
Page 1: Practical Tips for Avoiding Privacy Enforcement and Lawsuits Tips for... · 2011. 9. 7. · Actions for violations of privacy or security “promises” (e.g., statements in online

www.khlaw.com ● Washington, D.C. ● Brussels ● San Francisco ● Shanghai

Practical Tips for Avoiding Privacy Enforcement and Lawsuits

July 14, 2011

Tracy P. Marshall
Partner
Keller and Heckman LLP
1001 G Street, N.W.
Washington, DC 20001
202-434-4234
[email protected]

Sheila A. Millar
Partner
Keller and Heckman LLP
1001 G Street, N.W.
Washington, DC 20001
202-434-4143
[email protected]

Douglas J. Behr
Partner
Keller and Heckman LLP
1001 G Street, N.W.
Washington, DC 20001
202-434-4213
[email protected]

│ www.khlaw.com │ KELLER AND HECKMAN LLP Copyright © 2011

Presenters

Sheila A. Millar is a Partner at Keller and Heckman and counsels corporate and association clients on a range of consumer protection regulatory and public policy matters. Ms. Millar advises clients on privacy and security policies and programs, data breach responses, data transfers and cloud computing. She also counsels clients on privacy and regulatory compliance aspects of promotions, social media policies, website terms and online sales. Noted for her expertise on children's issues, Ms. Millar has participated in Federal Trade Commission (FTC) workshops on children's privacy and advertising literacy.

Page 2

Presenters

Tracy P. Marshall is a Partner at Keller and Heckman LLP. She assists for-profit and non-profit clients with a range of business and regulatory matters. In the Internet, privacy, and advertising areas, Ms. Marshall provides counsel on e-commerce transactions and online promotions, privacy and data security policies and programs, and data breach management.


Presenters

Douglas Behr practices civil litigation and white collar criminal defense. Mr. Behr represents businesses, trade associations, and individuals before federal and state trial and appellate courts, regulatory bodies, and licensing forums, with a concentration on Lanham Act false advertising, contract disputes, white collar crime defense, product liability, and trade regulation controversies. He also advises members of the business community on litigation avoidance.

Page 3

Preliminary Word

This presentation provides information about the law. Legal information is not the same as legal advice, which involves the application of law to an individual's specific circumstances. The interpretation and application of the law to an individual’s specific circumstances depend on many factors. This presentation is not intended to provide legal advice. The information provided in this presentation is drawn entirely from public information. The views expressed in this presentation are the authors’ alone and not those of the authors’ clients.


Upcoming Webinars

July 28 -- Toward Privacy by Design: Smart Grid and Other Technologies

Page 4

The Issues

• Privacy-related enforcement and litigation is on the rise
• Many class action suits
• Many actions based on data breaches, collection of data related to web browsing activities, unfair or deceptive acts/practices
• Major settlements have been reached
• Cases set precedents


Agenda

• Overview of Federal and State Laws
• FTC and State Enforcement
• Class Action Lawsuits
• Best Practices

Page 5

OVERVIEW OF RELEVANT LAWS


Federal Privacy Laws

• Electronic Communications Privacy Act (ECPA)
• Computer Fraud and Abuse Act (CFAA)
• Video Privacy Protection Act (VPPA)
• Gramm-Leach-Bliley Act (GLBA)
• Fair Credit Reporting Act (FCRA); Fair and Accurate Credit Transactions Act of 2003 (FACTA); FTC Red Flags Rule
• Health Insurance Portability and Accountability Act (HIPAA)
• CAN SPAM Act
• Telemarketing Laws
• Children’s Online Privacy Protection Act (COPPA)
• FTC Act

Page 6

State Statutory Claims

• Data Breach Notification
• Data Security
• Social Security Numbers
• Records Destruction
• “Mini-FTC Acts”
• State Analogues to ECPA and CFAA


State Common Law Claims

• Negligence
• Breach of Contract
• Trespass to Chattels
• Invasion of Privacy
• Unjust Enrichment

Page 7

Who Can Bring an Action

• Federal Trade Commission
• Department of Health and Human Services
• Department of Justice
• State Attorneys General
• Private Plaintiffs


Common Remedies

• Civil penalties
• Injunctive relief
• Attorney’s fees
• Training
• Implementation of programs (e.g., information security, privacy programs)
• Periodic audits

Page 8

FEDERAL AND STATE AGENCY ENFORCEMENT


FTC Overview

The Bureau of Consumer Protection, Division of Privacy and Identity Protection, enforces Section 5 of the FTC Act, FCRA, GLB Act, COPPA, CAN SPAM, Do-Not-Call, etc.

In the last 15 years, the FTC has brought
• 97 CAN SPAM cases ($5.7 million in civil penalties)
• 86 FCRA cases ($21 million in civil penalties)
• 64 Do-Not-Call cases ($60 million in civil penalties)
• 34 data security cases
• 16 COPPA cases ($6.2 million in civil penalties)
• 15 spyware (or nuisance adware) cases

Where the FTC does not have authority to seek civil penalties (e.g., for data security and spyware violations), it has sought such authority from Congress.

Page 9

FTC Act

• Section 5 governs unfair and deceptive acts/practices
• Actions for violations of privacy or security “promises” (e.g., statements in online privacy policies)
• Actions for breaches of data security under unfairness authority
• FTC enforcement activities sometimes coordinated with state Attorneys General acting under their “little FTC” acts


FTC Complaint: Ceridian Corporation, FTC Docket No. C-4325

Customers enter employees’ PI on Powerpay website to compute payroll amounts and process payroll checks and direct deposits

Claims on website: “Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements”

Contract covenants: “[Ceridian] shall use the same degree of care as it uses to protect its own confidential information of like nature, but no less than a reasonable degree of care, to maintain in confidence the confidential information of the [customer]”

Ceridian failed to provide reasonable and appropriate security for PI

Hackers initiated a SQL injection attack and exported information of at least 28,000 individuals, including bank account numbers, SSNs, and DOBs

The acts and practices constitute unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act

Page 10

Ceridian’s Failure to Provide Reasonable and Appropriate Security for PI

• Stored PI in clear, readable text
• Stored PI indefinitely without a business need
• Did not adequately assess the vulnerability of web applications and network to commonly known or reasonably foreseeable attacks, such as SQL attacks
• Did not implement readily available, free or low-cost defenses to such attacks
• Failed to employ reasonable measures to detect and prevent unauthorized access to PI
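The "readily available, free or low-cost defenses" the complaint refers to are, for SQL injection, parameterized queries. As an added illustration (not code from the presentation or from Ceridian), the following Python shows a record lookup that splices user input into the SQL text beside the parameterized form, and a retention purge so records are not kept without a business need. The table layout, the sample rows, the placeholder SSN values and the 365-day retention window are all constructed for this example; encryption of the stored fields is not shown.

```python
"""Parameterized queries and data retention, as added illustration for the
Ceridian failings above (not code from the presentation or from Ceridian).
The table, sample rows and retention period are constructed for the example."""
import sqlite3
from datetime import date, timedelta
from typing import Optional


def build_db(today: Optional[date] = None) -> sqlite3.Connection:
    """Create an in-memory table of constructed payroll records."""
    today = today or date.today()
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, last_used TEXT)"
    )
    rows = [
        # Constructed sample data; the SSN values are placeholders.
        ("Ana O'Brien", "000-00-0001", (today - timedelta(days=10)).isoformat()),
        ("Ben Smith", "000-00-0002", (today - timedelta(days=400)).isoformat()),
    ]
    conn.executemany(
        "INSERT INTO employees (name, ssn, last_used) VALUES (?, ?, ?)", rows
    )
    conn.commit()
    return conn


def find_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: user input is spliced into the SQL text,
    so the database parses whatever the caller typed as part of the query."""
    sql = f"SELECT name, ssn FROM employees WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized form: the driver passes `name` as a value, never as SQL."""
    return conn.execute(
        "SELECT name, ssn FROM employees WHERE name = ?", (name,)
    ).fetchall()


def compare_lookups(conn: sqlite3.Connection, name: str) -> dict:
    """Run both lookups on the same input and report how each behaved."""
    try:
        unsafe, unsafe_error = find_by_name_unsafe(conn, name), None
    except sqlite3.Error as exc:
        unsafe, unsafe_error = None, type(exc).__name__
    return {
        "safe": find_by_name_safe(conn, name),
        "unsafe": unsafe,
        "unsafe_error": unsafe_error,
    }


def purge_stale(conn: sqlite3.Connection, max_age_days: int = 365,
                today: Optional[date] = None) -> int:
    """Delete records not used within the retention window; returns the count."""
    today = today or date.today()
    cutoff = (today - timedelta(days=max_age_days)).isoformat()
    cur = conn.execute("DELETE FROM employees WHERE last_used < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    # An ordinary name containing an apostrophe is enough to break the unsafe query.
    print(compare_lookups(db, "Ana O'Brien"))
    print("purged:", purge_stale(db))
```

An ordinary apostrophe in a customer's name is enough to show the difference: the parameterized lookup returns the row, while the concatenated query fails because the database reads the name as part of the SQL. The same property is what lets crafted input alter the query's meaning, which is why the fix is to never build SQL from input at all rather than to filter particular characters.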


FTC Complaint: Lookout Services, Inc., FTC Docket No. C-4326

I-9 Solution web-based computer product collects and stores information from or about its customers’ employees

Statements in marketing materials: “your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access.”

Lookout failed to provide reasonable and appropriate security for PI

Weak authentication practices and web application vulnerabilities enabled a customer’s employee to gain access to PI for > 37,000 consumers

Page 11

Lookout’s Failure to Provide Reasonable and Appropriate Security for PI

Failed to establish or enforce rules sufficient to make user IDs and passwords hard to guess

Failed to require periodic changes of user credentials, e.g., every 90 days, for customers and employees with access to sensitive personal information

Failed to suspend user credentials after a number of unsuccessful login attempts

Did not adequately assess and address the vulnerability of the web application to widely-known security flaws

Allowed users to bypass authentication procedures on website when they typed in a specific URL

Failed to detect and prevent unauthorized access to computer networks, e.g., by employing an intrusion detection system and monitoring system logs

Created an unnecessary risk to PI by storing passwords used to access the I-9 database in clear text


FTC Complaint: Twitter, Inc., FTC Docket No. C-4316

Most employees authorized to exercise administrative control of the system, including the ability to reset passwords, view nonpublic tweets and nonpublic user information, and send tweets on behalf of a user

Employees entered administrative credentials into the same webpage where users logged in

Employees instructed to use personal email account for company business, and emails from Twitter employees displayed the employee’s personal email address

Twitter privacy policy: “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”

Twitter failed to prevent unauthorized control of the system

Page 12

Twitter’s Failure to Prevent Unauthorized Administrative Control of the System

Twitter failed to
• Require use of hard-to-guess administrative passwords not used for other programs, websites, or networks
• Prohibit employees from storing passwords in plain text within personal e-mail accounts
• Suspend or disable administrative passwords after a number of unsuccessful login attempts
• Provide administrative login webpage for authorized persons separate from login page for users
• Enforce periodic changes of administrative passwords
• Restrict access to administrative controls to employees whose jobs required it
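The Lookout and Twitter failings above are a checklist of basic authentication controls. As an added illustration (not code from the presentation, from Lookout or from Twitter), the following Python implements them in one small service: a password policy, salted hashing so no credential is stored in clear text, lockout after repeated failures, a separate administrative portal, and forced rotation after the 90-day interval the Lookout complaint mentions. The lockout threshold of 5, the 12-character minimum and the small deny-list are assumptions chosen for the example; the slides give no such numbers.

```python
"""Authentication controls for the failings the FTC cited against Lookout and
Twitter above. Added illustration, not code from the presentation or either
company; thresholds other than the 90-day rotation interval are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

MAX_FAILED_ATTEMPTS = 5                    # assumed lockout threshold
MAX_CREDENTIAL_AGE = timedelta(days=90)    # the 90-day interval from the Lookout complaint
MIN_PASSWORD_LENGTH = 12                   # assumed policy minimum
PBKDF2_ROUNDS = 200_000
# Constructed deny-list standing in for common or reused passwords.
DENY_LIST = {"password", "password1", "letmein", "qwerty123456"}


def days_ago(n: int) -> datetime:
    """Helper for constructing old timestamps in examples and tests."""
    return datetime.now(timezone.utc) - timedelta(days=n)


def password_is_acceptable(password: str) -> bool:
    """Reject short, deny-listed, or low-variety passwords."""
    if len(password) < MIN_PASSWORD_LENGTH or password.lower() in DENY_LIST:
        return False
    kinds = sum(
        any(test(c) for c in password)
        for test in (str.islower, str.isupper, str.isdigit)
    )
    kinds += any(not c.isalnum() for c in password)
    return kinds >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so no password is ever stored or logged in clear text."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    is_admin: bool = False
    password_set_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    def __init__(self) -> None:
        self._accounts: dict = {}

    def register(self, username: str, password: str, is_admin: bool = False,
                 now: Optional[datetime] = None) -> Account:
        if not password_is_acceptable(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        acct = Account(username, salt, digest, is_admin)
        if now is not None:
            acct.password_set_at = now
        self._accounts[username] = acct
        return acct

    def login(self, username: str, password: str, admin_portal: bool = False,
              now: Optional[datetime] = None) -> str:
        """Return 'ok', 'bad_credentials', 'locked', 'wrong_portal' or 'expired'."""
        now = now or datetime.now(timezone.utc)
        acct = self._accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # keep timing uniform for unknown users
            return "bad_credentials"
        if acct.locked:
            return "locked"
        # Administrative credentials are only accepted on the separate admin page.
        if acct.is_admin != admin_portal:
            return "wrong_portal"
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True              # suspend after repeated failures
                return "locked"
            return "bad_credentials"
        acct.failed_attempts = 0
        if now - acct.password_set_at > MAX_CREDENTIAL_AGE:
            return "expired"                    # force periodic rotation
        return "ok"
```

The Lookout complaint also faults a site that let users bypass authentication by typing a specific URL; that control lives outside this block, in the web framework, where every protected route must check the session rather than relying on the login page being the only way in. Detection of the failed-attempt pattern is the other half: the `failed_attempts` counter here is exactly the signal that should also reach the system logs and intrusion detection the complaint says were missing.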


FTC Complaint: Google, Inc., FTC File No. 102 3136

Draft Complaint and Consent Order

Gmail Privacy Policy: “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.”

Company used information collected from Gmail users to generate and populate Google Buzz social network without obtaining prior consent, in contravention of Google’s privacy policy

Google maintained a U.S.-EU Safe Harbor self-certification, but did not adhere to the Safe Harbor Principles of Notice and Choice

Page 13

Ceridian, Lookout, Twitter, and Google: FTC Consent Orders

Do not misrepresent the extent to which the company maintains and protects the privacy, confidentiality, or integrity of PI

Establish, implement, and maintain a comprehensive written information security program
• Designate employees
• Identify risks to PI
• Design and implement reasonable safeguards to control the risks
• Regularly test or monitor the effectiveness of the safeguards
• Select service providers capable of safeguarding PI and require service providers by contract to implement and maintain appropriate safeguards
• Evaluate and adjust the program as necessary

Obtain independent, third party security audits
• Set forth administrative, technical, and physical safeguards
• Explain how the safeguards are appropriate to the company’s size and complexity, nature and scope of activities, and sensitivity of PI
• Explain how the safeguards meet or exceed the protections required
• Certify that the company’s security program is effective to provide reasonable assurance that PI is protected

Ceridian, Lookout, and Google: Every 2 years for 20 years

Twitter: Every 2 years for 10 years


Additional Terms in Google Consent Order

Prior to any new/additional sharing of a user’s information with a third party that is different from practices in effect at the time the information was collected, Google must disclose:
• That the user’s information will be disclosed to one or more third parties
• Identity or specific categories of third parties
• Purpose(s) for sharing
and Google must obtain express affirmative consent to sharing

Google must not misrepresent its affiliation with the U.S.-EU Safe Harbor Framework or any other compliance program sponsored by the government or a third party

Page 14

HHS HIPAA Enforcement: Cignet

Investigation by HHS Office for Civil Rights (OCR) for HIPAA violations

Cignet denied 41 patients access to their medical records upon request, and patients filed complaints with OCR, initiating investigations

Cignet refused to respond to OCR’s demands to produce records and failed to cooperate with OCR’s investigations

OCR filed petition to enforce subpoena in U.S. District Court and obtained a default judgment; Cignet produced the records, but made no effort to resolve the complaints informally

Notice of Final Determination: $4.3 million penalty (February 2011)
• $1.3 million for violation of HIPAA Privacy Rule
• $3 million for failure to cooperate with OCR/willful neglect to comply with Privacy Rule
• Penalty is the first issued by HHS for HIPAA Privacy Rule violations


Joint HHS/FTC Enforcement: Rite Aid Corporation

Joint investigation by HHS OCR (violations of HIPAA Privacy Rule) and FTC (violations of Section 5 of the FTC Act)

Pharmacies disposed of prescriptions and labeled pill bottles containing individuals’ protected health information in trash bins accessible to the public

HHS Resolution Agreement (June 2010)
• Physical and administrative safeguards not adequately designed to appropriately and reasonably safeguard the PHI
• No training or sanctions policy for employees who failed to comply
• Each RAC entity must pay $1 million and implement a corrective action program for 3 years

FTC Complaint (November 2010)
• RAC failed to implement policies and procedures to dispose securely of PI, adequately train employees, assess compliance with its policies and procedures, and employ a reasonable process for discovering and remedying risks to PI
• RAC falsely represented that it implemented reasonable and appropriate measures to protect PI and failed to employ reasonable and appropriate security measures
• Practice is an unfair or deceptive act or practice, in violation of Section 5(a) of the FTC Act

FTC Consent Order (November 2010)
• Same terms as Ceridian and Lookout

Page 15

MA Data Breach Settlement

First enforcement of MA data security regulations

Attorney General settlement with the Briar Group, LLC over breach of credit card information for tens of thousands of consumers

Hackers accessed the Briar Group’s computer systems in April 2009 and misappropriated data; malcode not removed until December 2009

Settlement Terms
• Pay $110,000 in civil penalties
• Comply with MA data security regulations
• Comply with Payment Card Industry Data Security Standards
• Establish and maintain an enhanced network security system


IN Data Breach Settlement

Attorney General settlement with WellPoint Inc. over company’s failure to notify customers and the AG’s office “without unreasonable delay” following a data breach affecting > 32,000 residents

Applications for insurance policies containing SSNs, financial information and health records were accessible through an unsecured website for at least 137 days

WellPoint was notified in February 2010 and March 2010 that records were accessible, but did not notify customers until June 2010

Settlement Terms
• Pay $100,000 to State for Consumer Assistance Fund
• Comply with IN security breach law
• Admit the breach and failure to properly notify
• Provide up to 2 years of credit monitoring and identity theft protection services to affected consumers
• Reimburse consumers up to $50,000 for any ID theft losses due to the breach

Page 16

Responding to an Agency Action

• Similar processes for federal agencies and state Attorneys General
• Institute a litigation hold
• Open dialogue immediately
• Get the facts
• Respond promptly
• Form alliances, where appropriate and available
• Recognize failings


CLASS ACTION LAWSUITS

Page 17

Common Causes of Action

Use of cookies, flash cookies, and other technologies to track online consumer behavior
• Alleged violations of CFAA, ECPA, VPPA, state computer crime laws, state invasion of privacy laws, unjust enrichment

Data breaches
• Alleged breach of warranty, breach of contract, negligence, and violations of state security requirements


Major Class Action Settlements

Clearspring and Quantcast
• Alleged violations of CFAA, ECPA, VPPA, CA computer crime law, CA Invasion of Privacy Act, unjust enrichment
• $2.4 million
  – Paid to non-profit organizations dedicated to promoting consumer privacy awareness

Facebook Beacon
• Alleged violations of CFAA, ECPA, VPPA, CA computer crime law
• $9.5 million
  – Lawyers received about 30%
  – Remainder deposited in online privacy fund

Google Buzz
• Alleged violations of CFAA
• $8.5 million
  – Lawyers received about 30%
  – Remainder deposited in online privacy fund

Page 18

Flash Cookies: Clearspring and Quantcast

In Re Clearspring Flash Cookie Litigation, No. cv-05948; In Re Quantcast Advertising Cookie Litigation, No. cv-05484

$2.4 million settlement reached in December 2010

Class action brought against Quantcast and Clearspring and their “flash cookie affiliates” (publishers)

Companies stored flash cookies on users’ computers to collect information from and about them

In some cases, if users deleted third party cookies, the companies used information stored in flash cookies to “respawn” the information stored in the deleted cookies

Companies must refrain from using flash cookies to
• Respawn browser cookies
• Serve as an alternative to browser cookies for tracking user activities unrelated to the delivery of content through the Flash Player without adequate disclosure
• Otherwise counteract a user's decision to delete previously created HTTP cookies


La Court v. Specific Media, Inc.

Case No. cv-10-1256 (C.D. Cal. 2010)

Similar to Quantcast and Clearspring

Complaint alleged that Specific Media violated consumer privacy by using flash cookies to capture online behavioral information

Court granted Motion to Dismiss in April 2011
• Plaintiffs did not have standing to sue because they did not allege or show actual injury

Page 19

History Sniffing

Several lawsuits filed in 2010 against InterClick, McDonald’s, adult websites and others

Pitner et al. v. Midstream Media Int’l, N.V., No. 8:10-cv-01850 (C.D. Cal. Dec. 6, 2010)
• California residents filed suit against the adult website, YouPorn, alleging that the website violated cybercrime and consumer-protection laws by using technology to harvest information about what websites users had visited

Bose v. InterClick, Inc., 10 CV 9183 (S.D.N.Y.)
• Suit alleges that InterClick invaded Plaintiff's privacy, misappropriated her personal information, and interfered with the operability of her computer when using Flash cookies and history-sniffing techniques to defeat her attempts to prevent online tracking


Issues and Possible Defenses

Examine how flash cookies, and data obtained through the use of flash cookies, are used by the company and third party service providers

Confirm the data being collected, by whom and for what purpose, how it remains anonymous, whether there is any linkage with personal information, and applicable retention periods

Describe use of cookies and other technologies to collect data in the website privacy policy so that users are on notice and could be deemed to have consented based on the privacy policy

Plaintiffs must have legal standing to sue, i.e., a sufficient “injury-in-fact”

Certain laws, such as CFAA and computer trespass statutes, require damages (e.g., lost profits)
• New developing arguments, such as individuals’ property rights in their personal data, are designed to overcome this problem

No “unjust enrichment” if flash cookies are used to collect data, especially if data is not shared with third parties or used for any commercial purpose

Page 20

Dispute Resolution

Address dispute resolution in website terms and conditions
• Require arbitration of disputes
• Limit right to individual disputes/bar class actions

AT&T Mobility LLC v. Concepcion, 563 U. S. ____ (April 27, 2011)
• U.S. Supreme Court upheld AT&T’s contract clause prohibiting class-wide arbitration


Anatomy of Two Data Breaches: Epsilon and Sony

April 1, 2011 – Epsilon data breach
• Acquisition of names and email addresses for > 60 million of Epsilon business clients’ customers

April 6, 2011 – Epsilon notified consumers of breach

April 19, 2011 – Sony Playstation data breach
• Acquisition of names, email addresses, addresses, passwords, and birthdates of > 77 million consumers

April 26, 2011 – Sony notified consumers of breach

April 27, 2011 – First class action lawsuit filed against Sony

May 2, 2011 – Another data breach affecting Sony Online Entertainment
• Acquisition of names, addresses, email addresses, birth dates, passwords, and logins for > 30 million consumers

May 4, 2011 – House Subcommittee on Commerce, Manufacturing, and Trade hearing on “The Threat of Data Theft to American Consumers.”

June 2, 2011 – House Subcommittee on Commerce, Manufacturing, and Trade hearing on “Sony and Epsilon: Lessons for Data Security Legislation”

Page 21

Sony Data Breach Lawsuits

First lawsuit filed 1 day after notice of breach; dozens of lawsuits filed in U.S. federal courts

• Alleged that Sony failed to take reasonable care to protect, encrypt, and secure data and delayed breach notifications to consumers

• Claims for breach of warranty, breach of contract, negligence, and violations of state security requirements

• Seeking monetary compensation, equitable relief (replacement and/or recall of defective PlayStation consoles), attorney’s fees

• Seeking class action status

Cortorreal et al. v. Sony Corporation Inc. et al., No. 11-1369 (S.D. Cal. June 20, 2011)

• Alleged that Sony laid off several employees in network security unit just weeks before the breach and that the company protected corporate data, but not consumer data

• Alleged violations of CA Consumer Legal Remedies Act and Unfair Competition Law, ECPA, negligence, breach of contract, breach of fiduciary duty

• Seeking monetary compensation, equitable relief, credit monitoring, attorney’s fees

• Seeking class action status


Implications

• Several federal data breach notification laws introduced
• FTC supports federal law
• Major issues
  – Data security measures
  – Timing of notifications
  – Federal preemption
  – Privacy right of action

Page 22

Best Practices


FTC Guidance

A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010)
• Build in Privacy by Design
• Give consumers choice
• Be transparent about practices
• Educate consumers about privacy

Protecting Personal Information: A Guide For Business
• Take stock: Know what personal information you have in your files and on your computers
• Scale down: Keep only what you need for your business
• Lock it: Protect the information
• Pitch it: Properly dispose of what you no longer need
• Plan ahead: Create a data breach response plan

Page 23

“Know, Say, Do” Approach

Know what you do
• Know what information is collected, through what technologies, and how it is used
• Determine whether the data is personal/non-personal; linkage to personal data; necessity of the information

Say what you do
• Review and update privacy policies

Do what you say
• Periodic reviews essential to make sure that new technologies and marketing initiatives do not involve data collection or practices that violate policies


Compliance Tools

• Adopt written plans
• Build privacy and security awareness
• Use checklists
• Perform audits (internal/external)
• Review and update privacy policies
• Determine root cause, take corrective actions in response to breach
• Monitor enforcement actions, litigation to benchmark your practices
• Update your plan

Page 24

Agencies and Service Providers

Review third party’s data security practices and compare with company’s

Build requirements into contracts
• Implement and maintain appropriate privacy and security measures
• Require notification in the event of any contractor incident


Be Proactive!

Maintaining a proactive stance on privacy and security will protect your reputation and save money in the long term
• Institute a litigation hold
• Launch a factual investigation
• Arrange for experts
• Review contracts with suppliers and look for indemnification provisions
• Review insurance policies for coverage
• Anticipate costs

Page 25

www.khlaw.com ● Washington, D.C. ● Brussels ● San Francisco ● Shanghai

Questions?


Upcoming Webinars

July 28 -- Toward Privacy by Design: Smart Grid and Other Technologies

All webinars will be held from 11:00 a.m. – 12:30 p.m. ET

Page 26

www.khlaw.com ● Washington, D.C. ● Brussels ● San Francisco ● Shanghai

Thank you!

Tracy P. Marshall
Partner
Keller and Heckman LLP
1001 G Street, N.W.
Washington, DC 20001
202-434-4234
[email protected]

Sheila A. Millar
Partner
Keller and Heckman LLP
1001 G Street, N.W.
Washington, DC 20001
202-434-4143
[email protected]

Douglas J. Behr
Partner
Keller and Heckman LLP
1001 G Street, N.W.
Washington, DC 20001
202-434-4213
[email protected]
