Visa Issues Top 10 Best Practices for Payment Application Companies

Evolving threats to payment card data security and recent payment card data compromises have prompted Visa to issue a set of best practices for payment application companies to help mitigate security issues that lead to data compromises. Visa has recommended that acquirers, merchants, and agents review Visa’s best practices and insist that their payment application vendors, integrators, and resellers fully adopt the new standards. Visa’s best practices recommend that payment application companies:

  • Perform background checks on new employees and contractors prior to hire, including conducting investigations regarding previous employment history, academic history, credit history, and reference checks;
  • Maintain an internal and external software security training and certification curriculum;
  • Adhere to industry guidelines for data field encryption, tokenization, and PAN elimination across payment applications that use these technologies to help reduce risks to cardholder data;
  • Adhere to a common software development life cycle based on ISO 12207 across payment applications to ensure that software is being properly developed and managed;
  • Ensure that newly released payment application programs are compliant with the Payment Application Data Security Standard (“PA-DSS”); and
  • Conduct application vulnerability detection tests and code reviews against common vulnerabilities and weaknesses prior to sale or distribution of payment application products to help companies identify and fix problems before the product release.

Visa noted that it has provided these standards to increase awareness of the payment application industry’s best practices and stressed that all payment system participants should maintain compliance with the Payment Card Industry Data Security Standards (“PCI DSS”). The full list of Visa’s best practices can be found here.
 

FTC Closes Data Security Investigation of P2P Software Provider

On August 19, 2010, FTC staff closed an investigation into Limewire, LLC. Limewire provides both a free and purchasable version of P2P software. Based on the staff's closing letter, available here, the investigation focused on a security vulnerability in legacy versions of the P2P software that put users at risk of inadvertently sharing sensitive information stored on their computers.

FTC staff decided to voluntarily close the investigation. Among the factors considered as part of closing the investigation were:

  • Limewire's incorporation of safeguards into the updated software's user interface to help users avoid the inadvertent sharing of sensitive documents;
  • the high attrition rate for legacy versions of the software;
  • Limewire's inability to force users to update to a newer software version; and
  • the possibility that users of some of the older software versions may have been able to avoid disclosure of sensitive PII (noting that an act/practice is not "unfair" under Section 5 unless it causes consumer injury that is not reasonably avoidable by consumers).

Given the staff's ongoing concern that consumers using the legacy software may remain at risk of PII disclosures, the staff stated its expectation that Limewire would continue to advise consumers to upgrade the software and participate in industry efforts to inform consumers about how best to avoid inadvertent sharing of sensitive documents.

This closing follows the FTC's press release earlier this year that it had notified nearly 100 organizations that their sensitive PII records were on P2P networks, and that it was investigating several organizations whose customer or employee information had been exposed on P2P networks. That press release is available here.
 

Illinois Enacts New Law Governing Employer's Use of Credit History

This post was written by Alysa Hutnik and Megan Olsen

On August 10, 2010, Illinois enacted H.B. 4658, the Employee Credit Privacy Act, which governs the use of credit information for employment purposes. The new law makes it an unlawful employment practice for an employer to:

  • Fail to hire or recruit, discharge, or otherwise discriminate against an individual because of the individual’s credit history;
  • Inquire about an applicant’s or employee’s credit history; or
  • Obtain an applicant’s or employee’s credit report from a consumer reporting agency.

Employers may still use credit history for employment decisions if satisfactory credit history is an established bona fide occupational requirement. Significantly, this exception includes situations where the employee has access to confidential information (e.g., personal or financial information), as well as where state or federal law requires bonding or other security covering an individual holding the position, the individual has unsupervised access to business assets valued over a certain amount, or the position is a managerial position that involves setting the direction or control of the company. The new law also allows employers to continue to conduct background investigations on employees or potential employees as long as that investigation does not involve information on credit history.

Illinois’s law will go into effect on January 1, 2011, making it the fourth state to restrict employers’ use of an individual’s credit history for hiring decisions (Oregon enacted a law earlier this year, and Hawaii and Washington had previously enacted similar laws in 2009 and 2007 respectively).
 

