Posts Tagged ‘Data Security’

FTC announces its 30th data protection settlement – with Twitter

Remember when hackers got into Twitter’s databases, allowing them to send out phony tweets from the likes of then President-elect Obama and certain Fox News anchors? Well, the FTC was definitely paying attention to that incident. Today, the agency announced an investigation and settlement of Twitter’s data security practices – its first ever case against a social networking service (and 30th data security case to date). The term of the settlement is 20 years, and Twitter will be required to set up a comprehensive data security program, implementing privacy and security controls in its systems and workplace. The company will also be subject to an independent, third-party audit of its practices every other year for the next 10 years. Read all the details on the FTC’s site.


Today at the ABA: Expanding the FTC’s Role through Financial Reform

April 22, 2010

I have also posted this entry to the ABA’s Secure Times blog.

The big question being debated at this morning’s session on financial reform legislation and the proposed Consumer Financial Protection Agency/Bureau: how will the legislation impact the FTC’s authority, both in terms of rulemaking and imposition of civil penalties?

In December 2009, the House passed the “Wall Street Reform and Consumer Protection Act of 2009” (HR 4173). An important provision in the bill would strip the FTC of its powers to regulate consumer financial protection while also expanding the agency’s powers in two key ways: first, by giving the FTC “APA” rulemaking authority for areas that fall within the FTC’s jurisdiction, and second, by giving the agency greater latitude to assess civil penalties for unfair and deceptive practices.

These amendments will surely impact FTC enforcement of online advertising, marketing, privacy, and data security.  For instance, violations under the FTC’s expanded authority could trigger civil penalties even in the absence of an FTC order. Civil penalties would be assessed in antitrust cases brought by the FTC that include a consumer protection claim.

In addition, the HR 4173 language that expands the FTC’s authority would impose liability on companies that “substantially assist” in an unlawful act, even if the company does not have direct knowledge of, or responsibility for, the violation. This provision will probably raise some serious concerns for companies currently enjoying a safe harbor under the Communications Decency Act.

Today, FTC rulemaking jurisdiction comes in two flavors – “APA” rulemaking under certain laws as prescribed by Congress (e.g. the Children’s Online Privacy Protection Act), and general rulemaking authority under the 1975 Magnuson-Moss Act. Under the latter, the FTC can only regulate “prevalent” unfair and deceptive acts, and must justify that regulation with “substantial evidence.” The key difference between these two types of rulemaking occurs during judicial review: a court can overturn an FTC regulation under Magnuson-Moss if the rule lacks a substantial evidentiary record to support it. In contrast, FTC regulations enacted under the APA rulemaking scheme, such as those implementing COPPA, can only be overturned if the agency was “arbitrary or capricious” in enacting the rule – a much higher standard. As former FTC Chairman Muris explained in his presentation at the panel, Magnuson-Moss gives the FTC authority to act only when a problem occurs often enough to justify a rule, or when a problem has a common cause in a sufficient number of cases.

Current FTC Chairman Jon Leibowitz, supported by President Obama and the Administration, has strongly advocated for an expansion in the FTC’s authority, stating that it is “critical” for the FTC to carry out its mission of protecting consumers. In particular, Leibowitz has argued that the procedural requirements of Magnuson-Moss – such as the requirement that a practice be prevalent before the agency can act – make FTC rulemaking more burdensome than at most other federal agencies. Although the relevant amendments expanding the FTC’s power are missing from the Senate version of the legislation, it is widely expected that these differences will be worked out in conference. Financial reform legislation appears to be on a fast track – earlier today, a Senate panel approved the bill, and both Republicans and Democrats have indicated that passage is likely.

The CFPA would be a new independent federal agency – the composition of which would vary depending on whether you are looking at the House (5 members and a Director for two years) or Senate Bill (5 members).  Its enactment would strip the FTC and other federal banking agencies of their federal consumer protection powers under a number of laws, including the Electronic Funds Transfer Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, the Home Mortgage Disclosure Act, the Real Estate Settlement Procedures Act, the Secure and Fair Enforcement for Mortgage Licensing Act, the Truth in Lending Act and the Truth in Savings Act.   In short, any product or service that results from or is related to engaging in a financial activity and that is to be used by a consumer “primarily for personal, family or household purposes” will come under the new agency’s purview.

