Add to collection(s) Add to saved
  1. Social Science
  2. Law

The Federal Trade Commission

advertisement 
First Quarter
Developments in
the Ever Changing
Landscape of
Privacy and
Data Security
(Tues. April 10, 2012)
First Quarter 2012 Developments:
Today’s Speakers
Jana
Fuchs
Brandon
Pollak
David
Zetoony
Hamburg
49-40-30-33-16-0
Washington, D.C.
202-508-6394
Washington, D.C.
202-508-6030
Jana.Fuchs@bryancave.com
Brandon.Pollak@bryancave.com
David.Zetoony@bryancave.com
2
Gina
Hough
Dan
Rockey
Washington, D.C.
202-508-6387
San Francisco
415-268-1986
Gina.Hough@bryancave.com
Daniel.Rockey@bryancave.com
To submit questions that arise during the presentation which we may be able to answer at a later date,
please e-mail nick.eckelkamp@bryancave.com
First Quarter 2012 Developments:
Outline
1.
2.
3.
4.
5.
3
The Federal Trade Commission
State Attorneys General
Private litigation
Legislation
Europe
First Quarter 2012 Developments:
The Federal Trade Commission
•
Highlights of Q1 FTC Actions:
–
–
–
–
–
–
–
–
–
•
4
David Zetoony
Washington, D.C
202-508-6030
David.Zetoony@bryancave.com
Agreement for Consent Order, In re UPromise (Jan. 5, 2012)
Warning Letter, Everify Inc. (Jan. 25, 2012)
Warning Letter, InfoPay Inc. (Jan. 25, 2012)
Warning Letter, Intelligator, Inc. (Jan. 25, 2012)
FTC Report, “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing”
(Feb. 2012)
FTC Report, “Consumer Sentinel Network DataBook for January – December 2011”
(Feb. 2012)
FTC Report, “Using FACTA Remedies: An FTC Staff Report on a Survey of Identity
Theft Victims” (Mar. 2012)
FTC Report, “Protecting Consumer Privacy In an Era of Rapid Change:
Recommendations for Businesses and Policymakers (Mar. 2012)
Consent Order, US v. RockYou (N.D. Cal. Mar. 26, 2011)
… but what does it all mean?
First Quarter 2012 Developments:
The Federal Trade Commission
•
David Zetoony
Washington, D.C
202-508-6030
David.Zetoony@bryancave.com
Movement in Four Key Areas:
1. How to use “de-identified” data.
2. Changes to the definition of “sensitive data.”
3. Nailing down what is, and is not, “reasonable and appropriate” when
it comes to data security.
4. Increased scrutiny on mobile applications.
5
First Quarter 2012 Developments:
The Federal Trade Commission
•
David Zetoony
Washington, D.C
202-508-6030
David.Zetoony@bryancave.com
Using “De-Identified Data”
– Historical reasons for anonymizing or de-identifying data.
– Trend toward treating anonymous or de-identified data as PII.
– FTC’s current position is that data is not anonymous if it is
“reasonably linked to a person , computer, or device.”
– Data is not “reasonably linked” if the following three elements are
met:
1. Company takes measures to ensure that data is de-identified,
2. Company publicly commits to not try to re-identify, and
3. Company contractually prohibits downstream recipients from trying to
re-identify.
– Steps for limiting liability in connection with anonymous data…
6
First Quarter 2012 Developments:
The Federal Trade Commission
•
David Zetoony
Washington, D.C
202-508-6030
David.Zetoony@bryancave.com
Changes to the Definition of “Sensitive Information”
– Historically term was defined by state laws.
– Trend is toward a more amorphous definition.
– FTC’s current position goes beyond SSN and drivers license and
includes financial, health, child and/or geo-location information.
– Likely impact of FTC’s position on litigation risk, and compliance
risks…
7
First Quarter 2012 Developments:
The Federal Trade Commission
•
David Zetoony
Washington, D.C
202-508-6030
David.Zetoony@bryancave.com
Nailing Down the Elusive “Reasonable and Appropriate”
Security.
– Historically, FTC has taken the position that section 5 requires all
companies to use “reasonable and appropriate” security, but has
refused to define what that term means in specific terms.
