FTC Beat
Posts Tagged ‘Privacy Policy’
Nov 10
2016

How The FTC Guides Businesses Through Data Breaches

71852715_thumbnail

The Federal Trade Commission (“FTC”) recently released a data breach guide for businesses, along with a video and blog to help companies following the immediate aftermath of a data breach.  The FTC also provides a model data breach letter to notify individuals of a breach.  The agency – which views itself as the nation’s primary “privacy police” has faced scrutiny from private parties and courts for allegedly enforcing privacy and data security standards without promulgating specific rules. The agency instead favors outreach efforts, such its blogs, guides and roundtables to educate industry and the public regarding what it views as best practices.

In this vein, the Guide and the model letter are not a “safe harbor” but offer suggestions on important steps that organizations can follow once they discover data breaches.  The FTC emphasizes that the Guide does not pertain to the actual protection of personal information or prevention of breaches, because the agency has already issued separate guidance documents on those subjects.  In fact, the FTC also recently updated its guide on protecting personal information.

Following a data breach, the Guide suggests key steps organizations can take, which include:

  • Mobilizing the company’s breach response team to prevent further data loss – the team may include legal, information security, IT, human resources, communications, investor relations, and management; companies may consider hiring an independent forensics team;
  • Securing physical areas – lock any physical areas affected by a breach; consider changing access codes;
  • Taking affected equipment offline immediately – monitor all entry and exit points, and update authorized users’ credentials and passwords;
  • Removing improperly posted information from the company’s website, for instance in a situation where personal information affected by the breach is posted on the company’s website. The FTC also advises companies to search the Internet to see if breached information has been posted on other websites and to contact the owners of those websites;
  • Protecting evidence – the FTC reminds companies to retain forensic evidence (e. do not destroy it);
  • Documenting the investigation, including interviewing people who discovered the breach and making sure employees (such as customer service representatives) know where to forward information that might assist the company in its investigation;
  • Examining service provider relationships, to determine if providers have access to personal information and whether provider access privileges should be changed;
  • Determining whether data was encrypted at the time of the breach (note: encryption may obviate the need for data breach reporting in many states);
  • Implementing a communications plan that explains the data breach to employees, customers, investors, partners, and others such as the press. The FTC recommends “plain English” answers on a company’s website;
  • Following legal requirements – such as state data breach notifications and notifying law enforcement;
  • Offering at least a year of free credit monitoring – while not required, free monitoring has become standard and most regulators and consumers expect to see the offer in data breach notifications.

As to data breach notification letters, in addition to following the requirements of state laws, the FTC urges companies to advise people what steps they can take, based on the information exposed.  When a breach compromises social security numbers, individuals should be directed to contact the credit bureaus to request fraud alerts or credit freezes.  Since some scammers pounce on data breach victims, the FTC counsels organizations to tell consumers how they will be contacted going forward.  For instance, if the company will never contact individuals by phone, the company should tell consumers that – so individuals can detect telephonic phishing schemes.

The FTC encourages businesses to use the Guide and its accompanying materials to educate employees and customers, such as through newsletters and websites.  However, when facing an enforcement action or a lawsuit, will a company’s compliance with the Guide offer any relief from FTC or state Attorney General penalties or assist organizations in their defense in private data breach lawsuits?  Ultimately, the crux of breach liability usually relates to how it occurred, but taking swift, corrective actions following a breach should aid an organization when dealing with regulators and third parties by showing good faith actions to prevent further damages. Conversely, a company that fails to take corrective actions can exacerbate a breach and further negatively impact affected individuals and the organization.

