Tag: Information Privacy Law Spring 2013

  • Court Challenge to Scope of FTC Authority to Regulate Data Security

    By: Jenna Small

     

    In what is being called “unprecedented litigation,” the FTC has sued Wyndham Worldwide Corporation in federal court, alleging violations of Section 5 of the FTC Act for unfair and deceptive practices regarding Wyndham’s data security measures.  The FTC accused Wyndham of misrepresenting their information security policies and failing to provide sufficient security safeguards, which allegedly resulted in three major network breaches, the exposure of 600,000 credit card accounts and $10.6 million in fraudulent charges.

     

    Wyndham has moved to dismiss the complaint, arguing that the FTC lacks authority to regulate data security standards for all industries under the unfairness prong of Section 5.  Wyndham contends that this is a “classic example of agency overreaching” and the FTC’s authority to regulate data security is limited to those areas where Congress has given the FTC specific rule-making authority (e.g., FCRA, GLBA, COPPA, and HIPAA).  Wyndham also asserts that the theft of credit card data does not constitute “substantial injury” as envisioned by Section 5 because federal law restricts consumer liability for unauthorized payments.

     

    In its opposition to Wyndham’s motion to dismiss, the FTC maintains that Congress deliberately chose not to enumerate specific prohibited practices under Section 5, and thus the agency was delegated broad authority to prohibit unfair practices (citing other established uses of this power absent explicit statutory grants).  They further argue that this sort of systemic injury, a small harm to a large number of consumers, was the type of “substantial injury” contemplated by Congress in enacting the FTC Act.

     

    In the 41 data security enforcement actions to date, the defendants have signed consent decrees with the FTC.  Since this is the first judicial test of the scope of FTC regulatory authority under the unfairness prong, the case may have significant ramifications for the agency’s regulations of data security standards and may ultimately necessitate legislative intervention.

     

    For an article summarizing the complaint and subsequent motions (with links to the briefing), please refer to the following link:

    http://www.lexology.com/library/detail.aspx?g=511af563-4502-4477-b79c-025c61276ef3

     

  • Identity Theft During Tax Season

    By: Erin Harper

    A Consumer Sentinel Network report found that the country’s fastest growing crime involves using Social Security numbers to steal tax refunds. The website GoBankingRates.com estimates that $5.2 billion in tax refunds has already been stolen this year.

    IRS Commissioner Steven Miller has said that the agency has increased its efforts to pursue and prevent identity theft-related tax fraud. As part of an IRS crackdown, a nationwide campaign led to more than 700 enforcement actions in January. The IRS has also added additional computer screening filters in an effort to combat fraud and has assigned more than 3,000 employees to engage in identity theft-related work.

    According to Steven Toporoff, a Federal Trade Commission attorney, tax refund theft occurs in various ways. In some instances, the thief uses the taxpayer’s name and Social Security number to steal the person’s refund. In others, the thief uses the taxpayer’s Social Security number but his own or a fake name. Typically, taxpayers discover that they are victims of refund fraud when they attempt to file electronically and receive a rejection notice. Unfortunately, each tax identity theft case takes approximately 180 days to resolve. The IRS, however, is working to reduce the time it takes to get refunds to taxpayers victimized by this crime.

    http://www.cbsnews.com/8301-505144_162-57572789/tax-refund-theft-is-nations-fastest-growing-fraud/

    http://www.usatoday.com/story/money/business/2013/02/07/irs-identity-theft-enforcement/1899059/

  • Javelin Strategy & Research’s 2012 Identity Theft Report

    By: Hiroyuki Tanaka

    http://www.foxbusiness.com/personal-finance/2013/02/20/one-new-identity-theft-victim-every-3-seconds-in-2012/

    This article is about the results of the “Javelin Strategy & Research’s 2012 Identity Theft Report.”

    https://www.javelinstrategy.com/brochure/239

    According to the article, in 2012, the victims of identity theft were 12.6 million.

    It is generally alleged that regularly monitoring financial transactions and receiving alerts about irregular transactions is a good way to prevent identity theft. However, if personal information is used to open new accounts, consumers cannot monitor or receive alerts about identity theft. As this article shows, more than half of victims were not only monitoring their accounts, but also using “financial alerts, credit monitoring or identity protection services.” So the traditional way of preventing identity theft is not effectively working.

