Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

As reported in BNA’s Privacy Law Watch, as a result of the FTC’s opposition to the transfer of the personal information, the parties entered into a consent order agreeing that the information will be destroyed before the magazine’s assets are sold.  The consent order called for the destruction to be carried out in a manner that will make the information “unreadable, undecipherable, or non-reconstructable through generally available means.”

This incident is a reminder of the legal significance of privacy promises made outside the context of an actual privacy policy.  It also highlights the need to anticipate changes in business circumstances (such as mergers or sales of assets) when making any privacy representations. Inappropriate commitments may prove damaging to the company, its investors and creditors.  Read more about emerging privacy issues in bankruptcy in an article published by GC New York.

The bills include (i) the “SEC Freedom of Information Restoration Act” (H.R. 5924) (introduced by Representatives Darrell E. Issa (R-Calif.) and Spencer Bachus (R-Ala.) along with 13 other House Republicans); (ii) H.R. 5948 (introduced by Representative John Campbell (R-Calif.) and cosponsors Scott Garrett (R-N.J.), Jeb Hensarling (R-Texas) and Walter B. Jones Jr. (R-N.C.)), and (iii) the “SEC Transparency Act of 2010” (H.R. 5970) (introduced by Representative Ron Paul (R-Texas)).  In addition to the bills introduced by House Republicans, Senator Patrick Leahy (D-Vt.) also voiced concerns regarding the breadth of Section 929I and introduced bipartisan legislation cosponsored by John Cornyn (R-Texas), Ted Kaufman (D.-Del.) and Chuck Grassley (R.-Iowa) that strikes exemptions that give the SEC authority to withhold records on entities subject to the SEC regulation.

The BNetzA has indicated that these investigations and administrative fine proceedings are time consuming and complex.  For example, the BNetzA must bring evidence showing that the caller culpably made prohibited advertisement calls.  Proving such intent may require questioning multiple witnesses and a legal examination of how prior consent was obtained in each case.

Since August 2009, making unsolicited marketing calls or suppressing caller ID in Germany constitutes an administrative offense subject to fines of up to €50,000 (for calls made without prior consent) and €10,000 (for not displaying the number).  Through April 2010, the BNetzA had received over 57,000 written complaints regarding unsolicited telephone advertising, and, to date, the BNetzA has completed eleven administrative proceedings resulting in fines totaling €694,000.  The proceedings thus far have concerned mainly violations of the ban on cold calls and failure to display the caller’s number.  Numerous investigations are pending at this time.

For further information on these cases, please contact Dr. Jörg Hladjk in the Brussels office of Hunton & Williams.

Vladeck’s letter explained that, since its inception, the debtor’s website “Sign-up Confirmation Page” told potential members/subscribers: “Please note our amazing privacy policy. We never give your info to anybody.”  Another representation, which appeared on the website and was directed to magazine subscribers, stated: “[O]ur privacy policy is simple: we never share your information with anybody.”  Those submitting online profile information were told that such information “will not be published. [W]e keep it secret.”  The magazine catered to a young gay audience, including individuals whose sexual orientation was a secret.  The creditors have been seeking to acquire the magazine’s subscriber information, among other assets.  Under these circumstances, Vladeck argues, a transfer of the information to the creditors would contradict the privacy statements made to the subscribers, in possible violation of the FTC Act’s prohibition against “unfair or deceptive acts or practices.”

This incident is a reminder of the legal significance of privacy promises made outside the context of an actual privacy policy, and it highlights the need to anticipate changes in business circumstances (such as mergers or sales of assets) when making any privacy representations.  Inappropriate commitments may prove damaging to the company, its investors and creditors.  Read more about emerging privacy issues in bankruptcy in an article published by GC New York by Lisa J. Sotto, Scott H. Bernstein and Boris Segalis.

