• Changes to the Definition of “Sensitive Information”– Historically term was defined by state laws.– Trend is toward a more amorphous definition.– FTC’s current position goes beyond SSN and drivers license and
includes financial, health, child and/or geo-location information. – Likely impact of FTC’s position on litigation risk, and compliance
risks…
David ZetoonyWashington, D.C
202-508-6030David.Zetoony@bryanca
ve.com
8
First Quarter 2012 Developments: The Federal Trade Commission
• Nailing Down the Elusive “Reasonable and Appropriate” Security.– Historically, FTC has taken the position that section 5 requires all
companies to use “reasonable and appropriate” security, but has refused to define what that term means in specific terms.
– Commission has brought roughly 40 cases for inadequate security; reading between the lines reveals those practices that the Commission believes categorically evidence a lack of “reasonable and appropriate.”
– US v. RockYou, and FTC v. UPromise provide eight specific examples of what is not reasonable and appropriate.
– Strategies for limiting liability in light of the FTC’s position…
David ZetoonyWashington, D.C
202-508-6030David.Zetoony@bryanca
ve.com
9
First Quarter 2012 Developments: The Federal Trade Commission
• Increased Scrutiny on Mobile Apps.– Historically, FTC has indicated that it treats mobile market place the
same as the internet.– Developments in this quarter, show that the FTC is increasingly
scrutinizing privacy practices, and regulatory compliance practices in mobile apps.
– Takeaways:• Little doubt that the FTC will bring more and more COPPA enforcement
actions against mobile app. developers.
• Little doubt that the FTC will look for any FCRA cases.
• Almost certainly more run of the mill privacy and data security cases effecting mobile apps.
David ZetoonyWashington, D.C
202-508-6030David.Zetoony@bryanca
ve.com
10
First Quarter 2012 Developments: The Federal Trade Commission
• Some Additional Areas of FTC Attention…– Attention on deceptive and unfair practices in the context of credit
monitoring services and ID theft products.– Additional thoughts from the FTC concerning when companies can
share with sister entities, parents, and subs.
David ZetoonyWashington, D.C
202-508-6030David.Zetoony@bryanca
ve.com
11
First Quarter 2012 Developments: State AG & Other Agencies
Gina HoughWashington, D.C
202-508-6387Gina.Hough@bryancave.
com
12
First Quarter 2012 Developments: State AG & Other Agencies
• Data privacy Moves to the Top of the List for State Attorneys General– 36 State AGs question Google’s privacy changes; Failure to “opt-
out” cited– Calfornia AG agreement with Amazon, Google, Hewlett-Packard,
RIM sets stage on mobile app. Privacy– Minnesota AG goes after HIPPA Violation– Massachusetts AG pursues Property Management firm; firm pays
civil damages
Gina HoughWashington, D.C
202-508-6387Gina.Hough@bryancave.
com
13
First Quarter 2012 Developments: State AG & Other Agencies
• Cal AG Mobile App Settlement– California AG announced February 22 that reached agreement with
Amazon.com, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to strengthen privacy protections for smartphone owners who download mobile applications.
– Agreement requires:• privacy policy for mobile apps
• method for users to report violations by app developers
– Violations of privacy policies would be treated as violation of UCL (Cal’s mini-FTC Act)
Gina HoughWashington, D.C
202-508-6387Gina.Hough@bryancave.
com
14
First Quarter 2012 Developments: Private Litigation
Dan RockeySan Francisco415-268-1986
15
First Quarter 2012 Developments: Private Litigation
• Current State of Privacy Litigation– Unprecedented number of filed cases (both data breach and
unauthorized collection/use of PII)– Emergence of a dedicated privacy plaintiffs’ bar
• However– For all the activity, little tangible success for plaintiffs– Cases routinely dismissed at the pleading stage on Article III
standing or inability to meet “actual injury” element of claim – No out-of-pocket damages = No claim
Dan RockeySan Francisco415-268-1986
16
First Quarter 2012 Developments: Private Litigation
• High Profile Defense VictoriesE.g., In re iPhone Application Litigation (2011)
• Plaintiffs alleged that Apple and mobile ad networks unlawfully allowed third party apps to collect personal information without user consent or knowledge.
