Employee Use of P2P Software Results in FTC Enforcement Actions

By Mehmet Munur

The Federal Trade Commission announced that it brought two separate enforcement actions against a debt collector and a car dealership because of the unauthorized sharing of sensitive personal information through P2P network software installed by their employees. As is common in most FTC enforcement actions, the companies will be required to cease misrepresentations about privacy and security of personal information, maintain a comprehensive information security program, and submit to third-party security audits for 20 years. These enforcement actions, once again, point to the importance of having privacy policies that align with privacy practices and the importance of having reasonable security practices in place.

The FTC complaint against the debt collector, EPN, alleges that it collected personal information without reasonable and appropriate security. EPN collected name, address, date of birth, gender, Social Security number, employer address, employer phone number, and in the case of healthcare clients, physician name, insurance number, diagnosis code, and medical visit type from its clients for debt collection purposes. EPN’s Chief Operating Officer installed a P2P application on its systems. One of its clients found the files shared on the same network and alerted EPN about it. In fact, EPN shared through this P2P application information about 3800 individuals. EPN did not have a business need for the application. FTC stated that EPN did not have an incident response plan, risk assessment, measures against P2P software use by its employees, and procedures for detecting unauthorized access to personal information. FTC alleged that these were unfair and deceptive practices under the FTC act.

It is interesting that the FTC did not point to a privacy policy for representations relating to the privacy and security of the information collected by EPN—even though EPN, doing business as Checknet, Inc., has a website privacy policy. However, the privacy policy does not have an effective date and it may have been added after the FTC investigation began.

The FTC complaint against the car dealer, Franklin’s Budget Car Sales, alleges that the dealership shared a privacy notice with its customers stating that it would restrict access to non-public personal information and that it maintained physical, electronic, and procedural safeguards that complying with federal regulations. The dealership then collected personal information such as names, Social Security numbers, addresses, telephone numbers, dates of birth, and drivers’ license numbers from consumers. FTC also alleges that the dealership did not provide an annual notice. Currently, Franklin Toyota’s website privacy policy shows the model privacy clauses—instead of a web privacy policy. They are also still the model form—without some of the choices for creating the form having been made. FTC alleges that the dealership failed to put into place reasonable security procedures—similar to EPN’s alleged failures. As a result of those failures, information relating to 95,000 consumers was shared on the P2P networks. Therefore, the FTC alleged violations of the Section 5 of the FTC Act (for misrepresenting its privacy and security measures in its privacy notice), Safeguards Rule of the GLBA (for failing to implement reasonable security practices), and the Privacy Rule of the GLBA (for failure to send annual privacy policies).

Both companies agreed to similar terms as a result of these complaints. The consent order with the dealership requires it not to misrepresent its privacy, security, and confidentiality of personal information it collects nor violate GLBA. It also requires the dealership to designate an employee accountable for information security, conduct a risk assessment, design and implement reasonable safeguards, among other things. The dealership must also submit to third-party assessments once every two years for 20 years. The debt collector’s consent order is similar—but for the GLBA requirements.

There are several lessons to be learned from the enforcement actions—some new, some old.

First, the enforcement action highlights the importance of having a privacy policy and abiding by the letter and spirit of that privacy policy to avoid an enforcement action under the FTC Act. Google, Facebook, Twitter and others ran into this same trap of having a privacy policy that did not align with their privacy and security practices.

Second, failure to have reasonable security without making any representations regarding the importance of privacy and security to an organization can still result in an enforcement action—especially where the harm to consumers may include sharing of sensitive personal information. Here, the FTC seemed perturbed by the fact that some of the personal information shared with the P2P networks may never be taken out of circulation due to the decentralized nature of P2P networks. In fact, some of this information likely included information relating to healthcare procedures.

