Page 1: Recent Developments in Privacy and Information Security

October 16, 2006

ABA Antitrust Section Privacy and Information Security Committee & Corporate Counseling Committee

Elaine D. Kolish, Ken Dreifach, Marc Zwillinger

Page 2: Agenda

Federal Developments

State Developments

Private-Sector News

Other Developments

Page 3: Federal Developments

Federal Trade Commission Updates
– Spyware case settled with large judgment
– $1 million penalty in COPPA case
– First telephone pretexting settlement
– Testimony on Pretexting
– ID Theft Task Force Interim Recommendations

SEC Announces Review of Its Data Security Rules

Government Announces More Missing Laptops

Federal Legislative Activities

Page 4: FTC Permanently Shuts Down Spyware Distributors

Stipulated judgment in FTC v. Enternet Media requires defendants to
– Give up $2.045 million in ill-gotten gains (suspended amount $8.5 million)
– Stop making misleading statements about the features of its software code/content (e.g., that code is a browser update or cell phone ring tone)

Resolves FTC’s Fall 2005 complaint
– Defendants allegedly installed spyware on consumers’ machines
– Spyware tracked consumers’ internet activity, changed browser settings, and displayed pop-ups even when browser was off
– Assets and operations were frozen last fall

One of 7 FTC actions against spyware in last year

Page 5: FTC Obtains $1 million COPPA Penalty

In United States v. Xanga.com, Inc., FTC alleged Xanga collected, used, and disclosed personal information about children under 13 without parental notification or consent

Xanga, a popular social-networking site with 25 million registered accounts in 2005, stated that children under 13 could not join, but allowed users entering a birthdate indicating they were under 13 to join nonetheless

$1 million civil penalty is largest under COPPA

Xanga’s principals also named in action

Other cases may be coming

Page 6: Pretexter Settles with FTC

In FTC v. Integrity Security & Investigation Servs., Inc., FTC alleged defendants obtained consumers’ confidential telephone records and credit card information and sold the information unlawfully to third parties
– Conduct alleged to be “unfair” under FTC Act

Settlement bars defendants from pretexting or obtaining or selling consumers’ phone records or personal information unless authorized by law

Defendants also required to surrender money made from sale of information ($2,700)

Four other pretexting cases still in litigation

Page 7: FTC Seeks Additional Powers To Combat Pretexting

In testimony before the House,
– FTC requested (again) that Congress
• Create more specific prohibitions against pretexting
• Provide civil penalties against accused pretexters
• Pass cross-border fraud legislation, given that many websites selling consumer information are registered to foreign addresses
– Describes FTC’s history of prosecuting pretexting since 2000
• Past actions involved financial records and institutions
– Describes current initiatives against phone pretexting
• Five cases filed Spring 2006

Page 8: Presidential ID Theft Task Force Recommendations

President established Interagency Task Force on May 10, 2006 to address issues of identity theft

Final Strategic Plan from Task Force due in November

Task Force issued interim recommendations on 9/19/06 on measures that could be implemented immediately, including:
– Provide via OMB data-breach guidance to all federal agencies

– Develop universal police report for victims

– Amend criminal restitution laws to allow ID theft victims to recover

– Reduce government SSN use

– Develop alternative authentication methods

– Improve governmental data security and breach response

Page 9: New SEC Data Security Rules For Brokerage And Advisory Firms Likely Forthcoming

SEC staff announced that they are reviewing their data security rules and will likely make them more robust. No time frame has been announced.

SEC Regulation S-P currently requires broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect consumer information and records, including during disposal.

Page 10: Commerce Department Reveals 1,137 Laptops Missing Since September 2001

Laptops stolen mostly from Census Bureau and National Oceanic and Atmospheric Administration.

About 250 of these, nearly all from Census Bureau, contained personally-identifiable information.

Only 107 were fully encrypted; all were password-protected.

Page 11: House Approves Electronic Surveillance Bill

The House of Representatives approved HR 5285 – the Electronic Modernization Surveillance Act – by a vote of 232-191. It would strengthen the U.S. government’s ability to perform electronic surveillance on U.S. residents by easing the process for obtaining search warrants.

Bill would also permit federal law enforcement officials to monitor U.S. residents for up to 90 days without a court order in the wake of an "armed attack" or a "terrorist attack," or if the president perceives an "imminent threat of attack," and clarify that the U.S. government can pursue wiretaps on any mode of electronic communications, and not simply telephone or radio-based communications.