The comments went on to state that accountability can only be effective for the private sector if the government is held to similar requirements with respect to its own protection and use of data.
The Centre’s ten recommendations are:

1. The Department of Commerce should represent the United States in global privacy discussions;
2. The Department of Commerce should continue to support development of policy frameworks that will support the global flow of data;
3. The government should articulate a vision for innovation and privacy in the information economy;
4. Information policy must have a home within the government;
5. Both industry and government must be accountable for its use of information;
6. Federal privacy law must pre-empt state law;
7. U.S. privacy policy should focus on successful privacy results rather than on procedures that do little to enhance privacy;
8. Preventing harm must remain a significant feature of the U.S. approach to privacy;
9. The Department of Commerce should undertake an initiative to develop privacy norms that apply to data analytics; and,
10. Privacy oversight and enforcement are best carried out by regulatory agencies with authority over specified industry sectors.

View the Centre’s full response to the Department of Commerce’s notice of inquiry and supporting documents, filed June 14, 2010.

Julie Brill brings twenty years of privacy enforcement experience as Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina.  Edith Ramirez was a litigation partner at Quinn Emanuel Urquhart & Sullivan in Los Angeles.

Additional information is available on the Commissioners' page of the Federal Trade Commission’s website.

The first three panels of the day described the emerging environment for information and the privacy protection issues raised by a rapidly changing data ecosystem.  The opening session on internet architecture focused closely on the security issues inherent in current architecture and the privacy questions that must be addressed as the infrastructure evolves in response to security concerns.  The second panel discussed health information and the complex concerns raised by using genomic data for medical research.  In the third segment, panelists grappled with the perennial question of what constitutes sensitive information, and considered the extent to which that characterization of data is a useful differentiator for purposes of data governance.

The final panel, “Lessons Learned and Looking Forward,” which included the Centre for Information Policy Leadership's Paula Bruening and Fred Cate, asked participants to consider the findings of all three roundtables and to offer solutions to privacy questions raised in those discussions.  The panelists proposed possible new approaches to privacy protections and, when asked, gave suggestions about what the FTC should do next.  Comments reflected the need for fresh thinking about new models of protection, and cautioned the FTC against reverting to traditional models of notice and choice that have proven limited in their usefulness.

FTC staff has committed to a thorough review of the proceedings and the public comments submitted in conjunction with the three roundtables.  The FTC noted that any document issuing from the roundtable series likely will be made available for public comment, providing an additional opportunity for interested parties to weigh in.

Ms. Harbour concluded that privacy is a fundamental right that consumers expect businesses to respect regardless of advances in technology.  She expects the FTC to continue to evaluate consumers’ preferences and, armed with these insights, “shape the conversation about the intrinsic value of privacy.”  Ms. Harbour also expects the FTC to step in to protect consumers where the Commission believes companies have violated privacy promises.

While Ms. Harbour noted that she was expressing her own views rather than the FTC’s, recent commissioner appointments suggest that the FTC will continue to be increasingly active in privacy enforcement.  Specifically, one of the newly appointed commissioners, Julie Brill, has spearheaded litigation and legislative efforts in a wide variety of areas affecting consumers, including privacy, in her roles as Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina.  Ms. Brill also has served as Chair of the Committee on Privacy for the National Association of Attorneys General.

In her introductory remarks, outgoing FTC Commissioner Pamela Jones Harbour identified many of the key issues addressed over the course of the day, including (1) the importance of defaults, (2) the lack of consumer knowledge regarding how data are collected and used, (3) the lack of consumer engagement with online notices, (4) the special challenges presented by mobile devices and cloud computing, and (5) the role of de-identified data.

In his opening comments, David Vladeck, Director of the Bureau of Consumer Protection, identified what he perceived to be the three main messages from the first Exploring Privacy workshop, which was held in Washington, D.C., on December 7, 2009.  First, consumers have little understanding of how their data are used and transferred.  Second, notices often are not an effective tool for communicating with consumers, but they remain important to facilitate transparency.  And finally, consumers do care about privacy even though they may behave otherwise.  Vladeck also stressed that the roundtables are not the only tool the FTC is using to address privacy.  “We continue to maintain an active law enforcement practice to protect privacy,” Vladeck noted.

