
First Quarter Developments in the Ever Changing Landscape of Privacy and Data Security (Tues. April 10, 2012)


2 First Quarter 2012 Developments: Today's Speakers
Jana Fuchs (Hamburg)
Gina Hough (Washington, D.C.)
Brandon Pollak (Washington, D.C.)
Dan Rockey (San Francisco)
David Zetoony (Washington, D.C.)
To submit questions that arise during the presentation which we may be able to answer at a later date, please

3 First Quarter 2012 Developments: Outline
1. The Federal Trade Commission
2. State Attorneys General
3. Private litigation
4. Legislation
5. Europe

4 First Quarter 2012 Developments: The Federal Trade Commission
Highlights of Q1 FTC Actions:
– Agreement for Consent Order, In re UPromise (Jan. 5, 2012)
– Warning Letter, Everify Inc. (Jan. 25, 2012)
– Warning Letter, InfoPay Inc. (Jan. 25, 2012)
– Warning Letter, Intelligator, Inc. (Jan. 25, 2012)
– FTC Report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing (Feb. 2012)
– FTC Report, Consumer Sentinel Network DataBook for January – December 2011 (Feb. 2012)
– FTC Report, Using FACTA Remedies: An FTC Staff Report on a Survey of Identity Theft Victims (Mar. 2012)
– FTC Report, Protecting Consumer Privacy In an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 2012)
– Consent Order, US v. RockYou (N.D. Cal. Mar. 26, 2011)
… but what does it all mean?
David Zetoony, Washington, D.C.

5 First Quarter 2012 Developments: The Federal Trade Commission
Movement in Four Key Areas:
1. How to use de-identified data.
2. Changes to the definition of sensitive data.
3. Nailing down what is, and is not, reasonable and appropriate when it comes to data security.
4. Increased scrutiny on mobile applications.

6 First Quarter 2012 Developments: The Federal Trade Commission
Using De-Identified Data
– Historical reasons for anonymizing or de-identifying data.
– Trend toward treating anonymous or de-identified data as PII.
– The FTC's current position is that data is not anonymous if it is reasonably linked to a person, computer, or device.
– Data is not reasonably linked if the following three elements are met:
  1. The company takes measures to ensure that the data is de-identified,
  2. The company publicly commits not to try to re-identify it, and
  3. The company contractually prohibits downstream recipients from trying to re-identify it.
– Steps for limiting liability in connection with anonymous data…

7 First Quarter 2012 Developments: The Federal Trade Commission
Changes to the Definition of Sensitive Information
– Historically, the term was defined by state laws.
– The trend is toward a more amorphous definition.
– The FTC's current position goes beyond SSN and driver's license information and includes financial, health, child and/or geo-location information.
– Likely impact of the FTC's position on litigation risk and compliance risks…

8 First Quarter 2012 Developments: The Federal Trade Commission
Nailing Down the Elusive "Reasonable and Appropriate" Security
– Historically, the FTC has taken the position that Section 5 requires all companies to use reasonable and appropriate security, but has refused to define what that term means in specific terms.
– The Commission has brought roughly 40 cases for inadequate security; reading between the lines reveals those practices that the Commission believes categorically evidence a lack of "reasonable and appropriate" security.
– US v. RockYou and FTC v. UPromise provide eight specific examples of what is not reasonable and appropriate.
– Strategies for limiting liability in light of the FTC's position…

9 First Quarter 2012 Developments: The Federal Trade Commission
Increased Scrutiny on Mobile Apps
– Historically, the FTC has indicated that it treats the mobile marketplace the same as the internet.
– Developments in this quarter show that the FTC is increasingly scrutinizing privacy practices and regulatory compliance practices in mobile apps.
– Takeaways:
  Little doubt that the FTC will bring more and more COPPA enforcement actions against mobile app developers.
  Little doubt that the FTC will look for any FCRA cases.
  Almost certainly more run-of-the-mill privacy and data security cases affecting mobile apps.

