Administration and Key Members Continue To Push Cybersecurity Legislation

Over the past month, a number of White House officials and key House and Senate members have discussed the importance of moving cybersecurity legislation forward.  Highlights include the following:

  • On October 4, White House Cybersecurity Coordinator Howard Schmidt said that he has “a high level of confidence that something will move forward” at an event hosted by the Center for Strategic and International Studies.  Department of Commerce General Counsel Cameron Kerry echoed those comments.
  • On October 7, at a University of Washington School of Law Cybercrime Conference, federal officials including FBI Assistant Director Gordon Snow highlighted the severity of online threats against financial and defense targets. 
  • On October 18, Senator Joe Lieberman (I-CT) said he remains optimistic about the possibility of getting cybersecurity legislation to the floor this year.
  • On October 19, an interagency team of senior administration officials, Senate Majority Leader Harry Reid (D-NV), and the chairmen and ranking members of the relevant committees met on Capitol Hill.  The parties indicated that it was “an extremely useful and constructive discussion, ending with agreement that all involved need to work together to pass a cybersecurity bill as quickly as possible.”
  • Last week, Rep. Jim Langevin (D-RI), co-chairman of the bipartisan House Cybersecurity Caucus, called for Congress to move forward with cybersecurity legislation at a Brookings Institution event. 

This remains a legislative area to watch as Congress wraps up 2011 and looks at the legislative agenda for 2012.

Right of Publicity Suit Against Facebook Dismissed

Last week, U.S. District Judge Richard Seeborg dismissed a putative class action against Facebook alleging that the company violated users’ rights of publicity by using their names and pictures for its Friend Finder service.  The Judge concluded that the class failed to demonstrate that they suffered any injury as a result of the service.  The Judge emphasized that Facebook did not publicize the plaintiffs’ names or profile pictures to any audience or in any context where they did not already appear.  Rather, the names and profile pictures were merely displayed on the pages of other users who were the plaintiffs’ Facebook friends.

The decision is welcome news not only to Facebook, but also Facebook app developers, some of whom have created innovative ways to allow users to interact with the developers’ products or services using friends’ names and likenesses. 

Google Buzz FTC Settlement Accepted

Following a public comment period that began in March of this year, the Federal Trade Commission has accepted as final a settlement with Google relating to the social network “Buzz” product that was launched in 2010.  (For more details about the Buzz product and its launch see Inside Privacy’s prior post, here).  As the Commission’s press release states, “The settlement resolves charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz . . . .”

The Commission voted 4-0  to approve the settlement, which imposes numerous requirements on Google, including:

Continue Reading

First Circuit Holds That Mitigation Costs Are Sufficient To Support Claims in Card Breach Case

Reversing the decision of the lower court, the U.S. First Circuit Court of Appeals recently held in Anderson v. Hannaford Bros. Co. that under Maine law, claims for breach of contract and negligence can be premised on the cost of replacing credit/debit cards whose numbers had been breached and the cost of credit insurance where the card numbers had been intentionally stolen by sophisticated thieves who actually used that data for fraudulent purposes.  In reaching this conclusion, the court’s novel opinion differentiated numerous cases in which courts have held that similar claims of damages were insufficient to allow cases to move forward.  Although reaching a novel result, the First Circuit decision in Hannaford might have limited effect on future litigation because of the rather unique fact pattern on which the court of appeals’ opinion rests.

Senator Rockefeller Requests FTC Report on Facial Recognition Technology

Last month, as we previously reported, the Federal Trade Commission (FTC) announced that it will host a December workshop to explore potential privacy and security implications raised by the increasing use of facial recognition technology.  Yesterday, Senator John D. Rockefeller IV (D-W.Va.), chairman of the Commerce, Science, and Transportation Committee sent a letter to the FTC commending the agency for its examination of this emerging technology and requesting a report following the workshop.  Senator Rockefeller indicated that the report should include potential legislative approaches to protect consumer privacy as facial recognition technology proliferates.

