Self-Regulatory Online Behavioral Advertising Principle No. 4: Data Security

The Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, recently released their Self-Regulatory Online Behavioral Advertising Principles. When we announced these principles, we also promised to provide you with a bit more detail regarding each of them, which are listed below; so here is a brief summary of the fourth – Data Security. For reference, the seven enumerated principles are:

The Data Security principle requires entities to provide reasonable security for, and limited retention of, data collected and used for online behavioral advertising purposes. Consistent with the FTC standard, entities must maintain appropriate physical, electronic and administrative safeguards based upon the sensitivity of the data. Further, data collected and used may not be retained any longer than necessary to fulfill a legitimate business need (e.g., testing and auditing) or as required by law. In addition, the principle sets forth the steps that service providers (e.g., entities that provide Internet service, toolbars, web browsers or comparable desktop applications) must take in connection with data collection and use, including alteration, anonymization or randomization (e.g., hashing) of personally identifiable information; enhanced notice and disclosure at the time the data is collected; and the protection of the non-identifiable nature of data shared with non-affiliates. Under the Data Security principle, service providers will be held accountable for compliance with these principles in connection with their collection and use of data for online behavioral advertising purposes. Thanks to Stacy Marcus for her analysis.

We can now also report to you that yesterday a coalition of 10 consumer and privacy advocacy groups (i.e., Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, and The World Privacy Forum) released a draft of their own principles, in the form of a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. Legal Bytes will have a more detailed report for you on this new development in the next day or two, and in the meantime – or any time – feel free to contact me, Stacy Marcus, or any of the Rimon attorneys with whom you regularly work.

Identity Theft: Don’t Just Yell ‘Stop Thief.’ Audit Something!

It was 1998 and identity theft had not yet hit the radar screens as heavily as it would during the course of the next decade. Who could predict? So when I received a call from Albert J. Marcella, Jr., Professor of Management in the School of Business and Technology, Department of Management, at Webster University in St. Louis, who said he was putting together an “audit oriented” publication for The Institute of Internal Auditors to guide professionals who were becoming increasingly concerned about online identity theft, I naturally wondered what I could contribute to that effort.

So we spent a great deal of time collaborating about what we knew, speculated about what we did not know, and tried to put the work in context—specifically, guidance for corporate auditors and security management professionals on what they needed to know as sensitive, personally identifiable information migrated online. The result, of which my contribution was only a small part, was a book entitled www.STOPTHIEF.net, Protecting Your Identity on the Web, published in November 1999 by The Institute of Internal Auditors.

Identity theft, not a brand new crime even then, had a new face in our online, digital interconnected world. And, it was growing and pervasive, and its implications—if for no other reason than the sheer magnitude of the potential risks and the speed at which they would materialize on or through the Internet—were unprecedented and were becoming global.

I now know what I could not have known then—that more than 40 states have passed identity theft statutes and that the Privacy Rights Clearinghouse website, which takes pride in cataloging such things, estimates that as of a day or two ago, 263,247,398 records containing sensitive personal information were involved in security breaches in the United States since January 2005—six years after the publication became available.

To appreciate the foresight and to learn about those audit guidelines and benchmarks, you have to buy the book. But to read my personal piece of that collaborative effort—an end-piece summary of the legal implications entitled “Technology, the Internet and Cyberspace: Challenges to National and International Privacy”—you just have to read Legal Bytes.

Data Protection/Breach Disclosure Laws

In the news, yet more breaches of data security and the potential disclosure of personally identifiable, non-public information about you. From Wells Fargo to the Veterans Administration, breaches are becoming almost daily news. In response, more and more states are enacting breach disclosure laws requiring companies to notify consumers if there is an actual or potential breach of security compromising (or potentially compromising) your information. Even Congress is getting into the act of considering legislation at the national level. Although not all the definitions are uniform, nor are the requirements identical, most have common themes—but to understand what they are, how they affect you and what obligations you may have, you have to contact me, or you can simply wait for the next issue of Legal Bytes—stay tuned.

Security Checks Out

OK. You’ve all been reading about the recent security breaches which are exposing sensitive financial and other non-public personally identifiable information to potential disclosure—in some cases actual release and compromise of that information. Well, it turns out that in one area—the retailer cases involving Polo (Ralph Lauren), DSW (Shoe Warehouse) and others—the breaches are all being traced back to software that merchants use to process credit, charge and debit transactions. The problem, it seems, stems from the fact that the hidden coding that resides on the magnetic stripe of our plastic money, and that is supposed to authenticate and provide a degree of transactional security in processing payment, is being retained by the merchants’ systems, rather than being immediately deleted and cleansed from these systems once the transaction is approved and complete. Hackers, learning of this vulnerability, were quick to attempt to break into these merchant systems and “steal” the codes, in many cases enabling them to create counterfeit plastic and compromise personal information of the cardholder in the process. In one case, BJ’s Wholesale Club is being sued by banks and credit unions because hackers made off with customers’ credit card numbers, and BJ’s has decided to sue IBM, whose software allegedly stored the numbers in computer logs. In legal papers filed in response to the suit, IBM not only claims there is no proof the stolen card numbers came from BJ’s systems, but it also claims that its contract with BJ’s disclaims liability for damages because of security breaches. OK, all of you go check your software contracts. Now.