At today’s session, we saw differing viewpoints from both Tim Muris, former FTC Chairman, and Julie Brill, incoming FTC Commissioner, on this current push to expand the FTC’s authority under financial reform legislation.

Former Chairman Muris views the FTC’s current role as important, and he sees FTC rulemaking as relevant in certain areas – e.g. the do-not-call rules. He is concerned about the current proposals to expand the FTC’s authority because the agency often lacks industry-specific knowledge and expertise (I see this most recently in the area of privacy, as the FTC is currently gleaning this knowledge through its Exploring Privacy roundtable series). Muris also thinks the agency’s rulemaking authority under Magnuson-Moss is more than sufficient, as it imposes an obligation on the agency to be clear about its proposed theories while focusing its evidence on key questions. He cites the agency’s recent business opportunity rulemaking as an example of an instance where the FTC initially proposed a broad rule that would have disproportionately impacted both fraudulent and legitimate businesses. The FTC eventually narrowed its proposed business opportunity rule after the public comment process.

On civil penalties, Muris thinks these are important only when a company violates an FTC order or rule. He sees blanket civil penalty authority as a mistake that may have unintended consequences – such as a penalty on a firm’s stock price. He’s also concerned that the standard of review laid out in the financial reform legislation will return the FTC’s definition of unfairness to its pre-1994 definition, i.e. the Sperry & Hutchinson or “cigarette rule,” which defines an unfair practice as one that is injurious to consumers, violates established public policy, or is unethical or unscrupulous. As many know, Congress amended the FTC Act in 1994 to specify that an unfair act or practice is one that causes or is likely to cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or competition.

Providing a counterpoint to Muris’ remarks, FTC Commissioner Julie Brill, speaking “on behalf of herself,” is generally in favor of expanding the FTC’s authority.  She sees the FTC as both a law enforcement and regulatory agency.  She views civil penalties as just “one of the arrows” in the FTC’s quiver – not to be used in every instance, but as appropriate.  As a law enforcer, she does not see the FTC’s request to have civil penalty authority as unusual – since most state AGs already have this type of authority.  To view such penalties as “automatic” is particularly misleading to her, since the FTC would only be able to obtain such penalties after judicial review in court. Brill also sees the FTC as a regulatory agency and notes that APA rulemaking is enjoyed by most other federal agencies. In addition, she points out that APA rulemaking under the proposed amendments would also be subject to review by a judge in court. Brill also views civil penalties as helpful in quantifying equitable remedies to compensate consumers for their injury – e.g. disgorgement or restitution for data breach violations.

Taking a broader view of the situation, Brill sees an expansion of the FTC’s authority as a way to make the agency’s enforcement efforts more effective – which benefits both consumers and competition in the long run. She also feels that consumers want an agency that has the right enforcement tools – not an “emasculated” FTC – and finds it surprising that the issue is even being debated, given the events of the financial meltdown and the current economic recession.

On the subject of FTC regulation, Brill is strongly in favor of an update, noting that rulemaking under Magnuson-Moss can often take up to 8 – 10 years. She recalls comments she made on the hearing aid rule as an Assistant AG in Vermont in 1992 – rules that have yet to be issued, nearly 20 years later. Her statements suggest that expanded rulemaking authority might give companies in dynamic industries – such as technology – FTC regulation that actually keeps pace with innovation.

The question of course, is whether such FTC regulation would also stifle innovation preemptively.  Companies have started to take note of the recent push to expand the FTC’s power, and it is likely that the topic will continue to be debated fiercely in the coming weeks as financial reform legislation comes to a vote. Some have even expressed concerns that such an expansion of the FTC’s rulemaking authority could impact funding and investment in technology and Internet companies by both Wall Street and Silicon Valley VCs.  For more, take a look at this transcript of the Progress & Freedom Foundation’s recent forum entitled “Supersizing the FTC.”

