FTC: Anatomy of a Data Security/Privacy Investigation and the Future of Privacy
John Jay College of Criminal Justice
Center for Cybercrime Studies
November 10, 2011
Kristin Krause Cohen, Staff Attorney
Division of Privacy and Identity Protection
Federal Trade Commission
Disclaimer
The views expressed in this presentation are mine and are not necessarily those of the Commission or any individual Commissioner.
Meet the Federal Trade Commission
Nation’s only general jurisdiction consumer protection agency
~1,100 lawyers and staff members in Washington and 7 regional offices
Federal jurisdiction in the areas of antitrust and consumer protection
Three bureaus: Competition, Economics, Consumer Protection
Agenda for Today
How the FTC’s Data Security Program Has Evolved
The FTC Privacy Report
Recent Privacy Enforcement Actions
New Areas
Legal Standards
Relevant laws governing data security and privacy:
Fair Credit Reporting Act (FCRA) – Disposal Rule
Federal Trade Commission Act (FTC Act)
Other federal laws (HIPAA, DPPA, FERPA)
State laws
Anatomy of an FTC Investigation
Finding cases
Pre-search
Civil Investigative Demand or access letter
Analyzing the facts
Litigation or consent negotiation (or closing letter)
Compliance and monitoring
Perspective
FTC data security enforcement has become more granular
The enforcement actions carry specific lessons for businesses, including those in the health industry
FTC’s definition of what is unfair or unreasonable will help to inform evaluation of privacy and security practices in other contexts.
Four Points that Guide the FTC’s Information Security Enforcement
Information security is an ongoing process.
A company’s security procedures must be reasonable and appropriate in light of the circumstances.
A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security.
A company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach.
The Early Years
The FTC’s early privacy and data security enforcement is characterized by targeting companies that engaged in practices contrary to their published privacy policies
Geocities (1999) (first Internet privacy case) and Gateway (2004)
The FTC alleged the companies used personal information in a manner contrary to promises made to consumers.
The orders required Geocities to notify members and allow their information to be deleted, and prohibited Gateway from sharing personal information obtained under its original privacy policy without express consent.
False Representations About Data Security and FTC Enforcement
Common Vulnerabilities: Petco
Petco (2005)
The FTC alleged that Petco falsely represented that personal information it obtained from consumers was maintained in an encrypted format.
In fact, Petco’s website and web application were vulnerable to commonly known or reasonably foreseeable attacks.
The order against Petco prohibited misrepresentations and required it to implement a comprehensive information security plan and obtain independent assessments of the plan.
FTC use of “unfairness” prong of Section 5
Duty to protect data implied in requirement not to engage in unfair practices
Multiple Risks: BJ’s
FTC alleged BJ’s engaged in an unfair practice by “failing to employ reasonable and appropriate security measures to protect personal information. . . .”
Specifically, the FTC alleged BJ’s did not employ reasonable and appropriate measures to secure personal information. Among other things, it:
did not encrypt information while in transit or when stored
stored information in files that could be accessed using a commonly known default user ID and password
did not use readily available security measures to limit access to its networks through wireless access points on the networks
did not employ sufficient measures to detect unauthorized access or conduct security investigations
stored information for up to 30 days when it no longer had a business need to keep the information
Peer-to-Peer Application Warning Letters
The FTC notified almost 100 organizations that files containing PII had been shared from their computer networks onto P2P networks
The FTC simultaneously released business education on the risks associated with P2P
A Dartmouth study found thousands of documents with sensitive patient information on P2P networks
Social Networking: Twitter
Twitter (2010)
The FTC alleged Twitter failed to require strong administrative passwords, store administrative passwords securely, require periodic password changes, or suspend accounts after repeated login failures
As a result, consumers’ non-public tweets were revealed and unauthorized tweets were sent from their accounts
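The four administrative-login controls listed above, as an added example in Python (not Twitter’s or the FTC’s code): a small login handler that enforces a password-strength policy, keeps only salted PBKDF2 hashes rather than plaintext, forces a periodic change, and suspends an account after repeated failures. The thresholds (14 characters, five failures, a 30-minute suspension, 90-day rotation) and the names AdminAuth, password_is_strong and hash_password are assumptions chosen for illustration.

```python
"""Administrative-login controls of the kind the Twitter order addressed.

Added example, not Twitter's or the FTC's code. The thresholds and the
names (AdminAuth, MAX_FAILED_LOGINS, MAX_PASSWORD_AGE, ...) are assumptions
chosen for illustration.
"""
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 14                  # assumption: minimum admin password length
MAX_FAILED_LOGINS = 5            # assumption: suspend after 5 consecutive failures
LOCKOUT_SECONDS = 30 * 60        # assumption: 30-minute suspension
MAX_PASSWORD_AGE = 90 * 86_400   # assumption: force a change after 90 days
PBKDF2_ITERATIONS = 100_000      # lowered for the demo; use a higher work factor in production


def password_is_strong(pw):
    """Reject short or low-diversity passwords: at least MIN_LENGTH characters
    drawn from at least three of the four character classes."""
    if len(pw) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, pw)) >= 3


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the credential store never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AdminAuth:
    def __init__(self):
        self.users = {}         # username -> {"salt", "digest", "set_at"}
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> epoch seconds until which logins are refused

    def register(self, username, pw, now=None):
        """Create or rotate an admin credential; False if the password fails policy."""
        if not password_is_strong(pw):
            return False
        salt, digest = hash_password(pw)
        self.users[username] = {"salt": salt, "digest": digest,
                                "set_at": time.time() if now is None else now}
        self.failures[username] = 0
        self.locked_until.pop(username, None)
        return True

    def login(self, username, pw, now=None):
        """Returns "ok", "invalid", "locked" or "expired"."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None:
            return "invalid"
        if now < self.locked_until.get(username, 0):
            return "locked"                       # account suspended after repeated failures
        _, candidate = hash_password(pw, record["salt"])
        if not hmac.compare_digest(candidate, record["digest"]):
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.failures[username] >= MAX_FAILED_LOGINS:
                self.locked_until[username] = now + LOCKOUT_SECONDS
                self.failures[username] = 0
                return "locked"
            return "invalid"
        self.failures[username] = 0
        if now - record["set_at"] > MAX_PASSWORD_AGE:
            return "expired"                      # periodic password change required
        return "ok"


if __name__ == "__main__":
    auth = AdminAuth()
    print(auth.register("admin", "password", now=0))                 # rejected by policy
    print(auth.register("admin", "Correct-Horse-Battery-9", now=0))  # accepted
    for _ in range(MAX_FAILED_LOGINS):
        print(auth.login("admin", "wrong-guess", now=10))
    print(auth.login("admin", "Correct-Horse-Battery-9", now=20))    # still suspended
```

The suspension is keyed on the account rather than the client address, which is the failure mode alleged here (password guessing against one administrative account). Scheduled rotation was part of the 2010 order; current guidance (NIST SP 800-63B) favors changing passwords on evidence of compromise rather than on a fixed schedule, so treat MAX_PASSWORD_AGE as a policy knob, not a fixed recommendation.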
Employee Data: Ceridian/Lookout Services
Ceridian/Lookout Services (2011)
The FTC alleged the companies failed to use reasonable and appropriate security to protect the personal information of their clients’ employees
Ceridian is a payroll processor; Lookout Services helped employers comply with immigration laws
Privacy Roundtables
Three public roundtables to explore privacy in light of new technologies, including social media
Significant public participation: 200 participants reflecting a range of perspectives
Transcripts and comments on FTC’s website
Roundtable Themes
Increased collection and use of consumer data
Lack of understanding and informed consent
Consumers are interested in privacy
Benefits of data collection and use
Decreasing relevance of PII/non-PII distinction
Privacy Report – Proposed Framework
Companies Should “Bake in” Privacy
Employ reasonable safeguards to protect data
Limit collection and length of retention
Procedures to promote data accuracy
Implement internal privacy programs
Simplified Privacy Choices
Carve out commonly accepted business practices (fraud prevention, fulfillment)
All other practices should have a simple choice at the relevant time and context
Improve Transparency
Improving and standardizing privacy disclosures to compare across businesses
Tiered access to consumer data that companies maintain
Consumer education
Behavioral Advertising
Industry has made some progress in developing and implementing tools to allow consumers to control the collection and use of their online browsing data.
Privacy report included a recommendation to implement a universal choice mechanism for behavioral tracking, including behavioral advertising.
Do Not Track – 5 Issues to Consider
Any system should be implemented universally, so consumers do not have to opt out as they go from site to site
The choice mechanism should be easy to find, easy to understand, and easy to use
Any choices offered should be persistent and should not be deleted
Any system should be effective and enforceable
Any system should let consumers opt out of being tracked through any means and not permit technical loopholes
Recent FTC Privacy Enforcement
Google Buzz
The FTC alleged Google did not adequately disclose to Gmail users that signing up for Buzz meant the identity of their frequent email correspondents would be made public, or that they would be enrolled in some Buzz features even if they chose not to sign up.
First FTC settlement to require a company to adopt a comprehensive privacy program.
Recent FTC Privacy Enforcement
Chitika
Online advertising company tracked consumers’ online activities even after they chose to opt out of online tracking
Unbeknownst to consumers, the opt-out cookie only lasted for 10 days
The FTC alleged that Chitika’s claims about its opt-out mechanism were deceptive
ScanScout
Online behavioral advertising company deceptively claimed to users that they could opt out of receiving targeted ads by changing their browser settings
In truth, the company used Flash cookies for tracking, which browser settings could not block
The order requires the company to adopt a user-friendly mechanism that allows consumers to opt out of being tracked
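The two failure modes above, and the Do Not Track points that choices must persist and that a system must not permit technical loopholes, as an added example in Python (not Chitika’s, ScanScout’s or the FTC’s code): a constructed browser with an HTTP cookie jar and a separate Flash local-storage area, and an ad server whose flags select either the alleged behavior (a 10-day opt-out cookie; a user ID respawned from Flash storage that cookie settings never touch) or the corrected behavior (a long-lived opt-out renewed on every visit; no tracking store outside the one the user controls). The names Browser, AdServer, visits_tracked and largest_profile, and all time values, are assumptions.

```python
"""Opt-out persistence and tracking loopholes, modelled on the Chitika and
ScanScout allegations. Added example; all names and values are assumptions."""

DAY = 86_400  # seconds


class Browser:
    """Constructed client: an HTTP cookie jar plus a separate Flash local
    storage area. Browser cookie settings govern only the cookie jar."""

    def __init__(self, block_cookies=False):
        self.block_cookies = block_cookies
        self.cookies = {}        # name -> (value, expires_at)
        self.flash_storage = {}  # name -> value; no expiry, unaffected by cookie settings

    def set_cookie(self, name, value, expires_at):
        if not self.block_cookies:
            self.cookies[name] = (value, expires_at)

    def get_cookie(self, name, now):
        entry = self.cookies.get(name)
        if entry is None:
            return None
        value, expires_at = entry
        if now >= expires_at:            # expired cookies are discarded on access
            del self.cookies[name]
            return None
        return value


class AdServer:
    """Behavioural-advertising server. Non-default flags reproduce the alleged
    failures; the defaults are the corrected behaviour."""

    def __init__(self, opt_out_ttl=5 * 365 * DAY, renew_opt_out=True, track_via_flash=False):
        self.opt_out_ttl = opt_out_ttl        # Chitika-style failure: 10 * DAY
        self.renew_opt_out = renew_opt_out    # corrected: refresh the choice on each visit
        self.track_via_flash = track_via_flash  # ScanScout-style failure: respawn ID from Flash
        self.profiles = {}                    # uid -> pages seen

    def opt_out(self, browser, now):
        browser.set_cookie("optout", "1", now + self.opt_out_ttl)

    def serve_ad(self, browser, page, now):
        """Return True if this visit was added to a tracking profile."""
        if browser.get_cookie("optout", now) == "1":
            if self.renew_opt_out:
                browser.set_cookie("optout", "1", now + self.opt_out_ttl)
            return False
        uid = browser.get_cookie("uid", now)
        if uid is None and self.track_via_flash:
            uid = browser.flash_storage.get("uid")   # the loophole: ID survives cookie blocking
        if uid is None:
            uid = "u%d" % (len(self.profiles) + 1)   # fresh anonymous ID
        browser.set_cookie("uid", uid, now + 365 * DAY)
        if self.track_via_flash:
            browser.flash_storage["uid"] = uid
        self.profiles.setdefault(uid, []).append(page)
        return True


def visits_tracked(server, browser, days):
    """Opt out on day 0, then report whether each later visit was tracked."""
    server.opt_out(browser, 0)
    return [server.serve_ad(browser, "/page%d" % d, d * DAY) for d in days]


def largest_profile(server, browser, pages):
    """Visit each page on successive days; size of the biggest profile built."""
    for i, page in enumerate(pages):
        server.serve_ad(browser, page, i * DAY)
    return max((len(p) for p in server.profiles.values()), default=0)


if __name__ == "__main__":
    # Chitika-style: the opt-out silently lapses after 10 days and tracking resumes.
    print(visits_tracked(AdServer(opt_out_ttl=10 * DAY, renew_opt_out=False), Browser(), [5, 11, 12]))
    print(visits_tracked(AdServer(), Browser(), [5, 11, 400]))
    # ScanScout-style: cookies blocked, yet the Flash-stored ID links every visit.
    print(largest_profile(AdServer(track_via_flash=True), Browser(block_cookies=True), ["/a", "/b", "/c"]))
    print(largest_profile(AdServer(), Browser(block_cookies=True), ["/a", "/b", "/c"]))
```

The point the simulation makes is that an opt-out is only as good as the weakest store the tracker reads: a short cookie lifetime converts the choice into a ten-day pause, and any identifier kept outside the store the user’s setting controls (here Flash local storage; today it could be localStorage or a server-side fingerprint) re-links visits the user believed were unlinked. A reviewable control is the pair of invariants exercised here: the opt-out signal is checked before any identifier is read or written, and no identifier is persisted in a store the user cannot clear.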
Implications of new technologies
Cloud computing
Mobile
Questions?
More information available at:
www.ftc.gov
Kristin Krause Cohen
Federal Trade Commission