Identity Theft Again?

Most of you have read about the security issues that have confronted LexisNexis and ChoicePoint, and each day we learn more news about more systems and databases that have been or may have been compromised. Here’s a secret: “Google hacking” is easier. It’s a term used to describe the simple act of using publicly available search engines (no, not only Google) to find information that criminals and wrongdoers can use.

Several months ago, The Wall Street Journal reported that some security experts held a contest to demonstrate how good Google hacking can be—they limited contestants to using only Google’s search engine and in less than one hour they unearthed enough information to perpetrate financial fraud on about 25 million people—including useful combinations of names, birth dates, credit card and social security numbers. In one such experiment, a team of contestants found a directory of more than 70 million social security numbers—all belonging to individuals who are no longer alive.

Yahoo! and Google and similar search engines are not the problem – these folks are continuously refining and fine-tuning their search capabilities and adding more information. Why? Because we demand it; we like it; we want it. It is helpful; useful; convenient. So how do we balance the desire to have more and better information more easily available, with the need to protect our people, our customers, our society from abuses and improper use of such information? I don’t know. I do know that Rimon has literally dozens of lawyers who can help you with privacy, information security, terms of use and guidelines; can alert you to regulatory and legal issues; and can provide you with solutions to your problems, even when the simple answers are not always easy to find. Let us help you. Have an information security issue? Privacy compliance problem? Fraud or security breach? Now’s the time—before you are part of the problem.

Security Checks Out

OK. You’ve all been reading about the recent security breaches which are exposing sensitive financial and other non-public personally identifiable information to potential disclosure—in some cases actual release and compromise of that information. Well, it turns out that in one area—the retailer cases involving Polo (Ralph Lauren), DSW (Shoe Warehouse) and others—the breaches are all being traced back to software that merchants use to process credit, charge and debit transactions. The problem, it seems, stems from the fact that the hidden coding that resides on the magnetic strip of our plastic money and that is supposed to authenticate and provide a degree of transactional security in processing payment is being retained by the merchants’ systems, rather than being immediately deleted and cleansed from these systems once the transaction is approved and complete. Hackers, learning of this vulnerability, were quick to attempt to break into these merchant systems and “steal” the codes, in many cases enabling them to create counterfeit plastic and compromise personal information of the cardholder in the process. In one case, BJ’s Wholesale Club is being sued by banks and credit unions because hackers made off with customers’ credit card numbers, and BJ’s has decided to sue IBM, whose software allegedly stored the numbers in computer logs. In legal papers filed in response to the suit, IBM not only claims there is no proof the stolen card numbers came from BJ’s systems, but it also claims that its contract with BJ’s disclaims liability for damages because of security breaches. OK, all of you go check your software contracts. Now.

While You Were Sleeping

In February, in the Circuit Court in Miller County, Arkansas, some plaintiffs—led by Lane’s Gifts, an Arkansas retailer—sued Google, Yahoo!, Time Warner, Disney, and Ask Jeeves, among other Internet companies, alleging that these companies knowingly overcharged for the advertising they sold and that they conspired with each other in doing so! The plaintiffs now want the suit certified as a class action, which relates to the growing problem of “click fraud,” a practice our very own litigator and legal guru Peter Raymond knows and has spoken about. Clicking ads or even automating the click-throughs—in some cases by competitors—can illegally run up the advertising charges, and analysts estimate these can increase by more than 15 percent because of such fraud.

Music On Hold—Capitol Records, Inc. v. Naxos of America, Inc.

In a decision sure to be appealed but hailed as groundbreaking, the New York Court of Appeals, on April 5, 2005, held that rights to performances recorded before 1972 are protected under state common law, even after they have been put on the market. The ruling extends, until 2067, common law copyright protection for recorded music to companies that own rights to pre-1972 recorded performances. They can now prevent others from releasing their own versions. Since Congress did not extend statutory protection to recordings created before February 15, 1972, the court held there is common-law copyright protection in New York for sound recordings made prior to that date (i.e., since sound recordings made before 1972 are not covered by the federal copyright act, common law protection remains in place). In this case, Capitol’s claim against Naxos (who had remastered the recordings and began selling CDs) for infringement of common-law copyright in the original recordings was upheld. Common-law copyright traditionally has protected only unpublished works, but the New York holding concludes that the musical performances were unpublished, even though commercially sold to the public for decades. Go figure.