10 First Quarter 2012 Developments: The Federal Trade Commission
Some Additional Areas of FTC Attention…
– Attention on deceptive and unfair practices in the context of credit monitoring services and ID theft products.
– Additional thoughts from the FTC concerning when companies can share with sister entities, parents, and subsidiaries.

11 First Quarter 2012 Developments: State AG & Other Agencies
Gina Hough, Washington, D.C.

12 First Quarter 2012 Developments: State AG & Other Agencies
Data Privacy Moves to the Top of the List for State Attorneys General
– 36 State AGs question Google's privacy changes; failure to opt-out cited
– California AG agreement with Amazon, Google, Hewlett-Packard, RIM sets stage on mobile app privacy
– Minnesota AG goes after HIPAA violation
– Massachusetts AG pursues property management firm; firm pays civil damages

13 First Quarter 2012 Developments: State AG & Other Agencies
Cal AG Mobile App Settlement
– The California AG announced February 22 that it had reached agreement with Amazon.com, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to strengthen privacy protections for smartphone owners who download mobile applications.
– Agreement requires:
  a privacy policy for mobile apps
  a method for users to report violations by app developers
– Violations of privacy policies would be treated as violations of the UCL (California's mini-FTC Act)

14 First Quarter 2012 Developments: Private Litigation
Dan Rockey, San Francisco

15 First Quarter 2012 Developments: Private Litigation
Current State of Privacy Litigation
– Unprecedented number of filed cases (both data breach and unauthorized collection/use of PII)
– Emergence of a dedicated privacy plaintiffs' bar
However:
– For all the activity, little tangible success for plaintiffs
– Cases routinely dismissed at the pleading stage on Article III standing or inability to meet the actual injury element of the claim
– No out-of-pocket damages = no claim

16 First Quarter 2012 Developments: Private Litigation
High Profile Defense Victories
E.g., In re iPhone Application Litigation (2011)
Plaintiffs alleged that Apple and mobile ad networks unlawfully allowed third-party apps to collect personal information without user consent or knowledge.
Drawing on a long line of decisions, the Court dismissed all claims, finding insufficient plaintiffs' allegations that they suffered harm in the form of a diminished value for their personal data.
But see: "It is not obvious that Plaintiffs cannot articulate some actual or imminent injury in fact. It is just that at this point they haven't offered a coherent and legally supported theory of what that injury might be."

17 First Quarter 2012 Developments: Private Litigation
Is the Tide Turning?
Claridge v. RockYou, Inc. (N.D. Cal. 2011)
Defendant failed to secure user data, allowing a hacker to have access to 32 million usernames and passwords
– Plaintiffs: FTC: "Personal information is... currency. The monetary value of personal data is large and still growing...." Academic studies: social networking credentials worth up to $35 on the black market
– Court: "Plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified value and/or property right inherent in the PII."

18 First Quarter 2012 Developments: Private Litigation
Is the Tide Turning?
Fraley v. Facebook (N.D. Cal., Dec. 19, 2011)
Plaintiffs alleged that Facebook unlawfully appropriated its users' data through its Sponsored Stories marketing program
– Plaintiffs: Facebook executives: trusted referrals are the "Holy Grail of Marketing" and were 2-3 times more valuable than standard Facebook ads
– Court: Plaintiffs sufficiently alleged that their personal endorsements had "concrete, provable value in the economy at large, which can be measured by the additional profit Facebook earns from selling Sponsored Stories compared to its sale of regular advertisements."