• Drawing on a long line of decisions, the Court dismissed all claims, finding insufficient plaintiffs’ allegations that they suffered harm in the form of a diminished value for their personal data.
But see
• “It is not obvious that Plaintiffs cannot articulate some actual or imminent injury in fact. It is just that at this point they haven’t offered a coherent and legally supported theory of what that injury might be.”
Dan RockeySan Francisco415-268-1986
17
First Quarter 2012 Developments: Private Litigation
• Is the Tide Turning?Claridge v. RockYou, Inc. (N.D. Cal. 2011)
• Defendant failed to secure user data, allowing hacker to have access to 32 million usernames and passwords
– Plaintiffs:• FTC → “Personal information is . . . Currency. The monetary value of
personal data is large and still growing . . . .”• Academic studies → social networking credentials worth up to $35 on
black market
– Court: • Plaintiff has “sufficiently alleged a general basis for harm by alleging that
the breach of his PII has caused him to lose some ascertainable but unidentified ‘value’ and/or property right inherent in the PII.’’
Dan RockeySan Francisco415-268-1986
18
First Quarter 2012 Developments: Private Litigation
• Is the Tide Turning?Fraley v. Facebook (N.D. Cal., Dec. 19, 2011)
• Plaintiffs alleged that Facebook unlawfully appropriated its user’s data through its Sponsored Stories marketing program
– Plaintiffs:• Facebook executives → trusted referrals are “Holy Grail of Marketing”
and were 2-3 times more valuable than standard Facebook ads
– Court: • Plaintiffs sufficiently alleged that their personal endorsements had
‘‘concrete, provable value in the economy at large, which can be measured by the additional profit Facebook earns from selling Sponsored Stories compared to its sale of regular advertisements.’’
Dan RockeySan Francisco415-268-1986
19
First Quarter 2012 Developments: Private Litigation
• Is the Tide Turning?Villegas v. Google (complaint filed Feb. 28, 2012)
• Plaintiffs allege that Google and Point Roll were exploiting a gap in the Safari and IE browsers to circumvent a user's cookie settings
• Asserts claims under and asserts violations of the CFAA, ECPA, Cal. Penal 502, UCL, CLRA
– Damages? • Plaintiffs allege, inter alia, that Google allowed “toxic” cookies to be
placed on their computers, requiring costly “toxic cookie clean up” costing potentially thousands of dollars (i.e., batch delete not reasonable mitigation)
Dan RockeySan Francisco415-268-1986
20
First Quarter 2012 Developments: Private Litigation
• Statutory Violation = Actual Harm?Gaos v. Google (N.D. Cal. Mar. 29, 2012)– Plaintiff alleged:
• Google allows website owners (and third parties) to see user-submitted search terms, which can be linked to user through re-identification
– Court: • Dismissed state law claims but permitted Stored Communications Act
claim to proceed
• Plaintiff does not need to allege any actual injury other than a violation of the statute: “injury required by Article III . . . can exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing.”
Dan RockeySan Francisco415-268-1986
21
First Quarter 2012 Developments: Private Litigation
• Statutory Violation = Actual Harm?Edwards v. First American (9th Cir. 2010)
• Case involves alleged kickbacks between Title Company and Title Insurance Agency
• RESPA makes violators liable for 3x any charges paid for settlement services
– Court, following Third and Sixth Circuits, held that statutory violation supplies actual injury sufficient to establish Article III standing
– SCOTUS granted review; decision expected this summer
Dan RockeySan Francisco415-268-1986
22
First Quarter 2012 Developments: Private Litigation
• Plaintiffs are beginning to crack the code. Companies should not get complacent.