FTC Proposes New Model FCRA Notices

The FTC has announced proposed revisions to its model notices for consumers, users, and furnishers of information under the Fair Credit Reporting Act (FCRA). The changes are designed to reflect new rules promulgated under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and to make the notices more useful to recipients. Revisions have been proposed for: 1) the Summary of Rights for consumers; 2) the Notice of Furnisher Responsibilities; and 3) the Notice to Users. The FTC is accepting public comment on the proposed changes until September 21, 2010. The FTC’s news release, proposed notices, and Federal Register notice are available at: http://www.ftc.gov/opa/2010/08/fcra.shtm.

PCI Security Standards Council to Release Updated Security Standards: PCI DSS 2.0 and PA-DSS 2.0

On Thursday, August 12, 2010, the Payment Card Industry Security Standards Council (PCI SSC) released a document highlighting proposed revisions to the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). These revisions will not include significant changes to the current standards, but seek to:

  • Provide clarity on the requirements, scoping, and reporting;
  • Improve flexibility for merchants to comply with the requirements;
  • Address new and evolving risks;
  • Incorporate industry best practices; and
  • Eliminate redundancies.

The PCI SSC expects to provide a detailed summary of the changes and pre-release versions of the standards to internal participants in early September.  PCI DSS 2.0 and PA-DSS 2.0 should be released to the public on October 28, 2010, and will become effective on January 1, 2011.

Merchants, payment card processors, and payment application developers should continue to watch these developments to ensure that their services remain compliant with the standards.

Congress Explores Consumer Privacy Protection

The emergence of privacy legislation from several committees in both chambers of Congress in the past months, combined with the ongoing FTC scrutiny of existing privacy practices of companies during the past year, reflects a growing concern for consumer privacy that may well lead to the establishment of standardized data security and data privacy regulations in the United States.

On Thursday, July 22, 2010, the House Energy and Commerce Committee’s Subcommittee on Commerce, Trade, and Consumer Protection, chaired by Representative Bobby Rush (D-IL), conducted a hearing to discuss the Chairman’s recently introduced H.R. 5777 – “Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (The Best Practices Act). Witnesses included key stakeholders on privacy policy – representatives from privacy advocacy organizations and private industry, and notably, David Vladeck, Director of the FTC’s Bureau of Consumer Protection.

The Senate Committee on Commerce, Science, and Transportation held its hearing regarding online privacy practices and the future of consumer privacy protection on Tuesday, July 27, 2010. Witnesses included FTC Chairman Jon Leibowitz, FCC Chairman Julius Genachowski, as well as representatives from Google, Apple, and Facebook.

Click here to read more about the new direction of privacy regulation in the Kelley Drye client advisory.

Scrutiny on Payment Card Data Pass

On April 27, Visa announced a new rule to expressly restrict online marketers from sharing cardholder information with other companies without the consumer’s knowledge or active consent – a practice referred to as “data pass.” And on May 19, Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) proposed legislation (S. 3386), entitled “The Restore Online Shoppers’ Confidence Act,” which would prohibit companies from enrolling consumers in paid-subscription programs unless the consumers separately provided full payment card numbers to each company presenting an offer and affirmatively agreed to each offer. An article in the most recent BNA Privacy & Security Law Report, “Scrutiny on Payment Card Data Pass: Raising the Profile of Personal Information Sharing Among Marketers,” discusses the new restrictions on payment card data pass, and the areas of risk going forward for companies that continue to engage in the same or similar personal data sharing practices with third parties for marketing purposes when the practice is not clearly disclosed and agreed to by consumers.

Representative Boucher Introduces Privacy Legislation

This post was written by Dana B. Rosenfeld and Megan L. Olsen.

On May 4, 2010, Rep. Rick Boucher (D-VA), the House Energy and Commerce Communications, Technology, and the Internet Subcommittee Chairman, and Rep. Cliff Stearns (R-FL), the Ranking Member of the Subcommittee, released a discussion draft of a privacy bill intended to address concerns about online behavioral advertising and place limits on how consumer personal information is collected, used, and disclosed. The bill would require organizations that collect consumer information to (1) clearly and conspicuously disclose privacy policies; (2) allow consumers to opt out of information collection and sharing and, in some instances, require the consumers’ express affirmative consent to the information practices; and (3) allow the FTC to adopt rules to implement and enforce the bill’s requirements.

