Presenters. Practical Tips for Avoiding Privacy Enforcement and Lawsuits

Transcription

1 Practical Tips for Avoiding Privacy Enforcement and Lawsuits Sheila A. Millar Partner Keller and Heckman LLP 1001 G Street, N.W. Washington, DC millar@khlaw.com July 14, 2011 Tracy P. Marshall Partner Keller and Heckman LLP 1001 G Street, N.W. Washington, DC marshall@khlaw.com Washington, D.C. Brussels San Francisco Shanghai Douglas J. Behr Partner Keller and Heckman LLP 1001 G Street, N.W. Washington, DC behr@khlaw.com Presenters Sheila A. Millar is a Partner at Keller and Heckman and counsels corporate and association clients on a range of consumer protection regulatory and public policy matters. Ms. Millar advises clients on privacy and security policies and programs, data breach responses, data transfers and cloud computing. She also counsels clients on privacy and regulatory compliance aspects of promotions, social media policies, website terms and online sales. Noted for her expertise on children's issues, Ms. Millar has participated in Federal Trade Commission (FTC) workshops on children's privacy and advertising literacy. 2 1

2 Presenters Tracy P. Marshall is a Partner at Keller and Heckman LLP. She assists for-profit and nonprofit clients with a range of business and regulatory matters. In the Internet, privacy, and advertising areas, Ms. Marshall provides counsel on e-commerce transactions and online promotions, privacy and data security policies and programs, and data breach management. 3 Presenters Douglas Behr practices civil litigation and white collar criminal defense. Mr. Behr represents business, trade associations, and individuals before federal and state trial and appellate courts, regulatory bodies, and licensing forums with a concentration on Lanham Act false advertising, contract disputes, white collar crime defense, product liability, and trade regulation controversies. He also advises members of the business community on litigation avoidance. 4 2

3 Preliminary Word This presentation provides information about the law. Legal information is not the same as legal advice, which involves the application of law to an individual's specific circumstances. The interpretation and application of the law to an individual s specific circumstance depend on many factors. This presentation is not intended to provide legal advice. The information provided in this presentation is drawn entirely from public information. The views expressed in this presentation are the authors alone and not those of the authors clients. 5 Upcoming Webinars July Toward Privacy by Design: Smart Grid and Other Technologies 6 3

4 The Issues Privacy related enforcement and litigation is on the rise Many class action suits Many actions based on data breaches, collection of data related to web browsing activities, unfair or deceptive acts/ practices Major settlements have been reached Cases set precedents 7 Agenda Overview of Federal and State Laws FTC and State Enforcement Class Action Lawsuits Best Practices 8 4

5 OVERVIEW OF RELEVANT LAWS 9 Federal Privacy Laws Electronic Communications Privacy Act (ECPA) Computer Fraud and Abuse Act (CFAA) Video Privacy Protection Act (VPPA) Gramm-Leach-Bliley Act (GLBA) Fair Credit Reporting Act (FCRA); Fair and Accurate Credit Transactions Act of 2003 (FACTA); FTC Red Flags Rule Health Information Portability and Accountability Act (HIPAA) CAN SPAM Act Telemarketing Laws Children s Online Privacy Protection Act (COPPA) FTC Act 10 5

6 State Statutory Claims Data Breach Notification Data Security Social Security Numbers Records Destruction Mini-FTC Acts State Analogues to ECPA and CFAA 11 State Common Law Claims Negligence Breach of Contract Trespass to Chattels Invasion of Privacy Unjust Enrichment 12 6

7 Who Can Bring an Action Federal Trade Commission Department of Health and Human Services Department of Justice State Attorneys General Private Plaintiffs 13 Common Remedies Civil penalties Injunctive relief Attorney s fees Training Implementation of programs (e.g., information security, privacy programs) Periodic audits 14 7

