The Secure Times

ControlScan, a Privacy and Security Certification Service and its Founder Settle with FTC

Sun, 28 Feb 2010 08:40:41 -0500

On February 25, 2010, the FTC announced two separate settlements. One is a Stipulated Final Judgment and Order to settle a complaint, without trial, filed in the U.S. District Court, Northern District of Georgia. This settlement is with ControlScan, a company that provides privacy and data security certification to online retailers and other Web sites. Based on the same facts, Richard Stanton, the founder and former chief executive officer of ControlScan also agreed to settle charges pursued by the FTC at the Federal Trade Commission. The FTC charged that ControlScan misled consumers about how often ControlScan monitored the sites and the steps it took to verify the privacy and security practices of the sites that had ControlScan certificates. The settlements bars future misrepresentations. Mr. Stanton's settlement requires him to give up $102,000 in "ill-gotten gains". The Stipulated Final Judgment and Order specifies that the complaint which it settles states a claim upon which relief may be granted against ControlScan under Sections 5(a)(1) and 13(b) of the FTC Act. A judgment against ControlScan of $750,000 is suspended, based on ControlScan’s inability to pay, but if the court finds that ControlScan misrepresented its financial condition, the entire amount will be payable immediately, less any amounts paid by Stanton.

More information can be found at http://www.ftc.gov/opa/2010/02/controlscan.shtm.

FTC Appeals Judge Walton's Decision on Red Flags Rule

Fri, 26 Feb 2010 09:13:12 -0500

Yesterday, February 25, 2010, the Federal Trade Commission filed notice of appeal to the DC Circuit Court of Appeals to attempt to reverse Judge Walton’s ruling late last year that the FTC cannot require practicing lawyers to comply with the Red Flags Rule. In August 2009, the American Bar Association challenged the applicability of the Red Flags Rule to lawyers, arguing that it would impose a serious burden on law firms. At that time, the ABA sought an injunction and declaratory judgment finding that lawyers were not covered. The FTC replied that lawyers should be covered because billing practices, such as charging clients on a monthly basis rather than upfront, made them “creditors” under the plain language of the Red Flags Rule. Judge Walton ruled from the bench in late October and issued his Order and Memorandum Opinion in December.

FTC Releases Report of Top Consumer Complaints

Wed, 24 Feb 2010 20:38:23 -0500

On February 24, 2010, the Federal Trade Commission (“FTC”) released the “Consumer Sentinel Network Data Book” (“Report”). This Report includes a listing of the top consumer complaints reported in 2009 to the FTC.

The top ten complaints for 2009 are:

Rank	Category	No. of Complaints
1	Identity Theft	278,078
2	Third Party and Creditor Debt Collection	119,549
3	Internet Services	83,067
4	Shop-at-Home and Catalog Sales	74,581
5	Foreign Money Offers & Counterfeit Check Scams	61,736
6	Internet Auction	57,821
7	Credit Cards	45,203
8	Prizes, Sweepstakes and Lotteries	41,763
9	Advance-Fee Loans and Credit Protection/Repair	41,448
10	Banks and Lenders	32,443

Federal Trade Commission to Host Third Roundtable on Privacy

Mon, 22 Feb 2010 11:15:45 -0500

The Federal Trade Commission (“FTC”) is preparing for the third and final roundtable discussion on privacy. The first roundtable was held in December 2009 in Washington, DC, to explore privacy implications of developing technology and business practices that collect and use of consumer data. This event was followed by a second roundtable in Berkley, CA in January 2010. The discussion in Berkley focused on benefits and risks created by technology and the privacy implications of social networking, cloud computing, and mobile marketing.

The third roundtable will be held on March 17, 2010 in Washington, DC. At this event, panelists will discuss the collection and use of “sensitive” information. In preparation for this roundtable, the FTC has requested comments on the following issues:

How can we best achieve accountability for best practices or standards for commercial handling of consumer data? Can consumer access to and correction of their data be made cost effective? Are there specific accountability or enforcement regimes that are particularly effective?
What potential benefits and concerns are raised by emerging business models built around the collection and use of consumer health information? What, if any, legal protections do consumers expect apply to their personal health information when they conduct online searches, respond to surveys or quizzes, seek medical advice online, participate in chat groups or health networks, or otherwise?
Should “sensitive” information be treated or handled differently than other consumer information? How do we determine what information is “sensitive”? What standards should apply to the collection and uses of such information? Should information about children and teenagers be subject to different standards and, if so, what should they be?

