November 2006 Privacy Update

Page 1: November 2006 Privacy Update

ATLANTA BRUSSELS CINCINNATI CLEVELAND COLUMBUS DAYTON NEW YORK WASHINGTON, D.C.

Recent Developments in Privacy and Information Security

Presented by Tom Zych, Michelle Cohen, and Michele Kryszak
November 14, 2006

ABA Antitrust Section, Privacy and Information Security Committee

Agenda

Data Losses and Security Breaches
Legislation
    Domestic
    International
Enforcement
Litigation
Regulatory Developments
Hot Topics

Data Losses & Security Breaches (plus ça change, plus c'est la même chose: the more things change, the more they stay the same)

Starbucks: Get it while it’s hot!

Four laptops containing personal information of 60,000 employees in the U.S. and Canada were discovered missing on Sept. 6.

The company announced the theft on Nov. 4, but stated that there were no reports of identity theft related to the data stored on the stolen computers.

The data included names and Social Security numbers. Starbucks is notifying the affected individuals and has offered free credit monitoring and a toll-free hotline to answer questions.

Source: consumeraffairs.com

CEO Is Charged With Stealing Identities

A prominent Westchester businessman has been charged with stealing his employees' identities to obtain more than $1 million in bank loans and credit card charges.

He is accused of using the names, addresses and Social Security numbers of his employees to secure the bank loans between 2001 and 2006. He also is accused of running up $100,000 in credit card charges using their identities.

Ironically, the executive and his company were inducted this year into the Hall of Fame by the Business Council of Westchester.

Source: The New York Times

Social Security Administration Plagued by Phishing Scam

E-mails asked for bank account numbers and other personal information.

The e-mails copied text from a genuine Social Security Administration announcement about cost-of-living increases and stated that recipients who did not supply personal information risked having their Social Security payments suspended.

The Inspector General’s office of the Social Security Administration is investigating.

Cost of data breaches escalating

The average data breach now costs companies $5 million, with stolen hardware the main cause of data loss.

Companies spent nearly $5 million on average this year to respond to the loss or theft of corporate data, 30 percent more than in 2005, according to a new study from the Ponemon Institute.

Source: www.computerworld.com

Legislation (In your own backyard and across the pond…)

EU Considering Security Breach Notification

EU commissioners are considering breach notification rules that would require some companies to notify affected customers and regulators after a security breach.

Most experts believe it is time for Europe to follow the U.S. lead.

Some experts, however, believe the EU proposal will not go far enough because it covers only ISPs and network operators.

Source: www.itpro.co.uk

New York Enacted Three Identity Theft Laws on November 1

The Security Freeze Law: Allows consumers who are either identity theft victims or are concerned that they might be at risk of having their identities stolen to cut off an identity thief's access to credit, loans, leases, goods and services by placing a "freeze" on their consumer credit report.

The Disposal of Personal Records Law: Requires any business to properly dispose of records containing personal information or risk a civil penalty of up to $5,000.

The Anti-Phishing Act of 2006: Prohibits the deceptive solicitation of personal information through electronic communications, including sending e-mails to Internet users, falsely claiming to be a legitimate enterprise in an attempt to scam the user into surrendering private information.

Source: www.govtech.net

Australian, New Zealand Privacy Chiefs Collaborate on Privacy

The Australian and New Zealand Privacy Commissioners have signed an agreement to allow for cooperation between their offices on privacy-related issues, including cross-border complaints and joint investigations. This agreement fosters cooperative arrangements as set forth in the APEC Privacy Framework, the OECD Guidelines Governing the Protection and Transborder Flows of Personal Data, and the Asia Pacific Privacy Authorities Forum.

"The agreement will cement the already close ties between our Offices and tackling emerging privacy challenges and will enhance the management of cross-border cases," said Karen Curtis, Australian Privacy Commissioner.

Marie Shroff, New Zealand Privacy Commissioner, added, "The agreement will provide our Offices with a broader framework and base of resources, affording Australians and New Zealanders an ongoing high level of privacy protection."

Litigation (The civil suits are flowing in…lawsuits, that is…)

Verizon Steps Up Text Spam Suits

Verizon Wireless is stepping up efforts to protect its customers from spam, specifically unsolicited text messaging. Over the past four months, the company has filed three lawsuits, all in District Court in Trenton, N.J.

June: 1.1 million messages, mostly sent to Verizon subscribers in New Jersey, that advertised discount prescription medication. The Web site from which they were sent, located in Poland, has since been shut down.

September: 550,000 text messages promoting penny stocks. Most recipients of the text messages had New York City area codes.

October: 30,000 texts promoting certain stocks or medications. Much like their e-mail counterparts, the actual message includes text that does not make sense.

The company also has introduced a feature in its system that allows subscribers to change their text message delivery settings: users can block text messages sent from the Web, or designate certain addresses to block.

