FTC Amends Rules Regarding Data Collection Of Personal Information Of Minors

Last month, the U.S. Federal Trade Commission (FTC) clarified and strengthened its rules regarding the collection of personal data of minors under the age of 13. In its announcement, the FTC stated:

"1. Modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
2. Offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
3. close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
4. Extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
5. Extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
6. Strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential
7. Require that covered website operators adopt reasonable procedures for data retention and deletion; and
8. Strengthen the FTC’s oversight of self-regulatory safe harbor programs.

The new rules become effective July 1, 2013. The rules are part of the Children's Online Privacy Protection Act (COPPA) enacted in 1998. The COPPA rules include personal information elements such as the child's full name, home address, email address, telephone number, or any other information that would allow someone to identify or contact the child. As they should, the new rules add more data elements. The FTC stated in its blog:

"The definition of personal information now includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice. Also covered: persistent identifiers that can be used to recognize a user over time and across different websites or online services. But there’s a notable exception: COPPA’s parental notice and consent requirements don’t kick in if the identifier is used solely to support the internal operations of the site or service."

It strikes me that the above exception, or loophole, could be used to avoid and abuse consumer information. Those "persistent identifiers" are key since they are used by the online advertising networks, and enable both online tracking and behavioral advertising. Plus, there is a long history of repeated abuse of consumers' sensitive personal information by companies using zombie cookies, Flash cookies, zombie e-tags, search hijacking, and leaky apps on mobile devices. In September 2012, the FTC issued guidelines for mobile app developers.

Companies are advised to watch the FTC Children's Privacy page for additional updates.

In an ideal world, COPPA rules would not stop at age 13, but extend to age 18, the usual age of majority. It would have been better if the amended COPPA rules explicitly mentioned facial recognition.

6 States Now Ban Employers From Snooping On Your Social Networking Accounts

NBC News reported on Tuesday that six states now have laws making it illegal for employers to request login credentials (e.g., ID and password) to your social networking accounts. The states include California, Delaware, Illinois, Maryland, Michigan, and New Jersey.

The laws in California and Illinois went into effect on January 1, 2013. In the Spring of 2012, Maryland was the first state to ban employers from accessing consumers' social networking accounts.

Congratulations to lawmakers in these states for passing sensible legislation. If you live in a state doesn't have such a law, contact your elected officials today and demand action.

California AG Asks United Airlines To Provide A Privacy Policy With Its Mobile Device App

Recently, Kamala Harris, the Attorney General for the State of California, posted the following on her Twitter feed:

"@KamalaHarris Fabulous app, @United Airlines, but where is your app’s #privacy policy? http://1.usa.gov/SWGCTm"

A quick scan of United Airline's twitter feed did not find a reply by the airline to the AG's request. Harris' request refers to a 2004 law in California requiring website operators that collect consumers' personal information to post a privacy policy on its website. While that law predates mobile device apps, Harris' request highlights an important privacy and data security situation. Prior studies have documented privacy abuses by mobile device apps, and either lacking or sporadic access to apps' privacy policies both before and after a user installs an app.

Of course, a privacy policy won't prevent a data breach nor prevent abuse of consumers' sensitive personal information, but it is an important disclosure tool, like food labels, to help consumers:

• Understand what data is collected, archived, and shared with other companies by a product or service,
• Utilize any opt-out or opt-in service settings,
• Begin to evaluate whether or not a company complies with its own privacy policy, and
• Compare data security offerings between competitive products or services

One could argue that given the privacy abuses, privacy policies are even more important for mobile device users. With a traditional desktop or laptop device, there is usually to parties involved: the consumer and the website he/she is visiting. With mobile devices, there are more parties involved: the mobile device manufacturer, the mobile device operating system developer, the app developer, the telecommunications provider, and the app store. It's critical for consumers to know which party's privacy policy applies; and an opportunity to streamline,, consolidate, and reduce the number of privacy policies.

Now that Harris has highlighted the issue, it is an opportunity for the california legislature to amend its state's laws to include apps; and for legislatures in other states to do the same.

What's your opinion of Harris' request? What's your view of privacy policies for mobile device apps?

New Data Breach Law In Connecticut Begins October 1

A new data breach law goes into effect in Connecticut on October 1. The Connecticut Attorney General office announced:

"Connecticut law generally requires anyone who conducts business in Connecticut and who – in the ordinary course of business – owns, licenses or maintains computerized data that includes personal information to disclose a security breach without unreasonable delay to state residents whose personal information is believed to have been compromised. Failure to provide such notice could be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA)."

The new law includes an email address for companies to report breaches directly to the Connecticut AG office. Previously, companies were required to notify only consumers affected by data breaches. Now, companies must notify both breach victims and the state.

California Legislature Approves Location Privacy Act

On Wednesday, the California legislation passed SB 1434, which requires government agencies to obtain a warrant before collecting your location-based information. All that is left is for the Governor to sign the law. The law reads:

"This bill provides that no government entity shall obtain the location information of an electronic device without a valid search warrant issued by a duly authorized magistrate."