    So what can be done to prevent identity theft?  One way to go is leaving it to the consumer’s choices.  According to the article, 15% of identity theft victims “decide to change their behaviors and avoid smaller online merchants.”  This shows that most of the consumers keep on using the same service even after the identity theft.  As there is no clear standard for consumers to choose which service is paying more attention to the identity theft, it is difficult for consumers to change behaviors.  It can be said that consumers tend not to change their behaviors if they are satisfied with the quality or price of the service other than the privacy protection.   So, leaving it to consumers’ choices does not seem to be a good idea.  Another way to go is posing higher liability such as strict liability on service provider and strengthening government regulation including its enforcement.  As this will result in the huge increase of costs for service providers, it will be difficult to form a consensus.  But, as the victims of identity theft are increasing year by year, it is necessary to find common ground to balance the profits of companies and consumer protection.

  • Government IMSI Catchers Operate on the Fringes of Fourth Amendment Privacy

    By Benjamin Smith

     

    The Supreme Court’s 2012 decision in US v. Jones failed to resolve many open questions in Fourth Amendment privacy protection, including the particularly shadowy domain of International Mobile Subscriber Identity (“IMSI”) catchers. IMSI catchers, colloquially called “stingrays”, are devices used by law enforcement agencies to monitor cell phone conversations, for which ordinary wiretaps are not feasible, without going through telecommunications providers. IMSI catchers work by fooling a cell phone into thinking the catcher is a local cell tower. It can then force the cell phone to use insecure channels even if otherwise set to encrypt its conversations. Once the IMSI catcher has routed the cell phone onto an insecure channel, any conversation may be easily monitored and recorded.

     

    There are two major Fourth Amendment concerns with IMSI catchers. First, it is unclear whether the use of an IMSI catcher qualifies as a search. Some might have hoped a case like US v. Jones to come close to resolving the question, but it did not. It seems unlikely that use of an IMSI catcher would not be ruled a search, but IMSI catchers are currently routinely used without a warrant. Judges have begun to push back against the warrantless use of IMSI catchers, including in the ongoing US v. Rigmaiden case in the District of Arizona, but such resistance is only in its earliest days.

    In addition, when an IMSI catcher is activated, it does not target a specific cell phone but instead draws in all cell phones operating nearby. If an IMSI catcher records all conversations, conversations will be recorded equally from innocents as from suspects. Thus, even if law enforcement is using an IMSI catcher only under a warrant and with court approval, unintended intrusions without a warrant are bound to occur. The security of such data collected from innocents is unclear.

     

    As the technology becomes cheaper and more widely available to law enforcement agencies, privacy questions about IMSI catchers will have to be resolved. In the meantime, remember it as an emerging technology with unusual privacy implications.

     

    Additional information on IMSI catchers is available below:

     

    http://www.slate.com/blogs/future_tense/2013/02/15/stingray_imsi_catcher_fbi_files_unlock_history_behind_cellphone_tracking.html

    http://blogs.wsj.com/digits/2012/10/22/judge-questions-tools-that-grab-cellphone-data-on-innocent-people/

    http://online.wsj.com/article/SB10001424052970204621904577014363024341028.html

    http://gritsforbreakfast.blogspot.com/2013/03/bypassing-telecoms-stingrays-allow.html

  • Even Our Children Aren’t Safe

    By Kamilah Alexander

     

    Parents now have one more thing to protect their children from: identity theft. In a development that should surprise no one, identity thieves are now targeting kids. The enticement is simple: unlike an adult with an existing identity that needs to be altered, a child’s identity is an empty canvas upon which thieves can create any picture they desire. Moreover, because children generally have no need of their own credit for a long period of time, the theft of a child’s identity can go undetected for numerous years. It’s likely not until the child eventually applies for (and is denied) his or her first credit card or loan (car, college), that the identity theft will be discovered, long after the child’s credit has been ruined.

     

    A local news station in Jacksonville, Florida reports that, in an effort to combat the identity theft of children, Florida lawmakers have recently introduced a bill that would let parents create a credit profile for their children and then freeze that credit profile.  An ability to freeze a child’s credit would certainly help parents. They wouldn’t have to continuously monitor their children’s credit profiles, something adults find challenging enough to do for themselves.

     

    http://www.wokv.com/news/news/local/your-child-risk-identity-theft/nWjbH/

  • Privacy Act and Freedom of Information Act

    By Glenn Velazquez-Morales

     

    In another example of the recurring discussion about the relationship between the Privacy Act of 1974 and the Freedom of Information Act (FOIA), the National Pork Producers Council denounced that the Environmental Protection Agency (EPA) released personal and “business-confidential” data of U.S. hog farmers to various interest groups in the United States.