– Commission has brought roughly 40 cases for inadequate security;
reading between the lines reveals those practices that the
Commission believes categorically evidence a lack of “reasonable
and appropriate.”
– US v. RockYou, and FTC v. UPromise provide eight specific
examples of what is not reasonable and appropriate.
– Strategies for limiting liability in light of the FTC’s position…
8
First Quarter 2012 Developments:
The Federal Trade Commission
•
David Zetoony
Washington, D.C
202-508-6030
David.Zetoony@bryancave.com
Increased Scrutiny on Mobile Apps.
– Historically, FTC has indicated that it treats mobile market place the
same as the internet.
– Developments in this quarter, show that the FTC is increasingly
scrutinizing privacy practices, and regulatory compliance practices
in mobile apps.
– Takeaways:
•
•
•
9
Little doubt that the FTC will bring more and more COPPA enforcement
actions against mobile app. developers.
Little doubt that the FTC will look for any FCRA cases.
Almost certainly more run of the mill privacy and data security cases
effecting mobile apps.
First Quarter 2012 Developments:
The Federal Trade Commission
•
David Zetoony
Washington, D.C
202-508-6030
David.Zetoony@bryancave.com
Some Additional Areas of FTC Attention…
– Attention on deceptive and unfair practices in the context of credit
monitoring services and ID theft products.
– Additional thoughts from the FTC concerning when companies can
share with sister entities, parents, and subs.
10
Gina Hough
First Quarter 2012 Developments:
Washington, D.C
202-508-6387
Gina.Hough@bryancave.com
State AG & Other Agencies
11
Gina Hough
First Quarter 2012 Developments:
Washington, D.C
202-508-6387
Gina.Hough@bryancave.com
State AG & Other Agencies
• Data privacy Moves to the Top of the List for State Attorneys
General
– 36 State AGs question Google’s privacy changes; Failure to “opt-out”
cited
– Calfornia AG agreement with Amazon, Google, Hewlett-Packard,
RIM sets stage on mobile app. Privacy
– Minnesota AG goes after HIPPA Violation
– Massachusetts AG pursues Property Management firm; firm pays
civil damages
12
Gina Hough
First Quarter 2012 Developments:
Washington, D.C
202-508-6387
Gina.Hough@bryancave.com
State AG & Other Agencies
• Cal AG Mobile App Settlement
– California AG announced February 22 that reached agreement with
Amazon.com, Apple, Google, Hewlett-Packard, Microsoft and
Research in Motion to strengthen privacy protections for smartphone
owners who download mobile applications.
– Agreement requires:
• privacy policy for mobile apps
• method for users to report violations by app developers
– Violations of privacy policies would be treated as violation of UCL
(Cal’s mini-FTC Act)
13
Dan Rockey
First Quarter 2012 Developments:
San Francisco
415-268-1986
Private Litigation
Dan.Rockey@bryancave.com
14
Dan Rockey
First Quarter 2012 Developments:
San Francisco
415-268-1986
Private Litigation
Dan.Rockey@bryancave.com
• Current State of Privacy Litigation
– Unprecedented number of filed cases (both data breach and
unauthorized collection/use of PII)
– Emergence of a dedicated privacy plaintiffs’ bar
• However
– For all the activity, little tangible success for plaintiffs
– Cases routinely dismissed at the pleading stage on Article III
standing or inability to meet “actual injury” element of claim
– No out-of-pocket damages = No claim
15
Dan Rockey
First Quarter 2012 Developments:
San Francisco
415-268-1986
Private Litigation
Dan.Rockey@bryancave.com
• High Profile Defense Victories
E.g., In re iPhone Application Litigation (2011)
• Plaintiffs alleged that Apple and mobile ad networks unlawfully allowed
third party apps to collect personal information without user consent or
knowledge.
• Drawing on a long line of decisions, the Court dismissed all claims,
finding insufficient plaintiffs’ allegations that they suffered harm in the
form of a diminished value for their personal data.
But see
• “It is not obvious that Plaintiffs cannot articulate some actual or imminent
injury in fact. It is just that at this point they haven’t offered a coherent
and legally supported theory of what that injury might be.”
