ABA Antitrust Section’s Privacy and Information Security Committee: Brown Bag Lunch – February 13, 2007
Jeffrey D. Neuburger
Kristen J. Mathews

Agenda
• New Federal Laws
• New State Laws
• Litigation
• Enforcement
• Newly Introduced Bills – State
• Newly Introduced Bills – Federal
• Other Noteworthy Issues
• Spyware, Adware & Malware

New Federal Laws

Federal Telephone Pretexting Bill Finally Signed Into Law
• The Telephone Records and Privacy Protection Act of 2006 (1/12/2007)
• The Act prohibits:
  – Using false or fraudulent means to obtain (or attempt to obtain) confidential phone records information;
  – Selling or transferring (or attempting to sell or transfer) confidential phone records information of a covered entity without the prior authorization of the customer to whom such information relates; and
  – Purchasing or receiving (or attempting to purchase or receive) confidential phone records information of a covered entity without prior authorization from the customer to whom such information relates.
• It also exempts covered entities from such restrictions to the extent authorized by the Communications Act of 1934 (e.g., for billing, protection of property rights, or for emergency purposes).
• Violators face fines, imprisonment (of up to 10 years), or both.

New State Laws

Michigan Signs Into Law Two Bills Regarding the Privacy of Medical Records
• Michigan Governor Jennifer Granholm signed into law the following two bills:
  – S.B. 465: requires medical/health providers to retain records for at least seven years, and sets up a system for the disposal of such records thereafter.
  – S.B. 468: amends Michigan’s Freedom of Information Act to exempt from disclosure “protected health information,” as defined by HIPAA.

Michigan Legislature Enacts Breach Notification Law
• On January 3, 2007, Michigan Gov. Jennifer M. Granholm (D) signed into law a security breach notification bill (S.B. 309). Effective Date: July 2, 2007.
• The law amends Michigan’s Identity Theft Protection Act, and requires businesses and government agencies to notify state residents of data breaches involving their unencrypted computerized personal information (or, if their encrypted information was subject to unauthorized access along with its encryption key).
• Notification is required only if “the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents…”
• Notice is required to consumer reporting agencies if notice is required to be provided to more than 1,000 residents.
• Failure to properly notify consumers of a security breach can result in a fine of up to $750,000.
• The law also includes data disposal requirements, which require covered entities to completely destroy records containing personal information, in either paper or electronic form, when they are disposed of, to ensure that they “cannot be read, deciphered, or reconstructed through generally available means.”

New Breach Notice Laws Take Effect
• Arizona (Az. Rev. Stat. § 44-7501) – Effective 1/1/2007
• Hawaii (SB 2290) – Effective 1/1/2007
• New Hampshire (N.H. Rev. Stat. Ann. § 359-C:1-21) – Effective 1/1/2007
• Utah (S.B. 69) – Effective 1/1/2007
• Vermont (V.S.A. § 2430 et seq.) – Effective 1/1/2007
• Maine (Me. Rev. Stat. Ann. tit. 10 §§ 1346-1349) – Revisions Effective 1/31/2007
  – Note: Revisions include a new requirement for covered entities to notify their particular state regulator, or if none, the Attorney General, in the event of a data breach.

Credit Freeze Laws Take Effect in 26 States as 2007 Begins
• A number of states will begin to implement credit freeze laws.
• The laws vary from state to state, but the common premise is to allow consumers to block access to, or place a security freeze on, their consumer credit reports.
• The length of the freeze also varies from state to state, as does the fee charged to consumers, if any, to implement the freeze.
• Some states require the credit reporting agency to provide the consumer with a password or identification number, which the consumer then uses to authorize the release of his or her credit information.
• Among the states whose laws took effect in January are: Pennsylvania (S.B. 180), Rhode Island (H.B. 7148), Oklahoma (S.B. 1748), Hawaii (H.B. 1871), New Hampshire (S.B. 334), Illinois (S.B. 2310), Kansas (S.B. 196), and Wisconsin (A.B. 912).

