LifeLock CEO May Not Be Giving Out His Social Security Number Anymore

Todd Davis, the CEO of LifeLock, is not the first CEO to appear in advertising, but he was probably the first to prominently display his U.S. Social Security Number in full-page ads in major newspapers and on billboards across the country. Although these ads disappeared a while ago, the action brought by the Federal Trade Commission and the Attorneys General of 35 states of the United States has now resulted in a settlement valued at $11 million. FYI, the states involved were: Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia. The settlement resolves claims that LifeLock’s advertising was deceptive and misleading and misrepresented the types of services consumers could expect if they became victims of identity theft and their personal information was compromised.

While LifeLock does provide some measure of identity-theft protection, it was apparently not as robust and comprehensive as the advertising might lead a consumer to believe (personal information would be “useless to a criminal”). As a result of the action, not only has LifeLock promised to make changes (or has already made them) to address the FTC complaint - in its business practices as well as its advertising - but the complaint also named CEO Davis and his co-founder Robert J. Maynard, Jr., both of whom will be barred from making the same misrepresentations as LifeLock. The $11 million received from LifeLock will fund refunds to consumers who signed up for the service. Information about eligibility and how the redress program will work can be obtained directly from the FTC - LifeLock Redress Program.

FTC Chairman Leibowitz stated: “Consumers received far less protection than they were promised,” noting further that LifeLock’s service was ineffective against identity theft involving existing credit cards or bank accounts. Despite the advertised claims, according to the FTC, LifeLock often did not encrypt data in storage or transmission, didn’t install any antivirus software on computers used by employees, and failed even to require strong passwords for employees’ access to systems and files.

The documents were filed by the FTC in the U.S. District Court for the District of Arizona, and you can obtain a full copy of the original Complaint and the Stipulated Final Judgments against LifeLock, Davis and Maynard, right here: Federal Trade Commission v. LifeLock.

The Advertising Technology & Media law practice has lawyers and the resources of Reed Smith’s litigation and regulatory enforcement team to help clients seeking to prevent legal and regulatory problems and, if necessary, to defend them if problems arise. We have a team of data security and identity-theft lawyers with hands-on experience who know how to respond if a data breach occurs and can counsel you in complying with federal and state requirements. Need to know more? Call Joe Rosenbaum, or any of the lawyers at Reed Smith with whom you work - and, by the way, don’t give out your Social Security Number.

The War on Privacy Opens a New Front

In the aftermath of many well-publicized data breaches in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is or may have been compromised in a database. But recent reports citing the ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found notification laws only reduce identity theft by around 2 percent) and a growing sense that notification laws don’t prevent the problem have caused some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted different legislation aimed at prevention, and Washington and Michigan are actively considering new measures.

Nevada’s law requires businesses to encrypt personally identifiable information about their customers that is transmitted electronically. So credit card information and other personal information sent by email, SMS text message or other digital means must be encrypted. Under the Nevada law, companies that comply but still have a breach would have a statutory limit on their liability for damages (i.e., $1,000 per customer per occurrence). But companies that don’t comply would have unlimited civil liability. If these statutes establish the standard by which businesses are judged in protecting sensitive consumer data, then those standards could easily form the basis of a civil argument that a business owner failing to comply has been negligent.

Massachusetts has also enacted measures that, effective in January, will require businesses that gather personal information about Massachusetts residents to encrypt sensitive data on portable devices such as laptops and wireless devices. These new laws are intended to protect residents and consequently apply to out-of-state companies that have either customers or operations there. Companies concerned about compliance, even small companies, have started to worry about these new laws—computers with encrypted hard drives, software that automatically encrypts information, and even tracking devices embedded in portable computers and similar mobile devices are becoming increasingly popular.

Data Breach. Cause for Alarm or a Big Yawn?

By August 2008, there were more publicly disclosed data breaches among U.S. businesses than for all of 2007. More information is created, flowing and stored by commercial enterprise than ever; more clever schemes are being hatched by criminals for hacking or disrupting information; employees don’t appreciate the value of assets you can’t feel; and consumers are befuddled by a maze of privacy notices, data theft notices, credit report advertisements, and scare tactics launched by advocacy groups—well intentioned though they may be.

More than 40 U.S. states have laws requiring disclosure of data breaches. If these were intended to create incentives to prevent data breaches and reduce their occurrence, how do we explain the steady rise? Are the laws ineffective? Are businesses accountable beyond some adverse publicity, once they provide legally mandated disclosure? Have we become jaded by news reports, privacy and breach notices as just so much junk mail?

In the credit card world, consumers generally have a maximum $50 liability if a card is lost or stolen. In situations where there are no real-time approvals, credit card companies take the risk. In that environment, a business decision is made to accept certain losses because the potential revenue generated by the business model yields a greater reward. In the world of consumer privacy and personally identifiable information disclosure, who is taking what risk? Studies have for years indicated that IT professionals appreciate that digital crime—theft of intellectual property, piracy, theft of trade secrets, customer data or employee information—is a problem. Many companies may not even know their security has been breached, and others have little incentive to solve the problem. Need more information? Come to my web page, contact me and tell me what you think. Call if you need help with a policy, a position or an understanding of your legal rights and obligations. We can help.

Coping With COPPA

The Children’s Advertising Review Unit recently held that screening for age to avoid collecting personal information from children under 13 was not enough. In Bandai America (the website is Bandai’s Wireless.com site), CARU found that although Bandai’s website had a screening mechanism that asked for a date of birth, there was no tracking once a child put in a birth date. Thus, anyone under 13 could come back and enter a different (inaccurate) date of birth to get by the screen. CARU’s COPPA compliance guidelines require that not only must interactive sites have an age screening mechanism, but there also must be some reasonably effective means of tracking so children can’t get around the screening process. Forewarned is forearmed.
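The gap CARU found, as an added illustration that is not part of the original article and not Bandai's code: a date-of-birth screen on its own lets anyone who was refused reload the page and type an older date, whereas a screen that records the first refusal in a persistent marker keeps refusing. The cookie name, the fixed "today" and the birth dates are constructed for the example.

```python
from __future__ import annotations
from datetime import date

# Constructed cookie name (assumption): marks a browser that has already
# failed the age screen, so a later attempt with a different date is refused.
BLOCK_COOKIE = "age_gate_blocked"
MIN_AGE = 13
# Constructed "today" so the example runs the same way offline.
TODAY = date(2008, 9, 1)


def age_on(dob: date, today: date = TODAY) -> int:
    """Whole years between dob and today, honouring the birthday."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def naive_screen(dob: date) -> bool:
    """The screen the article describes: a birth-date prompt and nothing else.
    Whoever is refused can simply come back with a different date."""
    return age_on(dob) >= MIN_AGE


def tracked_screen(dob: date, cookies: dict) -> tuple[bool, dict]:
    """Age screen with tracking. Returns (allowed, cookies_to_set).

    A browser that has already been screened out is refused before the newly
    submitted date is even looked at, so re-entering a date does not help."""
    if cookies.get(BLOCK_COOKIE) == "1":
        return False, {BLOCK_COOKIE: "1"}      # keep the marker fresh
    if age_on(dob) < MIN_AGE:
        return False, {BLOCK_COOKIE: "1"}      # first refusal: set the marker
    return True, {}


def simulate_retry(first_dob_iso: str, second_dob_iso: str) -> dict:
    """Two visits from one browser: the first date entered, then a second,
    different date. Returns what each screening approach decided on the retry."""
    first, second = date.fromisoformat(first_dob_iso), date.fromisoformat(second_dob_iso)
    browser_cookies: dict = {}
    _, set_cookies = tracked_screen(first, browser_cookies)
    browser_cookies.update(set_cookies)        # the browser stores Set-Cookie
    tracked_second, _ = tracked_screen(second, browser_cookies)
    return {
        "naive_second_attempt": naive_screen(second),
        "tracked_second_attempt": tracked_second,
    }


if __name__ == "__main__":
    # A truthful under-13 date (age 8 on TODAY), then an adult's date on retry.
    print(simulate_retry("2000-01-01", "1990-01-01"))
    # → {'naive_second_attempt': True, 'tracked_second_attempt': False}
```

In a real deployment the marker must be a persistent cookie (a long Max-Age, not a session cookie), and because cookies can be cleared, recording the outcome against an account or device on the server side is stronger still.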

Who Pays For the Data Security Breach?

Have you received one of those “data security breach” letters? Quick, call the credit bureau and bank. Change the checking, credit card and license numbers. Most financial institutions have absorbed the cost of reissuing payment cards or providing new checks, even when these financial institutions had nothing to do with the security breach. When B.J.’s Wholesale Club disclosed that a theft of credit card information had occurred, two financial institutions sued to recover the costs that resulted from that breach. The institutions claimed B.J.’s breached its legal obligation to maintain the security of the financial institution and should be liable for the damages. Those claims were initially rejected, but have now been revived by the U.S. Court of Appeals for the Third Circuit, which has issued a decision holding that these financial institutions were intended third-party beneficiaries of the contract among the retailer, its merchant bank, and the payment card industry to keep customer data safe. If the retailer breached data protection rules imposed by the payment card industry and the financial institutions were third-party beneficiaries of that agreement, then any damage and loss could be recovered based on contract law claims. Stay tuned.

You Would Think They Would Know Better

Cyber-Ark Software, a U.S.-based information security company, surveyed information technology professionals at the Infosecurity Europe Expo 2008 in London this past April. They asked 300 senior IT folks attending the Expo about abuses relating to information access, and guess what they found? First, about one-third of all IT professionals surveyed abused their own company’s information access rights policies to view information unrelated to their job (e.g., spying on employees or looking at confidential information). The survey report noted that passwords of IT and systems oversight staff often aren’t required to be changed as often as user passwords—or sometimes not at all. In most cases, IT administrators have free rein to use or abuse access privileges—which apparently happens too often.

The notion of “internal firewalls” is highlighted by this report. While companies often take great pains to protect themselves from external threats, as history has shown us in the physical world, the biggest dangers are from “inside jobs.” Without protections that apply internally, snooping, economic espionage, sabotage, spying and data security risks will remain a looming threat to the information assets of a business enterprise.

Data, Data Everywhere, But Hackers Drop into Secure Websites

Criminals stole customer information from the Hannaford Bros. and Sweetbay grocery chains’ computer networks. As shoppers swiped cards at checkout and their information was routed to transaction processors using state-of-the-art, fiber-optic, hard-wired cable for transmissions, malicious software intercepted the information and transmitted it to an ISP off-shore. Experts are still trying to figure out how the code got into the systems in the first place.

Connecticut, after yet further large-scale data security breaches, has approved legislation, effective Oct. 1, 2008, which will require all businesses to have and display a privacy policy that explains how the business protects Social Security numbers. Businesses must safeguard data and documents with personal information from misuse by third parties, and violations trigger a $500 penalty—penalties per incident can total up to $500,000. While unintentional violations do not give rise to penalties, “unintentional” is likely to refer to lapses in the execution of a policy, not to companies without policy or a failure to implement a policy. Do you need help developing a privacy policy, information retention and disposal procedures? Need to comply with the new law in Connecticut and those of well over 30 states that have enacted data breach and data security and protection laws in the past few years? Call 212.702.1303 or email Joe Rosenbaum.

Did you read the article above about word-of-mouth advertising regulations in the UK? Then read the report entitled “Guidance on Data Security Breach Management,” sponsored by the UK Ministry of Justice and issued by the UK Information Commissioner’s Office (“ICO”). The report suggests a big difference between UK and U.S. data protection laws regarding best practices concerning data security breach notification.

In the United States, government operates on the presumption that a consumer is always better off when notified of a data security breach. The UK report explores the potential danger of “over-notifying” and asks if notification actually helps or simply creates anxiety, without the ability to allay the fears created, and postulates, “Not every incident will warrant notification, and notifying the whole 2 million strong customer database of an issue affecting only 2,000 customers may well cause disproportionate enquiries and work.” If consumers are barraged by data breach notices, with multiple notices to consumer reporting agencies and law enforcement officials, isn’t it more likely that people will start to ignore them? Read the full report.

Reed Smith has a global footprint, with lawyers who keep up to date in and across jurisdictions. Assumptions about the propriety, legal adequacy or efficacy of a response to a data breach may prove as disastrous as a breach itself. For companies that do business across state, provincial, regional and/or national boundaries, citizens of multiple jurisdictions may be involved. You need to know the correct responses. Need help? Contact Joe Rosenbaum to find out how Reed Smith’s privacy and data security team can meet your needs.

Data Security Breach - Who Are You Going to Call?

The New York State Information Security Breach and Notification Act amends the State Technology Law (Section 208) and the General Business Law (Section 899-aa), and requires that any New York State entity, as well as any person or business conducting business in New York that owns or licenses computerized data that includes private information, must disclose any breach to New York residents (New York State governmental entities must also notify non-residents). This is similar to more than 30 other states that have data breach notification statutes. Did you also know that when notification is necessary, New York law requires notification to the Attorney General, the Office of Cyber Security & Critical Infrastructure Coordination, and the Consumer Protection Board? Did you know there’s a “New York State Security Breach Reporting” form? No company relishes the idea of having to deal with a compromise of sensitive customer data. And no company should have to worry about not having the right legal advice when dealing with its customers, regulators and law enforcement officials. Reed Smith has a Data Security Group that keeps track of these laws in the United States and throughout the world.

Test Data? Really?

Are you using real customer data for testing? A recent survey found that well over 60 percent of IT professionals use live customer data for application testing and for software development. Guess how many IT professionals outsource application testing (and share live data with the testing company)—about 50 percent. Worried about sensitive data? Compliance with data breach statutes? Privacy concerns? Is this a potential gap in the security wall many companies build around their networks? You bet. Could it be a big compliance, legal and regulatory problem? Bigger bet. While live customer data is obviously the most representative for testing, it’s also the most risky. What can you do? Use fake data. Anonymize or sanitize real data. Use encryption. Limit access and strengthen contract, monitoring and audit controls. We know privacy and security, regulation and compliance. Call us.
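What “anonymize or sanitize real data” can look like in practice, as an added example that is not part of the original article: a live customer record is turned into a test fixture with keyed pseudonyms (so joins between tables still line up), a masked card number, and dates shifted by a per-customer offset (so intervals within a record survive). The record, the key and the field names are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed key (assumption). In practice a secret kept away from the test
# environment, so nobody holding the fixtures can reverse or confirm a pseudonym.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"

# Constructed customer record, as it might come out of a live database.
LIVE_RECORD = {
    "customer_id": "C-10042",
    "name": "Jane Q. Public",
    "email": "Jane.Public@example.com",
    "card_number": "4111 1111 1111 1111",
    "dob": "1975-04-09",
    "last_order": "2008-08-15",
    "zip": "02110",
}


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY, length: int = 12) -> str:
    """Keyed one-way pseudonym: the same input always maps to the same output,
    so references between sanitized tables still match; without the key the
    original cannot be recovered or confirmed by guessing."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:length]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits (what receipts show anyway); length and
    grouping are preserved so formatting code is still exercised by tests."""
    digits = re.sub(r"\D", "", pan)
    masked = "X" * (len(digits) - 4) + digits[-4:]
    out, i = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(masked[i])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def days_between(a_iso: str, b_iso: str) -> int:
    return (date.fromisoformat(b_iso) - date.fromisoformat(a_iso)).days


def sanitize_record(rec: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a fixture copy of rec with no live identifiers in it."""
    pid = pseudonym(rec["customer_id"], key)
    # Deterministic per-customer shift of 1..90 days either way, never zero,
    # so real dates are gone but age-at-order style intervals are unchanged.
    offset = int(pid[:4], 16) % 180 - 90
    if offset >= 0:
        offset += 1
    shift = lambda iso: (date.fromisoformat(iso) + timedelta(days=offset)).isoformat()
    return {
        "customer_id": "T-" + pid,
        "name": "Customer " + pid[:6],
        "email": f"{pseudonym(rec['email'], key)}@test.invalid",  # reserved TLD
        "card_number": mask_pan(rec["card_number"]),
        "dob": shift(rec["dob"]),
        "last_order": shift(rec["last_order"]),
        "zip": rec["zip"][:3] + "XX",                              # coarse area only
    }


if __name__ == "__main__":
    print(sanitize_record(LIVE_RECORD))
```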

Financial Supermarket? No. Financial Advertising Supermarket? Well, Maybe...

Years ago, a number of companies hoped that by offering to simplify financial record-keeping and collect your financial information in one place, consumers would find it easier than trying to keep track of all of the numbers, codes and IDs they have to contend with in the real world. The concept fizzled, primarily because there was resistance to giving one website all the information—putting all your nest eggs, so to speak, in one basket. Now, some companies are hoping to revive the concept, this time with the lure of education, advertising and sponsorship.

Although the basic idea remains, the new aggregation model uses sponsored links—recommendations based on an analysis of consumer data and financial information—all geared to educating consumers about the availability of financial products and services. Just as search engines accumulate information about browsing—to prioritize and serve advertising believed to be of higher value to the individual—these new sites use the same model to recommend financial services. If you use a credit card to purchase airline tickets, the site might recommend or display an advertisement for an affinity credit card tied to an air carrier or one which offers points for your purchases. Use an overdraft line of credit for your checking account? You might see an advertisement or recommendation to consider a home equity line of credit to potentially lower your tax bill while you borrow.

While advertising-supported revenue models may have greater appeal from an economic viewpoint and may attract financial institution sponsors and advertisers, these sites still have to overcome consumer discomfort with making all—or a significant portion—of their nonpublic financial information available at a single point of aggregation. With the identity theft, data breach and privacy issues front and center in the past few years, one has to wonder if the power of advertising can overcome that anxiety.

The Empire Strikes Back?

You can’t possibly have missed the flurry of articles in the press over the past few years regarding identity theft and the measures being taken (or vulnerabilities exposed) to protect the non-public, personally identifiable financial information consumers access, use and provide in the course of routine payment transactions—both off and online. Indeed, several years ago, the Payment Card Industry (“PCI”) began formulating its own self-regulatory standards governing the protection of consumer information relating to the processing of credit, charge and debit card transactions. This has led to the development of the PCI Data Security Standards (“DSS”) and corresponding Data Security Audit Guidelines. In broad terms, the PCI DSS requires the protection (by encryption or other effective means) of personal information in the payment card process—whether in storage, card processing, point of sale/purchase, recordkeeping—in every link in the chain of payment using a payment card or device linked to an account at a financial institution.

As a result of the furor over the release of private information—including releases from governmental agencies and databases (e.g., social security numbers, drivers license numbers)—more than 30 states have passed specific legislation requiring companies that know, or reasonably suspect, that data, databases or electronic/digital information involving personal information of consumers has been compromised or actually leaked, to disclose and notify consumers affected (or potentially affected) by the security lapse or potential breach. Federal legislation has been proposed, although nothing has yet been enacted, and the states have stepped in to fill the perceived gap, protect the information of their citizens, and regulate the conduct of companies doing business within their borders.

Much of the angst over the private sector, commercial transaction compromises of security—starting most visibly with ChoicePoint several years ago and continuing in a steady stream thereafter—arises from the fact that retail merchant establishments have traditionally not had to worry about privacy and the secure management of customer personal and financial information, primarily because they haven’t been regulated or needed to do so. Enter the digital age of information and the ability of marketing and advertising gurus (within and for retailers) to data-mine and use vast amounts of previously cumbersome and often unattainable information about customers. If information has always been power, then digital information transforms that power exponentially, at the speed of light (literally, for those physics majors masquerading as lawyers or marketing professionals).

The combination of security standard requirements, consumer protection legislation and digital technology has conspired to significantly increase both preventive and compliance costs to everyone in the chain of payments and financial transactions. Now some banks have decided to strike back. Three community banks and three state trade groups have filed a class-action lawsuit against TJX Cos. (to us folks, this is the company that owns TJ Maxx, Marshalls and HomeGoods). You might remember the news late last year when it was found that some computer hackers were accessing credit and debit card transactions made at TJX’s stores—at least since mid-2005—and that potentially more than 40 million cards may have been compromised. TJX disclosed the breach itself in January 2007.

Now the banks and trade groups are claiming that between the costs of reissuing cards and simply bearing the risk of theft and fraud against unwitting consumers wrought by the hackers, the bill to the banks is in the tens of millions of dollars. The lawsuit demands that those costs be covered by the retailer, and the plaintiffs want the courts to hold the retailer responsible and financially liable for the damages resulting from the breach.