February 2007 Privacy Update

ABA Antitrust Section’s Privacy and Information Security Committee: Brown Bag Lunch – February 13, 2007
Jeffrey D. Neuburger
Kristen J. Mathews
Agenda
• New Federal Laws
• New State Laws
• Litigation
• Enforcement
• Newly Introduced Bills – State
• Newly Introduced Bills – Federal
• Other Noteworthy Issues
• Spyware, Adware & Malware
New Federal Laws
Federal Telephone Pretexting Bill Finally Signed Into Law
• The Telephone Records and Privacy Protection Act of 2006 (1/12/2007)
• The Act prohibits:
  – Using false or fraudulent means to obtain (or attempt to obtain) confidential phone records information;
  – Selling or transferring (or attempting to sell or transfer) confidential phone records information of a covered entity without the prior authorization of the customer to whom such information relates; and
  – Purchasing or receiving (or attempting to purchase or receive) confidential phone records information of a covered entity without prior authorization from the customer to whom such information relates.
• It also exempts covered entities from such restrictions to the extent authorized by the Communications Act of 1934 (e.g., for billing, protection of property rights, or for emergency purposes).
• Violators face fines, imprisonment (of up to 10 years), or both.
New State Laws
Michigan Signs Into Law Two Bills Regarding the Privacy of Medical Records
• Michigan Governor Jennifer Granholm signed into law the following two bills:
  – S.B. 465: requires medical/health providers to retain records for at least seven years, and sets up a system for the disposal of such records thereafter.
  – S.B. 468: amends Michigan’s Freedom of Information Act to exempt from disclosure “protected health information,” as defined by HIPAA.
Michigan Legislature Enacts Breach Notification Law
• On January 3, 2007, Michigan Gov. Jennifer M. Granholm (D) signed into law a security breach notification bill (S.B. 309).
  – Effective Date: July 2, 2007.
  – The law amends Michigan’s Identity Theft Protection Act, and requires businesses and government agencies to notify state residents of data breaches involving their unencrypted computerized personal information (or, if their encrypted information was subject to unauthorized access along with its encryption key).
  – Notification is required only if “the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents…”
  – Notice is required to consumer reporting agencies if notice is required to be provided to more than 1,000 residents.
  – Failure to properly notify consumers of a security breach can result in a fine of up to $750,000.
  – The law also includes data disposal requirements, which require covered entities to completely destroy records containing personal information, in either paper or electronic form, when they are disposed of, to ensure that they “cannot be read, deciphered, or reconstructed through generally available means.”
New Breach Notice Laws Take Effect
• Arizona (Az. Rev. Stat. § 44-7501) – Effective 1/1/2007
• Hawaii (SB 2290) – Effective 1/1/2007
• New Hampshire (N.H. Rev. Stat. Ann. § 359-C:1-21) – Effective 1/1/2007
• Utah (S.B. 69) – Effective 1/1/2007
• Vermont (V.S.A. § 2430 et seq.) – Effective 1/1/2007
• Maine (Me. Rev. Stat. Ann. tit. 10 §§ 1346-1349) – Revisions Effective 1/31/2007
  – Note: Revisions include a new requirement for covered entities to notify their particular state regulator, or if none, the Attorney General, in the event of a data breach.
Credit Freeze Laws Take Effect in 26 States as 2007 Begins
• A number of states will begin to implement credit freeze laws.
• The laws vary from state to state, but the general common premise is to allow consumers to block access to, or place a security freeze on, their consumer credit reports.
• The length of the freeze also varies from state to state, as does the fee charged to consumers, if any, to implement the freeze.
• Some states require the credit reporting agency to provide the consumer with a password or identification number, which the consumer then uses to authorize the release of his or her credit information.
• Among the states whose laws took effect in January are: Pennsylvania (S.B. 180), Rhode Island (H.B. 7148), Oklahoma (S.B. 1748), Hawaii (H.B. 1871), New Hampshire (S.B. 334), Illinois (S.B. 2310), Kansas (S.B. 196), and Wisconsin (A.B. 912).
Indiana’s New Junk Fax Law Takes Effect
• The new Indiana “do not fax” law became effective on January 1, 2007. The law is similar to laws already in effect in 21 other states, and prohibits unsolicited advertising faxes (unless the sender has a pre-existing or prior business relationship with the recipient).