Indiana’s New Junk Fax Law Takes Effect
• The new Indiana “do not fax” law became effective on January 1, 2007. The law is similar to laws already in effect in 21 other states, and prohibits unsolicited advertising faxes (unless the sender has a pre-existing or prior business relationship with the recipient). Recipients of such faxes can file a complaint with the Consumer Protection/Telephone Privacy Division of the Indiana Attorney General’s office.
• Under the Indiana law, a violation of the federal TCPA constitutes a deceptive act under the new state law.
• Excluded from the new law are noncommercial faxes, which include religious and political messages.
• The penalty for violating this law is to be determined on a case-by-case basis, and can range from $500 for an initial violation up to $1,500 for an “egregious” violation.

Litigation

Fed. Ct. Finds that Law Requiring Posting of Contractors’ Kids’ Names on Web Does Not Pass Constitutional Muster
• On January 9, 2007, the U.S. District Court for the District of Connecticut held that parents have a constitutionally protected privacy interest in their children’s names and other personal info that would prohibit, under most circumstances, a state from openly posting that information to the Web (Securities Indus. and Fin. Mkts. Ass’n v. Garfield, D. Conn., No. 3:06cv2005, 1/9/07). Pursuant to a Conn. election reform statute (Conn. Gen. Stat. § 9-333a et seq.), the state elections commission was required to compile a list of individuals to whom the statute applied, which included the dependent children of state contractors’ highest-ranking officers. The list was then posted on the state’s website, with no limitations on access.
• The court held that the Fourth Amendment of the U.S. Constitution protects a parent’s privacy interest in a dependent child’s identifying information, and concluded that the publishing of the children’s names on the state’s website is not necessary to further the state’s legitimate interests. The court found that posting the names to the Internet did not serve any real purpose. The court said that a more limited distribution, or even a password-protected site, might cure the overbreadth issue without compromising the statute’s goals.
• The court’s conclusions are consistent with the U.S. Supreme Court’s reasoning in Whalen v. Roe, 429 U.S. 589 (1977), in which the Court held that Fourth Amendment privacy protection extends to the interest in avoiding disclosure of personal matters.
• The court also found persuasive the Federal Trade Commission’s Children’s Online Privacy Protection rule and the Freedom of Information Act, both of which support a parent’s right to choose how their children’s information will be disclosed to third parties.

Enforcement

Internet Marketer Settles with FTC Over Charges of Violations of CAN-SPAM and the FTC’s Adult Labeling Rule
• On January 30, 2007, the FTC announced a settlement with TJ Web Productions, an Internet marketer, under which TJ Web will pay a $465,000 penalty and face a permanent injunction from further violation of the FTC’s Adult Labeling Rule and the CAN-SPAM Act. (United States v. TJ Web Prods. LLC, D. Nev., No. CV-S-05-0882-RLH-GWF, 12/2/06).
• Defendant allegedly violated the FTC’s Rule and the CAN-SPAM Act, which both require commercial e-mailers of sexually-explicit materials to:
  – Use the phrase “SEXUALLY EXPLICIT” in the subject line;
  – Ensure that the initially viewable area of the message does not contain graphic sexual images;
  – For unsolicited commercial e-mail, include an opt-out provision for consumers who do not want to receive future e-mail; and
  – Provide a postal address for senders of such messages.
• According to the FTC, TJ Web did not send the illegal e-mails directly to consumers, but instead sent them through an “affiliate marketing” program using third-party e-mail service providers to send the messages on its behalf.

Newly Introduced Bills – State

New Breach Notice Legislation
• New breach notification laws were introduced in a host of states, including:
  – Oregon
  – Wyoming
  – South Carolina
  – Alaska
  – Virginia
  – Massachusetts
• Montana – considering a bill that would expand its current breach notice law (which applies to businesses) to include notification obligations applicable to the public sector.

Oregon Breach Notice Bill Also Requires Registry of Businesses With Personal Data
• On Jan. 10, a breach notice bill was introduced into the Oregon House of Representatives (H.B. 2442). The new law would require covered entities that maintain computerized data systems containing personal information to establish a security system to safeguard the personal information using various prescribed measures (including, e.g., antivirus software; firewall configurations that protect data within a corporation’s network from outside access; and access restrictions to individuals within the organization).
• This bill also charges the state Department of Consumer and Business Services with establishing a registry “of all businesses that own, possess or use personal information.”
• The bill’s definition of “personal information” includes dates of birth and passport numbers in its list of data elements.
• Under this bill, an individual can make a written request for a copy of all personal information about them maintained by an entity in the registry, which must be honored regardless of whether the covered entity has faced a data breach.
• This bill also contains new criminal penalties for the misuse of personal information.