     

    The Pork Producers alleged that, in early February, the EPA disclosed information including home addresses, phone numbers, e-mail addresses, and information related to business operation of several hog and other poultry farmers to various environmental groups, including the Natural Resources Defense Council, Earth Justice and the Pew Charitable Trusts. The Council denounced that the information was gathered from several state water agencies in order to create a national database as part of a proposed rule known as the Concentrated Animal Feeding Operations. Later, after harsh criticism of many farmers and agriculture interest groups, the proposed rule was tabled. However, several environmental interest groups who supported the rule have publicly requested the information to be released and formally asked the EPA to do so under several dispositions of FOIA.

     

    On the other hand, the EPA reacted to this allegation through a short statement in which it expressed that the release of information was legitimate and required by law under the Freedom of Information Act. In addition, the EPA announced that the information will be publicly available throughout the US.

     

    This controversy has the potential of being actively litigated if some of the farmers allege actual damages under Section 552a(g)(4) of the Privacy Act. Moreover, because this was a disclosure of a national database of hundreds of dozens of farmers across the US, it may be possible to foresee a class action suit against the EPA. However, as has been expressed by several courts and legal experts, the interaction between the Privacy Act and FOIA is complicated because of the legitimate goals and values that these two statutes seem to protect. In this case, the legitimate privacy claim of the farmers will have to be weighed against the promotion of public transparency of the EPA throughout its rule-making process.

     

    Here is the link to a report from the Des Moines Register regarding this controversy and the EPA response:

     

    http://blogs.desmoinesregister.com/dmr/index.php/2013/02/20/pork-producers-troubled-by-release-of-data-to-activist-groups

     

     

    Here is the link to the press release issued by the National Pork Producers Council:

     

    http://www.nppc.org/2013/02/epa-releases-confidential-farm-data/

     

  • 369,132 cases of identity theft were reported to FTC in 2012

    By Hung-Yi Hsiao

     

    According to the Consumer Sentinel Network Data Book 2012 released by the FTC in February 2013, there were 369,132 identity theft complaints received by the FTC in 2012, nearly 90,000 more than in 2011.

    Identity theft was the number one complaint category with 18% of the overall complaints. Among identity theft cases, tax- or wage-related fraud (43.4%) was the most common, followed by credit card fraud (13%), phone or utilities fraud (10%), bank fraud (6%), employment-related fraud (5%) and loan fraud (2%). Tax- or wage-related fraud was also the fastest-growing category in the past few years, growing from 15.6% in 2010, 24.3% in 2011, to 43.4% in 2012.

    54% of the identity theft victims notified a police department and a report was taken, while 6% of victims also notified police but no report was taken, and another 8% notified police and did not indicate whether a report was taken. 32% of the victims did not choose to notify police departments.

    Among the victims of identity theft, 16,133 (6%) were under 19, 57,491 (21%) were in the age of 20-29, 52,704 (19%) in 30-39, 49,403 (18%) in 40-49, 45,483 (17%) in 50-59, 30,583 (11%) in 60-69 and 22,027 (8%) in 70 and over. Compared to data in 2010, there were 18,334 (8%) under 19, 56,635 (24%) were in the age of 20-29, 49,375 (21%) in 30-39, 3,877 (19%) in 40-49, 35,314 (15%) in 50-59, 19,923 (8%) in 60-69 and 12,984 (5%) in 70 and over. It seems that identity theft criminals found more and more middle-aged and older victims in recent years.

    http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf

     

    Meanwhile, other research suggests that the number in the FTC report is way lower than the real number. A report of a private marketing research agency indicates that there were more than 12.6 million identity theft victims in 2012, which equals 5.25% of U.S. adults, or 1 victim every 3 seconds. Almost 1 in 4 consumers that received a data breach letter became a victim of identity fraud. $21 billion was stolen in identity theft incidents. The data of the research was gathered by a survey of a representative sample of 5,249 U.S. adults.

