Regulators Issue Final Model Privacy Notice

By Mehmet Munur

On November 17, eight federal regulators issued final rules and model privacy notice forms as required under the Gramm-Leach-Bliley Act. While the use of the notice forms are not required, the two-page forms create a safe-harbor for disclosures required under the GLBA.

The notice forms replace the Sample Clauses previously issued by the regulators. The regulators stated that their studies “confirm[ed] that a notice composed solely of the Sample Clauses promotes ease of scanning to perform simple tasks – because the notice is short and not because it is understandable – but the Sample Clauses do not do well on comprehension measures. Moreover, the testing showed that current notices – in which the Sample Clauses are typically embedded – do poorly on all measures.” Therefore, the regulators appear to want to increase the use of the model clauses as much as possible.

The FTC has been pushing for alternate means of providing notice to individuals for some time. The FTC noted in its February 2009 Behavioral Advertising Staff Report that “privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.” Then in its recent Sears Enforcement, FTC stated that Sears failed to “disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers’ computers.” Sears had mentioned the broad nature of data collection only in the 75^th line of a legal agreement. Then in August, FTC once again mentioned the Sears enforcement and the need to provide better notice in the Health Breach Notification Rule; stating “[b]uried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice.’” FTC will be conducting Privacy Roundtables in the near future. We expect the highlights notices, model privacy notices, and Carnegie Mellon’s Nutrition Label Approach to privacy statements to take center stage in these roundtables.

Read More...

FTC Delays Enforcement of Red Flags Rule, Court Holds Red Flags Do Not Apply to Lawyers

by Mehmet Munur

The FTC news release notes that the Federal Trade Commission delayed the enforcement of the Red Flags rules until June 1, 2010. The FTC news release also notes the decision by the U.S. District Court for the District of Columbia that the FTC Red Flags Rules did not apply to attorneys. The Federal Trade Commission v. American Bar Association order states that the memorandum will be published in the next thirty days.

The FTC promulgated the Red Flags Rules under the authority given to it by the Fair and Accurate Credit Transactions Act. FTC had previously suspended the enforcement of the rules until November 1, 2009. Congress is currently considering a bill that would limit the scope of the Red Flags Rules.

Read More...

FTC Modifies ChoicePoint Consent Order and Imposes Stricter Compliance

By Mehmet Munur

The Federal Trade Commission announced today that it had entered into a modified consent agreement with ChoicePoint due to ChoicePoint’s inability to live up to the original consent agreement entered into in 2006.

The FTC entered into a consent agreement with ChoicePoint was due to compromise of 163,000 financial records and at least 800 cases of identity theft. The breach was possibly a watershed moment in data breaches and brought attention to data aggregators. ChoicePoint paid $10 million in civil fines, $5 million in consumer redress, and countless millions of dollars in forwent business opportunities, attorneys’ fees, and settlement fees for lawsuits. ChoicePoint also agreed to “establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers” which would be subject to an audit every two years.

The FTC press release for the most recent consent order notes that ChoicePoint “turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off.” As a result, ChoicePoint, since acquired by Reed Elsevier, compromised the personal information of approximately 13,750 individuals. ChoicePoint must now pay a fine of $275,000 and report to the FTC every two months for two years. The FTC also increased the final data by which ChoicePoint would be subject to biennial audits by two years to 2028. The new consent order may be found here.

The FTC enforcement reiterates FTC's attitudes about privacy promises. Such scrutiny by the FTC will certainly be burdensome for ChoicePoint and require it to step up its information security operation or face even more fines and enforcement from the FTC.

Read More...

FTC Settles with Six Companies with Lapsed Safe Harbor Certifications

By Mehmet Munur

On October 6, 2009, Federal Trade Commission filed six complaints against companies falsely claiming that they were self-certified to the Department of Commerce EU Safe Harbor when their certification had lapsed. This FTC action should serve as a reminder to Safe Harborites either to keep up their annual recertification or to avoid misrepresenting that they are self-certified to the Safe Harbor.

The EU Safe Harbor is one of the methods allowing US corporations to export data from the EU while complying with the Article 25 of the EU data Protection Directive, which requires that data only be transferred to countries with adequate data protections—with exceptions. The Department of Commerce, European Commission, and the Article 29 Working Party negotiated the Safe Harbor. US companies self-certify for the Safe Harbor and the DoC maintains a list of these companies on its export.gov website. However, the Federal Trade Commission and the Department of Transportation have the authority to enforce the Safe Harbor. While the Safe Harbor plays a crucial role for multinational corporations in transferring personal data from the EU without violating the EU Data Protection Directive’s adequacy requirements, now more than ever, failure to abide by the Safe Harbor requirements can result in enforcement actions by the FTC.