"This bill would provide that no search warrant shall issue for the location of an electronic device pursuant to this section for a period of time longer than is necessary to achieve the objective of the authorization, nor in any event longer than 30 days, commencing on the day of the initial obtaining of location information, or 10 days after the issuance of the warrant, whichever comes first."

"This bill, as proposed to be amended, provides that extensions of a warrant may be granted, but only upon a finding of continuing probable cause by the judge or magistrate, and that the extension is necessary to achieve the objective of the authorization. Each extension granted for a warrant pursuant to this subdivision, shall be for no longer than the authorizing judge or magistrate deems necessary to achieve the purposes for which the warrant was originally granted, but in any event, shall be for no longer than 30 days."

Read SB 1434 for other provisions and exceptions. In an announcement, the ACLU emphasized the importance of this legislation:

"We shouldn't have to choose between using our smartphone and protecting our privacy. Unfortunately, outdated laws like the Electronic Communications Privacy Act of 1986 (yes, 1986!) do not provide the clear protection that sensitive information like location history - which can reveal your friends, activities, habits, and more - deserve. As a result, law enforcement agencies in California and elsewhere treat access to location information as a "routine tool" and frequently obtain this sensitive data with little or no judicial oversight."

Earlier this year, 35 ACLU chapters requested information from about 380 police departments in 31 states, and received about 200 replies. You can view the nationwide map with replies for your town and state of law enforcement tracking of consumers smart phones locations.

So now, at least in California, search warrants are required first. It will be interesting to see how this affects the use by law enforcement of automated license plate readers, which can append GPS location and other meta data (e.g., time, stop duration, nearby stores) data to scanned plates.

Companies Lobby As Congress Considers Changes To The Video Privacy Protection Act

On Monday, this blog discussed a recent ruling by a California District Court judge regarding a lawsuit against Hulu.com, KISSmetrics, and several defendant. The suit alleged that the defendant companies tracked consumers without notice and consent. Hulu and others attempted to use the Video Privacy Protection Act (VPPA) as a defense, which the court rejected -- meaning movie/video streaming is covered by the VPPA. That blog post also mentioned lobbying efforts by Netflix and Facebook. Today, I'd like to discusses the lobbying activities related to H.R. 2471, and explore the related privacy issues.

H.R. 2471 was introduced in July 2011 by Representative Robert Goodlatte, and passed by the House of Representatives in December 2011. It amends 18 USC 2710, commonly referred to as the VPPA. The Senate has not yet voted on the proposed legislation. In July 2012, MediaPost reported:

"Sen. Patrick Leahy (D-Vt.) this week proposed amending the federal video privacy law to enable consumers to consent on an ongoing basis to the disclosure of information about their movie rentals. Leahy made the proposal as an amendment to a controversial Cybersecurity Act of 2012 (S. 3414)... even if the cybersecurity bill doesn't go through, Leahy's move indicates that the lawmaker agrees with Netflix that the law should be changed..."

Not everyone agrees that the law should be changed, or needs to be changed:

"University of Minnesota law professor Bill McGeveran testified to a Senate panel in January that Netflix could simply offer Facebook users a “play and share” button. If users click on that button, the company could then spread information about users' movie selections to their friends on a per-occasion basis."

Senator Leahy proposed the original VPPA legislation. Now, he supports changing it. You can read the senator's January 2012 statement about why he supports changing the VPPA. To the senator's credit, he mentioned several cautions:

"My original [VPPA] proposal was also to include library records, but we were unable to sustain that protection as the bill worked its way through Congress. More recently, I have worked to add protections for library and bookseller records to section 215 of the USA PATRIOT Act... I worry that sometimes what is “simpler” for corporate purposes is not better for consumers. It might be “simpler” for some if we had no privacy protections, no antitrust protections and no consumer protections, but that is not better for Americans... A one-time check off that has the effect of an all-time surrender of privacy does not seem to me the best course for consumers."

I think that there may be more going on. Forbes reported in December 2011:

"While Netflix has rolled out frictionless Facebook sharing for its Canada and Latin America customers, it has held off in the U.S. in the hopes that Congress will address the issue... Virginia Rep. Robert Goodlatte introduced an update to the Video Privacy Protection Act in July that will allow a "video tape service provider" to disclose people's activity on an "ongoing bases," and that "consent may be obtained through the Internet" -- meaning clicking a box will suffice... Political money analysis non-profit Maplight notes that "the online computer services industry (e.g., the Digital media Association and Netflix), which supported the bill, gave on average 73% more to House members who voted 'YES' ($2,644) than to House members who voted 'NO' ($1,525)."

A review of Senator Leahy's donors may also provide a clue. Media, entertainment, and film companies seem to dominate his donors who gave the most. As of August 15, the senator's largest donors ranked: Time Warner, 3; Walt Disney, 4; Vivendi, 5; Comcast, 9; and Sony, 14.