  – Recipients of such faxes can file a complaint with the Consumer Protection/Telephone Privacy Division of the Indiana Attorney General’s office.
• Under the Indiana law, a violation of the federal TCPA constitutes a deceptive act under the new state law.
• Excluded from the new law are noncommercial faxes, which include religious and political messages.
• The penalty for violating this law is to be determined on a case-by-case basis, and can range from $500 for an initial violation up to $1,500 for an “egregious” violation.
Litigation
Fed Ct. Finds that Law Requiring Posting of Contractors’ Kids’ Names on Web Does Not Pass Constitutional Muster
• On January 9, 2007, the U.S. District Court for the District of Connecticut held that parents have a constitutionally protected privacy interest in their children’s names and other personal info that would prohibit, under most circumstances, a state from openly posting that information to the Web (Securities Indus. and Fin. Mkts. Ass’n v. Garfield, D. Conn., No. 3:06cv2005, 1/9/07).
  – Pursuant to a Conn. election reform statute (Conn. Gen. Stat. § 9-333a et seq.), the state elections commission was required to compile a list of individuals to whom the statute applied, which included the dependent children of state contractors’ highest-ranking officers. The list was then posted on the state’s website, with no limitations on access.
• The court held that the Fourth Amendment of the U.S. Constitution protects a parent’s privacy interest in a dependent child’s identifying information, and concluded that the publishing of the children’s names on the state’s website is not necessary to further the state’s legitimate interests.
  – The court found that posting the names to the Internet did not serve any real purpose. The court said that a more limited distribution, or even a password-protected site, might cure the overbreadth issue without compromising the statute’s goals.
• The court’s conclusions are consistent with the U.S. Supreme Court’s reasoning in Whalen v. Roe, 429 U.S. 589 (1977), in which the Court held that Fourth Amendment privacy protection extends to the interest in avoiding disclosure of personal matters.
• The court also found persuasive the Federal Trade Commission’s Children’s Online Privacy Protection rule and the Freedom of Information Act, both of which support a parent’s right to choose how their children’s information will be disclosed to third parties.
Enforcement
Internet Marketer Settles with FTC Over Charges of Violations of CAN-SPAM and the FTC’s Adult Labeling Rule
• On January 30, 2007, the FTC announced a settlement with TJ Web Productions, an Internet marketer, under which TJ Web will pay a $465,000 penalty and face a permanent injunction from further violation of the FTC’s Adult Labeling Rule and the CAN-SPAM Act. (United States v. TJ Web Prods. LLC, D. Nev., No. CV-S-05-0882-RLH-GWF, 12/2/06).
• Defendant allegedly violated the FTC’s Rule and the CAN-SPAM Act, which both require commercial e-mailers of sexually-explicit materials to:
  – Use the phrase “SEXUALLY EXPLICIT” in the subject line.
  – Ensure that the initially viewable area of the message does not contain graphic sexual images.
  – For unsolicited commercial e-mail, include an opt-out provision for consumers who do not want to receive future email.
  – Provide a postal address for senders of such messages.
• According to the FTC, TJ Web did not send the illegal e-mails directly to consumers, but instead sent them through an “affiliate marketing” program using third party e-mail service providers to send the messages on its behalf.
Newly Introduced Bills – State
New Breach Notice Legislation
• New Breach Notification Laws were introduced in a host of states, including:
  – Oregon
  – Wyoming
  – South Carolina
  – Alaska
  – Virginia
  – Massachusetts
• Montana – considering a bill that would expand its current breach notice law (which applies to businesses), to include notification obligations applicable to the public sector.
Oregon Breach Notice Bill Also Requires Registry of Businesses With Personal Data
• On Jan. 10, a breach notice bill was introduced into the Oregon House of Representatives (H.B. 2442).
  – The new law would require covered entities that maintain computerized data systems containing personal information to establish a security system to safeguard the personal information using various prescribed measures (including, e.g., antivirus software; firewall configurations that protect data within a corporation’s network from outside access; and access restrictions to individuals within the organization).
  – This bill also charges the state Department of Consumer and Business Services with establishing a registry “of all businesses that own, possess or use personal information.”