Blogging (or Live-Blogging) at the ABA Spring Antitrust Meeting

April 16, 2010

Depending on wireless access, I will either be blogging or live-blogging certain tracks of the 2010 ABA Spring Antitrust Meeting, which will be held next week, April 21 – 23, in Washington DC.  The posts will appear on the ABA’s Secure Times blog and here, at the Balancing Act.

Please check back here on April 21st – I look forward to your review of my posts and of course, I always welcome comments!

The consumer protection and private advertising tracks for this year’s ABA Spring Antitrust Conference are laid out below:

  • 8:45-11:45: Antitrust and Consumer Protection Fundamentals
  • 9:00-10:30: Handling State Attorney General Advertising Cases: Substantive & Procedural Questions
  • 10:45-12: It’s Not Easy Being Green: Environmental Claims, Standards and Deception (this session will focus on third-party certification)
  • 2-3:30: Administrative Litigation at the FTC – Navigating the Shifting Procedural Waters
  • 2-3:30: Is Nothing Typical? Applying the New Standards in the Revised FTC Testimonial Guides
  • 3:34-5:15: Economics & Consumer Protection Law
  • 3:45-5:15: False Claims of IP Protection: Competition & Consumer Protection Perspectives

  • 8:15-9:45: Consumer Financial Protection: Assessing the New Landscape
  • 8:15-9:45: False Advertising Litigation: The Lanham Act Preliminary Injunction Hearing
  • 1:30-3: Enforcement Priorities in Advertising Law

  • 8:15-9:45: Changing Standards for Certifying Class Actions (the panel will address both antitrust and consumer protection standards)
  • 8:15-9:45: Security & Privacy in the Cloud: Developing the Right Framework for Service Providers, Business Customers, and Consumers


Law & Policy in the Cloud: A Murky Forecast

March 15, 2010

Tomorrow, the FCC will announce its broadband plan, designed to catapult the United States into a fully wired (or wireless) society. If successfully executed, the plan will create millions of well-paying jobs – in infrastructure, and in services to support a new online ecosystem. Information and data reaped from broadband activities will continue to transform products and services. In about a decade, broadband – not the telephone – will serve as the communications backbone of our nation.

To achieve this goal, however, we need to have laws and regulations that dictate how broadband is built, accessed and delivered. Surprisingly, the FCC’s jurisdiction to regulate broadband is in question – and a final determination on this question could take years, possibly decades, of litigation. In addition, there is continued regulatory uncertainty around the use of the data that is intended to flow across these vast broadband networks – particularly data that is stored away from the user’s desktop and in the cloud.

Indeed, the current state of law and policy – particularly as it relates to cloud computing – is definitely murky.  That was the consensus of most experts at a terrific conference hosted last Friday by Berkeley’s Center for Law & Technology entitled Emerging Law & Policy Issues in Cloud Computing. A threshold question, echoed by both Rich Sauer of Microsoft and Michele Dennedy of Sun, is which jurisdiction’s laws should apply to data stored in the cloud.

The inherent, “multi-tenant resourcing” nature of cloud computing provides the incredible efficiency gains that are driving business to the cloud today.  It also means that your data may be stored and transacted on a US server – or a server located outside of the US.  It’s hard to know exactly where the data is at any given moment. This poses some definite problems, particularly when you consider the divergent nature of the global laws governing data privacy and security.

Earlier this month, for instance, the German constitutional court struck down a 2008 law that required retention of certain information for law enforcement purposes (including the deterrence of terrorism) on the basis that it conflicted with Germany’s Constitution.  As Professor Thomas Fetzer of the University of Mannheim explained, the concept of human dignity is paramount under the German Constitution and trumps all other laws (including that of the European Union or other European countries). Under this formulation, an individual must be able to control his or her data at all times.  On the other end of the spectrum there’s China, which has warned of “consequences” for Google or any other company that does not filter search data.

Choice and transparency have emerged as two best practices for cloud companies. As companies encourage users to store their most valuable data – medical, financial, etc. – in the cloud, the choice of where that data sits will become even more important for jurisdictional purposes. But as we also know, consumers today have limited knowledge about what data is being gathered about them and how that data is being used. It’s hard to exercise choice when you don’t know exactly what it is that you are choosing.

