In the aftermath of many well publicized data breaches, in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is or may have been compromised in a database. But recent reports citing ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found notification laws only reduce identity theft by around 2 percent) and a growing sense that notification laws don’t prevent the problem, have caused some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted different legislation aimed at prevention, and Washington and Michigan are actively considering new measures.
Motion Picture Association of America–Shaken, Not Stirred
In what sounds like a James Bond spy caper, an MPAA executive allegedly paid a hacker $15,000 to break into a server and snatch copies of emails. The hacker accomplished the dirty deed and emailed the MPAA dozens of pages of material—ostensibly for use by the MPAA in its copyright infringement action against a company whose servers were involved in file sharing. The MPAA released a statement that “The information was obtained in a legal manner from a confidential informant who we believe obtained the information legally.”
Now a federal appeals court in California is determining if a lower court ruling should re-define online privacy protection by interpreting “intercept” under the 1968 Wiretap Act. The case, Bunnel v. Motion Picture Association of America, revolves around a ruling a year ago that held the hacker didn’t really “intercept” emails because they were in storage—not technically in transit. The lower court ruled the hacker’s “…actions did not halt the transmission of the messages to their intended recipients. As such, under well-settled case law, as well as a reading of the statute and the ordinary meaning of the word ‘intercept,’ Anderson’s acquisitions of the e-mails did not violate the Wiretap Act.” In other words, “grab copies of emails sitting on your server for a nanosecond” and it’s not wiretapping. Stay tuned!
Italian Authorities Aren’t Loyal to Customer Information Used for Behavioral Marketing
A new provision of the Italian data protection law (Loyalty Cards, issued Feb. 24, 2005), is getting a workout. The Data Protection Authority fined a well-known supermarket chain €54,000 for not giving customers adequate information regarding use of personal data. The retailer issued loyalty cards—for shoppers to obtain discounts and rewards—and gathered customer names, email and cell phone numbers (personally identifiable information) and behavioral marketing information (spending habits and locations). Customer profiles were then evaluated and used to create targeted ad campaigns. The retailer didn’t ask customers for consent for all of these uses—a violation of the data protection law.
In Italy, if customer information is not used solely for operating the loyalty program, but for customer profiling and advertising, the consumer must be told and must give consent. While consent is not needed to carry out contract obligations needed to fulfill the loyalty reward program itself, collecting more information than needed for that purpose or using information for other purposes requires specific consent. Is this true elsewhere? In Europe? The United States? Canada? Latin America? Asia? New Zealand? Call me and find out, or read my bio.
Data Breach. Cause for Alarm or a Big Yawn?
By August 2008, there were more publicly disclosed data breaches among U.S. businesses than for all of 2007. More information is created, flowing and stored by commercial enterprise than ever; more clever schemes are being hatched by criminals for hacking or disrupting information; employees don’t appreciate the value of assets you can’t feel; and consumers are befuddled by a maze of privacy notices, data theft notices, credit report advertisements, and scare tactics launched by advocacy groups—well intentioned though they may be. More than 40 U.S. states have laws requiring disclosure of data breaches. If these were intended to create incentives to prevent data breaches and reduce occurrence, how do we explain the steady rise? Are the laws ineffective? Are businesses accountable beyond some adverse publicity, once they provide legally mandated disclosure? Have we become jaded by news reports, privacy and breach notices as just so much junk mail? In the credit card world, consumers generally have a maximum $50 liability if a card is lost or stolen. In situations where there are no real time approvals, credit card companies take the risk. In that environment, a business decision is made to accept certain loses because the potential revenue generated by the business model yields a greater reward. In the world of consumer privacy and personally identifiable information disclosure, who is taking what risk? Studies for years indicate IT professionals appreciate that digital crime—theft of intellectual property, piracy, theft of trade secrets, customer data or employee information—is a problem. Many companies may not even know their security is breached and others have little incentive to solve the problem. Need more information? Come to my web page, contact me and tell me what you think. Call if you need help with a policy, a position or an understanding of your legal rights and obligations. We can help.
Investigating Online & Interactive Advertising
The U.S. Congress appears determined to investigate online advertising. Early this month, the House Energy and Commerce Committee issued a letter to more than 30 companies, and what began as an inquiry into how Internet service providers use network data to target advertising, has morphed into a fishing expedition into all kinds of interactive advertising. Most notably, and despite urging by the FTC to allow self-regulation to take hold, the Committee does not differentiate between personally identifiable information and non-identifying, anonymous data used for traffic metrics, ad insertion and other common advertising purposes. Lumping different kinds of information together could needlessly undermine marketing as it has been practiced for decades. The “tailoring” of advertising, in the Committee’s words, based on consumers’ behavior and media consumption patterns, has been at the heart of marketing for as long as marketing has been around.
