Archive for February, 2012

ID Theft Consumer Complaints to FTC Declining

Posted by fgilbert on February 28th, 2012

The Federal Trade Commission annual report on complaints filed by consumers, released on February 28, 2012, provides a list of the top consumer complaints received by the agency in 2011. For the 12th year in a row, identity theft complaints topped the list.

Of more than 1.8 million complaints filed in 2011, 279,156, or 15 percent, were identity theft complaints. Over the past three years, however, the share of complaints attributed to identity theft has declined significantly, from 20 percent in 2009 to 15 percent in 2011.

The report also indicates that the share of identity theft complaints involving credit card fraud has declined by 3 percentage points since 2009, from 17 percent in 2009 to 14 percent in 2011. Despite their shortcomings, the security breach disclosure laws appear to have contributed to raising companies’ and consumers’ awareness, and to identifying security incidents faster and more easily. As a result, credit card issuers have been in a better position to promptly block stolen cards or card numbers.

On the other hand, the share of identity theft complaints involving tax- or wage-related fraud has nearly doubled since 2009, jumping from 12.7 percent to 24.1 percent in 2011. This area clearly needs more attention, and proper measures need to be identified to reduce this type of fraud.

Complaint Category                                  Number     Percent
Identity Theft                                     279,156     15
Debt Collection                                    180,928     10
Prizes, Sweepstakes, and Lotteries                 100,208      6
Shop-at-Home and Catalog Sales                      98,306      5
Banks and Lenders                                   89,341      5
Internet Services                                   81,805      5
Auto Related Complaints                             77,435      4
Imposter Scams                                      73,281      4
Telephone and Mobile Services                       70,024      4
Advance-Fee Loans and Credit Protection/Repair      47,414      3

The 103-page Report breaks out complaint data on a state-by-state basis and lists the 50 metropolitan areas with the highest per capita incidence of fraud and other complaints. Computed per capita, Florida, Georgia, and California had the highest rates of identity theft complaints, while Maine, North Dakota, and South Dakota had the lowest.

White House Unveils Consumer Privacy Bill of Rights

Posted by fgilbert on February 22nd, 2012

On February 23, 2012, the White House unveiled its proposal for a Consumer Privacy Bill of Rights as part of its Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. The Framework consists of four key elements: a Consumer Privacy Bill of Rights; a stakeholder-driven process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts; strong enforcement by the Federal Trade Commission; and a commitment to increase interoperability between the US privacy framework and those of the international partners of the United States.

Overview

The Consumer Privacy Bill of Rights is intended to provide a baseline of clear protections for consumers online and greater certainty for companies. The Administration indicates that it will encourage stakeholders to implement the Consumer Privacy Bill of Rights through codes of conduct and will support Federal legislation that adopts the principles of the Consumer Privacy Bill of Rights.

Broad Definition of “Personal Data”

The proposed Consumer Privacy Bill of Rights defines “personal data” as any data or aggregations of data that are linkable to a specific individual, a definition that is very similar to that which is used by the European Union Data Protection Directive and the proposed EU Data Protection Regulation. “Personal data” may also include data that are linked to a specific computer or other device.

Seven Principles

The Consumer Privacy Bill of Rights is a comprehensive statement of the rights that consumers should expect, and the obligations to which companies should commit.  It applies the well-known Fair Information Practice Principles (FIPPs) to today’s interactive and highly interconnected environment. Seven fundamental rights for consumers are identified:

  • Individual Control: Control over what personal data companies collect and how they use the data.
  • Transparency: Easily understandable and accessible information about privacy and security practices.
  • Respect for Context: Collection, use, and disclosure of personal data in a manner that is consistent with the context in which consumers provide the data.
  • Security: Secure and responsible handling of personal data.
  • Access and Accuracy: Right to access and correction of personal data.
  • Focused Collection: Limitation on the collection and retention of personal data.
  • Accountability: Use of appropriate measures to assure adherence to the Consumer Privacy Bill of Rights.