EPIC shared its views about the legislation:

"H.R. 2471 weakens the consent provision of the VPPA by diminishing the ability of users to control the use and disclosure of their personal information. Under the Amendment, companies like Netflix would be able to obtain one-time, blanket consent from a user and then continuously disclose on Facebook all of the movies watched by that user. Netflix would automatically post this viewing information regardless of whether users would choose to post such information themselves. In addition to transferring control over the user’s information from the user to the company, the Amendment’s blanket-disclosure provision allows companies to profit from the association between users and products. Currently, users of social networking services such as Facebook must take some affirmative action, such as liking or sharing, in order to associate themselves with the product. Thus, users are able to decide on a case-by-case basis which associations they want Facebook to disclose to their friends. By automatically disclosing everything a user watches, the Amendment would make simply watching a movie the equivalent of “liking” it."

The "one-time, blanket consent" that concerns EPIC appears to be the same, "one time check-off" Senator Leahy said he is concerned about. So, I hope that Senator Leahy and the Senate explore improvements to H.R. 2471 that address these concerns. The "one-time, blanket consent" seems tilted too far for the benefits of companies at the expense of consumers.

In my opinion, H.R. 2471 as passed by the House is unacceptable and insufficient. It doesn't go far enough to protect consumers' privacy. How much farther should the legislation go? What might better legislation include?

Below is my list of privacy issues which better legislation, including changes to the VPPA, should include:

• Keep consumers in control of their privacy. This means that the default privacy setting should be "nothing shared" unless the consumer gives explicit consent. A one-time consent is insufficient and undesirable.
• Privacy policies need to be accurate and readable. Since the days of VHS tapes, the Internet has grown along with the use by companies of privacy policies at their' websites. The legislation needs to ensure that privacy policies (including Netflix.com) are crystal clear about what personal information is shared and to whom. That includes any meta data (e.g., viewing time, device, number of views) delivered with the video/movie titles. Otherwise, consumers have no way to make an informed decision about giving consent.
• Mobile devices matter. This is critical since social networking web sites support mobile devices, and this support necessitates several corporate partners (e.g., the mobile device manufacturer, the device operating system manufacturers, telecommunications providers, co-marketing firms, advertisers). Given so many partners' privacy policies, it is difficult for consumers to determine which policy applies. The legislation needs to ensure that mobile app privacy policies are consistently accessible both before and after app installs, and are consistent with partners' website policies. Prior studies have documented poor and inconsistent access to mobile app privacy policies.
• Flexible consent options. For users to maintain control, there should be several sharing opt-in choices. I'd rather see opt-in as device-specific and not global (e.g., across all devices a consumer has). That control may also need to be topic or genre specific. Remember, not all movies are entertainment. Some are closer in content to books (e.g., documentaries) and include sensitive topics (e.g., health care, diseases).
• Consent has limits. The sharing options must provide consumers with the ability to distinguish between sharing with friends and sharing with advertisers. That control should distinguish between social networking websites. Some video/movie-sharing advocates claim, "... people are more willing to share information about what they're watching now." That doesn't mean all consumers nor all social networking websites. Consumers need the control to pick which social networking sites to share their video/movie choices. A single, one-time blanket consent to share is insufficient.
• Children matter. None of the articles I have read about proposed VPPA changes discussed privacy for children. The modified legislation must fit with existing privacy legislation for children, since 56% of parents give their children smart phones for safety and security reasons. Changes to VPPA need to reflect this, which H.R. 2471 does not seem to do.
• Consent can be revoked. Consumers change their minds. People get married, have children, change their consumption habits, experience a data breach, or whatever -- lifestyle changes and experiences impact consumers' privacy choices. The legislation needs to provide consumers with the ability to revoke consent and stop video/movie sharing. H.R. 2471 does not seem to address this.
• Geography alone is an insufficient reason. Just because frictionless movie sharing is already available in other countries (which H.R. 2471 proponents mention), doesn't mean it should be available in the USA. Plenty of laws vary by country or region.
• Speed is not the priority. The old saying, "haste makes waste" applies here, too. A speedy update of the VPPA is not wise. The issues need to be thought through and reconciled with other privacy laws.

In the interest of full disclosure, I am a Netflix subscriber.

If you have opinions or concerns about H.R. 2471, I encourage consumers to contact your elected officials in the Senate, as the Senate could vote to approve H.R. 2471, or develop its own version of legislation to amend the VPPA. Of course, if you are a Vermont resident, please contact Senator Leahy's office.

What's your opinion of H.R. 2471?

Vermont Updates Its Breach Notification Law

On May 8, 2012, the State of Vermont amended its Security Breach Notice Act. was amended. The changes included:

• The breach can be either a known unauthorized acquisition, or a "reasonable belief of an unauthorized acquisition..."
• Breach notice must be provided to Vermont residents within 45 days after discovery of the breach
• Breach notice must be given to the Vermont Attorney General with 14 business days of the date the breach was discovered, or the date affected Vermont residents were notified
• Breach notice must include the date discovered, a description of the breach, the number of Vermont residents affected, and a copy of the notice sent to affected Vermont resident
• Textual changes to make the law's description of sensitive personal information consistent with the industry-standard, PII (Personally Identifiable Information)

Breach notice to affected Vermont residents must describe the incident, the date of the breach, the types of personal data lost/stolen, and methods to protect sensitive personal data from further breaches

Download the amended Vermont Security Breach Notice Act (Adobe PDF).