Did Anyone at ChoicePoint Read the February ’04 Issue of Legal Bytes?

Shareholders are suing ChoicePoint and its executives after learning that criminals posing as bona fide businesses were given access to personal data. ChoicePoint maintains databases of background information on almost every citizen in the United States—billions of records. A class-action lawsuit has been filed in California charging that executives withheld information to avoid having the stock price fall when and if the news broke: the share price has since fallen more than 20 percent in a month. The suit claims the executives knew their data protection was inadequate; knew or should have known ChoicePoint was selling data to illegal businesses; and that security breaches had occurred previously, exposing even more people to identity theft.

The security breach was uncovered last October, when law enforcement first contacted ChoicePoint investigating an identity theft. Suspects, posing as a ChoicePoint client, gained access to its consumer databases. As if the class action and drop in share price were not trouble enough, ChoicePoint is under investigation by the FTC inquiring into its compliance with information security laws; is under investigation by the SEC for possible violations by certain executives of the insider trading regulations; and is facing lawsuits arising from violations of the Fair Credit Reporting Act and California state law. Will someone please pick up and read the February 2004 issue of Legal Bytes!?!

Avoiding a Legal Disaster: Déjà Vu All Over Again

In April 1995, Datapro Reports on Information Security published a Disaster Avoidance brief (IS38-200-101) entitled “Avoiding a Legal Disaster: Business Continuity Planning for Multinationals.” In that paper, the author analogizes a famous 1932 “technology” case decided by the Second Circuit Court of Appeals in the United States, to the growing potential liability of users in managing their technology and information security resources. Specifically, the article states that “In 1932, a famous case entitled The T.J. Hooper (60 F.2d 737; 2nd Circuit, 1932) held that the failure to take advantage of existing and available technology—even though it was not in widespread or common use—was not evidence that the defendant’s duty to take reasonable care had been fulfilled. By analogy, when a disaster occurs, it will not be a defense to argue that a recovery or security system or preventive measure is not commonly in use, especially if using it would have averted the disaster or minimized the loss.”

The article, which focuses on what organizations can do to minimize risk, goes on to note that, “The more reliant business and operations become on technology, the more available preventive and risk management tools become, the less excusable a failure to implement meaningful measures and exercise due diligence over company assets will become to government, employees, customers, suppliers, and shareholders—all potential plaintiffs.”

Now this fact and the author would probably be relegated to obscurity but for an interesting article on I.T. Litigation that has just appeared in the February 1, 2004 issue of CIO Magazine, entitled “Courts Make Users Liable for Security Glitches.” The author notes that an interesting turning point arose in the wake of 9/11 when, in October 2001, Hartford Insurance removed computer damages from its general commercial liability policy coverage. The article goes on to cite three recent cases which are beginning to look a lot like a legal trend in this area. First, a case in which Verizon asked a court to order the State of Maine to refund money because Verizon wasn’t using Maine’s network while Verizon was “down” because of the “Slammer” worm. Verizon had not implemented a Slammer patch, and last April the Court ruled that while one may not be able to control a worm attack, such attacks are foreseeable—no refund (Maine Public Utilities Commission v. Verizon).

In Cobell v. Norton, the U.S. Department of the Interior’s website and computer security became an issue in a case involving benefits allegedly owed to American Indians. The Court was sufficiently irritated by the Department’s conduct related to security audits that the Judge actually commenced contempt proceedings! Finally, in the last case cited by the article, the American Civil Liberties Union hoped to avoid liability for accidentally publishing donor information by pleading it had outsourced its security to a third-party vendor. Although the case settled, it is doubtful such a defense would have worked, and it is almost certain regulated companies will not be able to escape accountability for compliance by outsourcing regulated activities—the responsibility will remain theirs!

There appears to be an increasing, and not-so-subtle, shift away from the notion that programming errors related to security breaches, computer viruses, worms, logic bombs and other malicious code or hacker and denial of service attacks are somehow equivalent to unpredictable natural disasters like earthquakes or fires—thus not subject to a “fault” analysis, but more appropriately covered by ‘accident’ insurance. Indeed, these and other cases arising in the courts treat breaches of security as fair game for negligence lawsuits—especially where damage has been done to a consumer (e.g., identity theft) or where the assets of a company—tangible or intellectual property—have been compromised. As noted in the 1995 article, liability for failure to implement available security is likely to increasingly hold both providers and users of technology liable where negligence can be shown—or even reckless disregard where safety or the protection of assets are concerned. You can read the CIO Magazine article here and, by the way, the obscure author of the 1995 Datapro article can be reached at joseph.rosenbaum@rimonlaw.com should anyone wish to see a copy or discuss the issues raised—then or now!