New uses for facial recognition technology are being deployed in both the public and private sectors.  The Federal Bureau of Investigation is working to activate a nationwide facial recognition service, Next Generation Identification, which will be available to law enforcement authorities in select states by January 2012.  And, as Senator Rockefeller noted in his letter, "facial recognition technology is already being put to use in a broad range of commercial areas," including real-time scanning to identify the demographic features of crowds or of individuals standing next to advertising displays, as well as scanning of photographs users upload to an online service to identify the individuals depicted in them.

The FTC workshop is scheduled for December 8, 2011, and Senator Rockefeller has requested that the FTC provide a preliminary report to the Senate Committee on Commerce, Science, and Transportation by February 8, 2012.

ECPA Turns 25 -- Legislators, Industry Groups Call for Reform

As the Electronic Communications Privacy Act (ECPA) turns 25 years old this week, calls are increasing for an update to bring this aging law into the age of cloud computing.  Senators Ron Wyden (D-Ore.) and Mark Kirk (R-Ill.) this week joined with the Digital Due Process Coalition to call for significant revisions of the law, which establishes standards for law enforcement access to electronic communications and associated data.  The Digital Due Process Coalition is composed of a diverse group of companies, associations, and privacy advocates that includes Apple, Amazon, Facebook, Microsoft, the Center for Democracy and Technology, EFF, and a number of notable academics in the field of Internet law.  The group’s guiding principles would require law enforcement to:

  • Obtain a search warrant before compelling a service provider to disclose a user’s private communications or documents stored online;
  • Obtain a search warrant before tracking the location of a cell phone or other mobile communications device;
  • Obtain a court order based on demonstrating relevance to an authorized criminal investigation, before obtaining transactional data in real time about when and with whom an individual communicates using e-mail, instant messaging, text messaging, the telephone, or any other communications technology.
  • Obtain a court order based on demonstrating relevance to an authorized criminal investigation, before obtaining transactional data about multiple unidentified users of communications or other online services when trying to track down a suspect.

Most law enforcement, industry, and consumer advocates would concede that ECPA, which was passed before the Internet was widely available, is outdated.  Efforts to modernize the bill have been made repeatedly, particularly in 1998 and 2000.  ECPA sets inconsistent and increasingly irrational standards over the life of electronic content.  For example, access to an email may depend on whether it is stored by the service provider or on a local computer, and whether it is opened by its recipient.  An electronic document may be protected by the Fourth Amendment when stored locally, but potentially available to law enforcement without a warrant if stored in the cloud. 

But differences in views with respect to how the law should be updated have complicated the legislative process.  The Department of Justice (DOJ), concerned that lawmakers may revise ECPA in a way that hinders prosecutors in expediently obtaining digital data to assist in investigations, supports only clarifications in the law that would reflect the DOJ’s interpretation of the current law.  However, Senators Wyden and Kirk, along with Representative Jason Chaffetz (R-Utah) in the House, have introduced legislation consistent with the Digital Due Process Coalition’s goals.  A similar bill was introduced by Senate Judiciary Chairman Patrick Leahy (D-Vt.) earlier this year.  Senator Leahy noted today during a floor speech that he is aiming to mark up the bill “before the end of the calendar year.”

Mobile Marketing Association Releases Mobile Privacy Policy Framework

Recently, the Mobile Marketing Association (MMA), a non-profit organization representing participants in the mobile marketing industry, released a privacy policy framework for mobile applications.  Although framed as a model privacy policy, the MMA Privacy and Advocacy Committee makes clear that the document is intended to be a “starting point” rather than a verbatim model.  Its hope is that the document will “encourage the mobile application developer community to continue to move consumer privacy interests forward.”

Court Holds That CAN-SPAM Preempts Michigan Anti-Spam Suit

A federal district court in Michigan recently held that the federal CAN-SPAM Act preempts Michigan’s anti-spam law.  Unlike the federal law, Michigan’s statute offers individuals who receive unsolicited commercial email, or “spam,” a private cause of action.  The decision, by Judge Janet T. Neff of the Western District of Michigan in Hafke v. Rossdale Group, LLC, is one of only a few court opinions construing the scope of state laws preempted by the federal CAN-SPAM Act.