Several Websites Are Dark Today To Protest SOPA And PIPA

To protest the proposed SOPA and PIPA legislation in the U.S. Congress, several websites have gone dark for the day. Critics of the legislation are concerned about the legislation's negative impacts on jobs and on free speech on the Internet. You could call the proposed legislation an online mugging.

Some of the websites that have promised to go dark on Wednesday:

• Free Press
• iSchool at Syracuse University
• MoveOn.org
• Mozilla
• Reddit
• TwitPic
• Wikipedia
• WordPress
• XDA Developers

Other websites, like Google, support the protest by remaining available but with anti-SOPA and anti-PIPA messaging:

"End Piracy, Not Liberty"

In December, GoDaddy reversed its support of SOPA after many users protested by moving their websites to competitors' hosting services.

If you want to learn more about the online protest, read this. If you want to learn more about SOPA and PIPA, read the analysis by EFF. The text of the SOPA legislation is here. ABC News has a basic summary.

California Modifies Its Data Breach Laws To Improve Notification

Loeb and Loeb LLP reports that California has modified its security breach rules to expand notification. The revised law goes into effect January 1, 2012. Notification letters to consumers must include:

• A list of the types of personal data exposed,
• The date(s) or date range of the data breach,
• A description of the data breach,
• Whether or not an investigation by law enforcement delayed the notification, and
• The toll-free phone numbers and addresses of the major credit reporting bureaus

Consumers must be notified in writing, unless law enforcement views notification as an obstacle to criminal investigations. Organizations with breaches affecting more than 500 California residents must also notify the California Attorney General's office. According to Loeb and Loeb, the organizations that must comply with Senate Bill 24:

"... any agency, person, or business that owns or licenses computerized data that includes personal information. In the event of a security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, that agency, person, or business must issue a security breach notification."

Loeb & Loeb LLP provides a variety of services for its Fortune 100 clients, including media and technology, antitrust, finance, corporate and securities, energy, and more. The firm has about 300 attorneys with offices in Los Angeles, New York, Chicago, Nashville, Washington, DC, and Beijing.

These California modifications are good, because too many breach notifications lack details. More disclosure is better since it helps breach victims judge the severity of the breach. I have read several and some states post online the breach notices received by their state judicial agency.

Senator Schumer Asks Cellular Carriers To Deactivate Stolen Cell Phones

When cellular phones are stolen, often the cellular service provider remotely deactivate the SIM card in the stolen phone. While a deactivated SIM card prevents thieves from accessing the victim's contacts and email, thieves can insert a replacement SIM card and then either use or resell the stolen phone. To deter thefts, Senator Charles Schumer (D-New York) believes that phone companies should do more.

Last week, the Senator wrote a letter to several cellular service providers asking them to deactivate stolen cellular phones. That would make it impossible for thieves to use or resell stolen cell phones. CBS New York reported that New York City ranks second behind Miami in the number of stolen cellular phones annually. According to data from the New York Police Department:

"Forty-one percent of all thefts in New York involve a cell phone, meaning the cell phone is stolen alone or the cell phone is stolen with other goods..."

According to the Senator, the technology already exists today to remotely deactivate stolen cellular phones. Reportedly, on Verizon currently deactivates stolen cell phones. AT&T, T-Mobile, Nextel, and other cellular service providers don't.

Yeshiva World reported:

"IMEI numbers, unlike SIM cards, are assigned exclusively to each cell phone and are not replicated. In the United Kingdom, carriers have the ability to disable handsets based on IMEIs, serial numbers, or other unique identifiers. This prevents criminals from swapping SIM cards to activate a stolen cell phone."

The Senator's proposal makes sense to me. When your credit card account is hacked or your credit card is stolen, your bank will issue you a replacement account and/or credit card. Cellular service providers can do the same.

What do you think of the Senator's proposal?

Comparison Of The Current Data Breach Bills In Congress

There is a good article by the Center For Democracy And Technology (CDT) which compares the current data breach bills in the U.S. Congress. I discussed this proposed legislation in this prior blog post. The CDT reported:

"... there are a number of pending data breach bills, including Representative Rush’s DATA, Representative Bono Mack’s recently marked up SAFE Data Act, and Senators Pryor and Rockefeller’s (acronym-free) Data Security and Breach Notification Act. Other pending legislation, including Senator Leahy’s Personal Data Privacy and Security Act as well as the White House’s Cybersecurity Proposal, also addresses data breaches."

This proposed legislation is important because:

"Current federal law requires notification of consumers in the event of a breach only in limited circumstances, while nearly every state has its own version of a data breach law. Congress is now looking to simplify data breach laws with a national standard, but the question is whether such a standard would be a step forward for consumers. It’s an issue, that CDT has been following since at least 2005."

Whenever politicians want to "simplify" something, it's usually time to start worrying. What may be simpler for corporations and organizations could place consumers' sensitive personal information at risk. And, the usually players will argue about the cost burdens on companies. Let's remember the burdens on consumers, too, who typically have fewer resources.