Six companies, World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive GaitWays LLC, each represented that they were self-certified to the Safe Harbor when in fact their certification had not been renewed for several years. At least three of the companies had failed to either recertify or remove their representations related to their certification from their websites for two to three years. For example, ExpatEdge had certified for the Safe Harbor in 2002 but had failed to recertify since 2006. Onyx Graphics had certified in 2006 but failed to recertify since 2007. Progressive GaitWays had certified in 2004 but failed to recertify since 2006. Since the FTC enforcement, the remaining three companies have recertified for the Safe Harbor.

The six companies each entered into consent agreements with the FTC related to their infringing activities. The consent agreements are similar to the previous FTC settlement on the Safe Harbor. The consent agreements prohibit any of the companies from “misrepresent[ing] in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.” Furthermore, the companies must make all documents related to compliance with the consent agreement available for inspection for the next 5 years.

In our previous blog post, we had stated that the FTC’s enforcement was tacked onto other issues related shipment of goods. This time the FTC has squarely addressed Safe Harbor violations using its deceptive trade practices powers. According to the FTC policy statement on deception, a material representation, omission, or practice that is likely to mislead the consumer is needed for any enforcement activity. Any “act or practice is likely to affect the consumer's conduct or decision with regard to a product or service” is considered material. Additionally, any express claims are presumed material. Furthermore, the Safe Harbor Principles and FAQ 11 of the Safe Harbor clearly state FTC’s jurisdiction to bring actions against Safe Harborites for deceptive trade practices. Therefore, the companies’ express claims that they were self-certified with the Safe Harbor when their certifications had expired are clearly material misrepresentations that would mislead a reasonable consumer under the circumstances.

The recent enforcement actions in this area are certainly signs of FTC’s willingness to bring enforcement actions in this area in the future. The recent changes to the list showing organizations certified to the Safe Harbor is possibly another indication of things to come. International Trade Administration website used to host the Safe Harbor list. Recently, it has moved to the Department of Commerce’s export.gov/safeharbor/ website, which is where all other Safe Harbor related documents used to reside. The list now more readily identifies non-compliant companies.

The FTC is likely to bring more enforcement actions against companies in the Safe Harbor list that represent that they are certified but have not in fact kept up their certifications with the Department of Commerce. The FTC is also likely to expand its enforcement activities into more substantive issues related to the privacy practices of Safe Harborites in the near future. Therefore, Safe Harborites intending to leave the Safe Harbor should either promptly renew their certifications or remove any public representation that they are certified with the Safe Harbor. This should help alleviate any FTC deceptive trade practices claims. However, note that obligations undertaken by a Safe Harborite do not disappear with the organization leaving the Safe Harbor. Therefore, removing such representations only resolves part of the issues involved in joining then leaving the Safe Harbor.

Read More...

FTC Obtains TRO Against E-Commerce Merchant Falsely Claiming Safe Harbor Certification

By Mehmet Munur

On July 31, the Federal Trade Commission obtained a temporary restraining order against a California website for deceptively claiming to be a member of the EU Safe Harbor administered by the Department of Commerce. This is the first FTC enforcement involving the FTC’s authority to prosecute violations involving EU Safe Harbor and FTC’s authority to prosecute an American company for deception of foreign consumers.

According to the FTC complaint, the defendants posed as UK websites, did not deliver on minimal consumer protections, and lied about being in the Safe Harbor. Balls of Kryptonite, LLC, is based out of Pasadena, California. However, it operates under www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, states prices in pound sterling, and referred to UK competitors and Royal Mail. The website did not specifically state its location, though such a disclosure is required under the Distance Selling Directive. Therefore, the FTC inferred that the websites advertised and sold consumer electronics products to consumers in the UK “under the pretext of being located within the UK.”

The websites shipped products from the US to the UK. Customers also had to pay substantial customs duties and import taxes. Some of these products were incompatible with the UK power grid. The websites also stated that the products would be covered under warranty. The products were not designed for distribution in the UK and, therefore, were not covered by warranty. Further, consumers were not allowed to cancel their orders, charged 50% restocking fees, and items were not shipped for weeks.

Finally, the defendants advertised that they self-certified with the Department of Commerce for the EU Safe Harbor when they were not. However, this false statement defies all logic. It does not help the defendants establish that they are a website based in the UK. A corporation must have a US establishment that receives personal information from the EU/EEA before it can certify to the Safe Harbor. Maybe this was the company’s way of stating that it was transferring data to the US. Maybe, the website owner believed that the Safe Harbor deception would make their website more attractive to UK customers. Nonetheless, Balls of Kryptonite is likely subject to this enforcement not due to inadequate legal advice, but lack of legal advice.

