First Quarter Developments in the Ever Changing Landscape of Privacy and Data Security (Tues. April 10, 2012)

Transcript of the slide deck (40 slides).

First Quarter 2012 Developments: Today’s Speakers

Jana Fuchs, Hamburg, 49-40-30-33-16-0, Jana.Fuchs@bryancave.com
Gina Hough, Washington, D.C., 202-508-6387, Gina.Hough@bryancave.com
Brandon Pollak, Washington, D.C., 202-508-6394, Brandon.Pollak@bryancave.com
Dan Rockey, San Francisco, 415-268-1986
David Zetoony, Washington, D.C., 202-508-6030, David.Zetoony@bryancave.com

To submit questions that arise during the presentation which we may be able to answer at a later date, please e-mail [email protected]

First Quarter 2012 Developments: Outline

1. The Federal Trade Commission

2. State Attorneys General

3. Private litigation

4. Legislation

5. Europe

First Quarter 2012 Developments: The Federal Trade Commission

• Highlights of Q1 FTC Actions:

– Agreement for Consent Order, In re UPromise (Jan. 5, 2012)
– Warning Letter, Everify Inc. (Jan. 25, 2012)
– Warning Letter, InfoPay Inc. (Jan. 25, 2012)
– Warning Letter, Intelligator, Inc. (Jan. 25, 2012)
– FTC Report, “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing” (Feb. 2012)
– FTC Report, “Consumer Sentinel Network Data Book for January – December 2011” (Feb. 2012)
– FTC Report, “Using FACTA Remedies: An FTC Staff Report on a Survey of Identity Theft Victims” (Mar. 2012)
– FTC Report, “Protecting Consumer Privacy In an Era of Rapid Change: Recommendations for Businesses and Policymakers” (Mar. 2012)
– Consent Order, US v. RockYou (N.D. Cal. Mar. 26, 2012)

• … but what does it all mean?

First Quarter 2012 Developments: The Federal Trade Commission

• Movement in Four Key Areas:

1. How to use “de-identified” data.
2. Changes to the definition of “sensitive data.”
3. Nailing down what is, and is not, “reasonable and appropriate” when it comes to data security.
4. Increased scrutiny on mobile applications.

First Quarter 2012 Developments: The Federal Trade Commission

• Using “De-Identified Data”

– Historical reasons for anonymizing or de-identifying data.
– Trend toward treating anonymous or de-identified data as PII.
– FTC’s current position is that data is not anonymous if it is “reasonably linked to a person, computer, or device.”
– Data is not “reasonably linked” if the following three elements are met:
  1. Company takes measures to ensure that data is de-identified,
  2. Company publicly commits to not try to re-identify, and
  3. Company contractually prohibits downstream recipients from trying to re-identify.
– Steps for limiting liability in connection with anonymous data…

First Quarter 2012 Developments: The Federal Trade Commission

• Changes to the Definition of “Sensitive Information”

– Historically the term was defined by state laws.
– Trend is toward a more amorphous definition.
– FTC’s current position goes beyond SSN and driver’s license and includes financial, health, child and/or geo-location information.
– Likely impact of FTC’s position on litigation risk, and compliance risks…

First Quarter 2012 Developments: The Federal Trade Commission

• Nailing Down the Elusive “Reasonable and Appropriate” Security.

– Historically, FTC has taken the position that section 5 requires all companies to use “reasonable and appropriate” security, but has refused to define what that term means in specific terms.
– Commission has brought roughly 40 cases for inadequate security; reading between the lines reveals those practices that the Commission believes categorically evidence a lack of “reasonable and appropriate” security.
– US v. RockYou and FTC v. UPromise provide eight specific examples of what is not reasonable and appropriate.
– Strategies for limiting liability in light of the FTC’s position…

First Quarter 2012 Developments: The Federal Trade Commission

• Increased Scrutiny on Mobile Apps.

– Historically, FTC has indicated that it treats the mobile marketplace the same as the internet.
– Developments in this quarter show that the FTC is increasingly scrutinizing privacy practices and regulatory compliance practices in mobile apps.
– Takeaways:
  • Little doubt that the FTC will bring more and more COPPA enforcement actions against mobile app developers.
  • Little doubt that the FTC will look for any FCRA cases.
  • Almost certainly more run-of-the-mill privacy and data security cases affecting mobile apps.