Over the course of the day, 35 panelists addressed technology’s role in protecting privacy and how the government should encourage the adoption and use of privacy-enhancing technologies.  There was broad agreement that stand-alone privacy-enhancing technologies have met with little consumer acceptance, but that these technologies have been adopted by businesses and have been introduced into operating systems, browsers and email clients.  When encountering these protective measures, consumers often avoid or turn off privacy features of technologies that interfere with their access to the material and services they want.

As at the first workshop, there was broad agreement that, although notice and choice have offered little privacy protection, there is no clear consensus as to what might replace or supplement that framework.  Two approaches that were frequently mentioned are the Centre for Information Policy Leadership’s use model and its accountability project.

Thursday’s roundtable revealed a surprising amount of agreement in favor of the FTC playing a more pronounced regulatory role in, at a minimum, identifying the objectives of “good” privacy protection, as well as setting standards for measuring the achieved objectives.  This position was supported not only by privacy advocates and academics, but also by a number of business participants who noted the need for greater certainty in privacy regulation.

Speaking on the final panel, the Centre for Information Policy Leadership’s Senior Policy Advisor, Fred Cate, echoed two themes from his earlier presentation at the December roundtable: first, that the government should be careful to avoid creating disincentives for good privacy behavior or otherwise discouraging efforts to protect privacy; and second, that government can contribute to enhancing privacy in many ways, including by funding the development of more useful privacy-enhancing technologies and then helping to create a market for such technologies by purchasing them itself.

Whatever the government’s ultimate role may be, there seemed to be general agreement that protecting privacy responsibly requires, in Peter Cullen’s words, “people, processes, and technologies.”  Essentially, although technologies alone are not sufficient, technological considerations must not be left out of the equation.

The FTC’s third and final roundtable in this series will take place in Washington, D.C., in March 2010.  In addition, Danny Weitzner, Associate Administrator for Policy at the National Telecommunications and Information Administration, announced that the Department of Commerce is looking at the linkage between privacy and innovation and is observing the FTC’s process.  He further welcomed input from stakeholders as to the Department’s role in helping protect privacy.

The Forum’s paper presents the details of a model for data protection in which the use of data, rather than its collection, sets in motion an organization’s obligations to apply fair information practices.  The model employs the full complement of fair information practices: notice, choice, access and correction, collection limitation, use minimization, data retention, data quality and integrity, data security and accountability.  The paper describes in granular detail how each of these practices applies to various uses of data (e.g., fulfillment, internal business processes, marketing, fraud prevention and authentication and national security and legal).  The approach proposes a means to implement fair information practices in a way that reflects the data environment of the 21st century.

Barbara Lawler of Intuit represented the Forum at the FTC’s “Exploring Privacy” event.  In introducing the concepts presented in the paper, she built upon the observation of panelists at the FTC event that the “choice” model is of increasingly limited utility in the new data environment.  Ms. Lawler noted that consumers would have to read and act on privacy notices almost constantly throughout the day to exercise any kind of control over their data, and that consumers cannot be expected to police a marketplace full of complex business models, vendor relationships and technologies.

Next year likely will be an important one, as privacy regulators, experts, advocates and business representatives continue to consider ways to provide optimal protection for data while best enabling its productive and creative use.  The use-and-obligations model will likely serve as an important contribution to that discussion.

The event’s closing session – “Exploring Existing Regulatory Frameworks” – featured several speakers including Barbara Lawler of Intuit who provided an overview of the Business Forum for Consumer Privacy's “Use-and-Obligations” approach to privacy governance.  The Business Forum’s paper is available here.  In response to the FTC's request for greater simplicity, Professor Fred Cate suggested a framework based on three categories of information-related activities:  those that are prohibited or heavily disfavored, those that are permitted without specific notice or consent, and a large middle ground that applies consent requirements on a sliding scale from implied to explicit.  The panel’s tone indicated a general consensus that the "notice and choice" privacy governance model is becoming increasingly irrelevant.  At the IAPP conference the following day, EPIC’s Marc Rotenberg agreed that "notice and choice is only effective when the consumer has real choices to make."