The release of the draft bill follows increased legislative and regulatory scrutiny over consumer privacy protection measures—a topic that was extensively explored in recent House Energy and Commerce Committee hearings, in the Federal Trade Commission’s (FTC) recent series of privacy roundtables (see our previous posts here, here, and here), and addressed, at least partially, in the FTC’s April 26, 2010, announcement (see previous post) that it intends to develop Internet privacy guidelines. All of these efforts underscore that regulation of business practices concerning consumer information will likely remain at the forefront for the near future. A more detailed analysis of the Boucher/Stearns bill will be available through Kelley Drye and Warren's Advertising practice client advisories.

FTC Plans for Internet Privacy Framework

This post was written by Christopher M. Loeffler and Alysa Z. Hutnik.

On Tuesday, April 26, 2010, the Federal Trade Commission (FTC) announced that it intends to develop Internet privacy guidelines. The guidelines will examine social networking sites' data handling practices and create a framework to guide social networks and others going forward. Given the FTC's recently concluded Privacy Roundtables (see our posts here, here and here) and pending action items from the roundtables, the guidelines for social networks may provide a foundation for further FTC privacy guidance for businesses down the road.

The FTC's recent announcement follows complaints by US and international lawmakers and regulators regarding the privacy practices of several online companies. Senators Schumer (D-NY), Franken (D-MN), Bennet (D-CO), and Begich (D-AK) sent a letter to Facebook, expressing concern about the changes Facebook made to its privacy policy that make more user information publicly available, permit third parties to store users' information indefinitely, and allow for Facebook technology to be integrated with other websites. The Senators also called on the FTC to issue rules or guidance in this area. As noted previously, international regulators also recently sent a letter to Google expressing concern about its privacy practices.

While privacy laws have been in flux for some time, these events underscore how rapidly the regulatory environment for online businesses is changing, and a close watch on the FTC's actions and guidance will be critical to navigate the compliance road ahead.

10 Data Protection Regulators Issue Letter to Google

This post was written by Christopher M. Loeffler and Alysa Zeltzer Hutnik.

On April 19, 2010, data protection authorities from Canada, France, Germany, Ireland, Israel, Italy, Netherlands, New Zealand, Spain, and the United Kingdom sent a letter to Google indicating their disappointment and concern related to Google's privacy practices. The letter called out the Google Buzz social networking application, stating that it "violated the fundamental principle that individuals should be able to control the use of their personal information," and noted that privacy concerns were previously raised with the launch of Google Street View.

The groups commented: "Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world."  Lastly, the groups urged Google to incorporate fundamental privacy principles into the design of its online services including:

  • Collect and process only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • Provide clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • Create and apply default settings that are privacy-protective;
  • Ensure that privacy control settings are prominent and easy to use;
  • Ensure that all personal data is adequately protected; and
  • Provide simple procedures to delete accounts and honor these requests in a timely manner.

Members from Canada, France, Israel, Netherlands, and Spain will hold a press conference in Washington, D.C. today to address the initiative.   As a practical matter, businesses should consider these concerns and recommendations when launching new online services and applications.

Maine Repeals Law Prohibiting Marketing to Children

In a post last month, we wrote that a Maine legislative committee had voted to repeal a recently-enacted online marketing law and predicted that the full legislature would soon repeal the law. Since then, Maine Governor John Baldacci signed an emergency measure to repeal the law.

Among other things, the Act To Prevent Predatory Marketing Practices Against Minors had prohibited companies from knowingly collecting personal information from minors under 18 without parental consent. Although the Maine Attorney General had opined that the law might be unconstitutional and committed not to enforce the law, there had been a threat that private plaintiffs would use the law to challenge companies. Now that the law has been repealed, however, that threat is no longer present.

Mississippi Enacts Data Breach Notification Law

This post was written by Christopher M. Loeffler and Alysa Zeltzer Hutnik.