19 First Quarter 2012 Developments: Private Litigation
Is the Tide Turning?
Villegas v. Google (complaint filed Feb. 28, 2012)
Plaintiffs allege that Google and Point Roll were exploiting a gap in the Safari and IE browsers to circumvent a user's cookie settings
Asserts violations of the CFAA, ECPA, Cal. Penal Code § 502, UCL, and CLRA
– Damages? Plaintiffs allege, inter alia, that Google allowed "toxic cookies" to be placed on their computers, requiring costly "toxic cookie" clean-up costing potentially thousands of dollars (i.e., batch delete is not reasonable mitigation)

20 First Quarter 2012 Developments: Private Litigation
Statutory Violation = Actual Harm?
Gaos v. Google (N.D. Cal. Mar. 29, 2012)
– Plaintiff alleged: Google allows website owners (and third parties) to see user-submitted search terms, which can be linked to the user through re-identification
– Court: Dismissed state law claims but permitted the Stored Communications Act claim to proceed. Plaintiff does not need to allege any actual injury other than a violation of the statute: the "injury required by Article III... can exist solely by virtue of statutes creating legal rights, the invasion of which creates standing."

21 First Quarter 2012 Developments: Private Litigation
Statutory Violation = Actual Harm?
Edwards v. First American (9th Cir. 2010)
Case involves alleged kickbacks between a title company and a title insurance agency; RESPA makes violators liable for 3x any charges paid for settlement services
– The Court, following the Third and Sixth Circuits, held that a statutory violation supplies actual injury sufficient to establish Article III standing
– SCOTUS granted review; decision expected this summer

22 First Quarter 2012 Developments: Private Litigation
Plaintiffs are beginning to crack the code. Companies should not get complacent.
– Embrace Privacy by Design, evaluating the privacy impact of new initiatives at the outset
– When the inevitable breach or mishap occurs, consider the response carefully with an eye to potential litigation (e.g., by offering free credit monitoring, voluntary notifications)
– Be careful what you say about your customers' data: it may come back to haunt you

23 First Quarter 2012 Developments: Federal Legislation
Brandon Pollak, Washington, D.C.

24 First Quarter 2012 Developments: Federal Legislation
The Cybersecurity Act of 2012
– On Tuesday, February 14, 2012, Senators Lieberman, Collins, Rockefeller and Feinstein introduced S. 2105, The Cybersecurity Act of 2012.
– S. 2105 addresses several critical areas:
  Title I: Critical Infrastructure
  Title II: FISMA Reform
  Title III: Clarifies the roles of Federal Agencies
  Title IV: Workforce Development
  Title V: Research and Development
  Title VI: Federal Acquisition Risk Management Strategy
  Title VII: Information Sharing
  Title VIII: Public Awareness Reports
  Title IX: International Cooperation

25 First Quarter 2012 Developments: Federal Legislation
The Cybersecurity Act of 2012
– Senate Majority Leader Harry Reid placed S. 2105 on the Senate Calendar and has expressed his intention to bring the bill to the Senate floor during the current legislative work period.
– Several Senate Republicans, led by Senators John McCain and Kay Bailey Hutchison, have sharply criticized the legislative process that produced S. 2105.
– Eight Senate Republicans, led by Senator McCain, introduced an alternative cybersecurity bill called the SECURE IT Act (S. 2151) on March 1st.

26 First Quarter 2012 Developments: Federal Legislation
The U.S. House of Representatives
– Rep. Mary Bono Mack (R-CA) and Rep. Marsha Blackburn (R-TN) introduced the House version of the SECURE IT Act (H.R. 4263) on March 27th.
– Key components of the legislation include: (1) Authorizing Information Sharing; (2) Securing Federal Networks; (3) Prosecuting Cybercrime; and (4) Prioritizing Cybersecurity Research.
– The House of Representatives is still ironing out the final details of its cybersecurity package; leaders are expected to put four bills on the floor separately this work period, and then use a procedural maneuver to combine them before they are sent to the Senate.

27 First Quarter 2012 Developments: Federal Legislation
White House Privacy White Paper
– The White House released a white paper proposing a policy framework for consumer privacy, "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy."
– Four major elements: (1) a Consumer Privacy Bill of Rights; (2) market and industry codes of conduct; (3) enforcement, primarily by the FTC but also by state Attorneys General; and (4) international cooperation, primarily between the U.S. and European countries.
– The paper suggests that Congress enact new privacy legislation.