The FTC’s Exploring Privacy series will continue with roundtables scheduled for January 28, 2010, in Berkeley, California and March 17, 2010, in Washington, DC.  The FTC is expected to complete the creation of the record during the January session and to explore future initiatives at the meeting in March.

Issuance of this model notice follows the enactment, in October 2006, of the Financial Services Regulatory Relief Act (“Relief Act”).  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model privacy notice that incorporates all of GLBA-mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy notice.  The final model privacy notice is substantially similar to the proposed model with certain revisions based on comments submitted to the agencies and consumer testing.

For further information regarding the final model privacy notice please refer to our earlier post.

A final version of the latest amendments has not yet been made public, but the BNA has circulated a copy of what is purported to be the final draft, which includes changes to provisions related to service providers.  First, the definition of “service provider” has been modified to (1) clarify that “any person” who “stores” personal information through the provision of services will fall within the definition’s scope (the term “stores” was not included in the prior version’s definition), and (2) remove the express exclusion of the U.S. Postal Service from the term “service provider.”

The “safe harbor” provision with respect to existing service provider contracts also has been revised.  Pursuant to the regulations, businesses that are subject to the regulations generally must require by contract that third-party service providers implement and maintain appropriate security measures for personal information.  While the previous version of the regulation stated that “any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed in compliance . . . notwithstanding the absence in any such contract of [this requirement], so long as the contract was entered into before March 1, 2010,”  the new version provides that “until March 1, 2012, a contract a person has entered into with a third party service provider to perform services . . . satisfies [this provision] even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.”  The revision clarifies that the deadline for updating service provider contracts entered into prior to March 1, 2010 is March 1, 2012, and any contracts entered into after March 1, 2010 must comply with the regulations upon execution.

In October 2006, the Financial Services Regulatory Relief Act (“Relief Act”) was enacted.  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model form privacy notice that incorporates all of GLBA mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy form.  The final model privacy form is substantially similar to the proposed model form with certain revisions based on comments submitted to the agencies and consumer testing.

The final model form privacy notice addresses the legal requirements of GLBA and is designed to facilitate consumer comprehension.  In terms of content, it is two pages in length, but may be printed on a single sheet of paper.  The first page is organized in five parts: (i) the title, (ii) an introductory section, (iii) a disclosure table describing the types of sharing by financial institutions and, if appropriate, whether a consumer can limit or opt out of sharing, (iv) a mechanism to limit sharing for opt out purposes, and (v) the financial institution’s customer service contact information.  The second page contains supplemental explanatory information in frequently asked question format, as well as definitions of relevant terms.  The content set forth in the model form must remain unchanged for financial institutions to rely on the safe harbor.

The financial services agencies' announcement of the final model privacy notice is anticipated in the near future although a draft of the final rule has been circulated.

The FTC also announced today a settlement with Iconix Brand Group, Inc., which owns, licenses and markets apparel brands including Candie's, Mudd, Bongo and OP.  The FTC alleged violations of the Children’s Online Privacy Protection Act ("COPPA") and Section 5 of the FTC Act.  As to the COPPA violations, the FTC noted that several of the brands' websites collected full dates of birth, presumably putting the company on notice that it had collected information from individuals under the age of 13 although it did not notify parents in advance or seek their consent.  In addition, the brands' privacy statements included a representation that the company does not "seek to collect" personal information from individuals under the age of 13, which the FTC charged was a deceptive trade practice in violation of Section 5 of the FTC Act.  Iconix agreed to pay $250,000 in civil money penalties and to delete all information collected and maintained in violation of COPPA, in addition to other equitable measures such as training employees.