The federal Controlling the Assault of Non-Solicited Pornography And Marketing Act (or CAN-SPAM Act), enacted in 2003, regulates the transmission of spam email.  For violations meeting specified criteria, it provides for criminal penalties and permits civil enforcement by the Federal Trade Commission and other federal agencies, Internet Service Providers, and state attorneys general.  It does not, however, permit individuals who have received unwanted email to bring suit. 

Therefore, those who have wished to bring suit for receiving unwanted spam have looked to states’ anti-spam laws, such as that of Michigan.  However, CAN-SPAM contains an express “preemption” provision, meaning it specifies the circumstances under which states may or may not regulate the same subject matter as the federal statute.  CAN-SPAM states that it supersedes state law “that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception.”  It also states that it does not preempt state laws “that are not specific to electronic mail” or those that “relate to acts of fraud or computer crime.”

In Hafke, the court had to interpret whether CAN-SPAM preempted the Michigan anti-spam law.  To reach a decision, the judge first reviewed the handful of prior cases on the scope of CAN-SPAM’s preemption.  Those cases, relying on CAN-SPAM’s preservation of state laws that prohibit “falsity or deception,” have differentiated state laws regulating “base error” from state laws regulating tortious conduct or material misrepresentations -- the courts have held that CAN-SPAM preempts the first kind of laws but not the second.  Building on those decisions, the judge held that because the Michigan law does not by its text require falsity or deception and because the plaintiff alleged only “technical” violations, CAN-SPAM barred the plaintiff’s claim.

HHS Considers Providing Right to Receive Test Reports Directly From Labs

The U.S. Department of Health and Human Services (HHS) is currently accepting comments on a proposed rule that would amend regulations under the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

Under the HIPAA Privacy Rule, individuals have the right of access to their protected health information.  However, the rule currently contains exceptions for CLIA-certified laboratories and CLIA-exempt laboratories.  These exceptions were originally included in the Privacy Rule to avoid a conflict with CLIA requirements that limited patient access to reports, according to HHS.

HHS’s proposal would provide individuals the right to receive their test reports directly from laboratories by amending the HIPAA Privacy Rule to remove the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories.  HHS explains that, because the Centers for Medicare & Medicaid Services (CMS) is proposing to amend the CLIA regulations to allow CLIA-certified laboratories to provide patients with direct access to their test reports, there is no longer a need for the exceptions.  HHS believes the existing exceptions will impede individuals’ right of access to test reports, and the failure to eliminate them “would be inconsistent with the CMS proposal and the goals of HHS to improve individuals’ electronic access to their health information and have widespread adoption of EHRs by 2014.”

Comments on the proposed rule are due November 14, 2011.

New California Law Restricts Use of Credit Reports for Employment Purposes

Earlier this week, California became the latest state to restrict the use of consumer credit reports in the employment context, as Gov. Jerry Brown signed into law A.B. 22.  As we previously have blogged, a growing number of states--including Connecticut, Hawaii, Illinois, Oregon, Washington, and Maryland--have augmented the protections provided by the federal Fair Credit Reporting Act ("FCRA") with laws that further limit the ways in which credit reports may be used in making employment decisions. 

Bono Mack Holds Hearing About Consumer Privacy Expectations

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled “Understanding Consumer Attitudes About Privacy.”  The hearing featured a single panel with a mix of industry representatives and consumer privacy advocates, including representatives from Intuit, Microsoft, the Digital Advertising Alliance, Evidon, and the World Privacy Forum.

A primary focus of the hearing was the efficacy of industry self-regulatory initiatives and other efforts to provide consumers with information and choices about managing their online privacy.  In particular, members expressed interest in the “About Ads” self-regulatory principles for online behavioral advertising and other company-specific efforts to provide consumers with notice and choice. 