8 FEDERAL AND STATE AGENCY ENFORCEMENT 15 FTC Overview Bureau of Consumer Protection Division of Privacy and Identity Protection enforces Section 5 of the FTC Act, FCRA, GLB Act, COPPA, CAN SPAM, Do-Not-Call, etc. In the last 15 years, the FTC has brought 97 CAN SPAM cases ($5.7 million in civil penalties) 86 FCRA cases ($21 million in civil penalties) 64 Do-Not-Call cases ($60 million in civil penalties) 34 data security cases 16 COPPA cases ($6.2 million in civil penalties) 15 spyware (or nuisance adware) cases Where the FTC does not have authority to seek civil penalties (e.g., for data security and spyware violations), it has sought authority from Congress 16 8

9 FTC Act Section 5 governs unfair and deceptive acts/ practices Actions for violations of privacy or security promises (e.g., statements in online privacy policies) Actions for breaches of data security under unfairness authority FTC enforcement activities sometimes coordinated with state Attorneys General acting under their little FTC acts 17 FTC Complaint: Ceridian Corporation, FTC Docket No. C-4325 Customers enter employees PI on Powerpay website to compute payroll amounts and process payroll checks and direct deposits Claims on website: Our comprehensive security program is designed in accordance with ISO series standards, industry best practices and federal, state and local regulatory requirements Contract covenants: [Ceridian] shall use the same degree of care as it uses to protect its own confidential information of like nature, but no less than a reasonable degree of care, to maintain in confidence the confidential information of the [customer] Ceridian failed to provide reasonable and appropriate security for PI Hackers initiated SQL injection attack and exported information of at least 28,000 individuals, including bank account numbers, SSNs, and DOBs The acts and practices constitute unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act 18 9

10 Ceridian s Failure to Provide Reasonable and Appropriate Security for PI Stored PI in clear, readable text Stored PI indefinitely without a business need Did not adequately assess the vulnerability of web applications and network to commonly known or reasonably foreseeable attacks, such as SQL attacks Did not implement readily available, free or lowcost defenses to such attacks Failed to employ reasonable measures to detect and prevent unauthorized access to PI 19 FTC Complaint: Lookout Services, Inc., FTC Docket No. C-4326 I-9 Solution web-based computer product collects and stores information from or about its customers employees Statements in marketing materials: your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access. Lookout failed to provide reasonable and appropriate security for PI Weak authentication practices and web application vulnerabilities enabled a customer s employee to gain access to PI for > 37,000 consumers 20 10

11 Lookout s Failure to Provide Reasonable and Appropriate Security for PI Failed to establish or enforce rules sufficient to make user IDs and passwords hard to guess Failed to require periodic changes of user credentials, e.g., every 90 days, for customers and employees with access to sensitive personal information Failed to suspend user credentials after a number of unsuccessful login attempts Did not adequately assess and address the vulnerability of the web application to widely-known security flaws Allowed users to bypass authentication procedures on website when they typed in a specific URL Failed to detect and prevent unauthorized access to computer networks, e.g., by employing an intrusion detection system and monitoring system logs Created an unnecessary risk to PI by storing passwords used to access the I-9 database in clear text 21 FTC Complaint: Twitter, Inc., FTC Docket No. C-4316 Most employees authorized to exercise administrative control of the system, including the ability to reset passwords, view nonpublic tweets and nonpublic user information, and send tweets on behalf of a user Employees entered administrative credentials into the same webpage where users logged in Employees instructed to use personal account for company business, and s from Twitter employees displayed the employee s personal address Twitter privacy policy: Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access. Twitter failed to prevent unauthorized control of the system 22 11

12 Twitter s Failure to Prevent Unauthorized Administrative Control of the System Twitter failed to Require use of hard-to-guess administrative passwords not used for other programs, websites, or networks Prohibit employees from storing passwords in plain text within personal accounts Suspend or disable administrative passwords after a number of unsuccessful login attempts Provide administrative login webpage for authorized persons separate from login page for users Enforce periodic changes of administrative passwords Restrict access to administrative controls to employees whose jobs required it 23 FTC Complaint: Google, Inc., FTC File No Draft Complaint and Consent Order Gmail Privacy Policy: When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use. Company used information collected from Gmail users to generate and populate Google Buzz social network without obtaining prior consent, in contravention of Google s privacy policy Google maintained a U.S.-EU Safe Harbor self-certification, but did not adhere to the Safe Harbor Principles of Notice and Choice 24 12