Next Steps and Other Key Concepts

In addition to the Consumer Privacy Bill of Rights, the White House Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy identifies three key objectives:

  • Fostering Multi-stakeholder Processes to Develop Enforceable Codes of Conduct

The Framework outlines a process to produce enforceable codes of conduct that implement the Consumer Privacy Bill of Rights. The Commerce Department’s National Telecommunications and Information Administration (NTIA) will convene industry, privacy advocates, and other stakeholders in open processes to develop enforceable codes of conduct that implement the Consumer Privacy Bill of Rights for specific industry sectors.

The Administration will also work with Congress to enact comprehensive privacy legislation based on the rights outlined in the Consumer Privacy Bill of Rights, in order to promote trust in the digital economy and extend baseline privacy protections to commercial sectors that existing federal privacy laws do not cover.

  • Strengthening FTC and State AG Enforcement

The Administration encourages Congress to provide the FTC and State Attorneys General with specific authority to enforce the Consumer Privacy Bill of Rights.

  • Improving Global Interoperability

The Administration is aware that US companies doing business on the global Internet depend on the free flow of information across borders. To this end, the Framework lays the groundwork for increasing interoperability between the US data privacy framework and those of its global trading partners, as a means to provide consistent, low-barrier rules for personal data in the user-driven and decentralized Internet environment. Two key principles are promoted: mutual recognition and enforcement cooperation.

Scope of the Bill of Rights too Narrow to Meet Other Countries’ Laws

If the Consumer Privacy Bill of Rights and the ideas outlined in the Framework are implemented, US companies will have clearer guidelines on how they should handle personal data online. However, the scope of the document is too narrow to provide uniform protection to all types of personal data, whether or not they are collected as part of an online consumer relationship.

While this document – and the proposed implementation – may solve some of the issues associated with the collection of consumer information online, it is not clear how it would apply to other forms of collection or use of personal information. For example, it is likely that personal information collected or used in the context of employment would not be covered. It is also not clear whether the rules would cover information collected in connection with business-to-business relationships, such as when a company collects the personal information of prospective customers’ employees in its CRM systems.

Thus, while the proposed seven principles would create a data protection framework that is a little closer to that which is in effect in more than 60 countries on all continents, a substantial gap would still remain between the US regime and the data protection laws elsewhere unless personal information collected as part of employment or as part of a business relationship is also covered by a clear set of data protection principles.


Full Text of Consumer Privacy Bill of Rights

The full text of the Consumer Privacy Bill of Rights follows:

The Consumer Privacy Bill of Rights applies to personal data, which means any data, including aggregations of data, which is linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device. The Administration supports Federal legislation that adopts the principles of the Consumer Privacy Bill of Rights. Even without legislation, the Administration will convene multistakeholder processes that use these rights as a template for codes of conduct that are enforceable by the Federal Trade Commission. These elements—the Consumer Privacy Bill of Rights, codes of conduct, and strong enforcement—will increase interoperability between the U.S. consumer data privacy framework and those of our international partners.

1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  • Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data.
  • Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data.
  • Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure.
  • Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control, companies should provide clear descriptions of:

  • What personal data they collect,
  • Why they need the data,
  • How they will use it,
  • When they will delete the data or de-identify it from consumers, and
  • Whether and for what purposes they may share personal data with third parties.
3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise.
  • If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection.
  • If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice.
  • Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.

4. Security: Consumers have a right to secure and responsible handling of personal data.

Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.

5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  • Companies should use reasonable measures to ensure they maintain accurate personal data.
  • Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation.
  • Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press.
  • In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.

6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

  • Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle.
  • Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
  • Companies should be accountable to enforcement authorities and consumers for adhering to these principles.
  • Companies also should hold employees responsible for adhering to these principles.
  • To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard.
  • Where appropriate, companies should conduct full audits.
  • Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.


New Regime for Mobile Apps

Posted by fgilbert on February 22nd, 2012
The California Attorney General has unveiled a recent agreement with the largest mobile app platform providers, including Google, Hewlett-Packard, and Research in Motion/BlackBerry, in which these providers have committed to ensure that mobile app purchasers have access to a clear, conspicuous privacy policy before they download an app from their app stores.