Yesterday, the FTC announced that ChoicePoint, Inc. agreed to strengthen its data security in order to settle charges that it failed to implement a comprehensive information security program as required by the earlier consent order it entered into with the agency following its well-publicized 2005 security breach.  This agreement, which expands the company's obligations under the original consent order, follows a security breach that occurred in 2008.  ChoicePoint allegedly turned off a security feature used to monitor access to one of its databases and failed to detect that the feature was disabled for four months.  During that period, the FTC alleged that the personal information of 13,750 people was compromised, putting them at risk of identity theft.  In addition to paying $275,000 to be used for consumer redress, the modified court order requires ChoicePoint to report to the FTC every two months for the next two years, providing "detailed information about how it is protecting the breached database and certain other databases and records containing personal information."

The three cases, following closely on the heels of seven Safe-Harbor-related settlements, demonstrate the FTC's resolve to enforce more aggressively and levy larger fines when settling cases.

First and foremost, the revisions emphasize a more flexible, risk-based approach to developing an information security program.  Previously the regulations required the adoption of a program incorporating specific elements without regard to the particular concerns of individual businesses.  The revised regulations instead direct businesses to implement an information security program that takes into consideration what is “appropriate to (a) the size, scope and type of business … ; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.” 

Second, the revisions modify several of the information security program requirements to reflect the risk-based approach.  For example, employers that must protect personal information from terminated employees will not be obligated to do so by “immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.”  Rather, the new regulation has a more customizable requirement that such employers “prevent[] terminated employees from accessing records containing personal information.”

Third, the definition of “encrypted” has been amended so as to make the encryption requirement technology-neutral, and there is a general emphasis on technical feasibility with respect to the various technological elements of an information security program.  For example, the revisions qualify that all computer system security requirements, including secure user authentication protocols and secure access control measures, should be implemented “to the extent technically feasible.”  Previously, only encryption was subject to the technical feasibility qualification.

Fourth, the term “service provider” is now specifically defined, and persons who own or license personal information will have to include information security requirements in their contracts with third-party service providers.  This parallels the service provider provision contained in the FTC’s Safeguards Rule promulgated pursuant to the Gramm-Leach-Bliley Act.

Finally, the compliance deadline for these regulations has been extended to March 1, 2010.  This is the third time Massachusetts has extended the deadline, following prior extensions that occurred in February 2009 and November 2008.

The final rules and guidelines include provisions allowing consumers to dispute inaccuracies in their credit files directly with entities that furnish information to credit reporting agencies, including financial institutions and other organizations.  The Agencies’ guidelines specify the steps credit information furnishers should take to ensure the accuracy and integrity of the information they provide to credit reporting agencies, including suggestions such as when it may be necessary to provide supplemental information in order to avoid creating misleading impressions about creditworthiness.  The accuracy and integrity of information contained in credit reports is critical to individual consumers, as this information is used to assess eligibility for credit, employment, insurance and housing, and consumers with errors in their credit reports may be denied access to benefits.    

A copy of the final rules and guidelines is available here.

The Washington court’s ruling diverges from other recent rulings in the United States and Europe. In 2008, New Jersey’s Supreme Court held that Internet Service Providers (“ISPs”) are forbidden from disclosing subscriber IP addresses without a subpoena. The court held that New Jersey citizens have a “reasonable expectation of privacy” in the “subscriber information they provide to Internet service providers – just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.” State v. Reid, 954 A.2d 503 (N.J. 2008).

Similarly, the European Union’s Article 29 Data Protection Working Party has noted that ISPs should “treat all IP information as personal data” unless the ISPs can “distinguish with absolute certainty that the data correspond to users that cannot be identified.” The Working Party has recommended that search engines delete or anonymize IP addresses once they are no longer needed, and should not retain the data longer than six months.

The issue of whether IP addresses are considered PII as a matter of law has significant implications for companies that collect and use consumer online information. To the extent IP addresses are considered PII, companies that use IP addresses for business purposes would be required to comply with numerous legal requirements with respect to that data.