Bill clarifies procedures for challenging lawfulness of FISA order.

Page 12: State Developments

H-P Pretexting Investigation and Fallout

California Anti-Pretexting Legislation

California Wi-Fi Security Bill

California Supreme Court decision on multi-party consent rule

Utah - State Minor Do-Not-Spam Registry

Oregon AG Settlement on Data Breach

Page 13: Pretexting at HP

CA AG charged former HP Chairman with four felonies, based in part on her decision to provide to HP’s outside investigators the telephone numbers of reporters whose telephone records were then accessed without their permission.

Four others also charged, including HP’s former senior lawyer, a private detective, and two data brokers.

Charges include: fraudulent wire communications; wrongful use of computer data; identity theft; and conspiracy to commit these 3 crimes.

In testimony before the U.S. Congress, former Chairman Dunn said she did not know that investigators hired by HP would use legally dubious methods to gather information.

Page 14: CA Governor Signs Bill Banning Pretexting

On Sept. 9, 2006, Governor Schwarzenegger signed a bill banning the sale or purchase of a consumer’s phone records without the consumer’s consent, as well as the fraudulent obtaining of such records.

$2,500 fine for first violation; $10,000 fine and jail time for subsequent offenses.

Page 15: California Wi-Fi Security Bill Waits For Governor’s Signature

CA legislature passed a bill requiring wireless Internet equipment manufacturers to include security guidance with their products.

The law, which would be effective Oct. 1, 2007, would require warning labels to be placed on all equipment capable of receiving Wi-Fi signals.

Labels may take the form of stickers on product box, special notifications in install software or router setup, or automatic securing of connection.

At least one sticker must be positioned so that consumer must remove it prior to using product.

Warnings must describe how to secure files, folders, and connections.

Bill’s text acknowledges disagreement over whether it is legal to use another’s unprotected Wi-Fi connection, but concludes that authorized use is determined by specific circumstances of the access.

Page 16: California Supreme Court Confirms All-party Consent Rule

High court refused to modify its ruling that out-of-state companies cannot record calls with Californians without their permission (Kearney v. Salomon Smith Barney Inc.).

Case concerned a CA resident who called her GA-based financial broker.

Most states require only one party’s consent to monitor or record a call.

Page 17: Alleged Spammers Face Fines For Violating State Minor Do-Not-Spam Registries

Utah’s Division of Consumer Protection issued $30,000 in fines against companies it accused of sending commercial e-mail messages to e-mail addresses belonging to or accessible by children.

Fines were assessed pursuant to Utah’s do-not-spam Child Protection Registry, designed to protect minors from receiving e-mail solicitations for gambling, alcohol, pornography, or other material deemed “harmful to minors.”

Utah legislature approved the registry in 2004, making it a criminal offense to send prohibited e-mail to any address in the registry.

E-mail marketers must “scrub” their lists against the registry.

Utah registry is subject of litigation alleging it is unconstitutional under the First Amendment and preempted by CAN-SPAM.

Page 18: Oregon AG Settles With Hospital Over Privacy Breach

Backup media containing patients’ personal information was stolen from an employee’s car.

Settlement requires hospital to provide free credit monitoring and remediation, improve security practices, compensate victims for losses, and pay $95,000 fine.

Unlike private plaintiffs, Oregon AG does not need to show resulting harm in order to punish breach.

Page 19: Private Sector News / Miscellaneous Developments

U.S. Court of Appeals for Armed Forces upholds expectation of privacy in email despite logon banner (U.S. v. Long)

Mass. Appeals Court reverses convictions under state computer crime statute (Comm. v. Piersall)

N.D. Illinois issues order against U.K.-based Spamhaus

New Guidelines issued by PCI Security Standards Council

Page 20: Military Court Finds Expectation of Privacy in Email

Marine Corporal allegedly sent emails through DOD network related to drug sales, which were retrieved in investigation

Computer had standard DOD logon banner:
– All information sent over this system may be monitored
– Evidence of unlawful use found during monitoring will subject user to criminal prosecution
– Use of system constitutes consent to terms

Remarkably, court finds that logon banner provides consent to monitoring, not to a historical search

User had subjective expectation of privacy

That expectation was reasonable given: (1) employee’s sole control of password; (2) sys admin was only allowed to monitor for limited purposes; (3) sys admin’s testimony that personal emails were allowed to be sent and that he did not regularly monitor due to privacy concerns

Court wanted policy to say “No Right of Privacy in System Use.”