When I read proposed legislation, I consider it effective data breach legislation when it addresses all of the following components:

1. Definition of personal information. This can be tricky. Just as there are various data elements available about consumers today (e.g., GPS location data attached to photos, images, tweets, social media posts, etc.) that didn't exist 5 or 10 years ago, future technologies will contain new data elements that don't exist today.
2. Define organizations covered by this law. It should cover all organizations in both the private and government sectors. in prior "Red Flag" legislation, attorneys gained an exclusion
3. Dictate how data should be protected (e.g., if electronic records, then encryption) both during transmission and during storage. The legislation has to assume that a variety of identity-theft criminals and hactivists will continually attempt to hack or breach websites containing sensitive consumer information. Prior legislation seemed to assume the traditional data storage within a company's premises. Futurre legislation must assume traditional and cloud-computing storage. Ideally, certain types of sensitive personal information shouldn't be "stored in the cloud."
4. Define the types of events (e.g., a minimum number of records exposed, doemstic locations, international lcoations) that trigger notification
5. Define the parameters of notification (e.g., personal letter via snail mail, ads in news media)
6. Define the assistance provided to breach victims (e.g., consumers, employees, customers). There is no standard definition of "credit monitoring" which may or may not include credit monitoring, quarterly or real-time updates, real-time notices, credit resolution, insurance, and credit scores. Typically, companies offered one or two years of free credit monitoring services. This length is insufficient given the high value and long life of various data elements (e.g., Social Security Numbers).
7. Effect on state law. According to the National Council of States Legislatures (NCSL), at October 2010 about 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands have breach notification laws. The four states lacking breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota. Weak federal legislation that supercede state law would be a step backwards for residents in states with strong breach notification and data security laws.
8. Fit with existing law. There are existing laws for medical and financial informaton. New breach legislation should not weaken these existing laws.
9. Contain sufficient penalties for violators. This can't be a simple "slap on the hand," and must contain sufficiently high fines and/or jail time for repeat offenders.

Breach Notification And Privacy Laws

Australia may be falling behind other countries in implementing data breach notification laws to require companies and government agencies to notify consumers when their personal information has been exposed or stolen. ZDNet Australia reported:

"Australia currently doesn't have any legislation to force companies to disclose breaches, even though it was recommended as part of the Law Commission's report on privacy, released in 2008."

The article summarized existing breach notification laws or pending legislation in several countries:

"Internet and telecommunications service providers in the UK are also already required to disclose when they have experienced a breach. However, the EU commissioner said last month that she wanted to extend this to all businesses... New Zealand doesn't have any breach notification laws... Canada has a Bill that is proceeding through parliament that will require businesses to disclose data breaches if they may result in a "real risk of significant harm". Until this is passed, its Federal Privacy Commissioner has issued guidelines for organisations to follow in the event of a breach, but these are voluntary."

According to the National Council of States Legislatures (NCSL), at October 2010 about 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands have breach notification laws requiring notification when consumers' personal information is disclosed. The four states lacking breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota.

If you live in one of those four states without breach notification laws, you might want to ask your elected officials why.

The need for legislation in the USA is driven not just by data breach notifications but also to protect consumers' privacy. The Do Not Track opt-out setting for consumers is largely ignored by advertisers. Plus, ARS Technica reported:

"... the United States and Turkey are the only developed nations in the world without a comprehensive law protecting consumer privacy. European citizens have privacy rights, Asian citizens have privacy rights, Latin American citizens have privacy rights. In the US, however, in lieu of a comprehensive approach, we have a handful of inconsistent, sector-specific laws around particularly sensitive information like health and financial data..."

Given the state of privacy legislation in the USA and the tendency of consumers to avoid reading the terms of use and privacy policies for products and websites, the result has been that companies':

"... risk-averse lawyers have figured out that the best way to not violate [FTC guidelines] is to not make explicit privacy promises at all. For this reason, corporate privacy policies tend to be legalistic and vague, reserving rights to use, sell, or share your information while not really describing the company’s practices. Consumers who want to find out what’s happening to their information often cannot, since current law actually incentivizes companies not to make concrete disclosures."

Various legislation proposed in the U.S. Congress:

• The Data Breach And Security Act of 2011: re-introduced in June by U.S. Senators Mark Pryor (D-Arkansas) and John D. (Jay) Rockefeller IV (D-West Virginia) to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide breach victims with tools to protect their credit and finances.
• The Secure and Fortify Electronic Data Act (a/k/a the SAFE Data Act) introduced by Mary Bono Mack (R-California),Chairperson of the House Subcommittee on Commerce, Manufacturing, and Trade, to establish national standards for data security and breach notification.
• The Best Practices Act introduced by Bobby Rush (D-Illinois) in February 2011
• The Consumer Privacy Protection Act introduced by Cliff Stearns (R-Florida) in April 2011
• Do Not Track legislation introduced in the State of California Senate

I have not yet read the entire text of all four bills, and will do so once the content settles after revisions and consolidations.

FTC Testifies before Congress About Mobile Privacy

With several mobile device tracking, data collection, and app abuse issues emerging recently, it is important to know the position of one of the chief regulatory agencies in the United States. On May 10, Jessica Rich, Deputy Director of the Bureau of Consumer Protection at the U.S. Federal Trade Commission (FTC), testified before the Senate Judiciary Committee Subcommittee for Privacy, Technology and the Law about mobile device privacy.