So what’s the next step for cloud companies that want to stay competitive in this space but also not run afoul of laws and regulations?  I think there are at least two opportunities that companies should be supporting:

Opportunity #1: Educate your Consumer

Since most consumers don’t know how data about them is collected, manipulated and stored, there appears to be a great opportunity for companies and regulators to join forces and resources to educate consumers about the issue. The recent German action alluded to above was brought – not by a competitor – but by a class of over 35,000 German consumers. Unless consumers understand the benefits of how data can transform our commercial, personal and human experiences, it will be hard for cloud companies to press for relaxed regulations on data privacy and security issues. An upcoming opportunity may present itself in the “digital literacy corps” that will be proposed in the FCC’s Broadband Plan tomorrow.

Opportunity #2: Advocate for Baseline Guidance

It’s clear that there are wide gaps between US laws and the laws of other nations when it comes to cloud computing. That said, there appear to be some common principles – gleaned from the EU Data Privacy Protection Act and certain FTC guidances, for example – that could define how companies provide notice to consumers, regardless of the jurisdiction in which they sit. In fact, the FTC could set up an advisory process – similar to what is already seen under the Children’s Online Privacy Protection Act – to provide a safe harbor and incentives for companies that put resources into this type of activity.

The cloud is definitely here to stay and it’s likely that the laws of the physical world will continue to struggle with its non-physical contours.  Remaining competitive in the cloud is important for any company doing business today – particularly as web technologies transform traditional industries.  Regulatory considerations are an important part of that competitive matrix.  Also important is being upfront with consumers about what type of data is being gathered and how it will be used.  It’s a great opportunity – to shape perceptions about an important computing trend that is transforming our lives, while also advocating for the types of laws and regulations that will preserve the innovation that continues to be a hallmark of the cloud space.

What could be more clear?


Congressional Gridlock & the Threat to our Cybersecurity

February 19, 2010

A country is under daily threat of invasion from seemingly invisible enemies located outside of its borders.  Surprisingly, the country remains unprepared – its government has instituted no policies or procedures to respond to the imminent threat; policy makers and legislators struggle to define how such attacks should be treated under the laws of the land.

If you guessed that this country is the United States of America, you are right. The attacks are those that happen in cyberspace – ranging from cyberwarfare to the list of threats from “compromised” web applications in this McAfee report.  Countries already engage in cyberwarfare – Russia launched a cyber attack against the Republic of Georgia in August 2008; China has allegedly used cyberwarfare for years against India.  But now we are seeing frequent attacks against private enterprise too.  Just yesterday, we learned that the recent cyber attacks against Google and several other technology companies were mounted from unlikely battle stations, two universities in China, both of which receive funding from the Chinese government.   We also learned about the existence of the massive Kneber botnet that has infected 75,000 computers at over 2,500 corporate and government entities.  Was Congress paying attention?

Cyber attackers come in all shapes and sizes, and exist on a global scale, just like the Internet.  At a recent NAAG Presidential Initiative looking at cybercrime and other issues, Fred Huntsberry of Paramount Pictures stunned his audience with a presentation on Russian and Eastern European cybercriminals.  These guys run online websites that manage to violate content piracy and identity theft laws at the same time, and on a massive scale.  First, they provide pirated, just released theatrical content for download or streaming.  Then, as many are also members of identity-theft rings, they misappropriate the credit card information you stupidly provide for subscription access to all that great (pirated) content.

The size of the cybercrime operation does not necessarily dictate the impact of the activity.  Take for example, the cybercrime ring composed of 3 people – Albert Gonzalez and his two Russian partners, responsible for the biggest data breach in US history (Heartland Payment Systems, implicating over 130 million credit and debit card accounts).  This was on top of the Gonzalez team’s other enormous breaches – including hacking into the payment systems of some of the country’s top retailers (Barnes & Noble, Office Max, Sports Authority, etc.)