For those who cannot join the discussion in person, a live webcast of this conference will be available at the FTC's website.

House Energy and Commerce Subcommittees to Hold a Hearing the Commercial Uses of Location Information

Mon, 22 Feb 2010 11:01:00 -0500

On February 24, 2010, the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection and Subcommittee on Communications, Technology, and the Internet will hold a joint hearing on the collection and use of location information for commercial purposes. This joint hearing is the third on privacy held by these two subcommittees this Congress. A joint hearing was held in June 2009 to learn about online behavioral advertising practices and to consider whether federal privacy legislation is necessary to address concerns associated with these practices. A second hearing was held in November 2009 on the online and offline collection and commercial use of consumer information.

The scheduled witnesses for Wednesday’s hearing are:

Lorrie Cranor

Associate Professor

Computer Science and Engineering & Public Policy

Carnegie Mellon University

Mike Altschul

Senior Vice President and General Counsel

CTIA – The Wireless Association

John B. Morris, Jr.

General Counsel

Center for Democracy and Technology

Anne Collier

Connect Safely

Jerry King

Chief Operating Officer
uLocate Communications, Inc.

Tony Bernard
VP/GM
Useful Networks

These hearings are being held in preparation for introducing privacy legislation. Rep. Boucher (D-VA), the Chairman of the Subcommittee on Communications, Technology, and the Internet, has stated that he intends to introduce a bill to regulate online collection and use of consumer information. Privacy legislation is expected soon.

Power i

Wed, 27 Jan 2010 14:54:57 -0500

An industry group is launching its response to the FTC's challenge for better self-regulation of behavioral advertising. In a variety of fora, the FTC has made it clear that it wants to see stronger and more clear disclosures regarding targeted on-line advertising. The challenge of just how to provide useful information to consumers, who may or may not understand the technologies at issue, has proved problematic to say the least.

The Future of Privacy Forum's answer, reported today in the New York Times, is a new "Power I" symbol that will alert consumers that further information is available regarding the source of the content they are seeing. The hopes is that this will give consumers the power to understand and shape how their information is used online.

The open question is whether the Power I will be enough for an FTC that seems uncomfortable with notice and consent (a/k/a contractual) solutions, and seems inclined to regulate in this area of rapidly evolving technologies. And of course it also remains to be seen whether consumers will view this "Power I" as empowering information, or as a "Power Eye" invading their privacy.

The full story is over at The New York Times, in the article by Stephanie Clifford, "A Little ‘i’ to Teach About Online Privacy."

Federal Legislation Update

Wed, 23 Dec 2009 15:44:21 -0500

Although Congress appears preoccupied with other issues, there has been news regarding privacy legislation. As noted previously on the blog, HR 2221 passed the House on December 8th. The bill, with co-sponsors in both parties, has been referred to the Senate Commerce, Science and Transportation Committee.

Earlier this month, the primary comprehensive Senate privacy bill, S 1490 introduced by Sen. Leahy, received a cost estimate from the Congressional Budget Office. The CBO found that the implementation costs for the bill, which includes a breach notice requirement, would likely exceed $139 million in at least one of its first five years after the effective date. This scoring would result in the bill being labeled as an unfunded mandate on businesses, though the report found that preemption of state laws on the subject would off-set some of the implementation costs. The bill and a narrower breach notice bill, S 139, were approved by the Senate Judiciary Committee in November. The CBO report found that implementation costs to government agencies covered by S 1490 likely would not exceed the $69 million threshold to be deemed an unfunded mandate.

The Chair of the House Energy and Commerce Committee's Subcommittee on Communications, Technology and the Internet, Rep. Boucher, announced his intention to introduce a data privacy bill that would include additional opt-out and opt-in rights for consumers in the sharing of the consumer's personal information. Rep. Boucher stated that he is working with the subcommittee's ranking member on a bill he hopes to introduce in early 2010.

Maine Will See Retooled Bill on Protecting the Privacy of Minors

Mon, 21 Dec 2009 08:24:56 -0500

Maine's Democratic state Senator Elizabeth Schneider is expected to introduce a revised bill aimed at protecting the online privacy of minors by the end of the month, Maine Public Broadcasting's A.J. Higgins reports.