Rich first cited some CTIA statistics: wireless penetration of 96% in the United States with 27% having smart phones. During 2010, about 62% of marketers used some form of mobile marketing for their brands.

Rich emphasized that the FTC has explored mobile and wireless issues since 2000, and hosted mobile wireless and consumer privacy workshops that explored some of the issues. As additional proof of the FTC's commitment to mobile privacy for consumers, Rich cited FTC actions against:

• Google for allegedly deceiving consumers by using information collected from Gmail users to generate and populate a new social network, Google Buzz, without users’ consent,
• Twitter for serious lapses in the company’s data security that allegedly allowed hackers to hijack accounts and to obtain access to private “tweets” and non- public data,
• Reverb Communications for alleged deceptive mobile gaming endorsements in the iTunes store,
• Philip Flora for using 32 pre-paid cell phones to over 5 million unsolicited text messages to the mobile phones of U.S. consumers.

Based upon several privacy roundtable discussions, the FTC drafted a preliminary report with privacy recommendations:

"First, staff recommends that companies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices... Second, staff recommends that companies should provide simpler and more streamlined privacy choices to consumers. This means that all companies involved in data collection and sharing through mobile devices -- carriers, handset manufacturers, operating system providers, app developers, and advertisers -- should work together to provide these choices and to ensure that they are understandable and accessible on the small screen... Third, the staff proposed a number of measures that companies should take to make their data practices more transparent to consumers, including improving disclosures to consumers..."

All of this was nice a start, but the FTC's position is still weak and is heavily tilted for corporations at consumers' expense. More balance is needed.

As I read the FTC' Richs testimony (PDF), the recommendations are not mandatory but voluntary. And she skipped an important issue: that most or all tracking programs are opt-out based (e.g., where consumers are automatically included), instead of opt-in based (e.g., where consumers are in control and must opt-in or register first before companies can track them).

What do you think?

Facebook And Google Claim The "Do Not Track" Bill Is Bad For The Economy

In a letter to the California legislature (PDF), several companies including Facebook and Google claim that the proposed "Do Not Track" law is bad for the California economy:

"California Senate Bill 761 would create an unnecessary, unenforceable and unconstitutional regulatory burden on Internet commerce. The bill covers an overly broad range of information, and would regulate indirectly virtually all businesses who collect, use or store information from a website. The measure would negatively affect consumers who have come to expect rich content and free services..."

The companies that signed this letter included Acxiom, Allstate, American Express, Experian, Facebook, Google, Acxiom, Reed Elsevier, Specific Media, Time Warner Cable, Yahoo, and others. The companies claim that SB 761 is unnecessary because:

"... consumers can easily opt out of the collection of data through browser tools. The four leading Internet browsers - Internet Explorer, Safari, Firefox, and Google Chrome - all provide user-friendly filtering options that block the ability of companies to collect data or track Internet use."

This is not entirely correct, as websites and companies are not required to honor the do-not-track request from the web browser. According to these companies, this is how California's economy could be harmed:

"SB 761 would create a second, conflicting set of standards to which companies would have to conform or else face class action lawsuits. This would, in turn, create significant confusion and uncertainty for investors, businesses and consumers. Online commerce would simply be unworkable if websites were forced to comply with a patchwork of privacy and notice laws. This would impose an unprecedented and arduous regulatory burden on Internet commerce. Further, a do not track requirement on the use of this data would stifle innovation..."

A patchwork quilt of laws? That is what we have today with breach notification and data security across states. If these companies can exist with a patchwork quilt of breach notification laws in one area, they can live with a patchwork quilt of laws in another area.

The bigger issue is that these companies have taken a strong stand for extensive tracking. How? These companies are content with opt-out as the program standard: consumers are always automatically included and the burden is on consumers to consistently opt-out. I have long argued in this blog for the program standard to be opt-in: consumers aren't included until the consumers chooses to register or opt-in.

Plus, I Facebook's objections to any limitations on consumer tracking is not a surprise to me, given Facebook's ties to Rapleaf, and how Facebook uses its social plugins to both deliver content and to track consumers across the Internet. When you visit a website with a facebook social plugin, Facebook captures the date and time of your visit, the web page visited, your IP address, your computer's operating system, and (if you are signed into Facebook) your Facebook user ID number. This data collection rivals what Google collects.

The letter has a "sky is falling" aspect to it. These companies operated well when the Internet had little or no tracking. They will survive regardless of the claims.

Proposed "Do Not Track" Law In California: Senate Bill 761

It's been a busy couple of weeks regarding privacy news, and unfortunately the Sony data breaches have temporarily pushed aside other important news. Since California led the way with data breach notification legislation for consumers, I definitely wanted to discuss the following news.