First Quarter 2012 Developments: The Federal Trade Commission

• Some Additional Areas of FTC Attention…

– Attention on deceptive and unfair practices in the context of credit monitoring services and ID theft products.
– Additional thoughts from the FTC concerning when companies can share with sister entities, parents, and subs.

First Quarter 2012 Developments: State AG & Other Agencies

Speaker: Gina Hough, Washington, D.C., 202-508-6387, Gina.Hough@bryancave.com

First Quarter 2012 Developments: State AG & Other Agencies

• Data Privacy Moves to the Top of the List for State Attorneys General

– 36 State AGs question Google’s privacy changes; failure to “opt-out” cited
– California AG agreement with Amazon, Google, Hewlett-Packard, RIM sets stage on mobile app privacy
– Minnesota AG goes after HIPAA violation
– Massachusetts AG pursues property management firm; firm pays civil damages

First Quarter 2012 Developments: State AG & Other Agencies

• Cal AG Mobile App Settlement

– California AG announced February 22 that it had reached agreement with Amazon.com, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to strengthen privacy protections for smartphone owners who download mobile applications.
– Agreement requires:
  • privacy policy for mobile apps
  • method for users to report violations by app developers
– Violations of privacy policies would be treated as violations of the UCL (Cal’s mini-FTC Act)

First Quarter 2012 Developments: Private Litigation

Speaker: Dan Rockey, San Francisco, 415-268-1986

First Quarter 2012 Developments: Private Litigation

• Current State of Privacy Litigation

– Unprecedented number of filed cases (both data breach and unauthorized collection/use of PII)
– Emergence of a dedicated privacy plaintiffs’ bar

• However

– For all the activity, little tangible success for plaintiffs
– Cases routinely dismissed at the pleading stage on Article III standing or inability to meet “actual injury” element of claim
– No out-of-pocket damages = No claim

First Quarter 2012 Developments: Private Litigation

• High Profile Defense Victories

E.g., In re iPhone Application Litigation (2011)

• Plaintiffs alleged that Apple and mobile ad networks unlawfully allowed third party apps to collect personal information without user consent or knowledge.
• Drawing on a long line of decisions, the Court dismissed all claims, finding insufficient plaintiffs’ allegations that they suffered harm in the form of a diminished value for their personal data.

But see:

• “It is not obvious that Plaintiffs cannot articulate some actual or imminent injury in fact. It is just that at this point they haven’t offered a coherent and legally supported theory of what that injury might be.”

First Quarter 2012 Developments: Private Litigation

• Is the Tide Turning?

Claridge v. RockYou, Inc. (N.D. Cal. 2011)

• Defendant failed to secure user data, allowing a hacker to access 32 million usernames and passwords

– Plaintiffs:
  • FTC → “Personal information is . . . currency. The monetary value of personal data is large and still growing . . . .”
  • Academic studies → social networking credentials worth up to $35 on the black market

– Court:
  • Plaintiff has “sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified ‘value’ and/or property right inherent in the PII.”

First Quarter 2012 Developments: Private Litigation

• Is the Tide Turning?

Fraley v. Facebook (N.D. Cal., Dec. 19, 2011)

• Plaintiffs alleged that Facebook unlawfully appropriated its users’ data through its Sponsored Stories marketing program

– Plaintiffs:
  • Facebook executives → trusted referrals are the “Holy Grail of Marketing” and were 2-3 times more valuable than standard Facebook ads

– Court:
  • Plaintiffs sufficiently alleged that their personal endorsements had “concrete, provable value in the economy at large, which can be measured by the additional profit Facebook earns from selling Sponsored Stories compared to its sale of regular advertisements.”

First Quarter 2012 Developments: Private Litigation

• Is the Tide Turning?