Nevertheless, the temporary restraining order resulting from the enforcement action makes an interesting example due to its scope. The TRO enjoins the defendants from misrepresenting “[t]he extent to which Defendants are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.” Thus, the FTC enjoined the defendants from misrepresenting that they are members of any third-party privacy program. In effect, the FTC is recognizing that the health of the Safe Harbor Program is intricately linked to the third-party programs. The Safe Harbor Enforcement Principle requires an independent dispute resolution mechanism that TRUSTe’s EU Safe Harbor Program and BBB EU Safe Harbor offer. However, one could argue that third-party privacy seals programs should enforce their own marks and that the FTC should focus on the Safe Harbor program exclusively.

The enforcement action sets a much-needed precedent for false claims related to the Safe Harbor program. Nevertheless, the majority of the complaint was based on false statements concerning the shipment of goods. The Safe Harbor issue appears to be tacked onto the other issues. The Safe Harbor program has been in existence for nearly a decade and studies by the European Commission in 2004 and others in 2008 have argued that enforcement has been lax. One would hope that, in the future, the FTC would bring section five claims exclusively in the data protection realm in addition to mixed consumer protection claims.

Read More...

FTC Issues Final Breach Notification Rules as Required by the Stimulus Bill

By Mehmet Munur

On August 18, Federal Trade Commission issued the final rules on breach notification as required by the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. The rules will take effect in 30 days from publication in the Federal Register. The FTC will only begin enforcement after 180 days of the publication of the final rules.

The final rules addressed the public comments to the proposed rules, clarified certain issues such as the broad scope of the rules, the application of either the HHS or FTC breach notification rules, notifying individuals by email, notifying the FTC for breaches involving more than 500 individuals, and privacy notices.

FTC received 129 comments related to its notice of proposed rulemaking. Google (see our previous blog post on Google Health) was noticeably absent from the list, while Microsoft (see our previous blog post on HealthVault) commented on several issues including email notices and use of cloud computing storage. Microsoft’s concerns related to cloud computing prompted FTC to require that vendors of PHR and PHR related entities notify their third party service providers of their status as vendors of PHR.

The FTC adopted the definition of personal health record without modification. Under the proposed rules, breach of name and credit card numbers would have triggered a notification. The FTC backed away from that interpretation and now states that name and credit card numbers alone will not constitute personal health record. On the other hand, FTC renewed its statement that de-identified data would not be considered personal health record “[g]iven the small risk that such data will be re-identified by unauthorized third parties.” Such references show FTC’s renewed interest in the identification of individuals using non-personally identifiable information. FTC had previously mentioned the issue in February in the Behavioral Advertising Staff Report.

The FTC confirmed the wide scope of the new breach notification rules. The proposed rule applies to vendors of PHR and PHR related entities “irrespective of any jurisdictional tests in the Federal Trade Commission Act.” Therefore, even if an entity is not covered by the FTC Act, it may fall under the scope of the breach notification. Additionally, the Commission reiterated that “foreign entities with U.S. customers must provide breach notification under U.S. laws.” Similar to the EU Data Protection Directive, the rules appear to apply to the individual’s data regardless of the data’s location.

The FTC agreed with some of the commentators to the proposed rules that some entities would be covered by both the FTC and the HHS rules. Therefore, the FTC “consulted with HHS to harmonize the two rules, within the constraints of the statutory language.” A related issue concerned the provision of a single breach notification for a single breach, though several entities may be involved. The FTC addresses this issue by providing examples of when entities may comply with both the FTC and the HHS requirements to provide notice.


The final rules also addressed privacy notices and, with it, FTC’s recent incursion into privacy enforcement and behavioral advertising. FTC addressed privacy notices because the “final rule provides that a breach of security means acquisition of information without the authorization of the individual.” FTC stated that “an entity’s use of information to enhance individuals’ experience with their PHR would be within the scope of the individuals’ authorization, as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations.” The FTC reiterated its suspicion of lengthy privacy notices, which it originally voiced in the Behavioral Advertising Staff Report, by stating that “the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of “meaningful choice.”” The FTC cited to the recent Sears enforcement to reinforce its seriousness in enforcing the meaningful choice doctrine. There, Sears had buried its data mining activities deep in its privacy policy instead of providing clear and conspicuous notice of the broad scope of its activities. This could be an indication that the FTC may consider data processing without adequate notice as a data breach.

The final rules now make it easier to provide individual notice through email as well. The FTC is persuaded that the relationship between the vendors of PHR, PHR related entities, and consumers take place online, email notice can be used as a default option. Individual’s express affirmative consent to notify by email is no longer necessary. Nevertheless, the consumers must still have a meaningful choice not to receive notice by email. Additionally, the FTC made it clear that no confirmation is required for the receipt of emails, only “reasonable efforts to contact all individuals” is required. EPIC advocated for social media breach notification. The FTC declined to adopt such measure, but stated that the rule did not preclude other forms of notice in addition to the required forms. We are looking forward to public reactions to the first social media breach notification on Twitter, Facebook, or LinkedIn.