New Credit Freeze Legislation
• Many states have introduced credit freeze legislation, including:
  – Montana
  – Alaska
  – Indiana
  – Tennessee
  – Wyoming
  – South Carolina
  – Virginia
  – District of Columbia (passed, awaiting approval by Congress)
  – Michigan
  – Massachusetts
  – Arizona
  – Georgia
  – North Dakota
  – Maryland
  – Mississippi
  – Nebraska

Bills to Ban E-Mail Harvesting and Unauthorized Spyware Distribution are Introduced in New York
• On Jan. 3, 2007, two bills were introduced on the first day of the New York Legislature’s 2007-2008 session, which seek to limit the unauthorized use of personal information and regulate spyware.
• (1) The first bill (A.216) aims to prohibit the sale, lease, or exchange of a person’s e-mail address or other personal identifying information without consent.
  – This bill would require that those intending to use an individual’s personal information, including their e-mail address, Social Security number, address, date of birth and mother’s maiden name, must provide a “clear and conspicuous notice” of the collection and provide the individual with the opportunity to opt out of the use of their personal information.
  – AG Enforcement: The AG would be authorized to seek a court-ordered injunction against the prohibited activity and seek a civil penalty of not more than $1,000 per violation.
• (2) The second bill (A.340) seeks to criminalize the dissemination of spyware without prior authorization.
  – This bill defines spyware as “an executable computer program, including but not limited to a keylogging program, that employs a computer user’s Internet connection without the computer user’s knowledge or explicit authorization and such computer program gathers and transmits personal information or data of a computer user.”
  – This bill would classify the unlawful dissemination of spyware as a Class A misdemeanor (but, if the person convicted is a previous offender of the same crime within the last five years, then the crime would become a Class E felony).

Other States Introduce Spyware Bills
• Legislation aimed at prohibiting the use of spyware was also introduced in:
  – Mississippi
  – Massachusetts

States Focus on Privacy: Virginia Governor Proposes “Do Not Sell” List; NY & SC Propose “Do Not E-mail” Lists
• Virginia’s Governor, Tim Kaine, is proposing a “Do Not Sell” List initiative which, similar in concept to a “Do Not Call” List, would block companies or agencies from selling personal information about those who put their names on the list. This new initiative would make people aware that their information may be sold, and would give them the option of whether or not to participate. Kaine has assembled a panel to study the idea, which should report back to him by the end of the year. Additionally, the VA governor is directing his own administration to monitor how it protects private, sensitive information, and to test the success of its existing security standards.
• Proposed legislation in New York (A 2520) and South Carolina (H 3280) would enable individuals to prevent unwanted commercial e-mails and other communications. NY’s bill would create a “do not mail/e-mail” registry applicable to all entities doing business in NY. (Note: The NY bill would also apply to postal mail.) The SC bill would require e-mail service providers to create a database of “no e-mail” residential subscribers.
Maine Rejects the Real ID Act of 2005
• On January 25, Maine became the first state to officially decline to comply with the federal Real ID Act of 2005.
• The Real ID Act requires states to replace their driver’s licenses by a May 2008 deadline with forgery-proof scannable cards embedded with certain private information, which would be stored in a nationwide database accessible by federal, state and local government employees. The private information subject to such storage would include: Social Security numbers, birth dates, photo identification, residency information, and a biometric identifier (such as a fingerprint).
• Other states have similarly balked at the program (e.g., NH), but Maine is the first to officially announce that it will not participate. Since Maine passed its resolution, Georgia, Massachusetts, New Mexico, Vermont and Washington are reportedly aiming to also pass laws or adopt resolutions by which they will similarly refuse to participate.