The federal Children's Online Privacy Protection Act (COPPA) already protects the privacy of children under 13, but Schneider has expressed concern that COPPA does not do enough to protect all minors from marketing, particularly prescription-drug and health care product marketing on the web.

The new bill in the works will replace controversial legislation previously introduced by Schneider, signed into law and scheduled to enter into force in September 2009. The first bill, which proposed severe restrictions on marketing to anyone under the age of 18, was subject to a barrage of criticism and several legal challenges. Maine attorney general Janet Mills even declared that she would not enforce the law due to constitutional free speech concerns. (My colleague, Deborah Birnbach, and I covered those developments in a November article in Goodwin Procter's Privacy & Data Security Advisory newsletter.)

As a result, Schneider has agreed to draft a more narrowly focused measure, with the specific goal of addressing medical information. It will be interesting to see how the new bill balances the protection of privacy with the free-speech concerns brought up by Mills and other critics. A public hearing on the new bill could be scheduled as early as next month, when the state legislature reconvenes.

House Passes Financial Industry Reform Bill

Fri, 11 Dec 2009 16:30:04 -0500

On December 11, 2009, the House of Representatives passed a comprehensive financial industry reform bill, H.R. 4173, that would, among other measures, create a new financial oversight agency--the Consumer Financial Protection Agency (CFPA). The legislation, passed by a vote of 223 to 202, consisted of multiple bills regarding financial industry practices, including portions of H.R. 3126, the Consumer Financial Protection Agency Act. Under the new legislation, jurisdiction over consumer financial protection regulations, such as the Fair Credit Reporting Act and the Truth in Lending Act, would transfer from the Federal Trade Commission to the CFPA. The Senate, which introduced similar financial reform draft legislation in November, is still debating how it will address financial industry reform. More information regarding the financial reform legislation passed by the House can be found here.

H.R. 2221--The Data Accountability and Trust Act Passes in the House

Thu, 10 Dec 2009 19:01:57 -0500

On December 8, 2009, the United States House of Representatives passed H.R. 2221, the Data Accountability and Trust Act. The bill has now been referred to the Senate Committee on Commerce, Science, and Transportation.

H.R. 2221 would require an entity, which owns or possess personal consumer information, to enact data protection security policies and to notify individuals if a security breach occurs. The Federal Trade Commission would be required to promulgate rules regarding data breach notification and protection standards. The bill would also preempt similar state laws.

FTC Holds Workshop on Journalism in the Internet Age

Fri, 04 Dec 2009 17:58:48 -0500

On December 1 and 2, the Federal Trade Commission held a workshop -- "How Will Journalism Survive the Internet Age?" -- exploring how the Internet has affected journalism and discussing a wide range of news-organization related issues, such as the economics of journalism in print and online, new business models for journalism online, and the ways in which journalism costs could be reduced while still maintaining quality.

Commentators on this week's workshop have noted that what was not discussed -- notably behavioral advertising and other types of targeted online advertising -- is as important as issues that were discussed. Future regulation of consumer privacy and behavioral advertising is still unsettled as legislators and regulators debate the scope of potential privacy legislation and new rules or models that will regulate the industry.

Further debate on this topic is likely to continue at the Federal Trade Commission's first Privacy Roundtable that will be held on Monday, December 7, at the Federal Trade Commission Conference Center in Washington, D.C. A live webcast of this conference will be available at the FTC's website.

IAB Launches Consumer Education Campaign About Behavioral Advertising

Fri, 04 Dec 2009 16:36:20 -0500

The Interactive Advertising Bureau (IAB), which is made up of media and technology companies that sell online advertising, recently launched a consumer education campaign about behavioral advertising. The campaign uses online ads with eye-catching content such as "Advertising is Creepy." The ads link to the IAB's Privacy Matters page, which contains information about online advertising that is organized by categories such as: (1) Understanding Online Advertising; (2) How is My Online Privacy Protected?; (3) How Can I Protect Myself Online?; and (4) Understanding and Managing Cookies.

Online publishers are donating ad space for the campaign, and currently 500 million impressions have been promised.

Additional coverage of the campaign launch is available here.