On April 7, 2010, Mississippi enacted a data breach notification law that requires any person who conducts business in the State of Mississippi, and who, in the ordinary course of the person's business functions, owns, licenses, or maintains personal information of any resident of Mississippi, to provide notice in the event of a data security breach. This law tracks the general language of data breach notification laws already enacted in 45 other states and the District of Columbia. The law will become effective on July 1, 2011.
 
Failure to comply with the law is considered an unfair trade practice and may be enforced by the Mississippi Attorney General.  Notably, there is no private right of action.  Under the state statutes prohibiting unfair or deceptive acts or practices, the Attorney General may seek injunctive relief, and for knowing or willful violations, a civil penalty up to $10,000 per violation.  The Attorney General may also seek criminal penalties including fines and imprisonment for knowing or willful violations.
 
This law continues the trend of data security legislation at the state level.  See previous posts here and here.  It is a good reminder for businesses that their information security practices are subject to a patchwork of state and federal regulations, and they should examine not only what they are doing to ensure compliance with data breach notification laws, but also what their safeguarding and data handling practices are as well.

FTC Holds Final Privacy Roundtable

On March 17, 2010, the Federal Trade Commission (FTC) held the third and final discussion in its roundtable series, Exploring Privacy. Panel topics focused on Internet Architecture and Privacy, Health Information, Addressing Sensitive Information, and Lessons Learned and Looking Forward.

The FTC intends to use the information gathered from these roundtables to restructure and guide its privacy agenda. Next steps for the FTC may include extending the application of fair information practices, increasing enforcement of unfair and deceptive privacy practices, and developing privacy models and frameworks to address new technologies and business models. FTC officials have stressed, however, that the Commission will review and analyze the information received through the roundtables and other channels before adopting any specific policies or initiatives.


Maine Committee Votes to Repeal Law Prohibiting Marketing to Children

This month, a Maine legislative committee voted to repeal a controversial online marketing law that was enacted just last year. Among other things, the law, entitled “An Act To Prevent Predatory Marketing Practices Against Minors,” prohibits companies from knowingly collecting personal information or health-related information from minors under 18 without parental consent.

Shortly after the law was enacted, a group of plaintiffs filed suit arguing that the law was unconstitutional. Maine Attorney General Janet Mills acknowledged that the law was “not presently enforceable” and the case was later dismissed. In the court order, the judge wrote the Attorney General had "acknowledged her concerns over the substantial overbreadth of the statute and the implications of [the law] on the exercise of First Amendment rights, and accordingly has committed not to enforce it."

The Maine legislature must still vote on the repeal in order to make it effective. But given the constitutional problems with the law and the inevitable challenges that would be filed against the law should it be enforced, we expect the law to be repealed within the coming weeks.

 

Washington State Enacts PCI Bill

Washington has enacted a statute, which we first discussed in a prior blog post, to provide financial institutions with a cause of action against certain entities involved in payment card transactions that fail to take reasonable care to guard against unauthorized access to account information where that failure is found to be the proximate cause of the breach. The law goes into effect on July 1, 2010.

For more information about how the new law applies to businesses, processors and vendors, please reference the Kelley Drye Client Advisory.

Washington on the Verge of Enacting PCI Bill

Earlier this month, the Senate and House of Representatives in Washington passed a new PCI bill, HB 1149. The bill now awaits the Governor’s signature but, if signed into law, will provide financial institutions with a cause of action against businesses or payment processors that fail to take reasonable care to guard against unauthorized access to account information where that failure is found to be the proximate cause of the breach. This new cause of action in Washington is similar to the existing statute in Minnesota and shows that payment card industry data security standards (“PCI DSS”) compliance continues to be codified on a state by state basis. If the bill is signed, the law will go into effect July 1, 2010.

Under the bill, account information is defined as: (i) the full, unencrypted magnetic stripe of a credit card or debit card; (ii) the full, unencrypted account information contained on an identification device (an “identification device” is defined as “an item that uses radio frequency identification technology or facial recognition technology”); or (iii) the unencrypted primary account number on a credit card or debit card or identification device in combination with an unencrypted cardholder name, expiration date, or service code. The bill also provides that a processor or business suffering a data breach of its account information may now be liable to a financial institution for “reimbursement of reasonable actual costs related to the reissuance of credit and debit cards” incurred by the financial institution as part of efforts to mitigate current or future damages to its cardholders.