16
Dan Rockey
First Quarter 2012 Developments:
San Francisco
415-268-1986
Private Litigation
Dan.Rockey@bryancave.com
• Is the Tide Turning?
Claridge v. RockYou, Inc. (N.D. Cal. 2011)
• Defendant failed to secure user data, allowing hacker to have access to
32 million usernames and passwords
– Plaintiffs:
• FTC → “Personal information is . . . Currency. The monetary value of
personal data is large and still growing . . . .”
• Academic studies → social networking credentials worth up to $35 on
black market
– Court:
• Plaintiff has “sufficiently alleged a general basis for harm by alleging that
the breach of his PII has caused him to lose some ascertainable but
unidentified ‘value’ and/or property right inherent in the PII.’’
17
Dan Rockey
First Quarter 2012 Developments:
San Francisco
415-268-1986
Private Litigation
Dan.Rockey@bryancave.com
• Is the Tide Turning?
Fraley v. Facebook (N.D. Cal., Dec. 19, 2011)
• Plaintiffs alleged that Facebook unlawfully appropriated its user’s data
through its Sponsored Stories marketing program
– Plaintiffs:
• Facebook executives → trusted referrals are “Holy Grail of Marketing”
and were 2-3 times more valuable than standard Facebook ads
– Court:
• Plaintiffs sufficiently alleged that their personal endorsements had
‘‘concrete, provable value in the economy at large, which can be
measured by the additional profit Facebook earns from selling
Sponsored Stories compared to its sale of regular advertisements.’’
18
Dan Rockey
First Quarter 2012 Developments:
San Francisco
415-268-1986
Private Litigation
Dan.Rockey@bryancave.com
• Is the Tide Turning?
Villegas v. Google (complaint filed Feb. 28, 2012)
• Plaintiffs allege that Google and Point Roll were exploiting a gap in the
Safari and IE browsers to circumvent a user's cookie settings
• Asserts claims under and asserts violations of the CFAA, ECPA, Cal.
Penal 502, UCL, CLRA
– Damages?
• Plaintiffs allege, inter alia, that Google allowed “toxic” cookies to be
placed on their computers, requiring costly “toxic cookie clean up”
costing potentially thousands of dollars (i.e., batch delete not reasonable
mitigation)
19
Dan Rockey
First Quarter 2012 Developments:
San Francisco
415-268-1986
Private Litigation
Dan.Rockey@bryancave.com
• Statutory Violation = Actual Harm?
Gaos v. Google (N.D. Cal. Mar. 29, 2012)
– Plaintiff alleged:
• Google allows website owners (and third parties) to see user-submitted
search terms, which can be linked to user through re-identification
– Court:
• Dismissed state law claims but permitted Stored Communications Act
claim to proceed
• Plaintiff does not need to allege any actual injury other than a violation of
the statute: “injury required by Article III . . . can exist solely by virtue of
‘statutes creating legal rights, the invasion of which creates standing.”
20
Dan Rockey
First Quarter 2012 Developments:
San Francisco
415-268-1986
Private Litigation
Dan.Rockey@bryancave.com
• Statutory Violation = Actual Harm?
Edwards v. First American (9th Cir. 2010)
• Case involves alleged kickbacks between Title Company and Title
Insurance Agency
• RESPA makes violators liable for 3x any charges paid for settlement
services
– Court, following Third and Sixth Circuits, held that statutory violation
supplies actual injury sufficient to establish Article III standing
– SCOTUS granted review; decision expected this summer
21
Dan Rockey
First Quarter 2012 Developments:
San Francisco
415-268-1986
Private Litigation
Dan.Rockey@bryancave.com
• Plaintiffs are beginning to crack the code. Companies
should not get complacent.
• Embrace Privacy By Design, evaluating privacy impact of
new initiatives at the outset
• When the inevitable breach or mishap occurs, consider
response carefully with an eye to potential litigation (e.g., by
offering free credit monitoring, “voluntary” notifications)
• Be careful what you say about your customer’s data – it
may come back to haunt you
22
Brandon Pollak
First Quarter 2012 Developments:
Washington, D.C.