Behavioral advertising involves collecting and analyzing information about consumer online behavior for marketing-related purposes, such as serving targeted ads, or developing purchase propensity models. In the U.S., the practice has come under scrutiny by consumer groups, legislators and the FTC. The FTC published a second report on its own proposed self-regulatory principles on February 12, 2009.

The new self-regulatory guidelines are based on seven principles: Education, Transparency, Consumer Control, Data Security, Consent to Material Changes, Sensitive Data and Accountability. The principles call on participating organizations to (i) conduct outreach campaigns to educate consumers about behavioral advertising, (ii) provide clear disclosures about their online behavioral advertising practices (including notices at data collection points), (iii) allow consumers to choose whether their data is used for behavioral advertising, (iv) provide security for consumer information and limit its retention, (v) obtain consumer consent to material changes regarding the use of their information, and (vi) require parental consent for the use of information collected from children under the age of 13. The principles also call for establishing an accountability program for monitoring compliance with the guidelines and reporting non-compliance to appropriate government agencies. The Better Business Bureau and the Direct Marketing Association are currently working together to develop accountability mechanisms, which are intended to be in place by early 2010.

The publication detailing the Self-Regulatory Principles is available at www.iab.net/behavioral-advertisingprinciples.

The enforcement action began after Sears disseminated a “research” software application for consumers to download and install on their home computers in connection with the “My SHC Community” program.  According to the FTC, Sears represented to consumers that this software application, if downloaded and installed, would track consumers’ “online browsing” activities.  The FTC alleged that Sears failed to disclose to consumers that the application would (i) track nearly all of the consumers’ online behavior (including information provided in secure sessions with third-party websites, shopping carts and online accounts), (ii) track certain offline activity on the computer, and (iii) transmit most of the tracked information to Sears’ remote computer servers.  In its complaint, the FTC argued that these facts would be material to consumers when deciding whether to install the software, and Sears’ failure to disclose the information constituted a deceptive act in violation of Section 5 of the FTC Act.  The FTC acknowledged the application “functioned and transmitted information substantially as described in the [Privacy Statement and User License Agreement],” but noted that this disclosure was available only in the lengthy agreement provided near the end of the multi-step registration process.

As part of the proposed settlement, Sears has agreed to do the following:

• Disclose to consumers all of the types of data that will be tracked by any software program or application disseminated by or on behalf of Sears, its subsidiaries or affiliates, that is capable of being installed on consumers’ computers and is used to monitor, record or transmit information about activities occurring on those computers or data that may be stored on, created on, or transmitted to or from those computers.  Disclose how data collected by such an application may be used, and whether the data may be used by a third party.  In accordance with the settlement, this information must be provided to the consumer on a distinct page prior to the display of any privacy policy, terms of use or end user license agreement.
• Obtain express, opt-in consent from consumers to the download of any such application and the collection of data through use of a button or link that is not pre-selected and is clearly labeled.
• Provide notification within thirty days of approval of the settlement to consumers who previously installed such an application.  This notification must explain (i) that they installed a Sears’ tracking application, (ii) that the application collects and transmits data as described in the company’s “Privacy Statement & User License Agreement,” and (iii) how they may uninstall the application.  The notification must be prominently posted on the My SHC Community website for two years from approval of the settlement.
• Within three days of the approval of the settlement, discontinue collecting any data transmitted by such applications installed prior to approval of the settlement.
• Within five days of the approval of the settlement, destroy any information collected about consumers by Sears through the use of the application in all cases where the application was installed prior to approval of the settlement.

Ms. Harrington stated that the FTC views lax data security as a threat to the marketplace and, therefore, strongly supports the proposed legislation.  The legislation is limited in scope to address only electronic data, but the FTC advocated expanding that scope to include hard copy data.  The FTC also supported provisions in the proposed statute that give consumers rights to access and dispute the accuracy of information held by data brokers, but sought assurances that such rights would be compatible with and not displace the existing protections afforded to consumers under the Fair Credit Reporting Act.