The US has been on notice about the need for a comprehensive framework – to deal with cyber attacks and cyberwarfare – for many years now.  In 2001, Chinese hackers shut down; amazingly, almost 10 years later, we still lack a national plan of action to deal with cyber security, or a national data security law that defines both the issue and an offensive strategy to deal with its concerns.  Why do we lack the ability to deal with this very real and imminent threat?

A sobering white paper, recently published by former House Representative Thomas McMillen, provides some possible answers as to why there is no “political or corporate will” to enact cyber security legislation: an aggressive private sector lobby that has “resisted change” while paying “lip service” to the issues, a disengaged federal government (let’s add congressional gridlock to this category), and a public that fails to see the link between identity theft and cyber attacks (even though an estimated 40 million Americans are “cyber victims”). McMillen advocates for more public awareness – along the lines of what happened in the environmental movement – to catalyze the private sector to compete on security.  He also advocates for government regulation to give the industry the direction it needs on developing technologies and practices around cyber security.

If you believe McMillen’s report, there’s been little effective coordination between the public and private sector on cybersecurity – something that must happen for the government to effectively respond to a cyber attack.  For instance, imagine a situation where malware on smart phones (delivered through an innocuous March Madness application) is remotely activated to shut down the country’s telecom and broadband networks, paralyzing them during a hurricane.  How would the government and telecom providers resolve the issue? This was the scenario imagined by the Bipartisan Policy Center this week during their CyberShockWave mock attack exercise – featuring real former government officials in pretend government roles. After going through the exercise, the Center concluded that the US is “unprepared” for cyber threats (you can actually view the mock attack on a CNN special this weekend). And surprisingly, we do not yet have guidelines for how the government should communicate with private industry – like the telecom industry – in the case of such an emergency.

The lack of an effective cybersecurity framework is troubling.  But even more worrisome is the fact that the US is already losing the philosophical battle here against some formidable opponents.  Today’s cyber warriors are ideologically disposed towards cyber attacks – in China, hacking is often viewed as a patriotic activity.  They are intelligent – Shanghai Jiaotong University, one of the two universities identified as a source of the recent attacks against Google, recently beat out Stanford to win IBM’s prestigious Battle of the Brains competition.  And they are sophisticated – NPR’s interviews at this week’s Black Hat conference reveal a world where hacking is viewed as a business – complete with mission statements, budgets and continuing education programs.

It’s unlikely that cybersecurity legislation will be enacted in an election year when Congress already has so much on its plate.  Yet not doing so has severe consequences. Cyber attacks are behind one of the leading consumer complaints faced by federal and state regulators – identity theft.  Nearly 12 million consumers were affected by this crime in 2009 (according to a recent study by Javelin Research), making this a very real threat, not a policy issue that should be left for debate.   This reason alone should give Congress the political will to act; yet the gridlocked body continues to ignore the issue.

I hope it doesn’t take a real cyber attack to get their attention.

A Cry for Regulation

January 30, 2010

A bizarre thing happened at the FTC’s second Exploring Privacy Workshop which was held in Berkeley this week.  Many of the web’s most popular companies – several of whom were featured panelists – were seen publicly urging the FTC to regulate the web.  As the day-long workshop progressed, it became clear that we have reached a point in the Internet’s evolution where regulatory guidance is critical.  For a company whose very business model relies on data mining of some sort – predictability regarding data security and online privacy rules is fast becoming a need, not a want.

The FTC understands these concerns and has been particularly responsive during the last few months, reaching out to stakeholders – web companies, academics and consumer advocacy organizations – all of which were well represented at last week’s workshop. Based on the day’s discussions (you can see a replay of my live blog here), it became clear that participants were falling into two camps – one which urges clear guidelines and self-regulation, the other which wants more mandates and enforcement. Then there’s the FTC’s current view – as discussed in this recent New York Times interview with current FTC Chairman Jon Leibowitz and David Vladeck, the head of the FTC’s Bureau of Consumer Protection.