The FTC’s Guide and accompanying materials are helpful references, particularly for smaller businesses.  As a practical matter, the words of advice I give companies facing a possible data breach is to first, take the time to determine what happened, how it happened, whether the breach continues, and what you can do to prevent it in the future.  While several states require reporting within a set number of days (e.g., 45), the laws allow organizations time to conduct factual inquiries, take corrective measures, and prepare to notify affected individuals.  Organizations should not rush through these key steps.  Second, communication is key.  A company facing a breach should develop a clear, consistent statement regarding the breach, the steps being taken and a single contact point.  The lack of a communication plan or a consistent message can cause a huge loss of customer and employee confidence and raise regulators’ interest.  Third, when preparing data breach notifications, organizations should note that it is likely that the letter will become public due to some states’ open records laws.  Numerous websites exist that track and publicize data breaches, based upon information in the notifications – often including copies of the actual letters.  Companies should not assume that regulators and consumers simply file the letters away.  While your organization cannot prevent the publicity, having a clear, concise data breach notification that meets each state’s requirements without providing excess data will help the company through the process and associated publicity.

May 26
2015

Keeping Your Privacy Promises: Retail Tracking and Opt-Out Choices

No time for talking. Cropped image of beautiful young woman in pink dress holding shopping bags and mobile phone

As children, many of us were taught how important it is to “keep your word.” Similarly, it is black letter privacy law that if a company commits (for instance, in a privacy policy or in website statements) to certain actions or practices, such as maintaining certain security features or implementing consumers’ choices on opt-outs, the organization must abide by those practices. Many companies have faced the Federal Trade Commission’s (“FTC”) ire when the agency found the organizations’ practices failed to comport with their privacy promises. Recently, the FTC settled the first action against a retail tracking company, Nomi Technologies, Inc. (“Nomi”). The FTC alleged that Nomi mislead consumers with promises that it would provide an in-store mechanism for consumers to opt-out of tracking and that consumers would be informed when locations were utilizing Nomi’s tracking services. In fact, according to the FTC, Nomi did not provide an in-store opt-out and did not inform consumers of locations where the tracking services were used. This action signals that the FTC will continue to exert its jurisdiction over privacy practices it deems false or deceptive, including those occurring in emerging technologies like retail tracking.

The FTC’s complaint stated that Nomi’s technology (called its “Listen” service) allows retailers to track consumers’ movements through stores. The company places sensors in its clients’ stores, which collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. While Nomi “hashes” the MAC addresses prior to storage in order to hide the specific MAC addresses, the process results in identifiers unique to consumers’ mobile devices which can be tracked over time. Nomi provided its retail clients with aggregated information, such as how long consumers stayed in the store, the types of devices used by consumers, and how many customers had visited a different location in a chain of stores. Between January and September 2013, Nomi collected information on approximately 9 million mobile devices, according to the FTC’s complaint.

What Nomi did wrong, according to the FTC, was fail to honor its privacy policy which “pledged to…always allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.” Nomi presented an opt-out on its website, but (per the complaint), no option was available at retailers using Nomi’s service. The FTC also asserted that consumers were not informed of the tracking (contrary to the privacy policy promises). Thus, the FTC alleged that Nomi’s privacy promises were false because no in-store opt-out mechanism was available, nor were consumers informed when the tracking occurred.

Nomi’s settlement does not require any monetary payment but prohibits Nomi from misrepresenting the options through which consumers can exercise control over the collection, use, disclosure or sharing of information collected from or about them or their devices. The settlement also bars Nomi from misrepresenting the extent to which consumers will be provided notice about how data from or about a particular consumer or device is collected, used, disclosed or shared. Nomi is required to maintain certain supporting records for five years. As is typical with FTC consent orders, this agreement remains in force for 20 years.

What can companies learn from Nomi’s settlement, even those not in the retail tracking business?