Page 21: Court Rules On Necessary Evidence For “Unauthorized Access To A Computer System” Conviction

In Commonwealth v. Piersall, the MA Appeals Court reversed a lower court’s conviction of a husband on 15 counts of unauthorized access to a computer system, based on his use of his former wife’s password to access her e-mail account.

MA state law prohibits unauthorized access of computer system, or access by any means accompanied by failure to terminate such access upon knowledge that access is unauthorized.

Jury had been given different printouts of wife’s e-mails that husband had accessed. Printouts bore 13 different dates.

On appeal, court noted that dates could not comprise sufficient evidence of separate “logins,” and that each unique date may not reflect a separate “login” to wife’s e-mail account.

Page 22: U.S. Judge Orders Spamhaus To Pay $11.7 Million In Damages And Apologize

UK-based Spamhaus Project publishes an e-mail “blacklist” of IP addresses suspected to be associated with spam.

Organizations in various countries use the list to block e-mails from the IP addresses on the list in hopes of avoiding spam.

Plaintiffs e360Insight, LLC, and David Linhardt, whose IP addresses appeared on Spamhaus’s blacklist, sued Spamhaus on business tort theories and secured a default judgment against Spamhaus, which did not appear in the action.

Spamhaus posted a defiant response on its website, noting that “default judgments obtained in U.S. county, state, or federal courts have no validity in the UK and cannot be enforced under the British legal system.”

Court may order ICANN to suspend Spamhaus’s domain, giving U.S. Commerce Department-controlled entity an opportunity to demonstrate its independence or further support those who believe it is overly subject to U.S. control.

Page 23: Credit Card Companies Form New Security Group

The 5 major credit card companies create new organization to improve and implement payment standards for credit and debit cards.

First time that major brands—AmEx, Discover, JCB, Visa/MC—have agreed to single, shared framework.

New group, to be called Payment Card International (PCI) Security Standards Council, will take charge of PCI Data Security Standard, first set out by subset of 5 brands.

Group’s first action was to clarify previously-ambiguous language in PCI standards by replacing it with more definite language, including firm deadlines.

Page 24: Elaine D. Kolish

Ms. Kolish is a partner in the Business Regulation Practice Group. She specializes in advertising, marketing, and regulatory issues related to consumer products and services.

Her expertise includes conducting advertising claims analyses, advising on substantiation responsibilities, counseling on the compliance requirements of consumer protection laws, and privacy and security issues.

Prior to joining Sonnenschein, Ms. Kolish was the Associate Director in charge of the Enforcement Division at the Federal Trade Commission, Bureau of Consumer Protection in Washington, D.C. She is vice-chair of the ABA Antitrust Section’s Privacy and Information Security Committee.

Page 25: Kenneth Dreifach

Mr. Dreifach is a partner in the Information Security & Internet Enforcement Practice Group. Previously, he was chief of the Internet Bureau in the Office of the New York Attorney General, and from 2000 to 2006 he directed all enforcement efforts.

He has overseen the initiation, litigation and settlement of dozens of enforcement actions involving spyware practices, data privacy, spam, online gambling, credit card and e-payment practices, online auction fraud, identity theft, ISP practices, Web access for the disabled and, more generally, deceptive advertising and business practices. He has worked closely with the Federal Trade Commission and other state attorney general offices on policy and enforcement, leading several multi-state groups, and has drafted and consulted on numerous New York State bills regarding spyware, spam, ISP practices, rebate practices, and other consumer protection issues.

Page 26: Marc J. Zwillinger

Mr. Zwillinger is the Chair of the Information Security & Internet Enforcement Practice Group, and in 2000 created the first Information Security & Internet Enforcement practice at any national law firm.

Mr. Zwillinger advises and counsels clients on protecting electronic information and how to respond to legal process served by the government. He has led scores of internal investigations and external responses to security breaches. In addition to his work in the information security and privacy space, he has helped design Internet enforcement and anti-piracy programs for combating illegal online behavior. He is regularly consulted by ISPs and Internet portals regarding liability for Internet activities, including intellectual property infringement, spyware, phishing, CAN-SPAM, online gambling, and adult content.

He is a former Trial Attorney with the Computer Crime and Intellectual Property Section of the Department of Justice where he prosecuted the first corporation tried and convicted under the Economic Espionage Act.

