Consumer Protection

Kentucky Becomes 47th State with a Data Breach Notification Law

On April 10, 2014, Kentucky became the 47th state to enact breach notification legislation.  Under the new law, companies that conduct business in Kentucky and hold consumer data of Kentucky residents will now be required to disclose data breaches involving the unauthorized acquisition of unencrypted computerized data of Kentucky residents.  Companies must disclose the breach in the “most expedient time possible” and “without unreasonable delay” to any state resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The Kentucky law is similar to many other state breach notification laws.  For example, the Kentucky law defines “personal information” as an individual’s first name or first initial and last name in combination with either their Social Security number; driver’s license number; or account, credit or debit card number in combination with any required security or access code.  In addition, the legislation permits companies to provide notification in written or electronic form, through email, through major statewide media or by posting an alert on their website, and allows for the delay of notification if a law enforcement agency determines the action will impede its criminal investigation.

Notably, the law does not require notification to the state attorney general, but does require that notification be given to consumer reporting agencies and credit bureaus if the breach affects more than 1,000 individuals.

Now that Kentucky has a data breach notification law, just Alabama, New Mexico and South Dakota remain as the three states that still do not have a comprehensive notification law outside of the public sector.


Take Action to Stop the Bleeding: Follow These Steps

“Heartbleed” has been all over the news, and companies have been scrambling to respond.  What sounds like a nasty medical condition is actually a recently discovered flaw in popular encryption software called OpenSSL.  It has been widely reported in the news outlets that approximately 60 percent of all web servers use OpenSSL.  According to the Federal Trade Commission, the flaw can permit a hacker to unlock the encryption and “monitor all communication to and from a server—including usernames, passwords, and credit card information—or create a fake version of a trusted site that would fool browsers and users, alike.”

So how can companies stop the bleeding?

  1. Figure out if any websites, systems (like e-mail) or applications (like virtual private network [VPN] endpoints, load balancers or database management software) use OpenSSL.  More information about how internal information technology (IT) teams can find and fix the flaw can be found on heartbleed.com.
  2. A comprehensive review of systems is important because, according to security firm Coalfire, OpenSSL is a program that is not just used on externally facing websites.  It also is frequently used on internal applications, management consoles, “appliances” and legacy systems, which will remain vulnerable until patched.  This is especially critical for systems that contain sensitive information, such as protected health information, financial information, Social Security numbers and other highly confidential items.  A firm like Coalfire can scan corporate systems to discover the vulnerability at a relatively modest cost.
  3. Update to the latest version of OpenSSL to fix the flaw.  After updating, companies need to generate a new encryption key (most IT teams know how to do this) and obtain a new SSL Certificate from a trusted authority, which will signal to browsers that the website is secure.  Generating the new key is critical—otherwise a company’s server and data could still be at risk.
  4. Confirm that vendors, business partners and contractors that provide technical services or support to company systems have addressed any OpenSSL flaws in their systems.
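An added example, not part of the original post, that turns steps 1 and 3 into a small checklist helper: it classifies an OpenSSL version string against the affected range published on heartbleed.com (1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1; 1.0.1g is the fix) and wraps the key/CSR regeneration that must follow the update. It assumes only that `openssl` is on the PATH, and only for the regeneration part.

```shell
#!/bin/sh
# Added example (not from the original post). Version classification is pure
# shell; only regenerate_key_and_csr needs the `openssl` binary.

# Return 0 (true) when VERSION is in the range heartbleed.com lists as affected,
# 1 otherwise. Caveat: distributions often backport the fix without changing
# the upstream version string (Debian's 1.0.1e-2+deb7u5 is patched), so
# "affected" here means "check the package changelog", not "confirmed open".
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1-*)           return 0 ;;  # 1.0.1 with no letter, e.g. 1.0.1-fips
    1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;  # 1.0.1a .. 1.0.1f
    1.0.2-beta|1.0.2-beta1)  return 0 ;;
    *)                       return 1 ;;  # 1.0.1g and later, 1.0.0, 0.9.8, ...
  esac
}

# Extract the bare version token from `openssl version` output such as
# "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version_token() {
  set -- $1            # split on whitespace; the second word is the version
  printf '%s\n' "$2"
}

# Step 3 of the post: after updating OpenSSL, retire the old private key by
# generating a fresh one plus a CSR to submit to the certificate authority.
# Usage: regenerate_key_and_csr /etc/ssl/private "/CN=www.example.com"
regenerate_key_and_csr() {
  dir="$1"; subj="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "$subj"
}

# Stand-alone run: report on the OpenSSL installed on this host, if any.
if command -v openssl >/dev/null 2>&1; then
  tok=$(openssl_version_token "$(openssl version)")
  if heartbleed_affected "$tok"; then
    echo "OpenSSL $tok is in the Heartbleed-affected range: confirm the package is patched, then regenerate keys"
  else
    echo "OpenSSL $tok is outside the affected range (1.0.1 - 1.0.1f)"
  fi
fi
```

Run it on each host found in step 1; a version inside the range on a distribution-packaged build still needs the package changelog checked before it is declared clean.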

But what about the blood that’s already spilled?

After taking these steps to stop the bleeding by fixing OpenSSL flaws, a critical next step is for companies to conduct an assessment of data and actions previously thought to be encrypted.

Companies should consider evaluating with counsel how and when to communicate with customers and employees about changing log-in credentials and taking any other appropriate steps in light of the particular situation addressed by the company.

In addition, given the publicity and attention to this issue, customer service lines might see an increase in calls inquiring whether a company’s website is secure and whether log-in credentials should be changed.  Convening the right internal resources to prepare clear, concise talking points will help those customer service teams convey accurate, consistent information in a way that minimizes harm to consumers and brand.

Even if companies are confident that their own sites have been fixed, they should consider whether employees may have used corporate log-in credentials on mobile devices or over connections, such as remote access VPN [...]


Settlement on the Horizon in Massachusetts ZIP Code Litigation

A recent proposed settlement in Massachusetts may signal readiness on the part of retailers to end so-called “ZIP code” litigation.  In 2011, customers of the arts and crafts retailer Michaels Stores Inc. filed a proposed class action in Massachusetts federal district court stemming from the company’s collection of customers’ ZIP codes during point of sale transactions.  The complaint alleged that Michaels used the ZIP codes that it collected to acquire customers’ addresses and telephone numbers and then used that information for direct marketing purposes.

Last year, after the plaintiffs had filed their complaint, the Massachusetts Supreme Judicial Court held that under a 1991 Massachusetts law, ZIP codes are considered “personal identification information” and retailers are prohibited from collecting such information during credit card transactions.  The court also gave plaintiffs an opening to overcome the sometimes difficult harm threshold for consumer class actions: it found that a retailer’s subsequent use of personal identification information for direct marketing purposes constituted sufficient harm to the consumer to subject the retailer to liability.  The court’s holding left Michaels with few defenses under the statute, which states that merchants accepting credit cards shall not “write, cause to be written or require that a credit card holder write personal information, not required by the credit card issuer, on the credit card transaction form.”

The district court recently gave preliminary approval to a settlement of the claims against Michaels. The proposed settlement, totaling nearly $875,000, covers all customers from whom Michaels requested and recorded personal identification information in conjunction with a credit card or debit card transaction in a Massachusetts retail store after May 23, 2007.  The settlement divides customers into two subclasses depending on how Michaels used the information it collected.  The first sub-class includes approximately 15,000 customers for whom Michaels was able to obtain a mailing address using the ZIP codes collected.  The second subclass, numbering approximately 4,300, includes customers whose addresses Michaels obtained using a source other than the collected ZIP codes.

Under the settlement, members of the two subclasses are to receive vouchers of $25 and $10, respectively, for total payments to the class of approximately $418,000.  The proposed settlement also calls for Michaels to pay attorneys’ fees of up to $425,000.  A final fairness hearing is set for May 20.

Whether the Michaels settlement will have an effect on other class action litigation is an open question.  The language of the Massachusetts statute differs in key respects from similar laws of other states.  For example, California’s Song-Beverly Credit Card Act imposes liability only where the merchant requests or requires personal identification information “as a condition of accepting credit card payment.”  This language in the California law has been used to defeat class certification on the basis that the customers’ beliefs as to whether providing personal identification information was a condition of using a credit card was a necessary element of liability that could not be decided on a class-wide basis.  It is unclear whether a similar argument could prevail under the [...]


New Mexico Moves One Step Closer to Becoming the 47th State with a Breach Notification Law

46 states plus Washington, D.C. have data breach notification laws.  Alabama, Kentucky, New Mexico and South Dakota still do not have a comprehensive notification law outside of the public sector.  That may change soon though, because the New Mexico House of Representatives unanimously passed a bill on February 17, 2014, that would require companies to notify state residents of a breach of their unencrypted personal information.  The bill appears to resemble many existing state breach notification laws, and contains a number of exceptions under which companies would not be required to provide notice of a breach.

The definition of personal information is the standard definition we see in many state breach notification laws – defined as name plus another data element that could lead to identity theft or financial fraud: Social Security number; driver’s license number; government-issued ID; or account number, credit card number or debit card number, in combination with any required code or password that would permit access to a person’s financial account.

If the bill passes, New Mexico will join the handful of other states with specific timing provisions for notification—if the breach involves 1,000 or more residents, companies would be required to notify affected individuals within 45 days of discovering the breach, and the state attorney general (AG) within 14 days (like Vermont).

Companies can avoid notification to affected residents if there is no “significant risk of identity theft or fraud,” but when the incident involves 1,000 or more individuals, the company still must notify the state AG with a written explanation of its risk of harm analysis.  Like many other states, the bill also contains a “deemed in compliance” provision stating that companies in compliance with the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act would be deemed to be in compliance with the proposed law.

At the federal level, there have been increased demands for Congress to establish a national data breach notification standard, and several bills have been introduced that would create such a standard.  Most recently, on February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for companies, like the approach taken in Massachusetts with 201 C.M.R. 17.00, et seq.  We will be watching these bills closely and reporting on any further developments.


McDermott To De-Mystify CalOPPA Compliance During February 25 Webinar

As we have previously discussed, California Governor Brown signed into law amendments to the California Online Privacy Protection Act (CalOPPA), the 2004 law that requires commercial websites, mobile apps and digital service providers to “conspicuously” post a “privacy policy” if the site or service collects personally identifiable information about California residents.  The amendments to CalOPPA add two new disclosure requirements for privacy policies required by CalOPPA:

  • The privacy policy must explain how the website “responds to ‘Do Not Track’ signals from web browsers or other mechanisms that provide California residents the ability to exercise choice” about collection of their personally identifiable information.
  • The privacy policy must disclose whether third parties use or may use the website to track (i.e., collect personally identifiable information about) individual California residents “over time and across third-party websites.”

Under amended CalOPPA, websites, mobile apps and digital service providers should have updated their privacy policies to include the new disclosure requirements by January 1, 2014. But, due to confusion about (among other things) what “Do Not Track” really means, many consumer-facing website operators and service providers in the digital and mobile space have not yet made the needed policy updates.

To learn more about CalOPPA and tips for complying with the new amendments, join Of Digital Interest’s editors Heather Egan Sussman and Julia Jacobson tomorrow (February 25th) at the 90-minute Track Me, Track Me Not: Complying with California’s Do Not Track Disclosure Requirements live webinar.

For details and to register, visit https://www.lorman.com/live-webinar/393528.


The FTC Means It: Another Safe Harbor Enforcement Action

No doubt about it: the U.S. Federal Trade Commission (FTC) is serious about taking action against companies that misrepresent their U.S.-EU Safe Harbor certification status.  On February 11, 2014, the FTC announced that children’s online entertainment company Fantage.com agreed to settle charges that it deceptively represented, through statements in its online privacy policy, that it held a current certification under the U.S.-EU Safe Harbor framework.  The Fantage.com settlement follows on the heels of the FTC’s settlements (announced on January 21, 2014) with 12 companies that made representations about Safe Harbor compliance when in fact their certifications had lapsed.  These 13 settlements, announced within the first six weeks of 2014 and added to the 10 settlements reached for similar actions from 2009 to 2012, indicate the FTC’s commitment to ensuring that the Safe Harbor Program remains a vital and effective compliance mechanism for U.S.-based multinational companies.

The Allegations and Order

According to this recent FTC complaint, Fantage.com failed to complete its annual recertification of Safe Harbor compliance but continued to make publicly available statements about its compliance with the U.S.-EU Safe Harbor Framework.  From June 2011 (when the company made its initial self-certification) to January 2014 (when the company renewed its self-certification), the FTC examined the company’s privacy policies and online statements for representations concerning its Safe Harbor status.

In its complaint, the FTC alleged that the company, “…expressly or by implication…” misrepresented that it was a current participant in the Safe Harbor Framework when, from June 2012 until January 2014, its certification had lapsed.  The FTC cited the following statement made on the company’s website as an example of the false and misleading representations:

“When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-EU Safe Harbor Framework, which covers the transfer, collection, use, and retention of personal data from the European Union.” 

While the FTC does not allege substantive violations of the Safe Harbor Framework, the sanctions that follow place compliance obligations on the company.  The Settlement Agreement Containing Consent Order:  

  • enjoins Fantage.com from misrepresenting its compliance with any governmental or self-regulatory data privacy program for 20 years; and
  • imposes on Fantage.com detailed record-keeping requirements for five years, including maintenance of records (i) for all advertisements or other statements containing representations about privacy program participation; (ii) all materials that form the basis for preparing such representations; and (iii) all materials that call into question the company’s compliance with the Order.

If Fantage.com violates the settlement agreement, the FTC is empowered to assess up to $11,000 per day in monetary penalties.

Compliance Tips

Based on these enforcement actions, any company that self-certifies under the U.S.-EU Safe Harbor Framework should immediately:

  • check its certification status to ensure that it is marked “current” on the Department of Commerce website: https://safeharbor.export.gov/list.aspx;
  • review any privacy policies and online statements referencing the Safe Harbor program to ensure that they properly reflect the status of their certification;
  • institute a systemic [...]


In with the New, Part III: 2014 Privacy, Advertising and Digital Media Predictions

Boston-based litigation partner Matt Turnell shares his predictions about class action litigation under the Telephone Consumer Protection Act (TCPA) and Electronic Communications Privacy Act (ECPA) in 2014, and Boston-based white-collar criminal defense and government investigations partner David Gacioch shares his predictions about government responses to data breaches.

Class Action Litigation Predictions

2014 is already shaping up to be an explosive year for privacy- and data-security-related class actions.  Last December’s data breach at Target has already led to more than 70 putative class actions being filed against the retailer.  With recently disclosed data breaches at Neiman Marcus and Michaels Stores—and possibly more to come at other major retailers—court dockets will be flooded with these suits this year.  And consumers are not the only ones filing class actions; banks that have incurred extra costs as a result of the data breaches are headed to court as well, with at least two putative class actions on behalf of banks filed so far against Target.

That volume of litigation related to the Target data breaches likely will be matched by a steady stream of class actions filed under the TCPA.  2013 was a busy year for the TCPA docket and I expect that the Federal Communications Commission’s (FCC) stricter rules requiring express prior written consent from the called party, which took effect in October 2013, means that 2014 will be just as busy since the majority of TCPA class actions seek statutory damages for companies’ failure to obtain consent before making autodialed or prerecorded voice calls or sending unsolicited text messages or faxes. 

In 2014, I expect to see key decisions under the ECPA related to social media platforms and email providers capturing and using content from customers’ emails and other messages for targeted advertising or other purposes.  One district court has already denied a motion to dismiss an ECPA claim challenging this conduct and I predict that other decisions are forthcoming this year.  Needless to say, decisions in favor of class-action plaintiffs in this area could have major implications for how social media sites and email providers do business.

Matt Turnell, Partner

Government Responses to Data Breaches

As significant data breaches continue to dominate the news, public awareness of data privacy and security issues will increase, as will their political appeal.  I expect to see in 2014:

  • Record numbers of breach reports to state and federal regulators, as awareness of reporting obligations spreads further and further across data owner, licensee, broker and transmitter groups;
  • More states committing more enforcement resources to data privacy and security, including budget dollars and dedicated attorney general’s office units;
  • More state/federal and multi-state coordination of investigations, leading to increased settlement leverage by enforcement authorities vis-à-vis firms under investigation; and
  • Greater numbers and dollar values of settlements by the Federal Trade Commission (FTC) and state attorneys general than ever before.

Similarly, with the HIPAA Omnibus Final Rule going into effect on September 23, 2013, coupled with the late-2013 Department of Health and Human Services [...]


In with the New, Part II: 2014 Privacy, Advertising and Digital Media Predictions

On the heels of 2014 predictions from the U.S.-based Of Digital Interest (ODI) editorial team, following are some predictions from our London-based editor, Rohan Massey:

Security breaches

Recent security breaches concerning consumer data in the retail industry have demonstrated the damage breaches of this kind can have on a business’ brand, with potential impact on share price. Such breaches highlight the pressing need for robust data security measures, and the commercial importance these issues can have on an organization’s brand value. It is likely that, as with intellectual property assets 25 years ago, we will begin to see a push, driven by shareholders and proactive management, for data assets to be listed as an accounting line item in corporate accounts in the coming year.

Europe

The draft report of Rapporteur Jan Philipp Albrecht on the proposed Data Protection Regulations recently discussed by the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament has indicated that the Commission and the Rapporteur strongly support radical changes to the current data protection regime. As we enter the next stage of negotiations for the draft Regulation, this report could have a significant impact, with reforms not anticipated to be finalized until 2015. Within the next 12 months, a roadmap of terms and timelines for the new regime will likely be delivered. We can expect larger penalty capacity and a streamlined, if broader, regulatory framework, but as we know the devil remains in the detail.


Data Privacy Day 2014

In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet.  Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection.  You may download the presentation slides here.

We hope you find our presentation materials informative.   Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.


Full Speed Ahead for EU Data Protection Reform

Data Protection Day 2014 (January 28) aims to raise awareness around what kind of data is collected about individuals, how it is used and why.

In marking this year’s Data Protection Day, Vice-President Viviane Reding, the EU Justice Commissioner, is calling for “a new data protection compact for Europe.”  Reding continues to focus on EU data protection reform, with the objective of the swift adoption of the current draft Regulation and believes it should be “full speed on data protection in 2014.”  If adopted, the European Commission proposals will serve as a comprehensive reform of the EU 1995 Data Protection Directive, with the aim of strengthening data privacy and thereby boosting Europe’s digital economy.

To become law, the draft Regulation must be adopted by the European Parliament (which is expected to adopt the proposals at first reading in the April 2014 plenary session), the Council of the EU and the European Council.  Jan Philipp Albrecht, the Member of the European Parliament (MEP) in charge of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee), has said that the current timetable targets scoping a mandate for negotiations during June, with inter-institutional negotiations taking place in July.

So perhaps it will be full speed ahead for 2014 after all…