The agreement is available at: http://oag.ca.gov/news/press_release?id=2630

FTC issues Report on Kids Privacy & Mobile Apps

Posted by fgilbert on February 16th, 2012

On February 16, 2012, the FTC released a new Report on Privacy issues in Mobile Apps. There are good lessons to be drawn from the document, both for mobile apps developers and for companies that operate websites. What is true for mobile apps is generally also true for websites.

Among other things, the report recommends:

  • Everyone – stores, developers and third parties providing services – should play an active role in providing key information to parents.
  • Information about data practices should be provided in simple and short disclosures.
  • It should be clear whether the app connects with social media.
  • It should be clear whether it contains ads.
  • Third parties that collect data also should disclose their privacy practices.
  • App stores also should take responsibility for ensuring that parents have basic information.

The full report is available at: http://www.ftc.gov/opa/2012/02/mobileapps_kids.shtm


Teleconference on Proposed EU Regulation

Posted by fgilbert on February 10th, 2012
On Tuesday, February 14, 2012, at 12:30pm PST, the State Bar of California will host a teleconference where I will analyze and comment on the Proposal to Overhaul Data Protection in the European Union (unveiled on January 25, 2012). Everyone is welcome to attend the conference call at no cost.

The phone number to use is:  1-866-548-4705  Participant code:  882704

If you cannot attend and wish to read about the proposed draft EU Data Protection Regulation (published on January 25, 2012), I have written extensively on the topic. Feel free to download my articles:

Short overview of the proposed legislative texts:

More on the draft EU Regulation on my blog:

Don’t forget the March 1, 2012 Deadline for Compliance with the Massachusetts Security Regulation 201 CMR 17.00

Posted by fgilbert on February 7th, 2012

Businesses that receive, maintain, process, or have access to personal information of Massachusetts residents are required to comply with the Massachusetts Security Regulation, 201 CMR 17.00. The Regulation requires businesses to implement and comply with a comprehensive Written Information Security Program, or WISP, in order to protect certain categories of personal information about employees, customers, prospects, business contacts, and other third parties.

A first implementation deadline of March 1, 2010 required all businesses subject to the Regulation to adopt WISPs for their own operations. The Regulation contains a second deadline. By March 1, 2012, covered businesses must have updated all service provider contracts that were entered into before March 1, 2010, so that these service providers are also contractually required to implement and maintain appropriate security measures to protect this personal information. Thus, by March 1, 2012, companies that are subject to the Massachusetts Regulation must be fully compliant, both with respect to their own operations and with respect to their contracts and interactions with their service providers.

Highlights of the Regulation are provided below.

Only certain categories of personal information are covered. The requirement applies only to the protection of a person’s first and last name (or first initial and last name) combined with any of the following:

  • Social Security number
  • Driver’s license number
  • State-issued ID card number
  • Financial account (such as bank account, insurance account)
  • Credit or debit card number

The Regulation requires a business that owns or licenses this protected personal information in paper or electronic form to develop, implement, and maintain a comprehensive written information security program. Companies that fail to implement such a program may be subject to a $5,000 civil penalty for each violation.

The requirements include, among other things:

  • Designating one or more employees to maintain the comprehensive information security program;
  • Development and implementation of a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the size, scope, and type of business;
  • Special security measures for computer systems and wireless systems;
  • Secure user authentication and access controls;
  • Encryption of all records and files containing personal information that will travel across public networks or are transmitted wirelessly, and of all personal information stored on laptops or other portable devices;
  • Use of reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions;
  • Security monitoring and intrusion detection;
  • Ongoing monitoring of the company’s compliance with the information security program;
  • Ongoing employee training;
  • Use of reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the Regulation and any applicable federal regulations;
  • Written contracts with these service providers;
  • Reviewing the scope of the information security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

For a detailed analysis of the Massachusetts Security Regulation 201 CMR 17.00, click here.