     

    https://www.javelinstrategy.com/news/1387/92/More-Than-12-Million-Identity-Fraud-Victims-in-2012-According-to-Latest-Javelin-Strategy-Research-Report/d,pressRoomDetail

  • New Canadian Spam Law Fuels Privacy & Commercial Speech Debate

    By: Andrew Laing

     

    Canada has recently enacted new anti-spam legislation, unimaginatively known as Canada’s Anti-Spam Legislation, or CASL (you have to give our Congress some credit for coming up with CAN-SPAM).  The central achievement of the legislation is a tough opt-in regime for most commercial electronic communications: the law imposes a variety of new requirements Canadian businesses will have to meet regarding consent (which cannot be sought through purely electronic means), disclosure of information, and unsubscription procedures.

     

    This news dovetails nicely with our discussion of existing and proposed European and American laws governing electronic communications, and it also intersects with our recent consideration of “commercial speech” as a distinct category of expression.  Some opponents of CASL argue (as in the Financial Post article linked below) that the law makes it needlessly difficult for businesses to reach out to and inform consumers and that overzealous enforcement might cause the law to reach beyond what we usually think of as “spam” to encompass more innocuous interpersonal e-mails that discuss commercial transactions.  This raises a deeper question: to what extent is it desirable (or even permissible, under Canada’s Charter of Rights and Freedoms) to raise high barriers to electronic commercial expression in the name of consumer protection?  It’s worth keeping that question in mind as Canada’s CASL debate evolves in the coming years.

     

    Here is a Canadian government website explaining CASL:

     

    http://fightspam.gc.ca/

     

    Here are links to two opinion pieces expressing opposing viewpoints on CASL:

     

    http://www.thestar.com/business/2013/02/08/business_thinks_antispam_law_should_protect_them_not_consumers_geist.html

     

    http://opinion.financialpost.com/2013/02/28/delete-this-anti-spam-law/

     

    Finally, here is an overview of Canada’s approach to freedom of commercial expression (see section B(2)(b)):

     

    http://publications.gc.ca/Collection-R/LoPBdP/CIR/8416-e.htm

  • Commercial free speech

    By: Stephanie Smith

    In 2011 Par Pharmaceutical (“Par”) was charged with violations of FDA regulations governing the off-label promotion of prescription drugs. In its defense, Par contended that its ability to convey “truthful” information to physicians was protected by the First Amendment,  and that the FDA’s efforts to curb promotion of off-label use was an unconstitutional impingement of commercial free speech.

     

    The crux of Par’s argument was that such promotion was not unlawful and provides valuable and tailored information to physicians regarding its products. The FDA justified its position by responding “Whatever interests Par may assert are far outweighed by the government’s paramount interests of protecting the public health by ensuring the safety and effectiveness of drugs for their intended uses.”

     

    This week it was reported that Par has now settled the lawsuit on the basis that it pay a fine of $22.5m. It has also agreed to discontinue its First Amendment case against the FDA.

     

     

    http://www.pharmalot.com/2013/03/par-settles-off-label-probe-drops-free-speech-suit/

  • “Do Not Track: A Viable Legislative Solution?”

    By: Kimberly Chow

     

    Last week, Senator Jay Rockefeller (D-W. Va.) reintroduced his “Do Not Track Online Act.” Under the bill, consumers on the Internet would be able to affirmatively choose not to allow companies to collect information on their online activities.  The Federal Trade Commission would provide enforcement.

     

    Rockefeller’s initial bill, introduced in 2011, did not make it out of committee, and last year, the Federal Trade Commission endorsed a self-regulatory alternative in its report, “Protecting Consumer Privacy in an era of Rapid Change.” Currently, the World Wide Web Consortium (W3C) is assessing how consumers would send a Do-Not-Track message and what companies would do when they receive the message.  W3C’s Tracking Protection Working Group has been meeting since September 2011, with an end date in April 2014.

     

    Some commentators who have complained that this self-regulatory approach is too slow are welcoming the possibility of legislation that might speed up the process.  But it remains to be seen whether the often-slow or ultimately unproductive legislative process is any more satisfying. While it’s possible that the bill may have greater success than it did two years ago because of increased public awareness of Internet data privacy issues and because its co-sponsor, Connecticut Senator Richard Blumenthal, sits on the Commerce Committee, it may yet turn out that the self-regulatory approach is the only way to get anything done.

     

    http://www.adweek.com/news/technology/rockefeller-reintroduces-do-not-track-act-147610

     

    http://www.prnewswire.com/news-releases/consumer-watchdog-backs-sen-jay-rockefellers-do-not-track-bill-194057131.html

     

    http://www.w3.org/2011/tracking-protection/charter