• Embrace Privacy By Design, evaluating privacy impact of new initiatives at the outset
• When the inevitable breach or mishap occurs, consider response carefully with an eye to potential litigation (e.g., by offering free credit monitoring, “voluntary” notifications)
• Be careful what you say about your customer’s data – it may come back to haunt you
Dan RockeySan Francisco415-268-1986
23
First Quarter 2012 Developments: Federal Legislation
Brandon PollakWashington, D.C.
202-508-6394Brandon.Pollak@bryanca
ve.com
24
First Quarter 2012 Developments: Federal Legislation
• “The Cybersecurity Act of 2012”– On Tuesday, February 14, 2012, Senators Lieberman, Collins, Rockefeller
and Feinstein introduced S. 2105, The Cybersecurity Act of 2012.
– S. 2105 addresses several critical areas:• Title I: Critical Infrastructure• Title II: FISMA Reform• Title III: Clarifies the roles of Federal Agencies• Title IV: Workforce Development• Title V: Research and Development• Title VI: Federal Acquisition Risk Management Strategy• Title VII: Information Sharing• Title VIII: Public Awareness Reports• Title IX: International Cooperation
Brandon PollakWashington, D.C.
202-508-6394Brandon.Pollak@bryanca
ve.com
25
First Quarter 2012 Developments: Federal Legislation
• “The Cybersecurity Act of 2012”– Senate Majority Leader Harry Reid placed S. 2105 onto the Senate
Calendar and he has expressed his intention to bring the bill to the Senate Floor during the current legislative work period.
– Several Senate Republicans, led by Senators John McCain and Kay Bailey Hutchinson, have sharply criticized the legislative process that produced S. 2105.
– Eight Senate Republicans, led by Senator McCain, introduced an alternative cybersecurity bill called the SECURE IT Act (S. 2151) on March 1st.
Brandon PollakWashington, D.C.
202-508-6394Brandon.Pollak@bryanca
ve.com
26
First Quarter 2012 Developments: Federal Legislation
• The U.S. House of Representatives
– Rep. Mary Bono Mack (R-CA) and Rep. Marsha Blackburn (R-TN) introduced the House version of the SECURE IT Act (H.R. 4263) on March 27th.
– Key components of the legislation include: (1) Authorizing Information Sharing; (2) Securing Federal Networks; (3) Prosecuting Cybercrime; and (4) Prioritizing Cybersecurity Research
– The House of Representatives is still ironing out the final details of its cybersecurity package, leaders are expected to put four bills on the floor separately this work period, and then use a procedural maneuver to combine them before they are sent to the Senate.
Brandon PollakWashington, D.C.
202-508-6394Brandon.Pollak@bryanca
ve.com
27
First Quarter 2012 Developments: Federal Legislation
• White House Privacy “White Paper”
– The White House released a “white paper” proposing a policy framework for consumer privacy, Consumer Data Privacy In a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.
– Four major elements: (1) Consumer Privacy Bill of Rights; (2) Market and industry Codes of Conduct; (3) Enforcement, primarily by the FTC but also by state Attorneys General; and (4) International Cooperation, primarily between the U.S. and European countries.
– The paper suggests that Congress enact new privacy legislation.
Brandon PollakWashington, D.C.
202-508-6394Brandon.Pollak@bryanca
ve.com
28
First Quarter 2012 Developments: Federal Legislation
• FTC Privacy Report– The final privacy report expands on a preliminary staff report the
FTC issued in December 2010. The final report calls on companies handling consumer data to implement recommendations for protecting privacy, including: (1) Privacy by Design; (2) Simplified Choice for Businesses and Consumers; and (3) Greater Transparency
– FTC staff to focus on five main action items: (1) Do-Not-Track; (2) Mobile; (3) Data Brokers; (4) Large Platform Providers; (5) Promoting Enforceable Self-Regulatory Codes
– FTC recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.