Other Privacy-Related State Legislative Activity
• Arkansas: The new AG announced a “legislative package” focusing on consumer protection which targets, in particular, ID theft (including increased criminal penalties for ID theft).
• New Hampshire: Considering a “privacy amendment” to the State constitution (which would include, for example, a measure excluding NH from complying with the federal Real ID Act, a ban on “pretexting,” and a right for consumers to opt out of cell phone directories).
• Georgia: The Georgia Senate is considering a bill (SB 24) that would make “phishing” illegal.

Newly Introduced Bills – Federal

New Federal Legislation: Bills to Extend No-Call to Political Messages and Ban Caller Identification Spoofing Introduced
• On Jan. 5, 2007, two federal bills were introduced in the House which would expand the scope of the “do-not-call” registry to restrict recorded political telephone calls and ban the disguising of caller identification.
• The “Robo Calls Off Phones (Robo COP) Act” (H.R. 248), introduced by Rep. Virginia Foxx (R-N.C.), would prohibit “politically oriented” recorded messages to individuals who have registered their phone numbers on the DNC registry maintained by the Federal Trade Commission.
  – This bill defines politically oriented messages as those “whose purpose is to promote, advertise, campaign, or solicit donations, for or against any political candidate or regarding any political issue, or uses in the recorded message any political candidate’s name.”
  – H.R. 248 would direct the FTC to amend the do-not-call registry provisions of the Telemarketing Sales Rule (TSR) to include these types of messages (despite an existing exemption for non-profit organizations, which includes most political groups) within 180 days of enactment.
• The “Truth in Caller ID Act” (H.R. 251) seeks to prohibit callers from altering or disguising their telephone numbers to prevent their proper identification on caller ID devices (also known as “caller-ID spoofing”).
  – H.R. 251 would amend the federal Communications Act to make it illegal for individuals to transmit misleading or inaccurate caller ID information.

Legislation of the 110th Congress: S. 239 – Notification of Risk to Personal Data Act of 2007
• Re-introduced by Senator Feinstein (D-Calif.) on 1/10/07.
• Would require federal agencies and business entities engaged in interstate commerce, who use, access, transmit, store, dispose of or collect sensitive personally identifiable information, to notify individuals of a security breach involving their personal data.
  – Required to notify the owner or licensee of the information following discovery of a security breach.
  – Relieved of the obligation if notice is provided by some other third party.
• Notification must be made without unreasonable delay to:
  – Individuals, in writing, by telephone, or by e-mail (with consent);
  – Consumer reporting agencies, if the number of affected individuals exceeds 1,000;
  – Media, if the number of residents affected exceeds 5,000;
  – U.S. Secret Service, if the number of affected individuals exceeds 10,000.
• Notifications must include a description of the categories of sensitive information compromised, as well as a toll-free number to contact the agency or business entity and credit agencies.

Legislation of the 110th Congress: S. 239 – Notification of Risk to Personal Data Act of 2007 (cont.)
• Exemptions to Notification Requirements
  – Must certify, in writing, that notification would damage national security or hinder a law enforcement investigation.
• Safe Harbor
  – Risk assessment concludes there is no significant risk of harm to individuals as a result of the breach.
  – If notice of the risk assessment decision is given to the Secret Service in writing and the Secret Service does not indicate within 10 days thereafter that notice should be given.
• Financial Fraud Prevention Exemption
  – Utilization of or participation in a security program designed to block use of personally identifiable information to initiate unauthorized financial transactions before they are charged to the individual’s account.
  – Security program that provides for notice to affected individuals after a security breach results in fraud or unauthorized transactions.
• Enforcement by the Attorney General (state attorneys general could bring civil actions to enforce the law).

Legislation of the 110th Congress: S. 238 – Social Security Number Misuse Prevention Act
• Also re-introduced by Senator Feinstein on 1/10/07.
• Amends 18 U.S.C. 47 to limit the misuse of Social Security numbers, to establish criminal penalties for such misuse, and for other purposes.
• Prohibits the sale, display or purchase of an individual’s Social Security number without consent.
  – Prohibition applicable to checks issued for payment by government agencies.
  – Individuals must be informed of the general purpose for use.
  – Express consent must be received from the individual in writing or electronically.
• Also prohibits federal, state and local government agencies from displaying SSNs on public records posted on the Internet or otherwise publicly available on electronic media.
• Places limitations on when a business can ask customers for SSNs.