  – The bill’s definition of “personal information” includes dates of birth and passport numbers in its list of data elements.
  – Under this bill, an individual can make a written request for a copy of all personal information about them maintained by an entity in the registry, which must be honored regardless of whether the covered entity has faced a data breach.
  – This bill also contains new criminal penalties for the misuse of personal information.
New Credit Freeze Legislation
• Many states have introduced credit freeze legislation, including:
  – Montana
  – Alaska
  – Indiana
  – Tennessee
  – Wyoming
  – South Carolina
  – Virginia
  – District of Columbia (passed, awaiting approval by Congress)
  – Michigan
  – Massachusetts
  – Arizona
  – Georgia
  – North Dakota
  – Maryland
  – Mississippi
  – Nebraska
Bills to Ban E-Mail Harvesting and Unauthorized Spyware Distribution are Introduced in New York
• On Jan 3, 2007, two bills were introduced on the first day of the New York Legislature’s 2007-2008 session, which seek to limit the unauthorized use of personal information and regulate spyware.
  – (1) The first bill (A.216) aims to prohibit the sale, lease, or exchange of a person’s e-mail address or other personal identifying information without consent.
    • This bill would require that those intending to use an individual’s personal information, including their e-mail address, Social Security number, address, date of birth and mother’s maiden name, must provide a “clear and conspicuous notice” of the collection and provide the individual with the opportunity to opt out of the use of their personal information.
    • AG Enforcement: AG would be authorized to seek a court-ordered injunction against the prohibited activity and seek a civil penalty of not more than $1,000 per violation.
  – (2) The second bill (A.340) seeks to criminalize the dissemination of spyware without prior authorization.
    • This bill defines spyware as “an executable computer program, including but not limited to a keylogging program, that employs a computer user’s Internet connection without the computer user’s knowledge or explicit authorization and such computer program gathers and transmits personal information or data of a computer user.”
    • This bill would classify the unlawful dissemination of spyware as a Class A misdemeanor (but, if the person convicted is a previous offender of the same crime within the last five years, then the crime would become a Class E felony).
Other States Introduce Spyware Bills
• Legislation aimed at prohibiting the use of spyware was also introduced in:
  – Mississippi
  – Massachusetts
States Focus on Privacy: Virginia Governor Proposes “Do Not Sell” List; NY & SC Propose “Do Not E-mail” Lists
• Virginia’s Governor, Tim Kaine, is proposing a Do Not Sell List initiative which, similar in concept to a “Do Not Call” List, would block companies or agencies from selling personal information about those who put their names on the list.
  – This new initiative would make people aware that their information may be sold, and would give them an option as to whether they want to participate or not.
  – Kaine has assembled a panel to study the idea, which should report back to him by the end of the year.
  – Additionally, the VA governor is directing his own administration to monitor how it protects private, sensitive information, and test the success of its own existing security standards.
• Proposed legislation in New York (A 2520) and South Carolina (H 3280) would enable individuals to prevent unwanted commercial e-mails and other communications.
  – NY’s bill would create a “do not mail/e-mail” registry applicable to all entities doing business in NY. (Note: The NY bill would also apply to postal mail.)
  – The SC bill would require e-mail service providers to create a database of “no e-mail” residential subscribers.
Maine Rejects the Real ID Act of 2005
• On January 25, Maine became the first state to officially decline to comply with the federal Real ID Act of 2005.
  – The Real ID Act requires states to replace their driver’s licenses by a May 2008 deadline with forgery-proof scannable cards embedded with certain private information, which information would be stored in a nationwide database, accessible by federal, state and local government employees.
  – The private information subject to such storage would include: Social Security numbers, birth dates, photo identification, residency information, and biometric identifiers (like a fingerprint).
  – Other states have similarly balked at the program (e.g., NH), but Maine is the first to officially announce that it will not participate.
  – Since Maine passed its resolution, Georgia, Massachusetts, New Mexico, Vermont and Washington are reportedly aiming to also pass laws or adopt resolutions by which they will similarly refuse to participate.
Other Privacy-Related State Legislative Activity
• Arkansas: New AG announced a “legislative package” focusing on consumer protection which targets, in particular, ID theft (including increased criminal penalties for ID theft).