13 Ceridian, Lookout, Twitter, and Google FTC Consent Orders Do not misrepresent the extent to which the company maintains and protects the privacy, confidentiality, or integrity of PI Establish, implement, and maintain a comprehensive written information security program Designate employees Identify risks to PI Design and implement reasonable safeguards to control the risks Regularly test or monitor the effectiveness of the safeguards Select service providers capable of safeguarding PI and require service providers by contract to implement and maintain appropriate safeguards Evaluate and adjust the program as necessary Obtain independent, third party security audits Set forth administrative, technical, and physical safeguards Explain how the safeguards are appropriate to the company s size and complexity, nature and scope of activities, and sensitivity of PI Explain how the safeguards meet or exceed the protections required Certify that the company s security program is effective to provide reasonable assurance that PI is protected Ceridian, Lookout, and Google: Every 2 years for 20 years Twitter: Every 2 years for 10 years 25 Additional Terms in Google Consent Order Prior to any new/ additional sharing of a user s information with a third party that is different from practices in effect at the time the information was collected, Google must disclose: That the user s information will be disclosed to one or more third parties Identity or specific categories of third parties Purpose(s) for sharing, and Google must obtain express affirmative consent to sharing Google must not misrepresent its affiliation with the U.S.-EU Safe Harbor Framework or any other compliance program sponsored by the government or a third party 26 13

14 HHS HIPAA Enforcement: Cignet Investigation by HHS Office for Civil Rights (OCR) for HIPPA violations Cignet denied 41 patients access to their medical records upon request, and patients filed complaints with OCR, initiating investigations Cignet refused to respond to OCR s demands to produce records and failed to cooperate with OCR s investigations OCR filed petition to enforce subpoena in U.S. District Court and obtained a default judgment; Cignet produced the records, but made no effort to resolve the complaints informally Notice of Final Determination: $4.3 million penalty (February 2011) $1.3 million for violation of HIPAA Privacy Rule $3 million for failure to cooperate with OCR/ willful neglect to comply with Privacy Rule Penalty is the first issued by HHS for HIPAA Privacy Rule violations 27 Joint HHS/FTC Enforcement: Rite Aid Corporation Joint investigation by HHS OCR (violations of HIPPA Privacy Rule) and FTC (violations of Section 5 of the FTC Act) Pharmacies disposed of prescriptions and labeled pill bottles containing individuals protected health information in trash bins accessible to the public HHS Resolution Agreement (June 2010) Physical and administrative safeguards not adequately designed to appropriate and reasonably safeguard the PHI No training or sanctions policy for employees who failed to comply Each RAC entity must pay $1 million and implement a corrective action program for 3 years FTC Complaint (November 2010) RAC failed to implement policies and procedures to dispose securely of PI, adequately train employees, assess compliance with its policies and procedures, and employ a reasonable process for discovering and remedying risks to PI RAC made falsely represented that it implemented reasonable and appropriate measures to protect PI and failed to employ reasonable and appropriate security measures Practice is an unfair or deceptive act or practice, in violation of Section 5(a) of the FTC Act FTC Consent Order (November 2010) Same terms as Ceridian and Lookout 28 14

15 MA Data Breach Settlement First enforcement of MA data security regulations Attorney General settlement with the Briar Group, LLC over breach of credit card information for tens of thousands of consumers Hackers accessed the Briar Group s computer systems in April 2009 and misappropriated data; malcode not removed until December 2009 Settlement Terms Pay $110,000 in civil penalties Comply with MA data security regulations Comply with Payment Card Industry Data Security Standards Establish and maintain an enhanced network security system 29 IN Data Breach Settlement Attorney General settlement with WellPoint Inc. over company s failure to notify customers and the AG s office without unreasonable delay following a data breach affecting > 32,000 residents Applications for insurance policies containing SSNs, financial information and health records were accessible through an unsecured website for at least 137 days WellPoint was notified in February 2010 and March 2010 that records were accessible, but did not notify customers until June 2010 Settlement Terms Pay $100,000 to State for Consumer Assistance Fund Comply with IN security breach law Admit the breach and failure to properly notify Provide up to 2 years of credit monitoring and identity theft protection services to affected consumers Reimburse consumers up to $50,000 for any ID theft losses due to the breach 30 15

