August 1, 2008

Japanese court: Privacy law gives no private right of action

Privacy Laws and Business (subscription required) reports that the Tokyo District Court has issued a decision that the Japanese Personal Information Protection Law does not provide a private right of action for failure to comply. The plaintiff in this case alleged that an ophthalmology clinic failed to provide copies of medical records as required by Article 25-1 of PIPL, which gives data subjects the right of access to data held about them on request. Japanese citizens have successfully brought cases for privacy breaches under civil tort law, but this case was the first to claim that suits could be brought to enforce positive rights granted by PIPL, up to now enforced only by the relevant ministries.

July 23, 2008

Alaska's New Breach Notification Law Is #44

Alaska's new breach notification law is the 44th state breach notification law to be passed.  Alaska's new law, Alaska Stat. § 45.48.010 et seq., also includes restrictions on use of Social Security numbers, and allows consumers to place a security freeze on their credit reports.  For more on this and a complete collection of state breach notification laws, see Proskauer's Privacy Law Blog.

June 22, 2008

New CAN-SPAM Rule Gives Long-Awaited Answers

On May 12, 2008 the Federal Trade Commission issued its long-awaited final set of rules under the CAN-SPAM Act of 2003 (the “Act”). The rule:

•    Modifies the term “sender” with respect to multi-advertiser e-mails;
•    Clarifies the opt-out request process;
•    Defines the term “person”; and
•    Clarifies the meaning of “valid physical postal address” of the sender

This rule will take effect on July 7, 2008. 


June 11, 2008

Metadata Goofs: CNET blog dissects anti-Google lobbying letter to Congress

In another example of metadata gone wrong, this CNET blog post dissects metadata contained in an anti-Google lobbying letter sent to Congress by the American Corn Growers Association and other farmers' groups. Ties to a cable industry lobbying agency are discernible via metadata in the letter, which asks Congress to hold hearings on a Google-Yahoo advertising deal.
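The check that would have caught this before the letter went out, as an added example that is not code from the original post or from CNET: a .docx file is a zip archive, and the properties Word fills in on its own live in docProps/core.xml (author, last editor, title) and docProps/app.xml (Company, Manager, Template). The script below lists those fields, flags the ones that do not mention the organisation the letter claims to come from, and writes a copy with the two property parts replaced by empty ones. The sample document, the names in it ("jsmith", "Example Cable Lobby LLC") and the function names are constructed for the demonstration; nothing here is taken from the actual letter.

```python
"""List, attribute and strip the identifying metadata stored in a .docx (constructed example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two docProps parts of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dc:title", "dc:subject",
               "cp:keywords", "dc:description", "cp:category"]
APP_FIELDS = ["ep:Company", "ep:Manager", "ep:Template", "ep:HyperlinkBase"]
# Fields that name who produced or last touched the file (the ones that leak a ghostwriter).
ATTRIBUTION_FIELDS = ("cp:lastModifiedBy", "ep:Company", "ep:Manager")

EMPTY_CORE = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
              '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"/>' % (NS["cp"], NS["dc"]))
EMPTY_APP = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<Properties xmlns="%s"><Application>Unknown</Application></Properties>' % NS["ep"])


def _fields(xml_bytes, fields):
    """Pick the listed prefixed elements out of one XML part, skipping empty ones."""
    root = ET.fromstring(xml_bytes)
    out = {}
    for f in fields:
        el = root.find(f, NS)
        if el is not None and el.text and el.text.strip():
            out[f] = el.text.strip()
    return out


def scan_docx_metadata(data):
    """Return {field: value} for every identifying property present in the archive."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            found.update(_fields(z.read("docProps/core.xml"), CORE_FIELDS))
        if "docProps/app.xml" in names:
            found.update(_fields(z.read("docProps/app.xml"), APP_FIELDS))
    return found


def foreign_parties(found, claimed_org):
    """Attribution fields whose value does not mention the organisation the document claims as its author."""
    return {f: v for f, v in found.items()
            if f in ATTRIBUTION_FIELDS and claimed_org.lower() not in v.lower()}


def strip_docx_metadata(data):
    """Copy the .docx, replacing core.xml and app.xml with empty parts; everything else is kept byte-for-byte."""
    src = zipfile.ZipFile(io.BytesIO(data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == "docProps/core.xml":
                dst.writestr(info.filename, EMPTY_CORE)
            elif info.filename == "docProps/app.xml":
                dst.writestr(info.filename, EMPTY_APP)
            else:
                dst.writestr(info, src.read(info.filename))
    src.close()
    return buf.getvalue()


def docx_part_names(data):
    """Sorted list of the archive members (used to confirm the body survives stripping)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def build_sample_docx():
    """Constructed sample: a minimal .docx whose properties name a third party, not the purported author."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:title>Letter to Congress</dc:title>'
            '<dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>Example Cable Lobby LLC</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<Properties xmlns="%s">'
           '<Application>Microsoft Office Word</Application>'
           '<Company>Example Cable Lobby LLC</Company>'
           '<Template>Normal.dotm</Template>'
           '</Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")  # body placeholder, never parsed here
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    found = scan_docx_metadata(sample)
    for k, v in found.items():
        print("%-20s %s" % (k, v))
    print("not the claimed author:", foreign_parties(found, "American Corn Growers Association"))
    print("after strip:", scan_docx_metadata(strip_docx_metadata(sample)))
```

Run it on a real file with `scan_docx_metadata(open("letter.docx", "rb").read())`. The strip step only touches the two property parts; tracked changes, comments and embedded images carry their own attribution and need a separate pass, and the same goes for PDFs exported from the document, which keep the Author and Producer entries unless the export is configured otherwise.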

June 10, 2008

Emerging Standards For Mobile Marketing

Many B2C companies are beginning to explore marketing to consumers’ wireless devices using text messaging (“SMS,” or “short message service”) and MMS messaging (“Multi-media Messaging Service”). They may even target their promotions based on where the recipient is physically located using the wireless device’s GPS technology. They also may target their promotions to teens and tweens. What legal issues should companies be aware of as they navigate through this relatively new area?
 
This question is very timely, as mobile marketing has received a lot of attention from regulators and industry organizations in the last few months.

Statutes. Statutorily, we have two federal laws that apply to mobile messaging: the Telephone Consumer Protection Act (the “TCPA”) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (the “CAN-SPAM Act”). Each of these laws applies to mobile promotional messaging, depending on the technology used to send the messages. We also have a host of state laws that apply, either expressly or implicitly, to mobile promotional messaging. In summary, the laws require that companies obtain express consent from individuals before sending promotional messages to their wireless devices. In some cases, specific consent language is required.

Mobile Marketing Association Guidelines. In addition to statutes, we also have various industry standards that apply to text messaging campaigns. The Mobile Marketing Association (MMA), for example, has a set of Consumer Best Practices Guidelines for mobile marketing, which is incorporated by reference into the carrier agreements under which short codes are issued by carriers to companies that want to launch text messaging campaigns. These best practices provide, among other things, requirements for consumer notices, consent and opt-out rights.
 
Wireless Association Standards for Location-based Marketing. The CTIA (The Wireless Association) recently issued a set of best practices that provide for, among other things, consumer notice and consent for location-based marketing, and consumer choice for sharing of location information with third parties. These guidelines also address retention and security of location-based information, abuse reporting and public self-certification of compliance with the best practices. (Self-certification, in itself, presents its own set of legal issues.)
 
Federal Trade Commission. Just this past May, the Federal Trade Commission (FTC) hosted a public town hall meeting, “Beyond Voice: Mapping the Mobile Marketplace.” Topics discussed included the evolution and future of mobile marketing, location-based marketing, consumer disclosures and consents, the challenges of small PDA screens for consumer notifications, teen and tween-targeted campaigns, parental controls and security issues with respect to data stored on mobile devices. Also in May, two consumer advocacy groups (the Center for Digital Democracy and the U.S. Public Interest Research Group) announced their plan to file a complaint with the FTC, asking it to examine behavioral advertising via mobile devices and to promulgate special rules regulating mobile marketing to children and teens.
 
It is reasonable to anticipate that the FTC will ultimately issue either guidelines or rules which apply to mobile marketing campaigns, in an attempt to set forth uniform requirements for mobile marketing. Until then, companies must navigate and synthesize the various sources of applicable laws and standards, and derive an approach that meets their business objective while avoiding backlash from the media, the industry, the wireless carriers and consumers.


May 29, 2008

FTC settles with telephone pretexters involved in HP matter

Widely reported today. See FTC press release and settlement document. As related in the CNET story and the press release, a larger fine was imposed on the Depantes, but was negotiated to a $3,000 payment due to their limited resources. Other parties who defaulted were subjected to fines of over $400,000 and $100,000.

May 24, 2008

UK plans surveillance database

UK government ministers are to consider plans for a database of electronic information holding details of every phone call and e-mail sent in the UK, it has emerged.   The plans, reported in the Times, are at an early stage and may be included in the draft Communications Bill later this year, the Home Office confirmed.

A Home Office spokesman said the data was a "crucial tool" for protecting national security and preventing crime.   The Home Office spokesman added: "The Communications Data Bill will help ensure that crucial capabilities in the use of communications data for counter-terrorism and investigation of crime continue to be available." 

However, the UK privacy watchdog is concerned about this development and Jonathan Bamford, Assistant Information Commissioner said: "We have warned before that we are sleepwalking into a surveillance society. Holding large collections of data is always risky; the more data that is collected and stored, the bigger the problem when the data is lost, traded or stolen. Defeating crime and terrorism is of the utmost importance, but we are not aware of any pressing need to justify the government itself holding this sort of data. If there is a problem with the current arrangements, we stand ready to advise on how they can be improved, rather than creating an additional system to house all records".

May 22, 2008

FBI flubs redaction of PDF containing supposedly sensitive data

Not the first time this has happened at the DOJ, as the story relates. Not mentioned are prior flubs at the CIA and DOD. At the foot of the article is a link to the NSA recommendations regarding redaction of PDFs.

Also of interest is the comment that 90% of federal wiretaps target cell phones.

May 21, 2008

EU Data Protection Watchdog Supports Data Breach Notification Law

This blog post relays the recent opinion by the European Data Protection Supervisor (EDPS) in favor of the EU enacting data security breach notification laws.

The EDPS recently adopted an opinion on the European Commission’s proposal to amend the Directive on Privacy and Electronic Communications, commonly known as "the ePrivacy Directive." If enacted, the proposed amendment to the ePrivacy Directive (a revised Article 4) would implement the first pan-European data breach notification requirement (even if somewhat limited by U.S. standards).


Are you sure that hard drive is clean?

Two stories this week concern data being recovered from hard drives.

This WSJ blog post relates the story of data being recovered from an improperly erased hard drive, and suggests that criminal charges relating to theft of the data will be dismissed, since the subject didn't improperly acquire the data.

The second story concerns the recovery of data from the damaged hard drive of the Columbia space shuttle.

Wired queries whether NebuAd technology provides opt-out from ISP monitoring

The prospect of ISP-based behavioral marketing has been the subject of much debate, first in the UK and now in the US, over the last several months.

This Wired article analyzes the operation of the NebuAd technology (NebuAd is one of the vendors of the ISP-based tracking technology), including its patent application, and Charter's statements about the monitoring, and suggests that while customers can opt-out of ad delivery, they cannot opt out of the traffic monitoring process.

See also this letter from two Congressmen (Markey D-MA and Barton R-TX) to Charter Communications asking Charter to hold off on implementing the technology until the Congressmen have had a chance to discuss it with Charter.

This blog post by Declan McCullagh comments on the Congressmen's letter.

May 9, 2008

More information on Turkish privacy legislation

Privacy Laws and Business has more information on the proposed privacy legislation in Turkey, part of its campaign for EU entry. A bill was sent to the legislature this week that would define personal data and regulate the state's collection of personal data and transfer to third parties or other countries. It would establish an "autonomous privacy watchdog" to implement the law. More information also available from Today's Zaman.

Coolest use of a data protection law ever . . .

Boing Boing reports on an unsigned Manchester band who, unable to afford cameras for a video, performed in front of CCTV cameras and then filed data protection requests for the footage.

May 6, 2008

Turkish privacy law proposed

Canadian Privacy Law Blog reports that Turkey has proposed a new privacy law, part of its bid to enter the European Union. We'll post details as we learn them.

Chronicle of Higher Ed article discusses state data warehouses and pending changes to FERPA regulations

This story from the Chronicle of Higher Education ("Huge Databases Offer a Research Gold Mine -- and Privacy Worries") discusses state data warehouses with extensive information on students in the context of pending changes to regulations under the federal Family Educational Rights and Privacy Act (FERPA). Here is a link to the notice of proposed rulemaking.

Article quote:
"The most celebrated example is Florida, which began in 2001 to assemble a "data warehouse" that allows officials to track a person's progress from kindergarten through graduate school and beyond, including postcollege wages and employment, military service, incarceration, and receipt of public assistance.  Many researchers say that Florida's system, along with somewhat less ambitious education databases in Texas, Washington, and roughly a dozen other states, is a vital tool for assessing schools and colleges and helping them to improve."


Excerpt from the Proposed Rules:

These proposed regulations would implement section 507 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) of 2001 (Pub. L. 107-56), enacted Oct. 26, 2001, and the Campus Sex Crimes Prevention Act, section 1601(d) of the Victims of Trafficking and Violence Protection Act of 2000 (Pub. L. 106-386), enacted Oct. 28, 2000, both of which amended FERPA. The proposed regulations also would implement the U.S. Supreme Court's decisions in Owasso Independent School Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso) and Gonzaga University v. Doe, 536 U.S. 273 (2002) (Gonzaga). Finally, the proposed regulations respond to changes in information technology and address other issues identified through the Department's experience administering FERPA, including the need to clarify how postsecondary institutions may share information with parents and other parties in light of the tragic events at Virginia Tech in April 2007. The Department has developed these proposed regulations in accordance with its "Principles for Regulating," which are intended to ensure that the Department regulates in the most flexible, equitable, and least burdensome way possible. These proposed regulations seek to provide the greatest flexibility to State and local governments and schools while ensuring that personally identifiable information about students remains protected from unauthorized disclosure.

May 1, 2008

Adware is dead . . .

So get over it, says Eric Goldman. As a veteran of the great adware wars of 2003-2006, I have to agree that the danger of over-reaching, innovation-hindering legislation was always greater than the annoyance of "interruptive advertising." And as Eric points out, the danger is still there. We're seeing similar knee-jerk reactions to behavioral targeting, for example, with the New York and Connecticut bills.

April 26, 2008

Roll call of data breaches grows in the UK

The UK Information Commissioner has been notified of almost 100 data breaches by public and private sector organisations since the loss of 25 million people's details by HM Revenue and Customs last November, according to figures released this week.  Half of the 28 private sector security breaches were by financial services companies.

Information that has gone missing includes unencrypted laptops and computer discs, memory sticks and paper records. Information has been stolen, gone missing in the post and whilst in transit with a courier. The material includes a wide range of personal details, including financial and health records.

The ICO is investigating the circumstances of the breaches. The Information Commissioner has now decided to use its enforcement powers to require organisations to make procedural changes to improve data security, such as encryption.

April 22, 2008

Actress Sues Individuals Over Craigslist Job Posting Allegedly In Her Name

Unlike many plaintiffs in other Web site posting cases, this one is suing the users who actually posted the content as opposed to the service provider (Craigslist). The causes of action are fraudulent impersonation, appropriation invasion of privacy, false light invasion of privacy, conspiracy to invade privacy, and conspiracy to commit criminal conduct. No separate claim for violation of the right of publicity is stated, although it might be included in appropriation invasion of privacy.

"Whaling" Is the Latest Phishing Craze

First there was "phishing" (sending spoofed e-mails in mass to see who would bite), then "spear phishing" (aimed at particular victims), and now "whaling" (aimed at large corporate targets).
 
So look before you click on that official subpoena.

April 15, 2008

Australia issues draft voluntary data breach guidelines

The Australian Office of the Privacy Commissioner has released a consultation draft of data breach response guidelines.

The guidelines recommend four steps in responding to a breach:
  1. Contain the breach and do a preliminary assessment.
  2. Evaluate the risks associated with the breach, for example, what information is involved, who and what caused the breach, who is affected, and what is the risk of harm to those affected.
  3. Consider and issue notification.
    • When to notify? Most importantly, the OPC has recommended a harm-based analysis for notification: "In general, if an information security breach creates a real risk of serious harm to the individual, those affected should be notified."
    • How to notify? Notification may be sent directly to the affected individuals, for example by phone, mail, in person or (notably) email. Indirect notification, for example, in the media or posted on a website, should occur only when direct notification could cause further harm, when costs are prohibitive, or when contact details for affected individuals cannot be determined.
    • What to notify? The draft recommends type of information involved, how the company has responded, what assistance is being provided to affected individuals or other sources of information available, company contact details, whether the regulator has been notified, and how a complaint may be lodged with the Privacy Commissioner.
  4. Prevent future breaches.
While the Privacy Commissioner has issued these voluntary guidelines, she has also recommended mandatory breach notification to be included in the coming rewrite of the Privacy Act. So this draft provides insight into how Australia might incorporate such a notification requirement.

Comments have been requested by June 16, 2008 and can be sent to consultation@privacy.gov.au.

April 7, 2008

Working Party fires shot across the bow on search engine privacy

The Article 29 Working Party has issued its opinion on search engine privacy, the BBC and CNET report. The recommendation takes a number of shots at Google's business practices, and indeed those of the search industry as a whole. One position the working party took was expected - that IP address is personal information. Another is a development with widespread impact - that search histories and profiles, even without additional identifiers, are personal information.

The opinion clarifies some points about jurisdiction and non-EU based providers, and outlines a number of responsibilities of search providers, including:
  • Delete or anonymize personal data (including IP addresses and search histories) after 6 months; if data is retained for longer, retain it for no longer than strictly necessary for the declared purposes. Data retention information should be clearly accessible from the home page.
  • Other than such information that must be collected to provide the service, do not require additional personal data from users to perform a search.
  • Minimize cookie periods to no longer than demonstrably necessary. Use Flash cookies only with transparent information about their use and control.
  • Do not add data from third parties to existing profiles without consent.  
  • Give users rights to access, correction and deletion of data held about them, including profiles and search histories.
  • Do not correlate data across services without informed consent.
The opinion also discusses a number of issues relevant to the indexing and caching of websites, and search providers' responsibilities with respect to personal data that might be contained therein. The working party notes that providers of caching services can at some point become data controllers (and thus required to provide access, correction and deletion rights) if they retain the cache for longer than is needed to resolve the issue of temporary inaccessibility of the website. An interesting question about this interpretation is, to what extent would it apply to caching for historical purposes, like the Wayback Machine?

April 6, 2008

BCR come of age

At the recent International Association of Privacy Professionals' Summit in Washington DC, BCR was one of the frequently used buzzwords alongside data breach notification, behavioural targeting and global compliance, which shows that the BCR concept is probably the most popular EU data protection law feature outside the EU.

BCR are finally coming of age and establishing themselves as a real runner.  There are a number of factors that evidence this and much of the concern of the previous years has turned into excitement.  For starters, BCR is one of the top priorities for the Article 29 Working Party according to its Work Programme for this year.  In fact, the Working Party subgroup dealing with BCR has already met several times since the beginning of 2008, which is quite an important indicator given that last year it only met once.

At a national level, EU member states and their data protection authorities are making all the right noises to ensure that the use of BCR to legitimise personal data transfers is a workable proposition.  Some countries, like Spain, have even amended primary legislation to facilitate the external binding effect of unilateral declarations made by corporate entities.  Other jurisdictions like Italy or Greece are looking to take similar steps, but what is truly encouraging about this is that such moves have been promoted by the regulators themselves.

April 1, 2008

New contributor

I'd like to introduce you to the newest member of the Secure Times contributing team. Eduardo Ustaran will be posting entries on developments and trends in EU privacy and data protection law. Eduardo is head of his firm's Privacy and Information Law Group. He is a dually qualified English Solicitor and Spanish Abogado based in London specialising in privacy, data protection and e-commerce law. More information about Eduardo's international privacy practice is available on his firm's web site.

UK Information Commissioner continues enforcement spree

The UK Information Commissioner's Office (ICO) is not showing any signs of relaxation as far as its reinvigorated enforcement policy is concerned.  In recent weeks, the ICO has successfully prosecuted a Manchester debt recovery firm and two London lawyers for various offences under data protection law.  Following thousands of complaints from individuals and businesses to the ICO, ADC Organisation Ltd pleaded guilty to six charges under the Privacy and Electronic Communications Regulations and must pay a total of £2,500 in fines and costs.  In addition, Olubi Adejobi of Grier Olubi Solicitors and Robert Bentley of Bentley’s Solicitors, both based in London, were each fined £300 and ordered to pay costs of £500 for failing to notify as data controllers despite repeated reminders from the ICO. 

The ICO has also found Skipton Financial Services (SFS) in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 14,000 SFS customers. The laptop, which contained names, dates of birth, national insurance numbers and investment amounts, was stolen from an SFS contractor. It is the ICO’s view that SFS should have had appropriate encryption measures in place to keep the data secure.

March 31, 2008

FTC issues consent orders in TJX, Lexis-Nexis cases

Retailer TJX and data brokers Reed Elsevier/Seisint have both agreed to consent orders with the FTC for their individual data breach cases. While no fines were levied in either case, both companies are required to build and audit comprehensive data security programs.

Hannaford's malware update

In a letter to Massachusetts regulators, Hannaford identified malware installed on servers at each of their stores as the culprit in their massive data breach (CNET reports). The malware intercepted credit card information at the point of sale (a first in security breach annals, where most have resulted from hacks into databases) and sent it to fraudsters overseas.

March 25, 2008

Canadian University Faculty Decline to Use Google In Fear of Patriot Act

This Canadian news story relates objections by faculty at a Canadian university to the use of Google services, because of fear of surveillance by the U.S. government, under the Patriot Act.

Anonymous Blogging Banned by Cisco

As related on the Patently-O blog, Cisco is being sued for comments made anonymously on a blog by a Cisco employee who was criticizing "patent trolls." Not just any Cisco employee, it was their IP Director. Cisco has now decided to prohibit anonymous blogging by employees on issues related to their employment.

CDT issues compendium of "sensitive data" categories for BT

Just in time to hash over at the privacy or consumer protection conference of your choice, the CDT has issued a document that compiles proposed approaches for determining what should be classified as "sensitive data" under the FTC's proposed self-regulatory guidelines for behavioral targeting.

The document gathers together relevant definitions and their contexts from an array of privacy-related laws, guidelines and policy proposals, including HIPAA, COPPA and the EU directive. The CDT's own proposal to the FTC town hall meeting last year comes first, with its controversial definition of PII (including both IP address and profiling data unconnected to any additional identifiers).

March 24, 2008

Hannaford Hit With 4 Class Actions in Days Following Breach Announcement

Since the supermarket chain's public announcement last week that its network was breached compromising the security of 4.2M payment cards, Hannaford Bros. Co. has been sued in four different consumer class action law suits.  The suits allege negligence, breach of implied contract to safeguard customer payment card information, and violation of state unfair trade practices laws.  The suits also allege that Hannaford failed to notify customers of the breach in a timely fashion.