202-508-6394
Brandon.Pollak@bryancave.com
Federal Legislation
23
Brandon Pollak
First Quarter 2012 Developments:
Washington, D.C.
202-508-6394
Brandon.Pollak@bryancave.com
Federal Legislation
• “The Cybersecurity Act of 2012”
– On Tuesday, February 14, 2012, Senators Lieberman, Collins, Rockefeller
and Feinstein introduced S. 2105, The Cybersecurity Act of 2012.
– S. 2105 addresses several critical areas:
•
•
•
•
•
•
•
•
•
24
Title I: Critical Infrastructure
Title II: FISMA Reform
Title III: Clarifies the roles of Federal Agencies
Title IV: Workforce Development
Title V: Research and Development
Title VI: Federal Acquisition Risk Management Strategy
Title VII: Information Sharing
Title VIII: Public Awareness Reports
Title IX: International Cooperation
Brandon Pollak
First Quarter 2012 Developments:
Washington, D.C.
202-508-6394
Brandon.Pollak@bryancave.com
Federal Legislation
• “The Cybersecurity Act of 2012”
– Senate Majority Leader Harry Reid placed S. 2105 onto the Senate
Calendar and he has expressed his intention to bring the bill to the
Senate Floor during the current legislative work period.
– Several Senate Republicans, led by Senators John McCain and Kay
Bailey Hutchinson, have sharply criticized the legislative process that
produced S. 2105.
– Eight Senate Republicans, led by Senator McCain, introduced an
alternative cybersecurity bill called the SECURE IT Act (S. 2151) on
March 1st.
25
Brandon Pollak
First Quarter 2012 Developments:
Washington, D.C.
202-508-6394
Brandon.Pollak@bryancave.com
Federal Legislation
• The U.S. House of Representatives
– Rep. Mary Bono Mack (R-CA) and Rep. Marsha Blackburn (R-TN)
introduced the House version of the SECURE IT Act (H.R. 4263) on
March 27th.
– Key components of the legislation include: (1) Authorizing
Information Sharing; (2) Securing Federal Networks; (3)
Prosecuting Cybercrime; and (4) Prioritizing Cybersecurity
Research
– The House of Representatives is still ironing out the final details of
its cybersecurity package, leaders are expected to put four bills on
the floor separately this work period, and then use a procedural
maneuver to combine them before they are sent to the Senate.
26
Brandon Pollak
First Quarter 2012 Developments:
Washington, D.C.
202-508-6394
Brandon.Pollak@bryancave.com
Federal Legislation
• White House Privacy “White Paper”
– The White House released a “white paper” proposing a policy
framework for consumer privacy, Consumer Data Privacy In a
Networked World: A Framework for Protecting Privacy and
Promoting Innovation in the Global Digital Economy.
– Four major elements: (1) Consumer Privacy Bill of Rights; (2)
Market and industry Codes of Conduct; (3) Enforcement,
primarily by the FTC but also by state Attorneys General; and
(4) International Cooperation, primarily between the U.S. and
European countries.
– The paper suggests that Congress enact new privacy legislation.
27
Brandon Pollak
First Quarter 2012 Developments:
Washington, D.C.
202-508-6394
Brandon.Pollak@bryancave.com
Federal Legislation
• FTC Privacy Report
– The final privacy report expands on a preliminary staff report the
FTC issued in December 2010. The final report calls on companies
handling consumer data to implement recommendations for
protecting privacy, including: (1) Privacy by Design; (2) Simplified
Choice for Businesses and Consumers; and (3) Greater
Transparency
– FTC staff to focus on five main action items: (1) Do-Not-Track; (2)
Mobile; (3) Data Brokers; (4) Large Platform Providers; (5)
Promoting Enforceable Self-Regulatory Codes
– FTC recommends that Congress consider enacting general privacy
legislation, data security and breach notification legislation, and data
broker legislation.