In the FTC’s opinion, a key provision of the legislation grants the Commission authority to impose civil penalties for violations.  Ms. Harrington contrasted this proposed authority with the FTC's current data security enforcement mechanism that is generally limited to injunctive relief the agency seeks when alleging that information security practices are unfair or deceptive under Section 5 of the FTC Act.  The proposed legislation, on the other hand, would allow the FTC to undertake enforcement actions against practices it deems harmful to consumers, irrespective of whether such practices could be construed as unfair or deceptive.  In addition, the rulemaking authority the legislation provides would enable the FTC to promulgate enforceable regulations establishing standards for data security.  

Statements and testimony of Ms. Harrington and other witnesses are available here.

Richard A. Feinstein, who was appointed Director of the Bureau of Competition, is rejoining the agency from a partnership at Boies, Schiller & Flexner LLP, where he focused on antitrust litigation and counseling. He was formerly an Assistant Director in the Bureau of Competition’s Health Care Services and Products Division, focusing on antitrust enforcement, including anticompetitive practices and mergers involving health care providers and payers, and anticompetitive conduct in the pharmaceutical industry. Feinstein worked previously at McKenna & Cuneo, LLP, and he was a trial attorney and supervisor in the Antitrust Division of the U.S. Department of Justice.

David C. Vladeck, who will serve as Director of the Bureau of Consumer Protection, has been a Professor of Law at Georgetown University Law Center, teaching federal courts, government processes, civil procedure, and First Amendment litigation. He co-directed the Center’s Institute for Public Representation, a clinical law program for civil rights, civil liberties, First Amendment, open government, and regulatory litigation. Vladeck previously spent almost 30 years with Public Citizen Litigation Group, including 10 years as Director. He has argued a number of First Amendment and civil rights cases before the U.S. Supreme Court, and more than 60 cases before the federal courts of appeal and state courts of last resort.

Joseph Farrell, who was named Director of the Bureau of Economics, has been a Professor of Economics at the University of California, Berkeley, where he has been Chair of the Competition Policy Center and an Affiliated Professor in the Haas School of Business. He also has served as Deputy Assistant Attorney General and Chief Economist for the Antitrust Division of the U.S. Department of Justice, and as Chief Economist for the Federal Communications Commission. His research has centered on competition policy, compatibility standards, and innovation. Farrell is a Fellow of the Econometric Society.

Susan S. DeSanti, who will be Director of Policy Planning, joins the Commission from Sonnenschein Nath & Rosenthal, where her practice has focused on antitrust counseling and litigation in a variety of industries. She previously spent 15 years at the Commission, during which she helped develop federal antitrust policy in standard setting, intellectual property licensing, antitrust and patent issues, generic drug entry, mergers, and joint ventures among competitors. During that time, she served in a variety of positions, including Director of Policy Planning, Deputy General Counsel for Policy Studies, senior attorney advisor to Chairman Robert Pitofsky, and attorney advisor to Commissioner Dennis Yao. In addition to several years in private practice before she joined the Commission, DeSanti recently served as Senior Counsel to the Antitrust Modernization Commission.

Jeanne Bumpus, who was re-appointed as Director of the Office of Congressional Relations, has served in that position since June 2006. She was a principal advisor to Senator John McCain and served as Staff Director and Chief Counsel for the U.S. Senate Committee on Commerce, Science, and Transportation. Bumpus began her work on Capitol Hill in the office of Washington State Senator Slade Gorton, where she served as Legislative Counsel. Earlier, she worked as an associate in the law firm of Davis Wright Tremaine in Seattle, Washington.