Notably, the bill exempts processors, businesses, and vendors from liability if the account information was encrypted at the time of the breach or if the business was “certified compliant with the payment card industry data security standards” in effect at the time of the breach. A business is considered compliant if its PCI DSS compliance was validated by an annual security assessment conducted no more than one year prior to the breach. If signed into law, the bill will represent another incentive for companies to become PCI DSS compliant and another area of potential liability in the absence of such certification.
 

Italian Court Convicts Google Executives of Privacy Violations

On February 24, 2010, an Italian court convicted three Google executives for violation of Italy's privacy laws resulting from a video that was posted to Google Video showing a group of teenagers bullying another teenager with disabilities. Judge Oscar Magi sentenced Google Global Privacy Counsel Peter Fleischer, Chief Legal Officer David Drummond, and former Google CFO and board member George Reyes to six-month suspended jail sentences and fines. The executives were acquitted of criminal defamation charges. This appears to be one of the first cases in which a privacy executive has been held personally liable for the actions of a site's users.

The prosecutors alleged that the executives did not take sufficient actions to keep the video off of Google's site, despite the fact that Google received only two complaints about the video, and it was taken down less than 24 hours after being posted.  Prosecutors stated that Google should have obtained consent from each party involved before permitting the video to be posted.  European law provides a safe harbor for ISPs and does not hold them liable for third party content, provided the ISP takes down any content that someone complains about and is considered offensive.

Members of the technology and privacy communities have described the decision as "terrible," "astonishing," and "troubling."  One commenter stated: "It is like prosecuting the post office for hate mail that is sent in the post."

If upheld on appeal, this decision could dramatically affect internet freedom.  It appears to continue Italy's strong consumer protection stance and attempted regulation of social media. In a previous post, we noted the recent draft decree issued by the Italian government that would require social media sites to screen all posted content that may be harmful to minors.

Although the Google executives will appeal the conviction, the case demonstrates that the Internet makes it easy to take actions globally, but what is permitted in the U.S. does not always work everywhere.

FTC Warns Companies of Data Leaks on Peer-to-Peer File Sharing Networks

This post was written by Dana B. Rosenfeld and Christopher M. Loeffler.

On February 22, 2010, the Federal Trade Commission (“FTC”) announced that it notified nearly 100 organizations that personal information about the organizations’ customers or employees is available on peer-to-peer (“P2P”) file sharing networks. [1] Through an Internet-wide sweep, the FTC discovered that sensitive data such as health-related information, financial records, drivers’ license numbers, and Social Security numbers have been shared from organizations’ computer networks and are accessible to those who may use the data for illegal practices such as fraud or identity theft. The Commission has not publicly identified which organizations were notified, but it stated that letters were sent to large and small private and public entities, including schools and local governments.


Behavioral Advertising Icon Adopted

This post was written by Kristin A. Hird and Dana B. Rosenfeld.

A broad coalition of advertising associations has agreed on a standard icon – a white “i” surrounded by a circle on a blue background dubbed the “Power I” – which will be added to websites and will link consumers to a page explaining how the advertiser uses their demographics and behavioral data to send certain ads. Developing the new symbol is part of self-regulatory principles agreed to by major advertising groups including the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in an effort to address the FTC’s concerns about the behavioral advertising industry’s activities.

There is no legal requirement that the groups’ members adopt the icon but the advertising coalition expects that most of its members, including many major online retailers, will begin running it by midsummer. It is anticipated that the icon will initially appear with phrases such as “Why did I get this ad?” and the Interactive Advertising Bureau has started an online advertising campaign to explain the icon to consumers. The idea is to establish an immediately recognizable and trusted symbol as well as provide a link to information.

It’s yet to be seen how widespread implementation of the self-regulatory principles will be by the coalition’s members, much less whether the coalition’s steps will be sufficient to ward off regulation by the FTC. But keep an eye out for the little blue icon appearing on websites this summer.
 