Legislation of the 110th Congress: S. 238 – Social Security Number Misuse Prevention Act (cont.)
• Public Records Exception
  – No retroactivity for government public records on the Internet or in electronic form before enactment.
  – No exception for Social Security numbers harvested from other public records.
• Enforcement
  – Concurrent enforcement by FTC and FCC.
  – Private right of action for providers to recover actual monetary loss or $11,000 per violation.
  – Private right of action for consumers for injuries, with damages up to $11,000 per violation.
  – Treble damages for willful and knowing violations.
• Enforcement by the Attorney General
  – Provides civil penalties up to $50,000.
  – Establishes criminal penalties under the Social Security Act.

Legislation of the 110th Congress: H.R. 220 – Identity Theft Prevention Act of 2007
• Introduced by Representative Paul on 1/4/07.
• Amends Title II of the Social Security Act to protect the integrity and confidentiality of Social Security account numbers.
  – Prohibits the Social Security Administration from divulging the social security number of any individual to any agency or individual.
  – Prohibits government-wide uniform identifying numbers and government-established identifiers.
• Exceptions
  – Use of the Social Security number as an identifying number pursuant to section 6109(d) of the Internal Revenue Code of 1986 (relating to use of the Social Security number for social security and related purposes).

Other Noteworthy Issues

TJX Data Security Breach: May Be Biggest Yet In U.S.
• Tens of millions of credit and debit cards may have been among the private information compromised by a computer security breach at the retailer that operates T.J. Maxx and Marshall’s stores (and other stores), in what could become the biggest case of stolen consumer data in the United States.
• TJX announced the breach to the public on January 17, 2007, but reportedly discovered the breach in “mid-December 2006” (if not earlier than that, as some report).
• The number of affected accounts, which belong to all major credit card companies, could exceed 40 million, which would make it the largest breach of its kind in the U.S., bigger than that which occurred in 2005 at CardSystems Solutions (the largest breach to date).
• The unauthorized intrusion into TJX’s computer systems could go back at least four years (including credit card transactions made in 2003) and may have occurred in a series of waves involving computer hacking into checkout terminals and unencrypted information left on computers.
• The information compromised may have included credit and debit card information, and other customer information, including driver’s licenses and checking accounts linked to transactions for returned merchandise.
• Fifth Third Bank of Cincinnati has been identified as the sponsoring bank that handled TJX’s accounts, which makes it responsible for ensuring that the retailer met the industry’s security standards (i.e., PCI DSS).

TJX Security Breach Class Action Suits Filed
• Class action lawsuits have been filed, both by consumers and financial institutions.
• Class Action Lawsuit – Consumers
  – January 29, 2007: Filed by consumers in the US District Court in Boston.
  – Cause of Action: Negligence (for failing to maintain adequate security of customer credit/debit card data, and for not disclosing the breach for over a month).
  – The plaintiff class is seeking credit monitoring services, and any other damages that affected individuals may incur.
  – NOTE: In these types of lawsuits, courts have typically not found in favor of plaintiffs unless there is actual damage and injury.
• Class Action Lawsuit – Financial Institutions
  – January 29, 2007: Another class action lawsuit was filed in the U.S. District Court in Boston, by AmeriFirst Bank of Union Springs, Alabama. AmeriFirst’s lawyers reportedly estimate that thousands of financial institutions will join the suit.
  – Names as defendants TJX, as well as Fifth Third Bank of Ohio (the company that processed debit and credit transactions for TJX).
  – Cause of Action: Negligence (for failing to adequately safeguard the private information it possessed, and also for delaying the notification of the breach), breach of contract, and alleged violations of the Gramm-Leach-Bliley Act.
  – Plaintiffs are seeking to recover the costs of replacing compromised cards, as well as the costs of dealing with fraudulent charges made with the compromised cards.