• New Hampshire: Considering a “privacy amendment” to the State constitution (which would include, for example, a measure excluding NH from complying with the federal Real ID Act, a ban on “pretexting,” and a right for consumers to opt out of cell phone directories).
• Georgia: The Georgia Senate is considering a bill (SB 24) that would make “phishing” illegal.
Newly Introduced Bills – Federal
New Federal Legislation: Bills to Extend No-Call to Political Messages and Ban Caller Identification Spoofing Introduced
• On Jan. 5, 2007, two federal bills were introduced in the House which would expand the scope of the “do-not-call” registry to restrict recorded political telephone calls and ban the disguising of caller identification.
  – The “Robo Calls Off Phones (Robo COP) Act” (H.R. 248), introduced by Rep. Virginia Foxx (R-N.C.), would prohibit “politically oriented” recorded messages to individuals who have registered their phone numbers on the DNC registry maintained by the Federal Trade Commission.
    • This bill defines politically oriented messages as those “whose purpose is to promote, advertise, campaign, or solicit donations, for or against any political candidate or regarding any political issue, or uses in the recorded message any political candidate’s name.”
    • H.R. 248 would direct the FTC to amend the do-not-call registry provisions of the Telemarketing Sales Rule (TSR) to include these types of messages (despite an existing exemption for non-profit organizations, which includes most political groups) within 180 days of enactment.
  – The “Truth in Caller ID Act” (H.R. 251) seeks to prohibit callers from altering or disguising their telephone numbers to prevent their proper identification on caller ID devices (also known as “caller-ID spoofing”).
    • H.R. 251 would amend the federal Communications Act to make it illegal for individuals to transmit misleading or inaccurate caller ID information.
Legislation of the 110th Congress
S. 239 – Notification of Risk to Personal Data Act of 2007
• Re-introduced by Senator Feinstein (D. Calif.) on 1/10/07
• Would require federal agencies and business entities engaged in interstate commerce, who use, access, transmit, store, dispose of or collect sensitive personally identifiable information, to notify individuals of a security breach involving their personal data.
  – Required to notify the owner or licensee of the information following discovery of a security breach.
  – Relieved of the obligation if notice is provided by some other third party.
• Notification must be made without unreasonable delay to:
  – Individuals, in writing, by telephone, or email (with consent)
  – Consumer reporting agencies, if number of affected individuals exceeds 1,000.
  – Media, if number of residents affected exceeds 5,000.
  – U.S. Secret Service, if affected individuals exceeds 10,000.
• Notifications must include description of the categories of sensitive information compromised, as well as a toll-free number to contact the agency or business entity and credit agencies.
Legislation of the 110th Congress
S. 239 – Notification of Risk to Personal Data Act of 2007 (cont.)
• Exemptions to Notification Requirements
  – Must certify, in writing, that notification would damage national security or hinder a law enforcement investigation.
• Safe Harbor
  – Risk assessment concludes there is no significant risk of harm to individuals as a result of the breach.
  – If notice of the risk assessment decision is given to the Secret Service in writing and the Secret Service does not indicate within 10 days thereafter that notice should be given.
• Financial Fraud Prevention Exemption
  – Utilization of or participation in a security program designed to block use of personally identifiable information to initiate unauthorized financial transactions before they are charged to the individual’s account.
  – Security program that provides for notice to affected individuals after a security breach results in fraud or unauthorized transactions.
• Enforcement by the Attorney General (state attorneys general could bring civil actions to enforce the law).
Legislation of the 110th Congress
S. 238 – Social Security Number Misuse Prevention Act
• Also re-introduced by Senator Feinstein on 1/10/07
• Amends 18 U.S.C. 47 to limit the misuse of Social Security numbers, to establish criminal penalties for such misuse, and for other purposes.
• Prohibits the sale, display or purchase of an individual’s Social Security number without consent.
  – Prohibition applicable to checks issued for payment by government agencies.
  – Individuals must be informed of the general purpose for use.
  – Express consent must be received from the individual in writing or electronically.
• Also prohibits federal, state and local government agencies from displaying SSNs on public records posted on the Internet or otherwise publicly available on electronic media.
• Places limitations on when businesses can ask customers for SSNs.