FTC Continues to Explore Consumer Privacy Protection Measures

On January 28, 2010, the Federal Trade Commission (FTC) held its second consumer privacy roundtable, focusing on technology’s effect on consumer privacy and its potential to both weaken and strengthen privacy protection. Similar to the first roundtable, the FTC’s second roundtable featured discussions by industry leaders, consumer groups, academics, and government representatives. The discussion continued to focus on whether the FTC’s current privacy paradigm, particularly the notice and choice model, sufficiently protects consumers and allows them to understand and control how personal information is collected and used.


FTC Expresses Interest in Facebook's Privacy Practices

On Tuesday, January 19, 2010, the Electronic Privacy Information Center (EPIC) publicly posted a copy of a letter from the Federal Trade Commission (FTC) that responds to a complaint filed by 10 privacy rights organizations regarding Facebook's changes to its privacy settings. In the letter, David Vladeck, director of the FTC's Bureau of Consumer Protection, noted that the "complaint raises issues of particular interest for us at this time," and referenced the privacy roundtables that the FTC is hosting to explore consumer privacy protection challenges, existing fair information practices, and the creation of a new privacy regulatory framework. A summary of the first privacy roundtable is available here.

While there is no indication as to whether the FTC is currently investigating Facebook, as any investigation would remain non-public until the FTC files a complaint or closes the investigation, this is not the first time Facebook has come under fire for its privacy practices.  In 2008, a class action complaint was filed against Facebook alleging violations of various federal privacy and computer fraud laws, as well as California consumer protection and computer crimes laws, arising out of Facebook's Beacon program.  It was alleged that under the Beacon program, information about Facebook users' online purchases with Facebook's partners was shared with the users' network without the users' consent and used in targeted advertising.  A $9.5 million settlement agreement is pending approval by the court.

If your company maintains information about your customers, check with your legal counsel before adjusting privacy practices that could result in new or different customer information being shared.

Nevada and New Hampshire Add Data Security and Privacy Laws

New privacy and data security laws took effect in Nevada and New Hampshire on January 1, 2010, continuing the trend of state governments acting to strengthen data security laws. Nevada’s law makes it the first state to mandate compliance with the entire Payment Card Industry Data Security Standard (PCI DSS) and imposes a requirement on businesses and government agencies to encrypt sensitive data transmitted or carried outside of the premises of the business or agency. New Hampshire’s law first sets forth restrictions regarding the use and disclosure of personal health information for marketing or fundraising purposes and then sets forth a disclosure requirement if there is unauthorized use or disclosure of protected health information in violation of New Hampshire law, even if the use or disclosure is allowed under federal law.


FTC Debates Online Privacy Protection: Agency Seeks to Incorporate Views of Regulators, Industry Leaders, and Academics into Comprehensive Privacy Protection Model

On December 7, 2009, the Federal Trade Commission ("Commission" or "FTC") hosted a privacy forum, "Exploring Privacy: A Roundtable Series," addressing consumer privacy protection challenges, existing fair information practices, and the creation of a new privacy regulatory framework.  December's roundtable, held in Washington, D.C., was the first of three roundtables organized by the FTC focusing on consumer privacy protection.

Panelists in the first roundtable discussed a broad range of privacy-related issues, including emerging technologies' impact on consumer privacy, consumer expectations and knowledge of privacy protection, online behavioral advertising, regulation of information brokers, existing privacy regulatory frameworks, and privacy protection measures moving forward.


Insights From Kelley Drye's 2nd Annual Privacy Law Seminar

On November 17, 2009, Kelley Drye & Warren hosted a seminar and webcast, “Privacy Law Paradigm Shift: Policymakers Respond to Rapidly Evolving Technologies,” addressing new developments in privacy and information security law, regulation, and enforcement. Kelley Drye Partner Tom Cohen and Of Counsel Jodie Bernstein opened the seminar with an overview of privacy law and a history of the Federal Trade Commission’s enforcement priorities. Nine experts from the government and private sector spoke during three different panel sessions: The New Privacy Paradigm, Developments in Data Security, and Privacy and New Technologies. This advisory provides an overview of the key take-aways from each panel.

A webcast recording is also available to view online.
