FTC Staff Looks at Mobile Marketing Practices

The Federal Trade Commission (“FTC”) recently issued a Staff Report reviewing new developments in the use of mobile devices and their impact on mobile commerce (“M-commerce”). Titled “Beyond Voice: Mapping the Mobile Marketplace,” the Staff Report was the culmination of a series of nine town hall sessions that the FTC conducted in May 2008. Of particular note, as a result of its findings, the FTC has stated that it will expedite its regulatory review of the Children’s Online Privacy Protection Rule, originally slated for 2015, to take place in 2010. The four sitting Commissioners voted unanimously to issue the report.

The Staff Report noted that there are currently 257 million U.S. mobile subscribers, translating into a penetration rate of more than 80% of the U.S. population. Trend data suggest that, in the near future, U.S. consumers will more often access the Internet from mobile devices than from PCs. Moreover, the use of smartphones that have PC-like functionality has created new opportunities but also new privacy and security concerns for M-commerce.

The FTC’s nine town hall sessions focused on the following developments and issues in M-commerce:

  • The mobile marketplace in the United States, including “the contours of the current mobile marketplace,” and “factors affecting the adoption of new mobile applications”
  • Mobile messaging, including commercial uses and consumer protection concerns relating to premium rate and unsolicited messaging
  • Differences between mobile devices and personal computers, and an “overview of how mobile devices are becoming powerful tools for consumers”
  • Location-based services, including “currently available location-based technologies and services,” “privacy and security issues implicated by the widespread deployment of location-enabled mobile devices” and notice and consumer consent regarding the use of location data
  • Mobile advertising and marketing, including consumer protection and privacy concerns
  • Consumer management of mobile devices, including consumers’ awareness of their ability to control mobile devices
  • Concerns pertaining to mobile marketing to children and teenagers
  • Industry best practices for billing, consumer disclosures, handling of complaints and dispute resolution
  • Mobile security issues, including issues relating to open platform development, mobile phone recycling and contactless payments via mobile phones

The FTC Staff Report made three rather limited findings resulting from the town hall sessions:

First, the majority of complaints made to state regulatory agencies with respect to mobile marketing relate to inadequate cost disclosures for mobile services. The Staff Report stated that the FTC will therefore monitor the adequacy of cost disclosures, bring law enforcement actions when appropriate and work with industry to improve its self-regulatory enforcement.

Second, the Staff Report concluded that law enforcement agencies, including the FTC, should monitor the impact on consumers of unsolicited mobile text messages, malware and spyware, and take enforcement action where warranted. The report acknowledged that wireless carriers block hundreds of millions of unsolicited text messages per month, at a substantial cost. The report concluded, however, that the cost to consumers of receiving voluminous unwanted text messages would be far greater. Moreover, although malware and spyware have not yet posed significant problems on mobile devices, this situation is likely to change as consumers increasingly utilize mobile devices as a means of Internet access. The Staff Report called for strategies to prevent or minimize the growth of spam, malware or spyware on mobile devices.

Third, the Staff Report concluded that the increased use of smartphones as a means of access to the mobile web creates a unique privacy challenge, particularly insofar as children are concerned. In light of the concerns raised in the Staff Report, the FTC has determined that its regulatory review of the Children’s Online Privacy Protection Rule, originally slated for 2015, will begin in 2010. The FTC has stated that it will provide an opportunity for extensive public comment.

As with the FTC’s recent Staff Report pertaining to behavioral advertising, the FTC’s M-Commerce Staff Report reflects substantial concern over privacy and security issues, but a rather cautious regulatory approach to date in an area that the FTC acknowledges to be rapidly evolving. Participants in the M-Commerce industry should be particularly watchful, however, of the FTC’s 2010 regulatory review of the Children’s Online Privacy Protection Rule, and for the opportunity to present public comment on any proposed changes. The Staff Report took note of a variety of comments from the Children’s Advertising Review Unit of the Council of Better Business Bureaus, consumers’ and children’s advocacy groups, and even the consumer laws of Finland, in questioning whether current industry practices with respect to children and M-commerce marketing were adequate. These comments focused on the adequacy of notice and opt-in practices for mobile marketing to children, age screening, and parental consents and controls. These issues are likely to receive considerable attention in the course of the 2010 regulatory review.

Nevada Expands Data Security Requirements

Last October, Nevada made news as the first state to implement a data protection law mandating encryption for certain personal information transmitted electronically. The law, codified at Nev. Rev. Stat. § 597.970 and discussed in Goodwin Procter’s September 22, 2008 Privacy & Data Security Advisory, requires ‘in state’ businesses to encrypt customers’ personal information before electronically transmitting the information (other than by fax) outside the business’ secure system.

Recently enacted, Senate Bill No. 227 will expand Nevada’s data security law in several ways when it becomes effective on January 1, 2010. First, businesses that accept credit cards will be required to comply with the current version of the Payment Card Industry Data Security Standard. Second, SB 227 will expand the encryption requirement to data storage devices containing personal information (such as laptops, cellular telephones and USB drives) that are moved outside the secured physical and logical boundaries of the entity. Finally, SB 227 changes the type of encryption required, imposing stricter encryption standards. To meet the new standard, encryption technology must include (i) an encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology and (ii) appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology. In contrast, the current Nevada standard for encryption provides greater latitude in the selection of an encryption technology.