Legislation of the 110th Congress
S. 238 – Social Security Number Misuse Prevention Act (cont.)
• Public Records Exception
  – No retroactivity for government public records on the Internet or in electronic form before enactment.
  – No exception for Social Security numbers harvested from other public records.
• Enforcement
  – Concurrent enforcement by FTC and FCC.
  – Private right of action for providers to recover actual monetary loss or $11,000 per violation.
  – Private right of action for consumers for injuries with damages up to $11,000 per violation.
  – Treble damages for willful and knowing violations.
• Enforcement by the Attorney General
  – Provides civil penalties up to $50,000.
  – Establishes criminal penalties under the Social Security Act.
Legislation of the 110th Congress
H.R. 220 – Identity Theft Prevention Act of 2007
• Introduced by Representative Paul on 1/4/07
• Amends Title II of the Social Security Act to protect the integrity and confidentiality of Social Security account numbers.
  – Prohibits the Social Security Administration from divulging the Social Security number of any individual to any agency or individual.
  – Prohibits government-wide uniform identifying numbers and government-established identifiers.
• Exceptions
  – Use of the Social Security number as an identifying number pursuant to section 6109(d) of the Internal Revenue Code of 1986 (relating to use of the Social Security number for social security and related purposes).
Other Noteworthy Issues
TJX Data Security Breach: May Be Biggest Yet In U.S.
• Tens of millions of credit and debit cards may have been among the private information compromised by a computer security breach at the retailer that operates T.J. Maxx and Marshall’s stores (and other stores), in what could become the biggest case of stolen consumer data in the United States.
  – TJX announced the breach to the public on January 17, 2007, but reportedly discovered the breach in “mid-December 2006” (if not earlier than that, as some report).
  – The number of affected accounts, which belong to all major credit card companies, could exceed 40 million, which would make it the largest breach of its kind in the U.S., bigger than that which occurred in 2005 at CardSystems Solutions (the largest breach to date).
  – The unauthorized intrusion into TJX’s computer systems could go back at least four years (including credit card transactions made in 2003) and may have occurred in a series of waves involving computer hacking into checkout terminals and unencrypted information left on computers.
  – The information compromised may have included credit and debit card information, other customer information, including driver’s licenses, and checking accounts linked to transactions for returned merchandise.
  – Fifth Third Bank of Cincinnati has been identified as the sponsoring bank that handled TJX’s accounts, which makes it responsible for ensuring that the retailer met the industry’s security standards (i.e., PCI DSS).
TJX Security Breach: Class Action Suits Filed
• Class action lawsuits have been filed, both by consumers and financial institutions.
• Class Action Lawsuit – Consumers
  – January 29, 2007: Filed by consumers in the US District Court in Boston.
  – Cause of Action: Negligence (for failing to maintain adequate security of customer credit/debit card data, and for not disclosing the breach for over a month).
  – The plaintiff class is seeking credit monitoring services, and any other damages that affected individuals may incur.
  – NOTE: In these types of lawsuits, courts have typically not found in favor of plaintiffs unless there is actual damage and injury.
• Class Action Lawsuit – Financial Institutions
  – January 29, 2007: Another class action lawsuit was filed in the U.S. District Court in Boston, by AmeriFirst Bank of Union Springs, Alabama. AmeriFirst’s lawyers reportedly estimate that thousands of financial institutions will join the suit.
  – Names as defendants TJX, as well as Fifth Third Bank of Ohio (the company that processed debit and credit transactions for TJX).
  – Cause of Action: Negligence (for failing to adequately safeguard the private information it possessed, and also for delaying the notification of the breach), Breach of Contract, and alleged violations of the Gramm-Leach-Bliley Act.
  – Plaintiffs are seeking to recover the costs of replacing compromised cards, as well as the costs of dealing with fraudulent charges made with the compromised cards.
Visa Offers Banks New Financial Incentives for PCI Compliance, But Also Threatens New Fines
• In December of 2006, as the credit card industry continues to struggle with the PCI Data Security Standard, Visa USA announced that it would pledge to commit $20 million to offer financial incentives to banks that process credit card transactions, if they can demonstrate that the merchants for whom they process such transactions are in compliance with the Payment Card Industry Data Security Standard (PCI DSS).