More disturbing are presumptions that “privacy” rights are being violated by any and all forms of behavioral or targeted marketing. Advocacy groups opposed to commercial communication seek to promote an implicit, yet fundamental redefinition of personal privacy—i.e., anything that derives from peoples’ activities, no matter how distanced or anonymous. Taken to logical conclusion, any academic, commercial or journalistic observation of consumer activity could fall under regulatory restrictions under such a framework. Not surprisingly, the FTC—with its long history of regulation of advertising practices—has argued before Congress that self-regulation is likely to be an effective means of protecting consumers’ real privacy interests. According to testimony by FTC Consumer Protection Bureau Director Lydia Parnes before the Senate Committee on Commerce, Science, and Transportation this July, the FTC is “cautiously optimistic that the privacy concerns raised by behavioral advertising can be addressed by industry self-regulation.” Nevertheless, in the letter released this month and in three previous inquiries over the past few months, both the House and the Senate seem to be searching for a rationale to regulate. Stay tuned.
Ad Blocking is in Vogue – Privacy is to Blame (Again)
Ad-blocking programs are getting attention these days, spawned by the proliferation of plug-ins, configurational ad-ons, and announced features in upcoming browser releases. These enable the blocking of ads (or content that “looks” like advertising) by browsers, automating the removal or blocking of some or all content from being viewed on web pages. There has always been a balance (and some would add “tension”) between a consumer’s right to privacy and the marketer’s desire to know more and reach the right customer. The direct intersection of these issues resulting from the rise of consumer and commercial use of the Internet and its complexity, have spawned a degree of heat over these issues, never before seen in history.
From the earliest days of ad-supported radio and television broadcasting there has been a balance between the delivery of cost-effective programming and content and the right of the viewer (today, the end-user) to determine what, when and in what form ads are displayed. Advertising plays a major role in subsidizing delivery of programming. Indeed, while technology may give the individual the ability to skip advertising, there are no legal prohibitions on newspapers, television or radio serving ads along with content. There is also little question that without advertising, the price of content would rise significantly or its availability would diminish, or both.
Continue reading “Ad Blocking is in Vogue – Privacy is to Blame (Again)”
Coping With COPPA
The Children’s Advertising Review Unit recently held that screening for age to avoid collecting personal information from children under 13 was not enough. In Bandai America (the website is Bandai’s Wireless.com site), CARU found that although Bandai’s website had a screening mechanism that asked for a date of birth, there was no tracking once a child put in a birth date. Thus, anyone under 13 could come back and enter a different (inaccurate) date of birth to get by the screen. CARU’s COPPA compliance guidelines require that not only must interactive sites have an age screening mechanism, but there also must be some reasonably effective means of tracking so children can’t get around the screening process. Forewarned is forearmed.
Who Pays For the Data Security Breach?
Have you received one of those “data security breach” letters? Quick, call the credit bureau and bank. Change the checking, credit card and license numbers. Most financial institutions have absorbed the cost of reissuing payment cards or providing new checks, even when these financial institutions had nothing to do with the security breach. When B.J.’s Wholesale Club disclosed that a theft of credit card information had occurred, two financial institutions sued to recover the costs that resulted from that breach. The institutions claimed B.J.’s breached its legal obligation to maintain the security of the financial institution and should be liable for the damages. Those claims were initially rejected, but have now been revived by the U.S. Court of Appeals for the Third Circuit, which has issued a decision holding these financial institutions were intended third-party beneficiaries of the contract among the retailer, its merchant bank, and the payment card industry, to keep customer data safe. If the retailer breached data protection rules imposed by the payment card industry and the financial institutions were third-party beneficiaries of that agreement, then any damage and loss could be recovered based on contract law claims. Stay tuned.
You Would Think They Would Know Better
Cyber-Ark Software, a U.S.-based information security company, surveyed information technology professionals at the Infosecurity Europe Expo 2008 in London this past April. They asked 300 senior IT folks attending the Expo about abuses relating to information access, and guess what they found? First, about one-third of all IT professionals surveyed abused their own company’s information access rights policies to view information unrelated to their job (e.g., spying on employees or looking at confidential information). The survey report noted that passwords of IT and systems oversight staff often aren’t required to be changed as often as user passwords—or sometimes not at all. In most cases, IT administrators have free reign to use or abuse access privileges—which apparently happens too often.
The notion of “internal firewalls” is highlighted by this report. While companies often take great pains to protect themselves from external threats, as history has shown us in the physical world, the biggest dangers are from “inside jobs.” Without protections that apply internally, snooping, economic espionage, sabotage, spying and data security risks will remain a looming threat to the information assets of a business enterprise.
Data, Data Everywhere, But Hackers Drop into Secure Websites
Criminals stole customer information from the Hannaford Bros. and Sweetbay grocery chains’ computer networks. As shoppers swiped cards at checkout and their information was routed to transaction processors using state-of-the-art, fiber-optic, hard-wired cable for transmissions, malicious software intercepted the information and transmitted it to an ISP off-shore. Experts are still trying to figure out how the code got into the systems in the first place.
Continue reading “Data, Data Everywhere, But Hackers Drop into Secure Websites”