D. Reed Freeman, Jr. - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
PRIVACY AND INFORMATION SECURITY ENFORCEMENT
TRENDS AND BEST PRACTICES
ABA Consumer Protection Conference, January 29, 2007
  • D. Reed Freeman, Jr.
  • 202/ 342-8880
  • rfreeman_at_kelleydrye.com

2
Recent Trends in FTC and State Enforcement
  • Data Breach Notification
  • SPAM Enforcement
  • Spyware
  • Telemarketing and Do-Not-Call
  • Pretexting
  • Information Security
  • COPPA
  • International Cooperation
  • Liability for Acts and Practices of Business
    Partners
  • Placement of Privacy Disclosures

3
Data Breach Notification
  • 34 states, 2 Territories and a City
  • Different definitions of personal Information
  • 28 states have a safe harbor for encrypted data
  • 12 states have a safe harbor for no reasonable
    likelihood of injury, harm, loss, or risk
  • Different timing, content, and recipients for
    notices
  • 7 states require regulator notice
  • 20 states require CRA notice
  • Different enforcement mechanisms: 14 states allow
    a private right of action

4
Data Breach Notification (Cont'd)
  • Single, Federal Rule this year?
  • Some litigation even where no law on the books
  • Oregon -- Providence Health System-Oregon
  • AVC available at
    http://www.doj.state.or.us/media/pdf/finfraud_providence_avc.pdf

5
SPAM Enforcement
  • 7 Cases in 2006
  • Civil penalties, consumer redress near $1 million
  • Number of cases and dollar amounts increasing
  • Recent trend in holding email marketers liable
    for email activities of affiliates
  • FTC v. Global Net: due diligence before entering
    into affiliate relationships; monitoring during
    relationship
  • Settlement at
    http://www.ftc.gov/os/caselist/0423168/051116stip0423168.pdf
  • Focus tends to be on deceptive subject lines,
    from lines, effective opt-out mechanisms,
    unauthorized relays, disclosure that the email is
    an advertisement, and failure to display a
    physical address
  • Practice Tip: Yesmail case and filtering opt-out
    requests by email.
  • Settlement at
    http://www.ftc.gov/os/caselist/0623002/061024yesmailstipfnl.pdf

6
Spyware
  • 11 FTC and State Cases in 2006
  • E.g., Odysseus, Zango
  • Stipulated Interim order in Movieland (January
    12, 2007)
  • New York AG case against Direct Revenue
  • Washington AG: High Falls Media, Secure Computer
    cases
  • Attention to placement and proximity of privacy
    disclosures; effect of software on consumers'
    computers; uninstall mechanisms
  • FTC chairman's speech and cases suggest that
    critical information should be disclosed
    clearly and conspicuously
  • Fines increasing: up to $3 and $4 million
  • Injunctive relief includes affiliate marketing
    restrictions similar to those in spam cases
  • Implications and practice tips for all companies
    offering software downloads

7
Telemarketing and Do Not Call
  • 9 Cases in 2006
  • High priority for the FTC
  • Fines going up: do-not-call settlements as much
    as $5.3 million
  • Latest do-not-call settlement: $100,000 with
    DirecTV telemarketing vendors (December 14, 2006)
  • Do-not-call cases often focus on facts specific
    to existing business relationship with consumers
    and entity-specific do-not-call lists

8
Telemarketing and Do Not Call (Cont'd)
  • FTC also aggressively using its assisting and
    facilitating authority against:
  • payment processors
  • partners that set up sham corporations
  • list providers
  • fulfillment houses
  • Most recent case: Global Marketing Group, et al.
    (December 20, 2006) (payment processor in
    advanced fee loan case)
  • Prerecorded calls: FTC announced it will
    continue to forbear enforcement of call
    abandonment provisions in connection with
    prerecorded calls to consumers with whom seller
    has an established business relationship until
    end of its prerecorded call abandonment
    proceeding (December 18, 2006)

9
Pretexting
  • 6 FTC cases involving pretexting for telephone
    records in 2006
  • Increasing priority for FTC and States
  • HP Settlement -- $14.5 million
  • Complaint and Settlement available at
    http://ag.ca.gov/newsalerts/release.php?id=1394&PHPSESSID=03f57f9da61374df31606e0393aac4c8
  • New Telephone Records and Privacy Protection Act
    of 2006.
  • Illegal to obtain a person's telephone records
    without authorization
  • Penalties: up to 10 years in prison; up to
    $500,000 fine
  • Reverse liability? -- Potential liability for
    corporate victims of pretexting

10
Information Security
  • 14 total cases through 2006; 4 major cases in
    2006
  • Guidance Software (deception)
  • ChoicePoint (FCRA, unfairness, deception)
    (redress program announced December 6, 2006)
  • Card Systems (unfairness)
  • DSW (unfairness)
  • Common factual allegations:
  • failing to protect against Structured Query
    Language attacks by implementing simple, low
    cost, and readily available defenses to SQL
    attacks
  • storing sensitive information in clear, readable,
    unencrypted text that could be accessed through
    commonly known IDs and passwords

11
Information Security
  • Common FTC allegations in Information Security
    Cases (Cont'd)
  • storing user credentials in readable text,
    facilitating unauthorized access (failing to use
    strong passwords)
  • failing to monitor and control connections to the
    network, including through wireless connections
  • failing to employ sufficient measures to detect
    unauthorized access to sensitive personal
    information
  • failing to authenticate recipients of sensitive
    personal information
  • storing sensitive information for longer than
    necessary; and
  • failing to conduct security investigations or
    audits.

12
Information Security (Cont'd)
  • Latest data from Privacy Rights Clearinghouse
  • February 5, 2005 - January 24, 2007
  • 100,738,417 records subject to breach
  • 455 reported incidents
  • GLB Safeguards Rule and its application beyond
    financial institutions
  • FTC guidance and best practices
  • See
    http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm

13
COPPA
  • Status of the rule
  • Rule kept as is on sliding scale approach
  • Cases
  • FTC got its biggest fine ever -- $1 million, in
    Xanga case
  • Complaint and consent decree available at
    http://www.ftc.gov/opa/2006/09/xanga.htm
  • Practice tip: When collecting date of birth as
    required by COPPA, make sure your back-end
    systems use it!
  • New implications for social networking sites

14
International Cooperation
  • SAFE WEB Act
  • Expanded information sharing with and from
    foreign law enforcers
  • Expanded investigative cooperation with foreign
    law enforcers
  • Allows FTC to conduct investigations on behalf of
    foreign law enforcement authorities in
    appropriate cases -- scope yet to be determined
  • FTC remedial authority in cross-border cases
  • Clarifying FTC authority to make criminal
    referrals
  • Allows for foreign staff exchange programs

15
Liability for Acts and Practices of Business
Partners
  • Growing trend in FTC and state enforcement
  • Cases
  • Email marketing
  • Telemarketing
  • Spyware
  • Rebates
  • Information security next?
  • Fundamental principles: due diligence and
    monitoring

16
Placement of Privacy Disclosures
  • Cases
  • Odysseus
  • Zango
  • Advertising.com
  • Enternet Media
  • Washington v. High Falls Media
  • Recent case in negative option context: Think
    All Publishing (January 25, 2007)
  • Implication for online and offline industries
    generally

17
Helpful Resources
  • ABA Consumer Protection and Privacy and
    Information Security Committees
  • IAPP Daily Dashboard
  • DM News
  • BNA Internet Law News
  • MediaPost
  • Your own complaints

18
Questions?
Lew Rose
202.342.8821
John Villafranco
202.342.8423
Reed Freeman
202.342.8880