Web postings related to breaches on entities’ websites now need not be maintained for 6 months. The FTC shortened the public posting on websites to 90 days. With respect to notifying the FTC of breaches for breaches involving more than 500 people, the FTC increased the time to provide notice to FTC to 10 business days from 5. In addition, entities may use the form created by the FTC to notify the FTC about breaches. Email notification of the FTC is not an option at this time due to security concerns.

While the effective date of the rules were set by the Stimulus Bill and cannot be changed, the FTC stated that it will “will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered” 180 after the publication of the final rules. The HHS should shortly follow with its final rules on the Stimulus Bill.

Read More...

FTC and HHS Issue Proposed Rules on Breach Notification

By Mehmet Munur

Both the Federal Trade Commission and the Department of Health and Human Services issued proposed regulations last week to satisfy their obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was a part of the American Recovery and Reinvestment Act of 2009. The FTC rules address the obligations of non-HIPAA covered entities such as vendors of personal health records and third party service providers, while the HHS rules address the procedures required to secure unprotected health care information. Affected entities should invest in technologies that prevent and detect breaches and also draft and implement policies to notify the appropriate parties when they do occur.

FTC Proposed Regulations:

While the FTC proposed regulations track the HITECH Act in many respects, they differ in others. The definitions of the terms business associate, HIPAA-covered entity, personal health record, PHR identifiable health information, vendor of personal health records, and unsecured stay substantially the same as under the HITECH act. However, the FTC adds more substance around the concepts of third party service providers, presumption for acquisition, notification of senior officials in vendors in a breach, and discovery of data breaches.

While PHR related entities and third party service provider are non-HIPAA covered entities, they are, nevertheless, covered by the HITECH Act’s breach notification provisions enforced by the FTC. Third party service providers include “entities that provide billing or data storage services to vendors of personal health records or PHR related entities.” Such services certainly include the likes of Google Health and Microsoft HealthVault. Both services have been in the spotlight recently. Google Health recently signed up CVS and HealthVault recently announced a partnership with the Mayo clinic.

Due to the difficulty in determining whether access results in acquisition of data, the proposed FTC regulations enhance the definition of breach by adding language that creates a presumption of unauthorized acquisition where unauthorized access has taken place. However, the vendor or the PHR related entity may rebut this presumption where it “has reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of such information.”

The proposed regulations also require entities to notify senior officials in vendors or PHR related entities and to obtain an acknowledgement in the event of a breach. The FTC also prevents entities from ignoring a breach by making inability to reasonably ascertain a breach to be a violation of the regulations. On the other hand, the failure to discover a breach would not constitute a violation of the rules if the organization had strong breach detection measures and still failed to detect it. Therefore, breach detection is almost as important as breach notification under the proposed regulations.

The FTC expects the rules to affect about 900 entities and cost a total of $1 million for 11 breaches per year. The FTC appears to be concerned about some overlap between the FTC and the HHS regulations and is therefore seeking comments on the dual role of certain entities which would bring them under the scrutiny of the both FTC and the HHS. More detail on the proposed rules can be found at the FTC website.

HHS Proposed Regulations:

The regulations proposed by the HHS mainly concern the definition of the term “unsecured” as it modifies “protected health information” under the HITECH Act. This term is crucial as notification is not necessary if the protected health information is secured.

If the Secretary had not issued timely guidance, the term “unsecured protected health information” would have meant “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute (ANSI).” Now that the HHS has proposed these regulations, protected health information will be secured if it is encrypted or destroyed. However, such encryption and destruction will have to abide by the strict requirements of National Institute of Standards and Technology Special Publications on encrypting and destroying data.

The HHS relies on the existing HIPAA Security Rule for encryption and requires “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” where the keys for decryption have not been breached. However, as a new measure, the HHS issued an exhaustive list of NIST publications for encrypting data at rest and for encrypting data in motion. For example, NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, recommends that travelling laptops should be secured using full-disk encryption and pre-boot authentication. HHS also requires that electronic media be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, which requires that magnetic hard drives be purged using “Secure Erase” or degaussing, making them inoperable. The HHS is seeking public comments on the adequacy of some of these methods. More detail about the HHS proposed rules can be found at the HHS website.

The comment period for both sets of regulations will last until June and the agencies should issue interim final rules by August, which may result in changes to the proposed regulations. In addition, Congress may create a federal breach notification law after it receives the joint FTC-HHS report on the entities the HITECH Act regulates. Nevertheless, both HIPAA covered entities and non-HIPAA covered entities should invest in technologies and policies to prevent data breaches that may affect their bottom lines through breach notification costs, regulatory fines, and tarnished brands.

Read More...