Villegas v. Google (complaint filed Feb. 28, 2012)

• Plaintiffs allege that Google and Point Roll were exploiting a gap in the Safari and IE browsers to circumvent a user’s cookie settings
• Asserts claims under the CFAA, ECPA, Cal. Penal Code § 502, UCL and CLRA

– Damages?
  • Plaintiffs allege, inter alia, that Google allowed “toxic” cookies to be placed on their computers, requiring costly “toxic cookie clean up” costing potentially thousands of dollars (i.e., batch delete is not reasonable mitigation)

First Quarter 2012 Developments: Private Litigation

• Statutory Violation = Actual Harm?

Gaos v. Google (N.D. Cal. Mar. 29, 2012)

– Plaintiff alleged:
  • Google allows website owners (and third parties) to see user-submitted search terms, which can be linked to the user through re-identification

– Court:
  • Dismissed state law claims but permitted Stored Communications Act claim to proceed
  • Plaintiff does not need to allege any actual injury other than a violation of the statute: “injury required by Article III . . . can exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing.’”

First Quarter 2012 Developments: Private Litigation

• Statutory Violation = Actual Harm?

Edwards v. First American (9th Cir. 2010)

• Case involves alleged kickbacks between a title company and a title insurance agency
• RESPA makes violators liable for 3x any charges paid for settlement services

– Court, following the Third and Sixth Circuits, held that a statutory violation supplies actual injury sufficient to establish Article III standing
– SCOTUS granted review; decision expected this summer

First Quarter 2012 Developments: Private Litigation

• Plaintiffs are beginning to crack the code. Companies should not get complacent.

• Embrace Privacy By Design, evaluating privacy impact of new initiatives at the outset

• When the inevitable breach or mishap occurs, consider response carefully with an eye to potential litigation (e.g., by offering free credit monitoring, “voluntary” notifications)

• Be careful what you say about your customers’ data – it may come back to haunt you

First Quarter 2012 Developments: Federal Legislation

Speaker: Brandon Pollak, Washington, D.C., 202-508-6394, Brandon.Pollak@bryancave.com

First Quarter 2012 Developments: Federal Legislation

• “The Cybersecurity Act of 2012”

– On Tuesday, February 14, 2012, Senators Lieberman, Collins, Rockefeller and Feinstein introduced S. 2105, The Cybersecurity Act of 2012.
– S. 2105 addresses several critical areas:
  • Title I: Critical Infrastructure
  • Title II: FISMA Reform
  • Title III: Clarifies the roles of Federal Agencies
  • Title IV: Workforce Development
  • Title V: Research and Development
  • Title VI: Federal Acquisition Risk Management Strategy
  • Title VII: Information Sharing
  • Title VIII: Public Awareness Reports
  • Title IX: International Cooperation

First Quarter 2012 Developments: Federal Legislation

• “The Cybersecurity Act of 2012”

– Senate Majority Leader Harry Reid placed S. 2105 onto the Senate Calendar and has expressed his intention to bring the bill to the Senate Floor during the current legislative work period.
– Several Senate Republicans, led by Senators John McCain and Kay Bailey Hutchison, have sharply criticized the legislative process that produced S. 2105.
– Eight Senate Republicans, led by Senator McCain, introduced an alternative cybersecurity bill called the SECURE IT Act (S. 2151) on March 1st.

First Quarter 2012 Developments: Federal Legislation

• The U.S. House of Representatives

– Rep. Mary Bono Mack (R-CA) and Rep. Marsha Blackburn (R-TN) introduced the House version of the SECURE IT Act (H.R. 4263) on March 27th.

– Key components of the legislation include: (1) Authorizing Information Sharing; (2) Securing Federal Networks; (3) Prosecuting Cybercrime; and (4) Prioritizing Cybersecurity Research

– The House of Representatives is still ironing out the final details of its cybersecurity package; leaders are expected to put four bills on the floor separately this work period and then use a procedural maneuver to combine them before they are sent to the Senate.

First Quarter 2012 Developments: Federal Legislation

• White House Privacy “White Paper”

– The White House released a “white paper” proposing a policy framework for consumer privacy, Consumer Data Privacy In a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.