Finally, the FTC appears to be following a “study, report, then bring enforcement actions” plan for topics of interest—as any reasonable regulator should. In the P2P space, the FTC obtained comments and looked at consumer protection and competition issues in a 2005 staff report. More recently, the FTC completed a study on widespread data breaches as a result of P2P software use by businesses in 2010 and notified about 100 organizations. The FTC also published guides for consumers and businesses relating to the P2P software use. Then, the FTC had an enforcement action against Frostwire LLC for the default settings in the P2P software that shared too much personal information. Now, the FTC brings this enforcement action against businesses that cause breaches due to the use of P2P software. The FTC has been following a similar study-report-bring-enforcement-actions plan with mobile privacy, mobile payments, and behavioral advertising issues. Therefore, I would expect more enforcement actions in those fields as a result of the plan FTC has been carrying out in this P2P area.

These latest enforcement actions are reminders that businesses must pay attention to their privacy and security practices or risk being subject to onerous consent orders prescribing privacy and security programs.

Read More...

FTC Issues Final Breach Notification Rules as Required by the Stimulus Bill

By Mehmet Munur

On August 18, Federal Trade Commission issued the final rules on breach notification as required by the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. The rules will take effect in 30 days from publication in the Federal Register. The FTC will only begin enforcement after 180 days of the publication of the final rules.

The final rules addressed the public comments to the proposed rules, clarified certain issues such as the broad scope of the rules, the application of either the HHS or FTC breach notification rules, notifying individuals by email, notifying the FTC for breaches involving more than 500 individuals, and privacy notices.

FTC received 129 comments related to its notice of proposed rulemaking. Google (see our previous blog post on Google Health) was noticeably absent from the list, while Microsoft (see our previous blog post on HealthVault) commented on several issues including email notices and use of cloud computing storage. Microsoft’s concerns related to cloud computing prompted FTC to require that vendors of PHR and PHR related entities notify their third party service providers of their status as vendors of PHR.

The FTC adopted the definition of personal health record without modification. Under the proposed rules, breach of name and credit card numbers would have triggered a notification. The FTC backed away from that interpretation and now states that name and credit card numbers alone will not constitute personal health record. On the other hand, FTC renewed its statement that de-identified data would not be considered personal health record “[g]iven the small risk that such data will be re-identified by unauthorized third parties.” Such references show FTC’s renewed interest in the identification of individuals using non-personally identifiable information. FTC had previously mentioned the issue in February in the Behavioral Advertising Staff Report.

The FTC confirmed the wide scope of the new breach notification rules. The proposed rule applies to vendors of PHR and PHR related entities “irrespective of any jurisdictional tests in the Federal Trade Commission Act.” Therefore, even if an entity is not covered by the FTC Act, it may fall under the scope of the breach notification. Additionally, the Commission reiterated that “foreign entities with U.S. customers must provide breach notification under U.S. laws.” Similar to the EU Data Protection Directive, the rules appear to apply to the individual’s data regardless of the data’s location.

The FTC agreed with some of the commentators to the proposed rules that some entities would be covered by both the FTC and the HHS rules. Therefore, the FTC “consulted with HHS to harmonize the two rules, within the constraints of the statutory language.” A related issue concerned the provision of a single breach notification for a single breach, though several entities may be involved. The FTC addresses this issue by providing examples of when entities may comply with both the FTC and the HHS requirements to provide notice.


The final rules also addressed privacy notices and, with it, FTC’s recent incursion into privacy enforcement and behavioral advertising. FTC addressed privacy notices because the “final rule provides that a breach of security means acquisition of information without the authorization of the individual.” FTC stated that “an entity’s use of information to enhance individuals’ experience with their PHR would be within the scope of the individuals’ authorization, as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations.” The FTC reiterated its suspicion of lengthy privacy notices, which it originally voiced in the Behavioral Advertising Staff Report, by stating that “the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of “meaningful choice.”” The FTC cited to the recent Sears enforcement to reinforce its seriousness in enforcing the meaningful choice doctrine. There, Sears had buried its data mining activities deep in its privacy policy instead of providing clear and conspicuous notice of the broad scope of its activities. This could be an indication that the FTC may consider data processing without adequate notice as a data breach.