Brandon PollakWashington, D.C.
202-508-6394Brandon.Pollak@bryanca
ve.com
29
First Quarter 2012 Developments: European Union
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
30
First Quarter 2012 Developments: European Union
• Revision of Data Protection Rules– In January the EU Commission published the long-awaited reform
proposal for EU data privacy rules– Existing legislation is based on an EU Directive drafted in 1995– Currently all EU member states have implemented their own
national rules based on the existing EU Directive, which are not fully harmonized
– The Commission’s reform proposal is now set out as an EU Regulation, which means it will be directly enforceable in all member states leading to a full harmonization of rules within the EU
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
31
First Quarter 2012 Developments: European Union
• Reform Proposal– Proposed changes leading to further compliance obligations are
e.g.:• Foreign Application of the Regulation
• One-Stop Shop
• Explicit Consent
• Breach Notification
• Mandatory Data Protection Official
• Higher Penalties
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
32
First Quarter 2012 Developments: European Union
• Foreign Application– EU Regulation will apply even if personal data is processed abroad– It would apply to data processing companies that are active in the
EU market (e.g. offering goods or services to EU data subjects)
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
33
First Quarter 2012 Developments: European Union
• One-Stop Shop– Only one data protection authority – the national authority of the
Member State in which the company has its main establishment - shall be responsible
– This 'one-stop-shop' for data protection will greatly simplify compliance efforts. Currently, businesses are supervised by different authorities in each Member State they are established
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
34
First Quarter 2012 Developments: European Union
• Explicit Consent– Opt-In consent is strengthened– Whenever an individual’s consent is required for its data to be
processed, such consent would have to be express (i.e., not implied)
Jana FuchsHamburg
202-508-6387Jana.Fuchs@bryancave.
com
35
First Quarter 2012 Developments: European Union
• Breach Notification – Companies would be required to notify the national supervisory
authority of serious data breaches as soon as possible (if feasible, within 24 hours)
– The individuals whose personal data could be adversely affected by the breach would also have to be notified without undue delay
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
36
First Quarter 2012 Developments: European Union
• Data Protection Official– For companies employing 250 persons or more, the Regulation
would require that they employ an internal data protection officer (DPO)
– DPO has to be sufficiently qualified and if employed is subject to termination protection
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
37
First Quarter 2012 Developments: European Union
• Penalties– For first offences, the national supervisory authorities may send a
warning letter– For serious violations supervisory authorities could impose penalties
of up to €1 million ($1.3 million) or up to 2% of the global annual turnover of a company
– For less serious offences fines could start out at €250,000 ($330,000) or up to 0.5% of the worldwide turnover
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
38
First Quarter 2012 Developments: European Union
• Next Steps – From Proposal to Regulation– The reform proposal has been passed to the European Parliament
and all EU Member States for discussion and potential amendment – Although it is difficult to estimate how long it might take the proposal
to be considered, typically proposals of this significance are considered for approx. two years before being adopted
– The Regulation will be enforceable in all Member States two years after it has been adopted
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
39
First Quarter 2012 Developments: European Union
• Reform Proposal Reactions & Reality Check– Points of discussion are e.g.:
• Conflicts resulting from foreign application of the regulation, e,g. Patriot Act
• Missing rules for the enforcement of foreign application
• Missing regulation for cloud computing, in particular for non-EU clouds
• Data transfer regulation is not part of the reform proposal
• Explicit consent requirements as obstacles to business operations
Jana FuchsHamburg
49-40-30-33-16-0Jana.Fuchs@bryancave.
com
40
First Quarter 2012 Developments: Contact Information
Jana Fuchs
Gina Hough
BrandonPollak
Dan Rockey
David Zetoony
Hamburg49-40-30-33-16-0
Washington, D.C.202-508-6387
Washington, D.C.202-508-6394
San Francisco415-268-1986
Washington, D.C.202-508-6030