In February of this year, California Senator Alan Lowenthal introduced legislation (California Senate Bill 761) to provide consumers with greater protections and controls with mobile privacy. Since February, the original legislation has been amended a couple times. The latest bill revision at April 25 stated:

"... to adopt regulations that would require a covered entity, defined as a person or entity doing business in California that collects, uses, or stores online data containing covered information from a consumer in this state, to provide a consumer in California with a method to opt out of that collection, use, and storage of such information. The bill would specify that such information, includes, but is not limited to, the online activity of an individual and other personal information. The bill would subject these regulations to certain requirements, including, but not limited to, a requirement that a covered entity disclose to a consumer certain information relating to its collection, use, and storage information practices. The bill would, to the extent consistent with federal law, prohibit a covered entity from selling, sharing, or transferring a consumer's covered information. The bill would make a covered entity that willfully fails to comply with the adopted regulations liable to a consumer in a civil action..."

This bill starts to get a handle on the extensive data sharing by companies that most companies do not disclose in their website privacy and terms policies. Covered information includes consumers' online usage, including (bold text added for emphasis):

"... the Internet Web sites and content from Internet Web sites accessed; the date and hour of online access; the computer and geolocation from which online information was accessed; and the means by which online information was accessed, such as, but not limited to, a device, browser, or application... Any unique or substantially unique identifier, such as a customer number or Internet Protocol address... Personal information including, but not limited to, a name; a postal address or other location; an e-mail address or other user name; a telephone or fax number; a government-issued identification number, such as a tax identification number, a passport number, or a driver's license number; or a financial account number, or credit card or debit card number, or any required security code, access code, or password that is necessary to permit access to an individual's financial account."

That should sufficiently cover the UDID unique identifier in smart phones and mobile devices. I hope that more states pursue and adopt similar legislation. As reported in The Register UK:

"California stands to become the first US state to pass do-not-track legislation and is poised to beat any national law. The Do Not Track Me Online Act was only introduced to the US House of Representatives in Washington DC in February – that was by another Californian Democrat, Jackie Speier – and must navigate Capitol Hill's partisan log jam."

What I found most important for consumers to know:

"... the problem with do-not-track at the browser level is that there's no requirement on the web site to honor the do-not-track request."

The consumer advocacy group Consumer Watchdog sponsored the California legislation, and wrote this in an April 2011 letter Google (PDF):

"As you are aware, online commerce relies on consumer trust. Sadly, much of the current Internet business model is based on invasive and pervasive tracking of consumers’ online activities without their knowledge or control. This should not be the business model of a company whose motto is “Don’t Be Evil.” Do Not Track legislation would give consumers meaningful protection and control. It would build their confidence in the Internet – a win, win situation for business and consumer."

I agree with ConsumerWatchdog, as I have covered in this blog the pervasive and undisclosed online tracking in posts about tracking by credit reporting agencies, unannounced tracking with Fash cookies, persistent tracking with "zombie" cookies., and tracking by the advertising networks.

German Government Proposes New Data Breach Notification Law

In its "Privacy and Information Security Law" blog, the Hunton and Williams law firm announced that the German government has proposed a new data breach notification law:

"... telecommunications companies must report data breaches to the Federal Network Agency (the Bundesnetzagentur or “BNetzA”), and the Federal Commissioner for Data Protection and Freedom of Information. In the event the rights or protected interests of subscribers or other persons are affected by the data breach, such individuals also must be notified without undue delay."

While the notification of affected consumers is not required if the data is encrypted, the BNetza retains the right to require any telecommunications companies to notify consumers regardless of the data security protections in place at the time of the breach.

The new breach notification rules are part of broader changes under the European e-Privacy Directive, scheduled to go into effect in May of 2011. Other changes in these new European Union directives include tightened rules about how companies treat, collect consumers' data, and obtain consent with consumers' web browser cookies.

Privacy Quiz: Are You More Recognizeable Than Jackie O.?

Apparently, I am -- according my results of the Digital Privacy Quiz by the ACLU.

I took the online quiz the other day. It was easy and informative. The quiz helped me understand the ways we consumers are tracked, the lack of choice we face, and which of my online habits create risky to my privacy.

Most of the quiz uses a tongue-in-cheek approach with humor. So, don't expect a rigorous, serious-toned academic type quiz.

I like the phrase "digital privacy" because it is more than simply online privacy. It encompasses all of the ways companies collect information about consumers, and the variety of our habits that create information digitally.

Of course, the ACLU is interested in recruiting consumers to join their petition of Congress to tighten laws to protect consumers' digital privacy. Disclosure: I am and have been an ACLU member for many years. Also, I have spoken at a prior Massachusetts ACLU convention. I hope that you will take the quiz, and then read and sign the petition.

Last, a link for those who don't know who Jackie O. was.

To Help Consumers, New Credit Card Rules From The Federal Reserve Board

In February of 2009 this blog warned consumers about pending credit card interest rate increases. Yesterday, the Federal Reserve Board (FRB) announced new rules to protect consumers from unreasonable late payment and other penalty fees. The new rules prevent credit card issuers and banks from charging:

• Penalty fees that are more than $25 for late payments or violations of the account terms
• Penalty fees that exceed the dollar amount of the transaction. Example: credit card issuers cannot charge a $39.00 fee for a late payment that is higher than the minimum $20 payment. Now, that late payment fee cannot exceed $20.
• Inactivity fees when consumers don't use their credit cards to make purchases
• Multiple penalty fees based on a single late payment or other violation of the account terms.Now, banks can charge only a single fee.