Joni Lupovitz, who will serve as Chief of Staff to the Chairman, joined the FTC in 1999 as an attorney in the Bureau of Consumer Protection’s Division of Enforcement and was promoted to Assistant Director for Enforcement the following year. Since 2005, she has served as an attorney advisor in the Office of Commissioner (now Chairman) Leibowitz, focusing on consumer protection matters. Before joining the FTC, Lupovitz was a partner with McDermott, Will & Emery, where she had a diverse civil litigation and administrative practice.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

MEDIA CONTACT:

Office of Public Affairs
202-326-2180

This issue has also attracted attention at the national level and is currently being addressed in some Member States. On March 26, 2009, the French Data Protection Authority (CNIL) issued a report on online behavioral advertising stating that current business models are, in many aspects, a threat to privacy and do not comply with the French Data Protection Act. The CNIL called for more transparency, clear and user-friendly privacy notices, and more wide-spread collection of explicit consumer consent to behavioral advertising. The CNIL also encouraged businesses to adopt a code of conduct and to develop more effective tools that would allow Internet users to have control over information about them. The full report is available (in French) here.

Finally, the French Senate recently completed a study on online tracking and tracing devices and their impact on people’s privacy. The Senate organized a hearing with various stakeholders in which it addressed the question of existing and future tracking technologies and how these technologies can be better addressed in the context of the French Data Protection Act. The Senate is expected to issue a public report in the near future, which may contain legislative proposals to amend the French Data Protection Act.

CPNI is information that carriers collect concerning the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service by a customer.  CPNI also includes information of the type contained in telephone bills.  FCC regulations require carriers to establish and maintain systems designed to ensure adequate protection of CPNI.  The regulations further require carries to certify their compliance annually and provide an accompanying statement explaining how their procedures ensure compliance.  Carriers also must provide a summary of customer complaints received in the past year concerning unauthorized releases of CPNI.
 
The FCC’s acting chairman, Michael J. Copps, stated that consumer privacy protection is a top priority for the Commission.  The Commission views the annual certification as essential for ensuring that carriers protect the sensitive information that they collect about customers and the Commission’s ability to monitor compliance.  Mr. Copps expressed hope that the scale of this enforcement action will facilitate compliance with CPNI rules going forward.  Click here to view the Commission’s news release.

Pinero contended that sometime in early 2008, defendants disposed of her 2005 federal and state tax returns intact in a public dumpster.  An unrelated individual found Pinero’s tax returns, as well as those of over 100 other people, and alerted a local television news station.

Pinero brought a putative class action, asserting state law claims of fraud, breach of contract, negligence, invasion of privacy, violation of the Louisiana Database Security Breach Notification Law ("LDSBNA") and violation of the Louisiana Unfair Trade Practices Act (LUTPA).  She also alleged that Jackson Hewitt violated 26 U.S.C. § 6103, which restricts certain disclosures of tax returns.  Pinero sought general damages for fear, panic, anxiety, sleeplessness, nightmares, embarrassment, hassle, anger, lost time, loss of consortium, and other emotional and physical distress, as well as special damages for credit monitoring, credit insurance, reimbursement for all out-of-pocket expenses related to notifying creditors of the improper disclosure, and reimbursement for all out-of-pocket expenses related to identity theft.

Jackson Hewitt moved to dismiss all claims.  Highlights of the court’s decision include:

• Dismissal of the negligence claim because the increased risk of identity theft is too speculative to qualify as actual damage;
• dismissal of the LDSBNA claim, in part because it only applies to breaches of computerized data;
• dismissal of the contract claim, in part because expenses related to credit monitoring to guard against future identity theft are not compensable damages;
• dismissal of the fraud and LUTPA claims (with leave to re-plead) for failure to explain why the representations in the privacy policy were misleading, since the mere breach of those promises does not alone establish that they were fraudulent;
• dismissal of the claim under 26 U.S.C. § 6103, since that statute only prohibits disclosure of tax returns by persons to whom access to tax returns was granted by the IRS; and
• denial of the motion to dismiss the invasion of privacy claim, since the alleged facts supported a claim for unreasonable public disclosure of private facts.

In response to this decision, Pinero filed an amended class-action complaint, re-pleading the fraud and LUPTA claims and maintaining the invasion of privacy claim.