Source: www.betanews.com

New Appellate Court Ruling May Foster HIPAA Litigation

As privacy advocates, class action lawyers, interested consumers and others struggle to find means of enforcing privacy obligations in the courts, judges grapple with the question of whether entities that violate privacy laws properly face private damages liability. Because most national privacy rules (notably HIPAA and Gramm-Leach-Bliley) contain no private cause of action, plaintiffs struggle to find creative ways to sue over such privacy and security violations. For "injured" victims, finding an appropriate legal theory may be a critical threshold requirement to securing monetary damages. For companies facing privacy obligations, understanding these challenges is critical to appropriately assessing litigation risks.

Source: International Association of Privacy Professionals, www.privacyassociation.org, "New Appellate Court Ruling May Foster HIPAA Litigation" by Kirk Nahra

Enforcement

FTC issues TRO shutting down distributor of malware

FTC announced that a U.S. District Court in Nevada had issued a temporary restraining order shutting down an operation involving secret downloads of "malevolent software programs."

FTC charged ERG Ventures, LLC and an affiliate with tricking consumers into downloading software by bundling the program with innocuous free software, including screensavers and video files.

The "malware" installed by the Media Motor program harmed consumers' computers by, among other things:
    changing consumers' home pages
    tracking consumers' Internet activity
    generating disruptive and occasionally sexually explicit pop-up ads
    degrading computer performance
    attacking and disabling consumers' anti-spyware and anti-virus software
    making it nearly impossible for consumers to remove the malware from their computers

FTC issues TRO shutting down distributor of malware (Cont'd)

FTC charged that ERG Ventures and its affiliate violated the FTC Act by failing to disclose to consumers that the free software was bundled with malware, among other charges.

FTC press release notes that the case was brought with assistance from Microsoft.

U.S. Attorney's Office engaged in a parallel criminal investigation of the defendants.

Court also ordered an asset freeze and an accounting of assets.

FTC has asked the court to order a permanent halt to these deceptive and unfair downloads and to order ERG Ventures to give up its ill-gotten gains.

Yesmail Inc. Agrees To Settle Charges With FTC

On Monday, the FTC announced an agreement with Yesmail. Yesmail will pay a $50,717 civil penalty for allegedly violating the CAN-SPAM Act by failing to honor consumers' unsubscribe requests.

Zango, Inc. Settles FTC Charges

Will Give Up $3 Million in Ill-Gotten Gains for Unfair and Deceptive Adware Downloads

Zango, Inc., formerly known as 180solutions, Inc., one of the world’s largest distributors of adware, and two of its principals have agreed to settle Federal Trade Commission charges that they used unfair and deceptive methods to download adware and obstruct consumers from removing it, in violation of federal law. The settlement bars future downloads of Zango’s adware without consumers’ consent, requires Zango to provide a way for consumers to remove the adware, and requires them to give up $3 million in ill-gotten gains.

FBI nabs phishers in U.S., Eastern Europe

The FBI is seeking the arrest of at least 16 individuals in connection with a global cybercrime investigation. More than 20 FBI offices participated in the probe into a series of phishing attacks against a "major financial institution" that occurred between August and October 2004, according to materials provided by the FBI ahead of the announcement. Agents conducted investigations inside the U.S. and other countries to identify a ring of identity thieves who were acquiring and trading stolen credit and debit card numbers through an online forum.

Source: Cnet

FTC Stops Illegal Mortgage Services Phone Calls

USA First Investment Group Inc., USA Home Loans Inc. and their principals have agreed to settle Federal Trade Commission charges that they violated the FTC’s Telemarketing Sales Rule (TSR) by calling telephone numbers listed on the National Do Not Call Registry and failing to pay the required fee for access to numbers listed on the Registry.

Do Not Call is 3 years old

The FTC reported that it filed six cases in FY 2005 alleging violation of the National Do-Not-Call Registry. Several of the actions included claims that the defendant had failed to pay the required fee to access the list before making the calls.

Perhaps the most significant recent trend in Do-Not-Call list enforcement is a series of cases in which the FTC has successfully prosecuted companies that had relied on their telemarketing service companies to comply with the list. The FTC fined DirecTV nearly $5.4 million for making numerous calls to numbers contained in the national registry. The FTC recently settled charges against one of the telemarketers for $75,000, an amount tempered by the defendant's inability to pay, but with a substantial additional penalty of more than $400,000 if the defendant later is found to have misrepresented its financial condition.

The FTC brought similar claims against Executive Financial Home Loan, a mortgage broker based in California. Although that case settled for a far smaller amount - $50,000 - the Executive Financial Home Loan decision builds on the DirecTV decision by reaffirming that businesses engaged in telemarketing promotional campaigns cannot delegate the responsibility for compliance to their service companies.