In its announcement, the FRB also announced rules to require banks to reevaluate every six (6) months a consumer's credit card interest rate (e.g., the Annual Percentage Rate printed on your monthly statement). The bank must explain why they are increasing the interest rate on your credit card; or lower it within 45 days.

The new rules, which are part of Credit Card Accountability Responsibility and Disclosure Act of 2009, go into effect on August 22, 2010. I highly recommend that consumers read the FRB pages about the new credit card rules that start in August, and the credit card rules that already started in February 2010.

Will these new rules be enough? Will they protect consumers adequately? What do you think?

Wall Street, Financial Regulation, And The Need For Systemic Change

Past blog posts have covered some of the abuses of consumers by banks with credit card interest rate increasses. Our financial and banking system is so complicated, how can a consumer evaluate the financial reform discussion in Washington? How to evaluate the messages from reform advocates and opponents?

I found this episode of the Bill Moyers Journal very helpful. Moyers interviewed financial experts Simon Johnson and James Kwak about the factors that require systematic change and regulation in order to avoid a repeat of the 2008 financial system crisis. Johnson and Kwak are also co-authors of the book, "13 Bankers: The Wall Street Takeover and the Next Financial Meltdown."

After watching the Moyers Journal interview, the book is definitely on my must-read list. In my opinion, it should be on all voters' reading list. The interview covered some interesting topics:

• The management styles and habits typify Wall Street that led to the 2008 meltdown
• What needs to happen for real financial reform in Washington to be effective
• The nature of the threat from an "oligarchy" of 6 banks that control too much of our economy and Americans' deposits
• The case for breaking up the banks: too big to fail is too big
• Why regulation alone isn't enough
• What hasn't changed and how another financial meltdown can happen again
• It's not a partisan issue as neither party (Democrats or Republicans) are getting it right

Some excerpts:

"... according to Kwak, is that the legislation currently doesn't address the central problem of the crisis, that America's banks have grown 'too big to fail.' In fact, the problem has gotten worse, with just six banks holding assets in excess of 63% of the U.S. Gross Domestic Product. Kwak explains that the crisis actually made the surviving banks more powerful... these banks have gotten bigger, because they've bought each other. They've become more powerful. And they have an even stronger market position..."

During the interview, Moyers asked:

"Over the course of my lifetime, and my working career as a journalist, I've seen one regulatory agency after another taken over by the very industries they were supposed to regulate. Regulation requires a President who is committed to tough regulation. If you get a free market President like George W. Bush, you get regulation serving the industry... If you get a Democratic Party that's been compromised by its concessions and capitulations and contributions from Wall Street, you get a regulatory system that is a joke, and that's what we have. What's to ensure that the next regulatory system won't be a joke?"

And Johnson answered:

""The person who nailed this intellectually a long time ago was from the University of Chicago. George Stigler, not a man of the left, got a Nobel Prize [for concluding that] all industries end up with the industry capturing the regulators. What's happened to us is exactly what Stigler warned against, on a massive scale. The [Obama] Administration still argues that we should delegate responsibility, going forward, for lots of things around finance - like how much capital you should have - delegate that to the regulators... Now that's crazy. That's not acceptable. That's not what they should do, particularly because any Democrat should say 'well, wait a minute, the next free market president who doesn't believe in regulation [that] comes in will gut the system.' And any person from the right who's read Stigler should say 'well, those regulators are just gonna get captured.' You've got to put it in legislation..."

One blog that I will definitely start reading regularly is The Baseline Scenario. Sadly, Brooksley Born was right, and was shunned by supposed financial experts who knew better.

LPL Data Breach And Theft

Many companies and financial services Web sites advertise "bank-level" security. This news story is a sober reminder that data security is only as good as the employees who handle your sensitive personal information. Investment News reported:

"LPL Financial yet again has fallen prey to a technology blunder that placed private client information at risk. An unencrypted portable hard drive was stolen from the car of an LPL representative Feb. 24... The adviser, Christian D'Urso of StoneRidge Wealth Management in Beaverton, Ore., had one client in New Hampshire... As a result of the theft, private client information, including names, addresses, dates of birth and Social Security numbers “may have been breached,” Marc Loewenthal, LPL's senior vice president and chief security and privacy officer, wrote... This isn't the first time... In 2007, the firm reported that computer hackers had compromised the login passwords of 14 financial advisers and four assistants."

Reportedly, LPL has about 12,000 representatives and advisers, making it the nation's largest independent-contractor broker-dealer. What our government is (or is not) doing about data security at financial services companies:

"Neither the Financial Industry Regulatory Authority Inc. nor the Securities and Exchange Commission require notification of privacy breaches by advisers or firms, though a proposed amendment to the SEC's Regulation S-P would add this. That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 but remains pending."

In my opinion, FINRA and the SEC both should require advisors and firms to notify breach victims of data breaches. According to a company representative, the consequences to LPL advisers who lose client data start with a formal reprimand, increase to fines, and then to termination. A formal reprimand? That sounds too weak to me.

I want to know what the consequences are for senior company executives when their company experiences multiple data breaches; especially companies that handle other people's money.