28
First Quarter 2012 Developments:
European Union
29
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
• Revision of Data Protection Rules
– In January the EU Commission published the long-awaited reform
proposal for EU data privacy rules
– Existing legislation is based on an EU Directive drafted in 1995
– Currently all EU member states have implemented their own national
rules based on the existing EU Directive, which are not fully
harmonized
– The Commission’s reform proposal is now set out as an EU
Regulation, which means it will be directly enforceable in all member
states leading to a full harmonization of rules within the EU
30
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
• Reform Proposal
– Proposed changes leading to further compliance obligations are e.g.:
•
•
•
•
•
•
31
Foreign Application of the Regulation
One-Stop Shop
Explicit Consent
Breach Notification
Mandatory Data Protection Official
Higher Penalties
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
• Foreign Application
– EU Regulation will apply even if personal data is processed abroad
– It would apply to data processing companies that are active in the
EU market (e.g. offering goods or services to EU data subjects)
32
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
• One-Stop Shop
– Only one data protection authority – the national authority of the
Member State in which the company has its main establishment shall be responsible
– This 'one-stop-shop' for data protection will greatly simplify
compliance efforts. Currently, businesses are supervised by different
authorities in each Member State they are established
33
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
202-508-6387
Jana.Fuchs@bryancave.com
• Explicit Consent
– Opt-In consent is strengthened
– Whenever an individual’s consent is required for its data to be
processed, such consent would have to be express (i.e., not implied)
34
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
• Breach Notification
– Companies would be required to notify the national supervisory
authority of serious data breaches as soon as possible (if feasible,
within 24 hours)
– The individuals whose personal data could be adversely affected by
the breach would also have to be notified without undue delay
35
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
• Data Protection Official
– For companies employing 250 persons or more, the Regulation
would require that they employ an internal data protection officer
(DPO)
– DPO has to be sufficiently qualified and if employed is subject to
termination protection
36
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
• Penalties
– For first offences, the national supervisory authorities may send a
warning letter
– For serious violations supervisory authorities could impose penalties
of up to €1 million ($1.3 million) or up to 2% of the global annual
turnover of a company
– For less serious offences fines could start out at €250,000
($330,000) or up to 0.5% of the worldwide turnover
37
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
• Next Steps – From Proposal to Regulation
– The reform proposal has been passed to the European Parliament
and all EU Member States for discussion and potential amendment
– Although it is difficult to estimate how long it might take the proposal
to be considered, typically proposals of this significance are
considered for approx. two years before being adopted
– The Regulation will be enforceable in all Member States two years
after it has been adopted
38
First Quarter 2012 Developments:
European Union
Jana Fuchs
Hamburg
49-40-30-33-16-0
Jana.Fuchs@bryancave.com
• Reform Proposal Reactions & Reality Check
– Points of discussion are e.g.:
• Conflicts resulting from foreign application of the regulation, e,g. Patriot
Act
• Missing rules for the enforcement of foreign application
• Missing regulation for cloud computing, in particular for non-EU clouds
• Data transfer regulation is not part of the reform proposal
• Explicit consent requirements as obstacles to business operations
39
First Quarter 2012 Developments:
Contact Information
Jana
Fuchs
Brandon
Pollak
David
Zetoony
Hamburg
49-40-30-33-16-0
Washington, D.C.
202-508-6394
Washington, D.C.
202-508-6030
Jana.Fuchs@bryancave.com
Brandon.Pollak@bryancave.com
David.Zetoony@bryancave.com
40
Gina
Hough
Dan
Rockey
Washington, D.C.
202-508-6387
San Francisco
415-268-1986
Gina.Hough@bryancave.com
Daniel.Rockey@bryancave.com
Related documents
PE Leadership - Reflection Paper Outline
PE Leadership - Reflection Paper Outline
Bryan Cave LLP Named Innovative Law Firm of the Year by the
Bryan Cave LLP Named Innovative Law Firm of the Year by the
Second/Third Quarter Reflection
Second/Third Quarter Reflection
Spelling Lists by Quarter - Tanque Verde Unified School District
Spelling Lists by Quarter - Tanque Verde Unified School District
How to Use TritonLink
How to Use TritonLink
Game * Start of the grid
Game * Start of the grid
Each quarter I have learned something new in my senior English class
Each quarter I have learned something new in my senior English class
Download
advertisement