  – The incentives include financial payments for banks that validate PCI DSS merchant compliance.
    • Eligibility for such payments rests on whether they have been involved in a data breach.
    • Banks also have to comply with certain PIN security standards to be eligible for the financial payments.
  – Those banks that validate full PCI DSS compliance by merchants by March 31, 2007, may receive a one-time payment for each compliant merchant.
  – Those banks that validate compliance of merchants from March 31, 2007, through August 31, 2007, may receive a one-time reduced payment for each compliant merchant.
• Also under this new program, Visa will impose new fines on banks who fail to confirm merchants’ compliance, as well as for the occurrence of any data breach involving merchants for whom they process transactions.
Pretexting: Feds Charge Investigator in HP Spying Scandal
• Brian Wagner, a private investigator, was charged in federal court with federal identity theft and conspiracy charges in connection with the Hewlett-Packard boardroom spying scandal, whereby he allegedly accessed a reporter’s private phone records over the internet.
  – According to the prosecutors’ filings, he is being accused of using a journalist’s SSN to register a fake account with a telephone company and illegally access his phone logs. He also allegedly conspired to illegally obtain and transmit personal information about HP board directors, employees and journalists to discover news leaks about company matters.
• Many of the other individuals involved in and charged in connection with the scandal (including HP’s ethics chief and two other investigators) have pled not guilty. (People v. Dunn, Cal. Super. Ct., No. 06-1027481, 1/29/07).
  – On January 29, 2007, it was reported that the judge in the state action dropped the state charges against Wagner due to his guilty plea in connection with the federal charges.
• In December of 2006, in connection with the HP scandal, HP reached a $14.5 million settlement with California’s AG, which funds will be used to establish a “Privacy and Piracy Fund” for law enforcement activities related to privacy and intellectual property rights.
Pretexting: FCC Rules Protecting Personal Phone Records Expected Soon
• The Federal Communications Commission is expected (any day now) to issue new rules that will protect personal phone records from unauthorized disclosure.
• The FCC rules include requirements applicable to land-line and wireless phone carriers to, among other things:
  – Require that customers use a password to immediately obtain their calling records from a representative by phone.
  – Customers also could obtain their records without a password by asking phone companies to send the information to their home addresses, or having a phone company representative call them back at their home or cell phone number of record.
  – Customers trying to obtain their records online would also be required to use a password.
Department of Defense Settles with NYCLU and Agrees to Change its Student Recruiting Practices
• On January 9, 2007, the Department of Defense agreed to settle a lawsuit brought against it by the NYCLU, under which it agreed to change its military recruitment efforts to better protect the privacy of about 30 million names currently in its database. (Hanson et al. v. Rumsfeld et al., S.D.N.Y. (filed April 24, 2006)).
  – The NYCLU filed the lawsuit after the DoD’s “Joint Advertising and Market Research Studies” (JAMRS) military recruitment program began collecting, maintaining and distributing the personal and private information of millions of high school students in a database.
  – Currently, the database contains information on high school students aged 16-18, and contains information such as Social Security Numbers, gender and race.
  – The information is stored by the DoD for 5 years, and is being shared with law enforcement and other agencies.
• Under the settlement, the government agreed that:
  – It will no longer disseminate student information to law enforcement, intelligence and other agencies, and will stop collecting student Social Security numbers;
  – It will limit to 3 years (from the current 5 years) the amount of time it retains the student information; and
  – It will clarify procedures by which students can block the military from entering information about them in the database (i.e., the students will have an opportunity to “opt out” of participating in the database).
N.J. Court Recognizes State Right of Privacy in ISP Subscriber Information
• State v. Reid, No. A-3424-05T5 (N.J. Super. Ct. App. Div. Jan. 22, 2007)
  – On January 22, 2007, a New Jersey appellate court upheld the suppression of evidence obtained by a local police department via a subpoena issued by a municipal court to the defendant's Internet Service Provider (Comcast).
  – The court held that a computer user whose screen name hid her identity had a “legitimate and substantial interest in anonymity.”
  – All federal courts that have adjudicated this issue have held that Internet subscribers have no right of privacy under the Fourth Amendment with respect to identifying information on file with their ISPs.