FTC Senior Staff Appointments

Mon, 30 Nov 2009 17:19:05 -0500

The FTC has announced the appointments of several senior staff at the Commission:

Cecelia Prewett as the Director of the Office of Public Affairs. Ms. Prewett has a background in communications both in the public and private sector, working for the American Association for Justice, AARP, the State of Illinois, and on Capitol Hill as a communications director to several Members of Congress
Jessica Rich as Deputy Director in the Bureau of Consumer Protection ("BCP"). Ms. Rich was most recently the Acting Associate Director of the Division of Privacy and Identity Protection in the BCP. She was formerly an Assistant Director in the same division and the Division of Financial Practices, legal advisor to the Director of the BCP, and staff attorney in one of the FTC's consumer fraud divisions.
Charles Harwood as Deputy Director in the Bureau of Consumer Protection. Mr. Harwood previously was the Director of the FTC's Northwest Regional Office in Seattle for 20 years. Prior to joining the FTC, Mr. Harwood served as a counsel to the U.S. Senate's Committee on Commerce, Science, and Transportation, and the U.S. Department of the Interior's Indian Arts and Crafts Board.
Norm Armstrong, Jr. as Deputy Director in the Bureau of Competition. Mr. Armstrong has served as Acting Deputy Direct in the Bureau of Competition, Deputy Assistant Director of the Mergers IV Division, Counsel to the Director, and Liaison to the Department of Defense.
Joel Winston as Associate Director of the Division of Financial Practices. Mr. Winston has previously held several positions within the FTC including Associate Director of two divisions, Assistant Director of a division, and Assistant Deputy Director of the BCP.
Maneesha Mithal as Associate Director of the Division of Privacy and Identity Protection. Ms. Mithal has previously served as Assistant Director of the same division and Assistant Deputy Director of the BCP.
Mark Eichorn as Assistant Director of the Division of Privacy and Identity Protection. Mr. Eichorn has served as an Attorney Advisor to the Chairman and in the Division of Advertising Practices.

Consumer Advocates and Pharmacists' Group Request FTC and HHS Investigation of Possible Violation of Health Privacy Rules

Tue, 24 Nov 2009 10:16:05 -0500

The National Community Pharmacists Association (NCPA) and seven consumer advocacy groups have requested that the FTC and the Department of Health and Human Services to investigate activities by CVS Caremark that may violate HIPAA. In a letter filed with the FTC and HHS, the organizations alleged that CVS Caremark used health information in violation of healthy privacy and antitrust laws. CVS Caremark was created from the 2007 merger of the pharmacy CVS and the pharmacy benefits manager Caremark Corp. The letter alleges, among other things, that CVS Caremark uses the information it obtains from non-CVS pharmacies through its pharmacy benefits management program to market the CVS mail-order pharmacy and CVS in-store pharmacy programs to those consumers--an inappropriate use of protected health information.

CVS Caremark recently settled an action with the FTC regarding its data security practices.

Additional coverage of the story is available here.

House Subcommittees Hold Hearing to Address Potential Privacy Legislation

Mon, 23 Nov 2009 16:09:07 -0500

On November 19, 2009, the House Subcommittee on Commerce, Trade, and Consumer Protection and the House Subcommittee on Communications, Technology, and the Internet conducted a hearing entitled "Exploring the Offline and Online Collection and Use of Consumer Information." The hearing focused primarily on the collection, dissemination, and use of personal information from both online and offline sources, as well exploring privacy issues that should be addressed by future legislation. Highlights of the hearing included:

Subcommittee members and witnesses discussed many facets of personal information use for marketing purposes, such as how consumer data is collected, the types of data that businesses collect, consumers' ability to access his or her personal information held by marketers, and consumer education concerning privacy matters.
Participants discussed elements that could be addressed in future legislation included increasing transparency and choice, consumer education, and providing consumers with a clear statement of their rights--such as the ability to "opt in" and/or "opt out" of having personal data collected. Witnesses, such as Chris Hoofnagle with the University of California, Berkley - School of Law, encouraged consumer education measures, noting that most consumers are unaware of their obligation to object to data collection practices with which they do not agree, and that many consumers assume that personal information collected by companies is secure--which may not always be the case.
Many of the witnesses advocated privacy protection through a self-regulatory scheme, but Subcommittee members countered that self-regulation is ineffective at stopping "bad actors" and comprehensive legislation is necessary to protect consumers from unscrupulous businesses.
Finally, almost all of the witnesses stressed that legislation should be tailored to meet the needs of different types of businesses and industries, as well as creating different standards to regulate the offline versus online collection and use of personal information.

In a separate interview, Chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, Bobby Rush (D-IL), indicated that a draft privacy bill would not be circulated before the end of the year.