NY Pursues Spy and Adware—Deceptive Practices At Issue

On April 28, 2005, New York’s Attorney General sued Intermix Media, a major Internet marketer based in Los Angeles, claiming “spyware” and “adware” were secretly installed, which, among other things, can redirect browsers to unwanted websites, can add toolbar functions and icons, and distribute ads that pop up on your monitor. The suit alleges violation of New York State General Business Law provisions against false advertising and deceptive business practices, and also alleges trespass under New York common law. Intermix’s software would download, install and then direct advertising to computers based on user activity—often without notice and without an uninstall application—when a user visited a website, played a game or downloaded a screen saver. The Attorney General’s office claims that the lengthy licensing agreement purporting to seek permission, even when used, is misleading or inaccurate.

What’s in a Game? Promotions and Advertising on the ‘Net (Part 2 of 2)

As we mentioned in last month’s issue, sweepstakes, contests and promotions are primarily regulated by state law, although federal statutes and regulations must be considered. Jurisdiction and eligibility across borders, language, currency restrictions, licensing and export of technology, liability, billing and payment, whether a deposit to play might be construed an account for banking purposes, or whether gathering non-public, personally identifiable information about contestants may have privacy implications, are just a few of the issues that transcend the “gaming” aspects of any legal analysis.

On the U.S. federal level, although the FTC can take regulatory action and sue advertisers for deceptive or unfair acts and practices, it relies heavily on the states to regulate the industry. The FTC has, however, promulgated rules that do have significant impact on promotions. For example, the Children’s Online Privacy Protection Act (“COPPA”) was enacted to protect children from marketers who collect or use personal information obtained online from under-age children without parental permission, and authorized the FTC to develop a rule that requires “verifiable parental consent.” Because contests are extremely popular for Internet marketing, online advertisers must be cognizant of COPPA if a portion of their online traffic is, or is likely to be, children under the age of 13.

To illustrate the maze of legal and regulatory issues, let’s use an example: Joe’s Airline, Widget and Screen Door Company wants to conduct a contest on the Internet in which participants are charged $2 to play successive rounds of chess, with prizes at various levels and a grand prize of a million dollars. Our promotion is really a unilateral offer to enter into a contract, subject to terms and conditions (e.g., rules) agreed upon through some manifestation of acceptance. Participants accept the offer by performing a required act—registering, paying, selecting an “I ACCEPT” link—and a binding contract is formed. Point number 1: if Joe fails to adequately disclose the rules upon which the offer is made, the promotion could be construed as an illegal lottery, rather than a contest. Point number 2: Joe better get the rules right and disclose them properly because there are cases which indicate once a participant enters (“accepts”), Joe cannot change the rules (i.e., unilaterally amend the contract). Something to think about: Could each chess game be viewed as a new contest, permitting amendments prospectively?

In general, to qualify as a contest, skill, and not chance, must determine the outcome, and chance may not determine the winner or prize amount. Most, but not all, state laws distinguish games of skill from games of chance, although states do not use a uniform standard to differentiate between the two. While some states prohibit requiring consideration to engage in a promotion where a prize is awarded, most states do not prohibit the payment of money if the promotion is a bona fide contest of skill. What constitutes skill? Good question. The decision is often a question of fact, and when the Internet is involved, evidence can be complex and technology-based, straining judges and juries. Two criminal courts in New York judging the legality of a shell game and a card game reached opposite conclusions.

A number of states have disclosure statutes which apply. Some (e.g., California) arguably apply to skill-based contests, while others do not. Many prize notification statutes were not intended to apply to skill contests, but are worded broadly to include any promotion requiring an entry fee or a purchase. Joe should also be aware that some state gambling laws do not limit their application to games of chance, but focus on whether players are asked to risk or wager something of value. In those states, a skill-based contest that involves betting or offers prizes dependent on the number of entries or the amount of entry fees should be reviewed carefully against state gambling laws. Remember the three elements that constitute an illegal lottery? A prize, consideration and chance. By including an equal and alternate means of entry in which there is “no purchase necessary” to enter or win, and by avoiding a payment (i.e., consideration), Joe can introduce the element of chance in the determination of the winner and not be in violation of federal or state law.
Maybe!

Did Anyone at ChoicePoint Read the February ’04 Issue of Legal Bytes?