  – However, according to the N.J. court, “the right to privacy of New Jersey citizens under our State Constitution has been expanded to areas not afforded such protection under the Fourth Amendment.”
  – NJ law enforcement officers will need to obtain valid subpoenas or search warrants to obtain such information.
Additional Miscellaneous Items
• In late December, 2006, Bush signed into law a VA Breach Notice Law, the “Veterans Benefits, Health Care, and Information Technology Act of 2006” (S. 3421), imposing various breach notification obligations onto the VA.
• Also in late December, 2006, the same day that Bush signed the VA breach notice law, Bush signed the U.S. SAFE WEB Act, which authorizes the FTC to share information with foreign agencies that treat consumer fraud and deception as a criminal law enforcement issue, and which expands the FTC’s powers with respect to investigating and taking action against Internet fraud and deception.
• The Postal Accountability and Enhancement Act (H.R. 6407) and President Bush’s accompanying signing statement in late December, 2006, prompted a group of concerned bipartisan Senators, who, on January 10, 2007, sought a resolution reaffirming that the privacy of the U.S. mail will be protected.
• On January 29, 2007, a case was filed in the US District Court in Concord, N.H., in an effort to challenge a NH law (HB 1346) that bans the commercial use of information on what drugs physicians prescribe. (Some states, including California, have already considered and rejected such laws.)
• The Federal Agency Data Privacy Protection Act (H.R. 516), which was introduced in the U.S. House of Representatives this month, would require the Federal government to (among other security measures) encrypt all sensitive data that it maintains.
• The Federal Agency Data Mining Reporting Act (S. 236), which was introduced into the U.S. Senate this month, would require (among other things) federal agencies and departments to report to Congress all data mining activities.
Spyware, Adware & Malware
Sony BMG Settles FTC Charges
• According to an FTC Press Release, on January 30, 2007, Sony BMG Music Entertainment agreed to settle FTC charges that it violated federal law when it sold CDs without notifying consumers that the CDs contained certain DRM software that “secretly” installed itself onto consumers’ computers, thereby “[exposing] consumers to significant security risks and was unreasonably difficult to uninstall.”
• The FTC stated that hiding the software from consumers and failing to provide a practicable means to uninstall the software constitute unfair trade practices, in violation of Federal law.
• The settlement agreement includes (among other things) requirements that Sony BMG:
  – Clearly disclose the limitations on consumers’ use of the music CDs;
  – Not use the software to collect information for marketing;
  – Not install software without consumer consent;
  – Provide a reasonable means of uninstalling the software;
  – Allow consumers to exchange the CDs through June 31, 2007; and
  – Reimburse consumers for up to $150 to repair damage to their computers caused by the attempted uninstallation of the software.
• The FTC settlement comes on the heels of Sony BMG’s $4+ million settlement with 40 U.S. states, as well as its separate settlements with both California and Texas.
NY AG Settles with Priceline, Travelocity and Cingular
• The January 29, 2007 settlements stemmed from the NY AG’s recent investigations into the activities of DirectRevenue, LLC, which allegedly “installed adware programs onto millions of computers worldwide to deliver advertisements, monitor Web sites and collect data typed into web forms.” (Priceline, Travelocity and Cingular had all used the services of DirectRevenue, LLC.)
  – The adware programs were allegedly installed onto consumers’ computers without adequate notice, and were difficult for consumers to remove and uninstall.
  – Priceline and Cingular both settled for $35,000, and Travelocity settled for $30,000.
  – Priceline, Travelocity and Cingular agreed to:
    • Fully disclose to consumers the name of the applicable adware program and bundled software;
    • Brand each advertisement with a prominent and easily identifiable brand name or icon;
    • Fully describe the adware and obtain consumer consent to both download and run the adware;
    • Make it practicable for consumers to remove the adware from their computers;
    • Obtain consent to continue serving ads to legacy users;
    • Require their affiliates to meet all of these same requirements; and
    • Conduct due diligence when engaging adware providers (both prior to contracting with a company to deliver their ads and quarterly thereafter).
Thank You!
Jeffrey D. Neuburger
jneuburger@thelen.com
(212) 603-2196
Kristen J. Mathews
kmathews@thelen.com
(212) 603-6587