Regulatory Developments

Prerecorded Telemarketing Calls -- FTC Does Its Own Thing

FTC rejected a petition that asked it to conform its rules to similar FCC rules permitting prerecorded telemarketing calls when there is an "existing business relationship."

FCC permits prerecorded telemarketing calls where there is an existing business relationship or prior consent, unless the called party has made a company-specific do-not-call request.

FTC takes the position that unless there is prior express consent, prerecorded telemarketing calls (even in existing business relationships) violate the FTC's call abandonment rule.

FTC recognizes it is out of sync with long-established FCC rules, but declines to follow the FCC, creating an inconsistent federal system.

Prerecorded Telemarketing Calls -- FTC Does Its Own Thing (Cont'd)

Earlier, the FTC said it would not enforce the prohibition during the review of the petition. FTC states it will begin enforcing the pre-existing prohibition on Jan. 2, 2007.

Industry asked for additional time to provide comment, and the FTC recently extended the comment period through December 18, 2006.

FTC indicated that the record contained thousands of consumer comments stating that they did not wish to receive such calls, and that industry could not agree on a prompt opt-out mechanism at the beginning of a call.

Industry may promote changes in technology that permit a prompt opt-out at the beginning of a call, in lieu of facing a prohibition.

Industry is concerned about the freeze on productive commercial speech that could result -- e.g., a message that says "your subscription is about to expire" but could not let you press a button to renew, etc.

FTC Launched Blog Related to Tech-Ade Hearings

The public hearings examined how evolving technology will shape and change the habits, opportunities and challenges of consumers and businesses in the coming decade, and featured experts from the business, government and technology sectors, consumer advocates, academicians, and law enforcement officials.

Tech-Ade: FTC: Focus Will Shift To Advertisers

In the wake of a $3 million settlement with Zango over allegations that the company used unfair and deceptive practices to distribute adware, an FTC commissioner said the agency plans to notify advertisers that their ads may have been distributed through Zango's adware.

Commissioner Jon Leibowitz said during the FTC's public hearings this week on "Protecting Consumers in The Next Tech-ade" that the agency will take the next step beyond actions against adware firms by focusing on advertisers.

Source: www.clickz.com

FACTA Red Flags

The federal financial institution regulatory agencies released proposed rules on Identity Theft Red Flags and Address Discrepancies under the FACT Act; the comment period closed in September.

The proposed regulations require each financial institution to implement a written Identity Theft Prevention Program with reasonable policies and procedures to address the risk of identity theft.

Responsibility is placed at the highest level of the institution, and a report must be made no less than annually by the staff members who have implementation and compliance duties.

Substantial preparation will be needed to achieve compliance with the new requirements.

Hot Topics

Microsoft Issues Privacy Guidelines for Developing Software Products and Services

Published on October 16, 2006. The document offers very precise and practical guidance for creating notice and consent experiences, providing sufficient data security, maintaining data integrity, offering customer access, and supplying controls when developing software products and Web sites.

The document relies on many of Microsoft's internal practices and is designed to assist organizations in meeting, and exceeding, customer expectations regarding privacy.

Creating and maintaining consumer TRUST is the highest priority and objective of the document.

Privacy Pitfalls in No-Swipe Credit Cards

Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were easily able to retrieve data from the new cards. From the article:

"They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."

Source: The New York Times

Prerecorded Political Calls a Hot Topic During Political Season

Democrats have criticized Republicans' purported use of recorded telephone messages, also known as "robocalls," in the weeks and days leading up to the recent elections.

Reportedly, the robo-calls were sent to voters several times a day and repeated the name of the Democratic opponent over and over again so that the called party would think that the caller was the Democratic opponent and get annoyed with the calls.

Democratic Congressional Committee Chairman Rahm Emanuel claims the robocalls were even sent in the middle of the night to Democratic voters in an effort to annoy voters.

National Republican Congressional Committee states that it never places phone calls past 8pm.

Rutland Herald reports that Reps. Conyers and Dingell sent letters to the U.S. Department of Justice, the Federal Communications Commission and the Federal Election Commission, saying the calls are unethical and could be illegal.

A Maryland attorney recently filed suit in state court against Governor Ehrlich and others claiming that the political calls violate federal and state communications laws which require the identification of a caller at the beginning of a prerecorded message. The attorney hopes that the law is changed to make political calls subject to the “do not call” requirements (they currently are exempt).

Other sources: abcnews.go.com (Nov. 6, 2006)

Michelle Cohen, Partner
http://www.thompsonhine.com/lawyer/MichelleCohen/
[email protected]

Tom Zych, Partner
http://www.thompsonhine.com/lawyer/ThomasZych/
[email protected]

Michele Kryszak, Associate
http://www.thompsonhine.com/lawyer/MicheleKryszak/
[email protected]