SEC's Division of Corporation Finance Issues Guidance on Disclosing Cybersecurity Risks

By David Fagan & Steve Satterfield

Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches.  The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue. 

The Division noted that as companies have turned to digital technologies to conduct their operations, cybersecurity risks--and incidents--have increased.  Although there is no disclosure requirement under the federal securities laws that specifically addresses cybersecurity, the Division explained that existing regulations may require disclosure of cyber risk assessments and the costs stemming from incidents.  It is important to note, as the Division does, that this is guidance, not a rule, regulation, or order (as some headlines have suggested).

We provide an overview of the guidance after the jump.  For additional information please see this E-Alert prepared by members of our Global Privacy & Data Security and Securities & Corporate Finance practice groups. 

 

Video Privacy Protection Act Consent Bill Passes House Committee

Following up on a meeting last week, today the House Judiciary Committee held a hearing on Rep. Bob Goodlatte’s proposed amendment to the Video Privacy Protection Act (VPPA). The Committee favorably reported (i.e., approved) a modified version of Rep. Goodlatte’s bill, H.R. 2471, which would permit consent to be given to sharing video usage information electronically (1) on a one-time basis or (2) in advance of the disclosure for a set period of time or until consent is withdrawn by the consumer. The modified version approved by the Committee includes an amendment, introduced by Rep. Jerry Nadler and supported by Goodlatte, requiring the consent to be obtained distinctly and separately from any other legal or financial terms presented.

Congress passed the VPPA, which protects the privacy of certain video records, in 1988 in the wake of a scandal concerning the release of videotape rentals for then-Supreme Court nominee Robert Bork. The VPPA, which has not been amended since passage, currently permits sharing of protected information with consent only if the consent is in “writ[ing]” and obtained “at the time the disclosure is sought.”

Stanford Researcher Unveils Latest Internet Privacy Study

Jonathan Mayer of Stanford’s Center for Internet and Society unveiled the Center's latest research report, “Tracking the Trackers: Where Everybody Knows Your Username,” at the National Press Club Tuesday morning. The event also featured remarks from Federal Trade Commission Chairman Jon Leibowitz and Senior Counsel to the U.S. Senate Committee on Commerce, Science and Transportation Christian Fjeld and a panel discussion on potential harms facing users from data collection.

In the study, Mayer and his fellow researchers looked at whether data collected and shared by major websites remained anonymous. The team specifically looked for evidence of “leakage," that is, the sharing of identifying information that can connect browsing activity with a user account or discrete individual. Where such a connection can be made, Mayer says, the information collected is no longer anonymous, or solely indicative of browsing activity in a particular moment in time. It is instead “pseudonymous,” because it is connected in a "clickstream" to past and future browsing activity.

The team opened user accounts with 185 websites to analyze the data provided by those websites to third parties (for example, advertising and data collection partners). The team found that 113 websites, or 61%, shared a username or user ID when sharing browsing data. Mayer noted that this sharing may be in conflict with some of the websites’ privacy policies, which disclaim the sharing of user information linked to “personally identifiable information.”

Mayer emphasized that there was no indication any of the sharing uncovered was intentional; in fact, he said it was “reasonable to infer that in the majority of cases it wasn’t intentional.” The study’s takeaway, Mayer said, is that “the web is suffused with identity,” and industry and consumers should recognize that this sort of sharing occurs.

House Subcommittee Discusses COPPA Updates, Teen Privacy

The House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade held the latest in its series of hearings on Internet privacy Wednesday morning. The hearing, titled “Protecting Children’s Privacy in an Electronic World,” focused on the Federal Trade Commission’s proposed updates to the regulations implementing the Children’s Online Privacy Protection Act (COPPA), which generally bars website operators from collecting or disclosing personal information from children under 13 without first obtaining parental consent. Lawmakers and witnesses also discussed whether Congress should enact additional legislation, particularly to protect teenagers. Click the jump to see a summary of some of the key issues addressed at the hearing and in witnesses’ prepared statements.