SEC Reopens Comment Period for Model Privacy Form

On April 15, the SEC reopened for comment the proposed model privacy notice form (“Model Form”), originally released March 29, 2007, that financial institutions would be able to use to provide disclosures in accordance with the privacy notice provisions of the Gramm-Leach-Bliley Act (“GLBA”). The earlier release was issued jointly by the SEC with the four federal banking agencies, the Federal Trade Commission, the National Credit Union Administration and the Commodity Futures Trading Commission. The new release was issued only by the SEC.

The comment period was reopened to allow public comment on the results of consultant-conducted consumer testing of different types of privacy notices, including a slightly revised version of the Model Form, which had occurred subsequent to the initial comment period. The results of the consumer testing have been posted in the comment file for the Model Form. The new comment period on the Model Form ended on May 20, 2009.

Under rules adopted by financial regulators pursuant to the GLBA, including the SEC in Regulation S-P (“Reg. S-P”), a financial institution must provide notice to certain customers of its policies regarding the disclosure of those customers’ nonpublic personal information to non-affiliated third parties. These privacy notice provisions also require that consumers be provided with, where applicable, a reasonable opportunity to “opt out” of certain sharing of nonpublic information. The privacy notice must be provided by the financial institution to the customer at the start of the relationship and annually during the existence of the relationship. If the SEC adopts the Model Form, a financial institution would not be required to use the Model Form to meet Reg. S-P’s privacy notice requirements. However, during the first year after adoption, both the Model Form and the sample clauses for privacy notices currently provided in Reg. S-P would serve as safe harbors under the GLBA. After the one-year transition period, the sample clauses would no longer have that status, leaving the Model Form as the sole safe harbor.

The proposed Model Form would modify Reg. S-P, but this proposal is limited to the Model Form and should not be confused with the more comprehensive overhaul of Reg. S-P in the proposed rule issued by the SEC on March 4, 2008, for which comments were due on May 12, 2008.

FTC Again Delays Compliance Date for Red Flags Rule

The Federal Trade Commission announced an extension until November 1, 2009 to the compliance date for its Red Flags Rule (Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 published at 16 CFR Part 681). The compliance date for the Red Flags Rule was originally to have been November 1, 2008, and was previously extended to August 1, 2009. The most recent extension is intended to give creditors and financial institutions more time to review FTC guidance and develop written identity theft prevention programs. The Red Flags Rule requires “creditors,” defined broadly to include, among others, those entities that regularly permit deferred payments for goods or services, and “financial institutions” with covered accounts to implement programs to identify, detect and respond to the warning signs, or “red flags,” that could indicate identity theft. The financial regulatory agencies, including the FTC, jointly developed the rule. Financial institutions subject to the Red Flags Rule of other federal agencies are unaffected by this announcement.

The FTC has recognized that many covered entities, particularly small businesses and entities with a low risk of identity theft remain uncertain about their obligations. Specifically, many entities in the healthcare and retail sectors have been unaware that they were required to comply with this regulation. Some industry groups, including the American Bar Association and American Medical Association, have disputed whether their members should be required to comply with the Red Flags Rule. The ABA threatened to file suit if the FTC allowed the regulations to go into effect on August 1. The FTC has announced that its staff will redouble its efforts to educate entities about compliance with the requirements and provide additional resources and guidance to clarify whether businesses are covered by the rule and what they must do to comply.

Publications and Conferences

Jacqueline Klosek and Dale Fulton published “Information Services, Technology and Data Protection” in the Summer 2009 issue of The International Lawyer.

Jeff Klein and Jacqueline Klosek published “Every Click You Take They Will Be Watching You” in the May 2009 issue of Privacy & Data Security Law Journal.

Jacqueline Klosek and Jillian Barber published “State Outlook 2009: Privacy and Data Security Proposals and Legislation” in the April 2009 issue of The Privacy Advisor.

Jacqueline Klosek, Agnes Bundy Scanlan and Rachel Samuels published “Preventing Identity Theft And Other Harm Through Increased Controls on Social Security Numbers: A Review of Select State Laws” in the March 2009 issue of Privacy & Data Security Law Journal.

SecureWorld Spotlight
Date: August 20, 2009
Location: Waltham, MA
Deborah Birnbach will speak on “201 CMR 17.00: A Litigator’s Perspective” at this one day conference focusing specifically on the Massachusetts regulation 201 CMR 17.00.

ACI's 3rd National Forum on Cyber & Data Risk Insurance
Date: September 16-17, 2009
Location: Philadelphia, PA
This American Conference Institute event will cover the state of the insurance market right now, new types of coverages and the results of recent litigation that will shape this field going forward. Carl Metzger will participate on the “Analysis of Claims, Losses, and Recent Litigation Over Privacy/Data Breaches” panel.

IAPP Privacy Academy 2009
Date: September 16-18, 2009
Location: Boston, MA
Lynne Barr, Agnes Bundy Scanlan, David Goldstone and James Shreve will participate in IAPP’s Privacy Academy. Lynne and Agnes will speak on “The New Massachusetts Privacy Law: What Does It Mean for You?” David will speak on “Massachusetts Data Security Regulations: Perspectives From Regulators, Enforcers, Practitioners and Industry.” James will speak on “Suggestions From the States: Designing a Workable Breach Notice Requirement.”

Cyber Security Breakfast
Date: September 18, 2009
Location: Goodwin Procter’s Silicon Valley office
The firm is sponsoring a breakfast meeting with James Woolsey and top executives regarding cyber security.