Visa Offers Banks New Financial Incentives for PCI Compliance, But Also Threatens New Fines
• In December of 2006, as the credit card industry continues to struggle with the PCI Data Security Standard, Visa USA announced that it would commit $20 million to offer financial incentives to banks that process credit card transactions, if they can demonstrate that the merchants for whom they process such transactions are in compliance with the Payment Card Industry Data Security Standard (PCI DSS).
• The incentives include financial payments for banks that validate PCI DSS merchant compliance:
  – Eligibility for such payments rests on whether the bank has been involved in a data breach.
  – Banks also have to comply with certain PIN security standards to be eligible for the financial payments.
  – Those banks that validate full PCI DSS compliance by merchants by March 31, 2007, may receive a one-time payment for each compliant merchant.
  – Those banks that validate compliance of merchants from March 31, 2007, through August 31, 2007, may receive a one-time reduced payment for each compliant merchant.
• Also under this new program, Visa will impose new fines on banks that fail to confirm merchants’ compliance, as well as for the occurrence of any data breach involving merchants for whom they process transactions.

Pretexting: Feds Charge Investigator in HP Spying Scandal
• Brian Wagner, a private investigator, was charged in federal court with federal identity theft and conspiracy charges in connection with the Hewlett-Packard boardroom spying scandal, whereby he allegedly accessed a reporter’s private phone records over the Internet. According to the prosecutors’ filings, he is accused of using a journalist’s SSN to register a fake account with a telephone company and illegally access his phone logs. He also allegedly conspired to illegally obtain and transmit personal information about HP board directors, employees and journalists to discover news leaks about company matters.
• Many of the other individuals involved in and charged in connection with the scandal (including HP’s ethics chief and two other investigators) have pled not guilty (People v. Dunn, Cal. Super. Ct., No. 06-1027481, 1/29/07). On January 29, 2007, it was reported that the judge in the state action dropped the state charges against Wagner due to his guilty plea in connection with the federal charges.
• In December of 2006, in connection with the HP scandal, HP reached a $14.5 million settlement with California’s AG, which funds will be used to establish a “Privacy and Piracy Fund” for law enforcement activities related to privacy and intellectual property rights.

Pretexting: FCC Rules Protecting Personal Phone Records Expected Soon
• The Federal Communications Commission is expected (any day now) to issue new rules that will protect personal phone records from unauthorized disclosure.
• The FCC rules include requirements applicable to land-line and wireless phone carriers to, among other things:
  – Require that customers use a password to immediately obtain their calling records from a representative by phone. Customers could also obtain their records without a password by asking phone companies to send the information to their home addresses, or by having a phone company representative call them back at their home or cell phone number of record.
  – Require that customers trying to obtain their records online also use a password.

Department of Defense Settles with NYCLU and Agrees to Change its Student Recruiting Practices
• On January 9, 2007, the Department of Defense agreed to settle a lawsuit brought against it by the NYCLU, under which it agreed to change its military recruitment efforts to better protect the privacy of about 30 million names currently in its database (Hanson et al. v. Rumsfeld et al., S.D.N.Y., filed April 24, 2006).
• The NYCLU filed the lawsuit after the DoD’s “Joint Advertising and Market Research Studies” (JAMRS) military recruitment program began collecting, maintaining and distributing the personal and private information of millions of high school students in a database.
• Currently, the database contains information on high school students aged 16-18, and contains information such as Social Security Numbers, gender and race. The information is stored by the DoD for 5 years, and is being shared with law enforcement and other agencies.
• Under the settlement, the government agreed that:
  – It will no longer disseminate student information to law enforcement, intelligence and other agencies, and will stop collecting student Social Security numbers;
  – It will limit to 3 years (from the current 5 years) the amount of time it retains the student information; and
  – It will clarify procedures by which students can block the military from entering information about them in the database (i.e., the students will have an opportunity to “opt out” of participating in the database).

N.J. Court Recognizes State Right of Privacy in ISP Subscriber Information
• State v. Reid, No. A-3424-05T5 (N.J. Super. Ct. App. Div. Jan. 22, 2007)
• On January 22, 2007, a New Jersey appellate court upheld the suppression of evidence obtained by a local police department via a subpoena issued by a municipal court to the defendant’s Internet Service Provider (Comcast).
• The court held that a computer user whose screen name hid her identity had a “legitimate and substantial interest in anonymity.”
• All federal courts that have adjudicated this issue have held that Internet subscribers have no right of privacy under the Fourth Amendment with respect to identifying information on file with their ISPs. However, according to the N.J. court, “the right to privacy of New Jersey citizens under our State Constitution has been expanded to areas not afforded such protection under the Fourth Amendment.”
• NJ law enforcement officers will need to obtain valid subpoenas or search warrants to obtain such information.