Shareholders are suing ChoicePoint and its executives after learning that criminals posing as bona fide businesses were given access to personal data. ChoicePoint maintains databases of background information on almost every citizen in the United States—billions of records. A class-action lawsuit has been filed in California charging that executives withheld information to avoid having the stock price fall when and if the news broke: the share price has since fallen more than 20 percent in a month. The suit claims the executives knew their data protection was inadequate; knew or should have known ChoicePoint was selling data to illegal businesses; and that security breaches had occurred previously, exposing even more people to identity theft.

The security breach was uncovered last October, when law enforcement first contacted ChoicePoint investigating an identity theft. Suspects, posing as a ChoicePoint client, gained access to its consumer databases. As if the class action and drop in share price were not trouble enough, ChoicePoint is under investigation by the FTC inquiring into its compliance with information security laws; is under investigation by the SEC for possible violations by certain executives of the insider trading regulations; and is facing lawsuits arising from violations of the Fair Credit Reporting Act and California state law. Will someone please pick up and read the February 2004 issue of Legal Bytes!?!

What’s in a Game? Promotions and Advertising on the ‘Net (Part 1 of 2)

Marketing and promotional experts already know that with rare exceptions (e.g., the government), lotteries are illegal. An illegal lottery is a game or contest in which the outcome is determined by chance, the entry requires some form of consideration, and the winner is awarded a prize. Over the years, these three elements have been the subject of scrutiny, regulatory opinion and judicial decision. Although interpretive rules are not cast in concrete, a prize can be nominal in value; consideration can take the form of visiting a store or filling out a lengthy customer survey; and, if chance plays a material factor in determining the outcome, no amount of skill in any of the other elements of the promotion will save the day.

Marketing and promotional experts use “no purchase necessary” or “free alternate means of entry” as tools to avoid consideration—in general, promotions with a freely available alternate means to enter may be based on chance and may have a prize. Some promotions involve skill—eliminating chance. Shooting a hole in one at golf or solving a mathematical puzzle are examples of skill-based contests. Of course, the skill must be bona fide—guessing the number of beans in a jar is not a real skill, no matter how good one becomes at guessing.

Against this backdrop, advertisers, eager to get their message in front of consumers, are finding life increasingly difficult. Have you noticed increased advertising in movie theatres, outdoor signage or on uniforms of your favorite sports figures? Distribution technology and storage and recording media have given us the ability to fast-forward or avoid viewing messages that previously required you to physically leave the room or change the channel! Hmmm…so people are spending more time on the Internet—browsing, surfing—how about advertising there?

Well things seemed to be looking up for advertisers—cookies, pop-up ads, banners, above and below the fold advertising, mass commercial e-mail. Seemed like technology was coming to the rescue. But, enter their legal and technical counterparts—cookie disablers, pop-up blockers, spy-ware and ad-ware detection programs, SPAM and other filters, coupled with legislation and regulation over intrusive technologies or programs that invade privacy or transmit information without consent. Getting the message across is still getting tougher.

One approach is the increased use of “product placement”—insertion of branded products into actual programming “content.” Branded products become part of the action—someone is drinking a beverage, driving a car, using a computer—all branded. One of the most interesting developments in the world of product placement is taking place in interactive gaming. Interactive games require players to sit, often for hours, staring at a screen, paying close attention to the game. Background, backdrop, even music, contribute to making games realistic and become music to the ears of advertisers targeting a captive audience.

Can interactive, Internet-based games require a participant to pay to enter and participate—online “pay-to-play” games—and provide the winner cash or prizes? Here’s how such a game is typically structured: the participant downloads licensed programming for installation on his or her computer—the platform from which instructions and controls are transmitted. When combined with instructions and controls from team members or opposing players, the programming allows the game to be played. To enhance the gaming experience (and also to bolster the argument these are predominantly skill-based, not based on chance) many gaming platforms have sophisticated mechanisms to rate players and provide “matches” of comparable skill. Assuming games are skill-based, many (but not all) jurisdictions permit the payment of cash to play and the award of a prize. In some jurisdictions (but not all), the prize can even be derived from the number of players and the amounts paid by the participants. Check with Rimon before making any assumptions.