– Four major elements: (1) Consumer Privacy Bill of Rights; (2) Market and industry Codes of Conduct; (3) Enforcement, primarily by the FTC but also by state Attorneys General; and (4) International Cooperation, primarily between the U.S. and European countries.

– The paper suggests that Congress enact new privacy legislation.

First Quarter 2012 Developments: Federal Legislation

• FTC Privacy Report

– The final privacy report expands on a preliminary staff report the FTC issued in December 2010. The final report calls on companies handling consumer data to implement recommendations for protecting privacy, including: (1) Privacy by Design; (2) Simplified Choice for Businesses and Consumers; and (3) Greater Transparency
– FTC staff to focus on five main action items: (1) Do-Not-Track; (2) Mobile; (3) Data Brokers; (4) Large Platform Providers; (5) Promoting Enforceable Self-Regulatory Codes
– FTC recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.

First Quarter 2012 Developments: European Union

Speaker: Jana Fuchs, Hamburg, 49-40-30-33-16-0, Jana.Fuchs@bryancave.com

First Quarter 2012 Developments: European Union

• Revision of Data Protection Rules

– In January the EU Commission published the long-awaited reform proposal for EU data privacy rules
– Existing legislation is based on an EU Directive drafted in 1995
– Currently all EU member states have implemented their own national rules based on the existing EU Directive, which are not fully harmonized
– The Commission’s reform proposal is now set out as an EU Regulation, which means it will be directly enforceable in all member states leading to a full harmonization of rules within the EU

First Quarter 2012 Developments: European Union

• Reform Proposal

– Proposed changes leading to further compliance obligations are, e.g.:
  • Foreign Application of the Regulation
  • One-Stop Shop
  • Explicit Consent
  • Breach Notification
  • Mandatory Data Protection Official
  • Higher Penalties

First Quarter 2012 Developments: European Union

• Foreign Application

– EU Regulation will apply even if personal data is processed abroad
– It would apply to data processing companies that are active in the EU market (e.g. offering goods or services to EU data subjects)

First Quarter 2012 Developments: European Union

• One-Stop Shop

– Only one data protection authority – the national authority of the Member State in which the company has its main establishment – shall be responsible
– This ‘one-stop-shop’ for data protection will greatly simplify compliance efforts. Currently, businesses are supervised by different authorities in each Member State in which they are established

First Quarter 2012 Developments: European Union

• Explicit Consent

– Opt-In consent is strengthened
– Whenever an individual’s consent is required for their data to be processed, such consent would have to be express (i.e., not implied)

First Quarter 2012 Developments: European Union

• Breach Notification

– Companies would be required to notify the national supervisory authority of serious data breaches as soon as possible (if feasible, within 24 hours)
– The individuals whose personal data could be adversely affected by the breach would also have to be notified without undue delay

First Quarter 2012 Developments: European Union

• Data Protection Official

– For companies employing 250 persons or more, the Regulation would require that they employ an internal data protection officer (DPO)
– DPO has to be sufficiently qualified and if employed is subject to termination protection

First Quarter 2012 Developments: European Union

• Penalties

– For first offences, the national supervisory authorities may send a warning letter
– For serious violations supervisory authorities could impose penalties of up to €1 million ($1.3 million) or up to 2% of the global annual turnover of a company
– For less serious offences fines could start out at €250,000 ($330,000) or up to 0.5% of the worldwide turnover

First Quarter 2012 Developments: European Union

• Next Steps – From Proposal to Regulation

– The reform proposal has been passed to the European Parliament and all EU Member States for discussion and potential amendment
– Although it is difficult to estimate how long it might take the proposal to be considered, typically proposals of this significance are considered for approx. two years before being adopted
– The Regulation will be enforceable in all Member States two years after it has been adopted

First Quarter 2012 Developments: European Union

• Reform Proposal Reactions & Reality Check

– Points of discussion are, e.g.:
  • Conflicts resulting from foreign application of the regulation, e.g. the Patriot Act
  • Missing rules for the enforcement of foreign application
  • Missing regulation for cloud computing, in particular for non-EU clouds
  • Data transfer regulation is not part of the reform proposal
  • Explicit consent requirements as obstacles to business operations