Additional Miscellaneous Items
• In late December 2006, Bush signed into law a VA breach notice law, the “Veterans Benefits, Health Care, and Information Technology Act of 2006” (S. 3421), imposing various breach notification obligations onto the VA.
• Also in late December 2006, on the same day that Bush signed the VA breach notice law, Bush signed the U.S. SAFE WEB Act, which authorizes the FTC to share information with foreign agencies that treat consumer fraud and deception as a criminal law enforcement issue, and which expands the FTC’s powers with respect to investigating and taking action against Internet fraud and deception.
• The Postal Accountability and Enhancement Act (H.R. 6407) and President Bush’s accompanying signing statement in late December 2006 prompted a group of concerned bipartisan Senators to seek, on January 10, 2007, a resolution reaffirming that the privacy of the U.S. mail will be protected.
• On January 29, 2007, a case was filed in the US District Court in Concord, N.H., in an effort to challenge a NH law (HB 1346) that bans the commercial use of information on what drugs physicians prescribe. (Some states, including California, have already considered and rejected such laws.)
• The Federal Agency Data Privacy Protection Act (H.R. 516), which was introduced in the U.S. House of Representatives this month, would require the Federal government to (among other security measures) encrypt all sensitive data that it maintains.
• The Federal Agency Data Mining Reporting Act (S. 236), which was introduced into the U.S. Senate this month, would require (among other things) federal agencies and departments to report to Congress all data mining activities.

Spyware, Adware & Malware

Sony BMG Settles FTC Charges
• According to an FTC press release, on January 30, 2007, Sony BMG Music Entertainment agreed to settle FTC charges that it violated federal law when it sold CDs without notifying consumers that the CDs contained certain DRM software that “secretly” installed itself onto consumers’ computers, thereby “[exposing] consumers to significant security risks and was unreasonably difficult to uninstall.”
• The FTC stated that hiding the software from consumers and failing to provide a practicable means to uninstall the software constituted unfair trade practices, in violation of federal law.
• The settlement agreement includes (among other things) requirements that Sony BMG:
  – Clearly disclose the limitations on consumers’ use of the music CDs;
  – Not use the software to collect information for marketing;
  – Not install software without consumer consent;
  – Provide a reasonable means of uninstalling the software;
  – Allow consumers to exchange the CDs through June 31, 2007; and
  – Reimburse consumers for up to $150 to repair damage to their computers caused by the attempted uninstallation of the software.
• The FTC settlement comes on the heels of Sony BMG’s $4+ million settlement with 40 U.S. states, as well as its separate settlements with both California and Texas.

NY AG Settles with Priceline, Travelocity and Cingular
• The January 29, 2007 settlements stemmed from the NY AG’s recent investigations into the activities of DirectRevenue, LLC, which allegedly “installed adware programs onto millions of computers worldwide to deliver advertisements, monitor Web sites and collect data typed into web forms.” (Priceline, Travelocity and Cingular had all used the services of DirectRevenue, LLC.)
• The adware programs were allegedly installed onto consumers’ computers without adequate notice, and were difficult for consumers to remove and uninstall.
• Priceline and Cingular both settled for $35,000, and Travelocity settled for $30,000.
• Priceline, Travelocity and Cingular agreed to:
  – Fully disclose to consumers the name of the applicable adware program and bundled software;
  – Brand each advertisement with a prominent and easily identifiable brand name or icon;
  – Fully describe the adware and obtain consumer consent to both download and run the adware;
  – Make it practicable for consumers to remove the adware from their computers;
  – Obtain consent to continue serving ads to legacy users;
  – Require their affiliates to meet all of these same requirements; and
  – Conduct due diligence when engaging adware providers (both prior to contracting with a company to deliver their ads and quarterly thereafter).

Thank You!
Jeffrey D. Neuburger, jneuburger@thelen.com, (212) 603-2196
Kristen J. Mathews, kmathews@thelen.com, (212) 603-6587

Confidential