Regulation of Internet contests in the United States falls into four broad legal categories: (a) regulation of sweepstakes, contests and prizes; (b) regulation of unfair and deceptive trade practices; (c) regulation of gambling; and (d) consumer protection. We will turn to a more comprehensive legal review in next month’s issue, but we will tell you that if your game attracts children, you had better ensure there are mechanisms enabling you to comply with special regulations that apply. These are not limited to issues involving the age of majority and the ability of participants to legally enter into binding contracts (e.g., Alabama and Nebraska = 19; Mississippi and Puerto Rico = 21). Compliance with the Children’s Online Privacy Protection Act (“COPPA,” not to be confused with COPA or Copacabana—anyone still reading?), considerations of parental consent, propriety of content and a host of other regulations and legal considerations, come to mind.

Stay tuned for next month’s issue to find out more about these legal issues.

Judge Awards $1 Billion in Spam Suit

In what may be the largest judgment in a suit against spammers so far, a company that offers subscribers an e-mail service in Iowa has been awarded more than a billion dollars by a federal judge; the allegations were that the company’s servers were inundated with as many as 10 million spam e-mails a day. The judgments were obtained under the Federal Racketeer Influenced and Corrupt Organizations Act (“RICO”) and the Iowa Ongoing Criminal Conduct Act. Iowa law allows damage claims of $10 per spam message, and the damages were tripled under RICO. Not surprisingly, no attorneys for the defendants were present during a bench trial in November and the judgments were entered by default.

California’s a Trendsetter—This Time it’s Privacy

No longer merely the source of new fashion trends or technology movements (or McDonald’s), California is quickly becoming the thought leader in protecting consumer privacy. Two new laws, one which deals with personal information given to third parties for marketing (SB27) and another which obligates businesses to adhere to certain security requirements for using and storing personal information, both came into effect January 1, 2005. The new law requires businesses with 20 or more employees to give consumers detailed disclosures about not only what customer information they have shared with third parties, but also the contact information for and descriptions of those parties. Want to avoid the disclosure obligations? Simple. Allow your customers a free opt-out election from having their personal information shared. That said, you will still have to let your customers know how and to whom they can inquire about these requirements – even if your business offers the opt-out choice to consumers. By the way, if you are already subject to the stricter requirements of California’s financial privacy act, you are exempt. While there are some additional exemptions, they are narrow, and anyone doing business in California shouldn’t be too quick to conclude they are exempt without consulting legal counsel. California’s Office of Privacy Protection has drafted a set of recommended practices which attempts to harmonize the requirements of this new act with the California online privacy act, the state’s financial privacy provisions, the federal Gramm-Leach-Bliley Act, HIPAA, and European Union privacy directives. Good luck.

Do you or your contractors have sensitive personal information (e.g., names and addresses in combination with social security numbers and PIN numbers) that could lead to identity or financial theft if compromised? What about medical information about a person’s diagnosis and treatment? Start ensuring you have “reasonable” practices to protect that information from unauthorized access, use, modification and disclosure—and it doesn’t matter if the information is on paper or in electronic form. Both are covered. While the legislative history makes it clear that no one particular standard is “the standard” for “reasonable” security, a company will need to designate a specific individual who is responsible for the company’s security program, and will need to establish a security task force—including a compliance officer and legal counsel. To avoid running afoul of the standards, not only must practices and a task force be implemented, but companies will also have to demonstrate they periodically test and monitor how the security measures are working, make risk assessments, and fine-tune their security measures to keep them updated appropriately. Need employee training? Need help implementing background checks, confidentiality agreements, encryption and record retention/destruction requirements, and disciplinary measures? Call the lawyers at Rimon. We can help.

Remember California’s security breach notification law (we told you about this and you get another prize if you can identify the back-issue in which we did so)? That law requires businesses to disclose security lapses. This new law creates a new duty and standard of care. Lawsuits arising from breaches in security (you remember California’s Business and Professions Code section 17200) can now use AB1950 as a discovery prod to determine if your business has used and effectively maintains reasonable security measures.

Consider this: California has already passed more than a dozen laws to protect privacy—many of which have now spawned federal legislation, some already passed and others in process. SB186 bans unsolicited e-mail and AB1769 bans text messaging advertisements to cell phones and pagers. AB1733 mandates consent from customers before a wireless carrier can list their phone numbers in a 411 directory, and SB1436 restricts keystroke monitoring software, website tracking software, and software that attempts to control personal computers.