  • While this is the first FTC action against a retail tracking company, the FTC has repeatedly stated that it will enforce the FTC Act and other laws under its jurisdiction against emerging as well as traditional technologies.
  • Consumers could opt-out on Nomi’s website by providing a MAC address in an online form. The FTC did not seem to have a problem with this part of Nomi’s practices. If Nomi had not promised that consumers could also opt-out at the retail locations, and that they would be notified of tracking, there would not have been an FTC action. In other words, it was Nomi’s words (in its privacy policy) that got it in hot water with the FTC. All companies should review their privacy policies regularly to make sure the language comports with their practices.  If you don’t do it, don’t say it.
  • The FTC noted that Nomi had about 45 clients. Most of those clients did not post a disclosure or notify consumers regarding their use of the Listen service, and Nomi did not mandate such disclosures by its clients. The FTC did not address what, if any, obligation, these businesses may have to make such disclosures. Will it become common/mandated to see a sign in a retail location warning that retail tracking via mobile phones is occurring (similar to signs about video surveillance)? One industry group’s self-regulatory policy requires retail analytics firms to take “reasonable steps to require that companies using their technology display, in a conspicuous location, signage that informs consumers about the collection and use of MLA [mobile location analytics] Data at that location.” This issue will become more prevalent as more retailers and other businesses use tracking technology.
  • Interestingly, the FTC brought this action even though traditional “personal information” was not collected (such as name, address, social security number, etc.). Organizations should not assume that collecting IP addresses, MAC addresses, or other less personalized information presents no issues. The FTC takes privacy statements seriously, whatever the information collected (though certainly there is more sensitivity toward certain categories such as health, financial, and children’s information).

The bottom line is “do what you say” when it comes to privacy practices. All companies should evaluate their privacy policies at least every six months to ensure that they remain accurate and complete, have working links (if any), and reflect a company’s current practices.

posted in:
Privacy
Jan 28
2015

International Data Privacy Day: Our Top 10 Data Privacy Tips

iStock_000052810800_Large

It’s International Data Privacy Day!  Every year on January 28, the United States, Canada and 27 countries of the European Union celebrate Data Privacy Day.  This day is designed to raise awareness of and generate discussion about data privacy rights and practices.  Indeed, each day new reports surface about serious data breaches, data practice concerns, and calls for legislation.  How can businesses manage data privacy expectations and risk amid this swirl of activity?

Here, we share some tips from our firm’s practice and some recent FTC guidance.  We don’t have a cake to celebrate International Data Privacy Day but we do have our “Top 10 Data Privacy Tips”:

1. Review Your Organization’s Privacy Policy. Remember that privacy policy you had counsel prepare a few years ago?  It’s a good time to review it and assess whether it still reflects company practices.  What kind of personal information does your company collect? How does it move through your business?  How is it shared?  Has your organization’s policy on sharing personal information changed?  Does the privacy policy reflect legal changes in the states where you operate?  Privacy policies are not meant to be stagnant documents.  You should review them at least twice a year to ensure they are accurate. Even something as simple as the privacy officer’s contact information may need an update.

2. Do What You Say.  When you post a privacy policy, you are committing to the practices in the policy.  If your policy says “we will never share your information with third party marketers” – then you shouldn’t be sharing with third party marketers.  Common sense?  Yes, but companies have faced enforcement actions and litigation for pledging to “never share” when they did share.  Other companies like Snapchat settled with the FTC over statements in their privacy policies concerning how their apps operate and secure information that the FTC claimed were not true. Privacy policies should carve out disclosures for sharing information where sharing is likely to take place, such as in response to legal process, like a court order.  We also recommend a carve out in the event of a sale or reorganization of the business or of its assets. Other carve-outs may be warranted.

3. Ensure Your U.S.-E.U. Safe Harbor Is Up-to-Date. Last year, the FTC took action against several companies, including the Atlanta Falcons and Level 3 Communications, for stating in their privacy policies that they were U.S.-E.U. Safe Harbor Certified by the U.S. Department of Commerce when, in fact, the companies had failed to keep their certification current by reaffirming their compliance annually. While your organization is not required to participate in Safe Harbor, don’t say you are Safe Harbor Certified if you haven’t filed with the U.S. Department of Commerce. And, remember that your company needs to reaffirm compliance annually, including payment of a fee.  You can check your company’s status here.

4. Understand Your Internal Risks. We’ve said this before – while malicious breaches are certainly out there, a significant percentage of breaches (around 30 percent, according to one recent study) occurs due to accidents or malicious acts by employees.  These acts include lack of firewalls, lack of encryption on devices (such as laptops and flash drives), and failing to change authentications when employees leave or are terminated.  Many data breaches are While you are at it, review who has access to confidential information and whether proper restrictions are in place.