The final rules now make it easier to provide individual notice through email as well. The FTC is persuaded that the relationship between the vendors of PHR, PHR related entities, and consumers take place online, email notice can be used as a default option. Individual’s express affirmative consent to notify by email is no longer necessary. Nevertheless, the consumers must still have a meaningful choice not to receive notice by email. Additionally, the FTC made it clear that no confirmation is required for the receipt of emails, only “reasonable efforts to contact all individuals” is required. EPIC advocated for social media breach notification. The FTC declined to adopt such measure, but stated that the rule did not preclude other forms of notice in addition to the required forms. We are looking forward to public reactions to the first social media breach notification on Twitter, Facebook, or LinkedIn.

Web postings related to breaches on entities’ websites now need not be maintained for 6 months. The FTC shortened the public posting on websites to 90 days. With respect to notifying the FTC of breaches for breaches involving more than 500 people, the FTC increased the time to provide notice to FTC to 10 business days from 5. In addition, entities may use the form created by the FTC to notify the FTC about breaches. Email notification of the FTC is not an option at this time due to security concerns.

While the effective date of the rules were set by the Stimulus Bill and cannot be changed, the FTC stated that it will “will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered” 180 after the publication of the final rules. The HHS should shortly follow with its final rules on the Stimulus Bill.

Read More...

Amending Website Terms of Use Requires Care

By Mehmet Munur

Recent case law examining website terms of use highlights the importance of drafting qualified change of terms provisions for online agreements, proposing reasonable unilateral amendments, providing adequate notice, and keeping track of differing versions of online agreements and assents to such agreements.


Security & Privacy Update Summer 2009.pdf

Read More...

Sears Settles with FTC on Information Tracking

By Mehmet Munur

FTC entered into a settlement agreement with Sears in June related to its failure to provide adequate notice to its customers during the sign up process for an information collection software. This settlement highlights the need to create accurate highlight notices for privacy policies.

Sears invited customers visiting the Sears.com website and kmart.com websites to join the My SHC Community. Sears paid the customers $10 to sign up to participate in the community. Customers downloaded and installed a “research” software for participating in the community after being presented with the privacy policy and a license agreement.

Sears mentioned on its marketing material that the software would confidentially track online browsing. However, the FTC charged that the software allowed Sears to monitor consumer’s online sessions including shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. FTC appears to be concerned that Sears’ “Privacy Statement and User License Agreement” did not discuss the full scale of the data mining until the 75th line of the agreement. The agreement stated:

Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.

Therefore, the FTC argued, burying the scope of this information collection activity in the 75th line of legal agreement did not adequately disclose the fact that the consumer was allowing the tracking for all of his internet activity. This, the FTC concluded, was a deceptive practice under section 5 of the FTC act.

In hindsight, Sears probably did not need all of the data that it gather in the first place. The competitive advantage that Sears may gain in collecting and processing such sensitive financial and health data is likely to be outweighed by the disadvantages in maintaining the confidentiality of such sensitive information and the public relations problems that follow its disclosure. Even if Sears could in fact use this data, installation of software that practically works like a commercial key logger likely requires specific and unambiguous consent.

In light of the Sears settlement, corporations should consider building several layers of privacy policies. Article 29 Working Party and the UK ICO have proposed simplifying privacy policies to provide better notice to data subjects. Such a scheme would require that corporations build and use highlights notices that provide a summary of privacy notices that then provides links to the full privacy policy.

In fact, some corporations, such as Google and Microsoft, have started using the A29WP approach in their privacy policies. Note that the users would still be bound to the full privacy policy with such an approach. Therefore, this highlights notice makes privacy policies easy to understand for consumers while maintaining the detailed approach of a privacy policy. Possibly, Sears could have used such a privacy policy on its website and more accurately described its information collection.

Read More...