16 Responding to an Agency Action Similar processes for federal agencies and state Attorneys General Institute a litigation hold Open dialogue immediately Get the facts Respond promptly Form alliances, where appropriate and available Recognize failings 31 CLASS ACTION LAWSUITS 32 16

17 Common Causes of Action Use of cookies, flash cookies, and other technologies to track online consumer behavior Alleged violations of CFAA, ECPA, VPPA, state computer crime laws, state invasion of privacy laws, unjust enrichment Data breaches Alleged breach of warranty, breach of contract, negligence, and violations of state security requirements 33 Major Class Action Settlements Clearspring and Quantcast Alleged violations of CFAA, ECPA, VPPA, CA computer crime law, CA Invasion of Privacy Act, unjust enrichment $2.4 million Paid to non-profit organizations dedicated to promoting consumer privacy awareness Facebook Beacon Alleged violations of CFAA, ECPA, VPPA, CA computer crime law $9.5 million Lawyers received about 30% Remainder deposited in online privacy fund Google Buzz Alleged violations of CFAA $8.5 million Lawyers received about 30% Remainder deposited in online privacy fund 34 17

18 Flash Cookies: Clearspring and Quantcast In Re Clearspring Flash Cookie Litigation, No. cv-05948; In Re Quantcast Advertising Cookie Litigation, No. cv $2.4 million settlement reached in December 2010 Class action brought against Quantcast and Clearspring and their flash cookie affiliates (publishers) Companies stored flash cookies on users computers to collect information from and about them In some cases, if users deleted third party cookies, the companies used information stored in flash cookies to respawn the information stored in the deleted cookies Companies must refrain from using flash cookies to Respawn browser cookies Serve as an alternative to browser cookies for tracking user activities unrelated to the delivery of content through the Flash Player without adequate disclosure Otherwise counteract a user's decision to delete previously created HTTP cookies 35 La Court v. Specific Media, Inc. Case No. cv (C.D. Cal. 2010) Similar to Quantcast and Clearspring Complaint alleged that Specific Media violated consumer privacy by using flash cookies to capture online behavioral information Court granted Motion to Dismiss in April 2011 Plaintiffs did not have standing to sue because they did not allege or show actual injury 36 18

19 History Sniffing Several lawsuits filed in 2010 against InterClick, McDonald s, adult websites and others Pitner et. al. v. Midstream Media Int l, N.V., No. 8:10-cv (C.D. Cal. Dec. 6, 2010) California residents filed suit against the adult website, YouPorn, alleging that the website violated cybercrime and consumerprotection laws by using technology to harvest information about what websites users had visited Bose v. InterClick, Inc., 10 CV 9183 (S.D.N.Y.) Suit alleges that InterClick invaded Plaintiff's privacy, misappropriated her personal information, and interfered with the operability of her computer when using Flash cookies and history-sniffing techniques to stop her attempts to prevent online tracking 37 Issues and Possible Defenses Examine how flash cookies and data obtained through the use of flash cookies is used by the company and third party service providers Confirm the data being collected, by whom and for what purpose, how it remains anonymous, whether there is any linkage with personal information, and applicable retention periods Describe use of cookies and other technologies to collect data in website privacy policy so that users are on notice and could be deemed to have consented based on the privacy policy Plaintiffs must have legal standing to sue, i.e., a sufficient injury-in-fact Certain laws, such as CFAA and computer trespass statutes, require damages (e.g., lost profits) New developing arguments, such as individuals property rights in their personal data, are designed to overcome this problem No unjust enrichment if flash cookies are used to collect data, especially if data is not shared with third parties or used for any commercial purpose 38 19