One thing everyone does agree on is the need for better and more consumer education – particularly around data flows.  With this type of education, the need to regulate data security and online privacy so stringently may be alleviated. For instance, much has been made during this workshop and in previous discussions, about the failure of privacy notices.  I wonder however, how much of that failure is because consumers simply don’t understand the significance of an opt-in or opt-out, especially when it comes to their personal or identifiable data.

Obviously, there’s a joint role here for all stakeholders – an educated consumer is your best customer (to paraphrase the Syms slogan).  Companies should be thinking about ways to partner with regulators on public education initiatives – just take a look at what the alcohol industry has done by partnering with state AGs on underage drinking awareness campaigns.

The FTC’s third Exploring Privacy workshop will be held on March 17th in Washington DC. Here are the questions posed by the FTC in anticipation of this final workshop:

  • How can we best achieve accountability for best practices or standards for commercial handling of consumer data?  Can consumer access to and correction of their data be made cost effective?  Are there specific accountability or enforcement regimes that are particularly effective?
  • What potential benefits and concerns are raised by emerging business models built around the collection and use of consumer health information?  What, if any, legal protections do consumers expect apply to their personal health information when they conduct online searches, respond to surveys or quizzes, seek medical advice online, participate in chat groups or health networks, or otherwise?
  • Should “sensitive” information be treated or handled differently than other consumer information?  How do we determine what information is “sensitive”?  What standards should apply to the collection and uses of such information?  Should information about children and teenagers be subject to different standards and, if so, what should they be?

Trying Another Form at the FTC’s first Privacy Roundtable

December 7, 2009

At the first of the FTC’s Exploring Privacy roundtables held earlier today, Chairman Leibowitz was asked whether the FTC approach to regulating privacy has been successful.  Artfully dodging the question, Leibowitz responded by likening the privacy issue to Winston Churchill’s view of democracy:

“It has been said that democracy is the worst form of government — except for all those other forms that have been tried from time to time.”

The Chairman’s remark encapsulated the spirit of the day, as a reinvigorated FTC dived deep into consensus building with a who’s who from the world of privacy policy. This is just the start of the inquiry, with another two roundtables to follow. The plethora of smart thinking and ideas that flowed in stream-of-consciousness fashion from today’s panelists was helpful to the evolution of a regulatory construct for online privacy. Yet many questions remain unanswered. And even with all the bright minds in attendance, the contours of an effective regulatory scheme for online privacy remain unclear.

More research on web attitudes, custom and habits is needed. As we learned today, the personal data ecosystem is extremely complex and layered (like those privacy notices you can never find the bottom of).  Did you know that there are over 20 different categories of companies – including web marketers, search engines and online data brokers – that currently collect information in personally identifiable or aggregated form? Incidentally, the FTC did a great job of pulling together supporting material for the roundtable, including this slide on the personal data ecosystem that should be a must-view for anyone surfing or shopping on the web.

Clearly there is tension between the approach advocated by those representing the consumer interest (CDT, CDD, EPIC, etc.), and those involved in what Commissioner Harbour described as a “digital arms race” – the race to monetize content and information and build massive ad-viewing bases in the digital economy. Consumer organizations are urging the FTC to adopt stricter privacy regulations – at a time when online advertising is exploding on both the desktop and mobile web.  Now, the FTC must engage in a careful balancing act – develop a regulatory framework that protects consumer data online while not impeding the growth of technological innovations that utilize profile data.

The discussion will continue at a second FTC roundtable on January 28th.   Here are some of the discussions I hope to hear in round two:

  • The volume of personal data that travels on the web today pales in comparison to the volume of data we will see in a future of web-enabled devices and integrated systems. Does a use-based classification system with individual opt-outs for each type of information really work with large volumes of information?  Or should all personally identifiable information be regulated in the same way, irrespective of use?
  • Several panelists indicated that self-regulation is not working.  What’s the alternative? Is the failure of self-regulation attributable to the lack of clear government guidelines or engagement on what online privacy policies should look like?
  • In 2008, for the first time, more people accessed the web through their mobile phones than through a desktop. As the FTC attempts to get ahead of the online privacy issue, what considerations should be given to privacy protections on the mobile vs. desktop web?