Intermix Media has reportedly agreed to pay $7.5 million to settle a lawsuit filed by the New York Attorney General, and if true, this represents the largest fine in a consumer online privacy action to date. In addition to agreeing to hire a Chief Privacy Officer, Intermix must agree to stop distributing its adware/spyware and redirect programs which the NYAG alleged were downloaded to consumers’ personal computers with inadequate notice, and then hidden to make it difficult to remove. Besides the annoyance which consumers rail about, often such hidden programs can be part of more elaborate identity theft and security breaches, sometimes without the knowledge of the company that created them. The lawsuit’s primary claims were false advertising and deceptive business practices under New York’s General Business Law statutes.
OK. You’ve all been reading about the recent security breaches which are exposing sensitive financial and other non-public personally identifiable information to potential disclosure—in some cases actual release and compromise of that information. Well it turns out that in one area—the retailer cases involving Polo (Ralph Lauren), DSW (Shoe Warehouse) and others—are all being traced back to software that merchants use to process credit, charge and debit transactions. The problem, it seems, stems from the fact that the hidden coding that resides on the magnetic strip of our plastic money and that is supposed to authenticate and provide a degree of transactional security in processing payment is being retained by the merchants’ systems, rather than being immediately deleted and cleansed from these systems once the transaction is approved and complete. Hackers, learning of this vulnerability, were quick to attempt to break into these merchant systems and “steal” the codes, in many cases enabling them to create counterfeit plastic and compromise personal information of the cardholder in the process. In one case, BJ’s Wholesale Club is being sued by banks and credit unions because hackers made off with customer’s credit card numbers, and BJ’s has decided to sue IBM, whose software allegedly stored the numbers in computer logs. In legal papers filed in response to the suit, IBM not only claims there is no proof the stolen card numbers came from BJ’s systems, but it also claims that its contract with BJ’s disclaims liability for damages because of security breaches. OK, all of you go check your software contracts. Now.
Shareholders are suing ChoicePoint and its executives after learning that criminals posing as bona fide businesses were given access to personal data. ChoicePoint maintains databases of background information on almost every citizen in the United States—billions of records. A class-action lawsuit has been filed in California charging that executives withheld information to avoid having the stock price fall when and if the news broke: the share price has since fallen more than 20 percent in a month. The suit claims the executives knew their data protection was inadequate; knew or should have known ChoicePoint was selling data to illegal businesses; and that security breaches had occurred previously, exposing even more people to identity theft.
The security breach was uncovered last October, when law enforcement first contacted ChoicePoint investigating an identity theft. Suspects, posing as a ChoicePoint client, gained access to its consumer databases. As if the class action and drop in share price were not trouble enough, ChoicePoint is under investigation by the FTC inquiring into its compliance with information security laws; is under investigation by the SEC for possible violations by certain executives of the insider trading regulations; and is facing lawsuits arising from violations of the Fair Credit Reporting Act and California state law. Will someone please pick up and read the February 2004 issue of Legal Bytes!?!
No longer merely the source of new fashion trends or technology movements (or McDonald’s), California is quickly becoming the thought leader in protecting consumer privacy. Two new laws, one which deals with personal information given to third parties for marketing (SB27) and another which obligates businesses to adhere to certain security requirements for using and storing personal information, both came into effect January 1, 2005. The new law requires businesses with 20 or more employees to give consumers detailed disclosures about not only what customer information they have shared with third parties, but also the contact information for and descriptions of those parties. Want to avoid the disclosure obligations? Simple. Allow your customers a free opt-out election from having their personal information shared. That said, you will still have to let your customers know how and to whom they can inquire about these requirements – even if your business offers the opt-out choice to consumers. By the way, if you are already subject to the stricter requirements of California’s financial privacy act, you are exempt. While there are some additional exemptions, they are narrow, and anyone doing business in California shouldn’t be too quick to conclude they are exempt without consulting legal counsel. California’s Office of Privacy Protection has drafted a set of recommended practices which attempts to harmonize the requirements of this new act with the California online privacy act, the state’s financial privacy provisions, the federal Gramm-Leach-Bliley Act, HIPAA, and European Union privacy directives. Good luck.
Do you or your contractors have sensitive personal information (e.g., names and addresses in combination with social security numbers and PIN numbers) that could lead to identity or financial theft if compromised? What about medical information about a person’s diagnosis and treatment? Start ensuring you have “reasonable” practices to protect that information from unauthorized access, use, modification and disclosure—and it doesn’t matter if the information is on paper or in electronic form. Both are covered. While the legislative history makes it clear that no one particular standard is “the standard” for “reasonable” security, a company will need to designate a specific individual who is responsible for the company’s security program, and will need to establish a security task force—including a compliance officer and legal counsel. To avoid running afoul of the standards, not only must practices and a task force be implemented, but companies will also have to demonstrate they periodically test and monitor how the security measures are working, make risk assessment, and fine-tune their security measures to keep them updated appropriately. Need employee training? Need help implementing background checks, confidentiality agreements, encryption and record retention/destruction requirements, and disciplinary measures? Call the lawyers at Rimon. We can help.
Remember California’s security breach notification law (we told you about this and you get another prize if you can identify the back-issue in which we did so)? That law requires businesses to disclose security lapses. This new law creates a new duty and standard of care. Lawsuits arising from breaches in security (you remember California’s Business and Professions Code section 17200) can now use AB1950 as a discovery prod to determine if your business has used and effectively maintains reasonable security measures.
Consider this: California has already passed more than a dozen laws to protect privacy—many of which have now spawned federal legislation, some already passed and others in process. SB186 bans unsolicited e-mail and AB1769 bans text messaging advertisements to cell phones and pagers. AB1733 mandates consent from customers before a wireless carrier can list their phone numbers in a 411 directory, and SB1436 restricts keystroke monitoring software, website tracking software, and software that attempts to control personal computers.
In last month’s issue, we mentioned (in “Gnu & Gnoteworthy”) the F.D.I.C. released a report entitled “Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks”. Well, privacy issues are popping up all over the place again.
California Financial Privacy Act
The California Financial Privacy Act of 2003 became effective July 1st and requires banks to give customers the right to opt out of sharing information with bank affiliates with separately regulated lines of business and requires banks to get permission from customers to share information with outside companies. After the law was enacted, the American Bankers Association, Consumer Banking Association and Financial Services Roundtable filed suit claiming the Fair Credit Reporting Act—the federal law regulating sharing of information among affiliates—preempted state law and thus the part of the statute attempting to limit sharing of information among affiliates is invalid. Not so, said the Judge—to the surprise of bankers scrambling to comply—a recent notice from the California Department of Financial Institutions indicated it would begin enforcing the law immediately!
The Judge ruled that since the FCRA only applied to the sharing of “credit reports,” the California law covering a broader range of customer information was not preempted by federal law. Will the ruling be appealed? Will other states follow suit?
California has done it again! The nation’s toughest anti-spam law, the first database security breach notification law, and now the first state to require commercial website owners and online service providers to adopt and communicate privacy policies, ensure policies satisfy certain minimum standards, and pay penalties if they fail to conform.