28 First Quarter 2012 Developments: Federal Legislation
FTC Privacy Report
– The final privacy report expands on a preliminary staff report the FTC issued in December. The final report calls on companies handling consumer data to implement recommendations for protecting privacy, including: (1) Privacy by Design; (2) Simplified Choice for Businesses and Consumers; and (3) Greater Transparency.
– FTC staff will focus on five main action items: (1) Do-Not-Track; (2) Mobile; (3) Data Brokers; (4) Large Platform Providers; (5) Promoting Enforceable Self-Regulatory Codes.
– The FTC recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.

29 First Quarter 2012 Developments: European Union
Jana Fuchs, Hamburg

30 First Quarter 2012 Developments: European Union
Revision of Data Protection Rules
– In January the EU Commission published the long-awaited reform proposal for EU data privacy rules
– Existing legislation is based on an EU Directive drafted in 1995
– Currently all EU member states have implemented their own national rules based on the existing EU Directive, which are not fully harmonized
– The Commission's reform proposal is now set out as an EU Regulation, which means it will be directly enforceable in all member states, leading to full harmonization of rules within the EU

31 First Quarter 2012 Developments: European Union
Reform Proposal
– Proposed changes leading to further compliance obligations include, e.g.:
  Foreign Application of the Regulation
  One-Stop Shop
  Explicit Consent
  Breach Notification
  Mandatory Data Protection Official
  Higher Penalties

32 First Quarter 2012 Developments: European Union
Foreign Application
– The EU Regulation will apply even if personal data is processed abroad
– It would apply to data processing companies that are active in the EU market (e.g. offering goods or services to EU data subjects)

33 First Quarter 2012 Developments: European Union
One-Stop Shop
– Only one data protection authority (the national authority of the Member State in which the company has its main establishment) shall be responsible
– This "one-stop shop" for data protection will greatly simplify compliance efforts. Currently, businesses are supervised by different authorities in each Member State in which they are established

34 First Quarter 2012 Developments: European Union
Explicit Consent
– Opt-in consent is strengthened
– Whenever an individual's consent is required for their data to be processed, such consent would have to be express (i.e., not implied)

35 First Quarter 2012 Developments: European Union
Breach Notification
– Companies would be required to notify the national supervisory authority of serious data breaches as soon as possible (if feasible, within 24 hours)
– The individuals whose personal data could be adversely affected by the breach would also have to be notified without undue delay

36 First Quarter 2012 Developments: European Union
Data Protection Official
– For companies employing 250 persons or more, the Regulation would require that they employ an internal data protection officer (DPO)
– The DPO has to be sufficiently qualified and, if employed, is subject to termination protection

37 First Quarter 2012 Developments: European Union
Penalties
– For first offences, the national supervisory authorities may send a warning letter
– For serious violations, supervisory authorities could impose penalties of up to €1 million ($1.3 million) or up to 2% of the global annual turnover of a company
– For less serious offences, fines could start at €250,000 ($330,000) or up to 0.5% of the worldwide turnover

38 First Quarter 2012 Developments: European Union
Next Steps – From Proposal to Regulation
– The reform proposal has been passed to the European Parliament and all EU Member States for discussion and potential amendment
– Although it is difficult to estimate how long the proposal might take to be considered, typically proposals of this significance are considered for approx. two years before being adopted
– The Regulation will be enforceable in all Member States two years after it has been adopted

39 First Quarter 2012 Developments: European Union
Reform Proposal Reactions & Reality Check
– Points of discussion include, e.g.:
  Conflicts resulting from foreign application of the regulation, e.g. the Patriot Act
  Missing rules for the enforcement of foreign application
  Missing regulation for cloud computing, in particular for non-EU clouds
  Data transfer regulation is not part of the reform proposal
  Explicit consent requirements as obstacles to business operations

40 First Quarter 2012 Developments: Contact Information
Jana Fuchs (Hamburg)
Gina Hough (Washington, D.C.)
Brandon Pollak (Washington, D.C.)
Dan Rockey (San Francisco)
David Zetoony (Washington, D.C.)