5. Educate Your Workforce. While today is International Data Privacy Day, your organization should educate your workforce on privacy issues throughout the year. Depending on the size of the company and the type of information handled (for instance, highly sensitive health information versus standard personal contact details), education efforts may vary. You should review practices like the confidentiality of passwords, creating a secure password and changing it frequently, and avoiding downloading personal or company sensitive information in unsecured forms.  Just last week, a security firm reported that the most popular passwords for 2014 were “123456” and “password.”  At a minimum, these easily guessed passwords should not be allowed in your system.

6. Understand Specific Requirements of Your Industry/Customers/ Jurisdiction. Do you have information on Massachusetts residents?  Massachusetts requires that your company have a Written Information Security Program.  Does your company collect personal information from kids under 13?  The organization must comply with the federal Children’s Online Privacy Protection Act and the FTC’s rules.  The FTC has taken many actions against companies deemed to be collecting children’s information without properly seeking prior express parental consent.

7. Maintain a Data Breach Response Plan. If there were a potential data breach, who would get called?  Legal?  IT?  Human Resources?  Public relations?  Yes, likely all of these. The best defense is a good offense – plan ahead.  Representatives from in-house and outside counsel, IT/IS, human resources, and your communications department should be part of this plan. State data breach notification laws require prompt reporting. Some companies have faced lawsuits for alleged “slow” response times.  If there is potential breach, your company needs to gather resources, investigate, and if required, disclose the breach to governmental authorities, affected individuals, credit reporting agencies, etc.

8. Consider Contractual Obligations. Before your company commits to data security obligations in contracts, ensure that a knowledgeable party, such as in-house or outside counsel, reviews these commitments.  If there is a breach of a contracting party’s information, assess the contractual requirements in addition to those under data breach notification laws. The laws generally require notice to be given promptly when a company’s data is compromised while under the “care” of another company. On the flip side, consider the service providers your company uses and what type of access the providers have to sensitive data. You should require service providers to adhere to reasonable security standards, with more stringent requirements if they handle sensitive data.

9. Review Insurance Coverage. While smaller businesses may think “we’re not Target” and don’t need cyber insurance, that’s a false assumption. In fact, smaller businesses usually have less sophisticated protections and can be more vulnerable to hackers and employee negligence.  Data breaches – requiring investigations, hiring of outside experts such as forensics, paying for credit monitoring, and potential loss of goodwill – can be expensive. Carriers are offering policies that do not break the bank. Cyber insurance is definitely worth exploring.  If you believe you have coverage for a data incident, your company should promptly notify the carrier. Notice should be part of the data breach response plan.

10. Remember the Basics! Many organizations have faced the wrath of the FTC, state attorneys general or private litigants because the companies or its employees failed to follow basic data security procedures. The FTC has settled 53 data security law enforcement actions. Many involve the failure to take common sense steps with data, such as transmitting sensitive data without encryption, or leaving documents with personal information in a dumpster. Every company must have plans to secure physical and electronic information. The FTC looks at whether a company’s practices are “reasonable and appropriate in light of the sensitivity and amount of consumer information you have, the size and complexity of your business, and the availability and cost of tools to improve security and reduce vulnerabilities.” If the FTC calls, you want to have a solid explanation of what you did right, not be searching for answers, or offering excuses.  Additional information on the FTC’s guidance can be found here.

*                            *                            *

 Remember, while it may be International Data Privacy Day, data privacy isn’t a one day event. Privacy practices must be reviewed and updated regularly to protect data as well as enable your company to act swiftly and responsively in the event of a data breach incident.

Connect with Us Share

About Ifrah Law

FTC Beat is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, health care, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen and George Calhoun, counsels Jeff Hamlin and Drew Barnholtz, and associates Rachel Hirsch, Nicole Kardell, Steven Eichorn, David Yellin, and Jessica Feil. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website

Popular Posts