20 Dispute Resolution Address dispute resolution in website terms and conditions Require arbitration of disputes Limit right to individual disputes/ bar class actions AT&T Mobility LLC v. Concepcion, 563 U. S. (April 27, 2011) U.S. Supreme Court upheld AT&T s contract clause prohibiting class-wide arbitration 39 Anatomy of Two Data Breaches: Epsilon and Sony April 1, 2011 Epsilon data breach Acquisition of names and addresses for > 60 million of Epsilon business clients customers April 6, 2011 Epsilon notified consumers of breach April 19, 2011 Sony Playstation data breach Acquisition of names, addresses, addresses, passwords, and birthdates of > 77 million consumers April 26, Sony notified consumers of breach April 27, 2011 First class action lawsuit filed against Sony May 2, 2011 Another data breach affecting Sony Online Entertainment Acquisition of names, addresses, addresses, birth dates, passwords, and logins for > 30 million consumers May 4, 2011 House Subcommittee on Commerce, Manufacturing, and Trade hearing on The Threat of Data Theft to American Consumers. June 2, 2011 House Subcommittee on Commerce, Manufacturing, and Trade hearing on Sony and Epsilon: Lessons for Data Security Legislation 40 20

21 Sony Data Breach Lawsuits First lawsuit filed 1 day after notice of breach; dozens of lawsuits filed in U.S. federal courts Alleged that Sony failed to take reasonable care to protect, encrypt, and secure data and delayed breach notifications to consumers Claims for breach of warranty, breach of contract, negligence, and violations of state security requirements Seeking monetary compensation, equitable relief (replacement and/or recall of defective PlayStation consoles), attorney s fees Seeking class action status Cortorreal et al v. Sony Corporation Inc. et al, No (S.D.Cal. June 20, 2011) Alleged that Sony laid off several employees in network security unit just weeks before the breach and that the company protected corporate data, but not consumer data Alleged violations of CA Consumer Legal Remedies Act and Unfair Competition Law, ECPA, negligence, breach of contract, breach of fiduciary duty Seeking monetary compensation, equitable relief, credit monitoring, attorney s fees Seeking class action status 41 Implications Several federal data breach notification laws introduced FTC supports federal law Major issues Data security measures Timing of notifications Federal preemption Privacy right of action 42 21

22 Best Practices 43 FTC Guidance A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010) Build in Privacy by Design Give consumers choice Be transparent about practices Educate consumers about privacy Protecting Personal Information: A Guide For Business Take stock: Know what personal information you have in your files and on your computers Scale down: Keep only what you need for your business Lock it: Protect the information Pitch it: Properly dispose of what you no longer need Plan ahead: Create a data breach response plan 44 22

23 Know, Say, Do Approach Know what you do Know what information is collected, through what technologies, and how it is used Determine whether the data is personal/ nonpersonal; linkage to personal data; necessity of the information Say what you do Review and update privacy polices Do what you say Periodic reviews essential to make sure that new technologies, marketing initiatives do not involve data collection or practices that violate policies 45 Compliance Tools Adopt written plans Build privacy and security awareness Use checklists Perform audits (internal/external) Review and update privacy policies Determine root cause, take corrective actions in response to breach Monitor enforcement actions, litigation to benchmark your practices Update your plan 46 23

24 Agencies and Service Providers Review third party s data security practices and compare with company s Build requirements into contracts Implement and maintain appropriate privacy and security measures Require notification in the event of any contractor incident 47 Be Proactive! Maintaining a proactive stance on privacy and security will protect your reputation and save money in the long term Institute a litigation hold Launch a factual investigation Arrange for experts Review contracts with suppliers and look for indemnification provisions Review insurance policies for coverage Anticipate costs 48 24

25 Questions? Washington, D.C. Brussels San Francisco Shanghai Upcoming Webinars July Toward Privacy by Design: Smart Grid and Other Technologies All webinars will be held from 11:00 a.m. 12:30 p.m. ET 50 25

26 Thank you! Sheila A. Millar Partner Keller and Heckman LLP 1001 G Street, N.W. Washington, DC millar@khlaw.com Tracy P. Marshall Partner Keller and Heckman LLP 1001 G Street, N.W. Washington, DC marshall@khlaw.com Washington, D.C. Brussels San Francisco Shanghai Douglas J. Behr Partner Keller and Heckman LLP 1001 G Street, N.W. Washington, DC behr@khlaw.com 26