The Children’s Advertising Review Unit recently held that screening for age to avoid collecting personal information from children under 13 was not enough. In Bandai America (the website is Bandai’s Wireless.com site), CARU found that although Bandai’s website had a screening mechanism that asked for a date of birth, there was no tracking once a child put in a birth date. Thus, anyone under 13 could come back and enter a different (inaccurate) date of birth to get by the screen. CARU’s COPPA compliance guidelines require that not only must interactive sites have an age screening mechanism, but there also must be some reasonably effective means of tracking so children can’t get around the screening process. Forewarned is forearmed.
Who Pays For the Data Security Breach?
Have you received one of those “data security breach” letters? Quick, call the credit bureau and bank. Change the checking, credit card and license numbers. Most financial institutions have absorbed the cost of reissuing payment cards or providing new checks, even when these financial institutions had nothing to do with the security breach. When B.J.’s Wholesale Club disclosed that a theft of credit card information had occurred, two financial institutions sued to recover the costs that resulted from that breach. The institutions claimed B.J.’s breached its legal obligation to maintain the security of the financial institution and should be liable for the damages. Those claims were initially rejected, but have now been revived by the U.S. Court of Appeals for the Third Circuit, which has issued a decision holding these financial institutions were intended third-party beneficiaries of the contract among the retailer, its merchant bank, and the payment card industry, to keep customer data safe. If the retailer breached data protection rules imposed by the payment card industry and the financial institutions were third-party beneficiaries of that agreement, then any damage and loss could be recovered based on contract law claims. Stay tuned.
You Would Think They Would Know Better
Cyber-Ark Software, a U.S.-based information security company, surveyed information technology professionals at the Infosecurity Europe Expo 2008 in London this past April. They asked 300 senior IT folks attending the Expo about abuses relating to information access, and guess what they found? First, about one-third of all IT professionals surveyed abused their own company’s information access rights policies to view information unrelated to their job (e.g., spying on employees or looking at confidential information). The survey report noted that passwords of IT and systems oversight staff often aren’t required to be changed as often as user passwords—or sometimes not at all. In most cases, IT administrators have free reign to use or abuse access privileges—which apparently happens too often.
The notion of “internal firewalls” is highlighted by this report. While companies often take great pains to protect themselves from external threats, as history has shown us in the physical world, the biggest dangers are from “inside jobs.” Without protections that apply internally, snooping, economic espionage, sabotage, spying and data security risks will remain a looming threat to the information assets of a business enterprise.
Data, Data Everywhere, But Hackers Drop into Secure Websites
Criminals stole customer information from the Hannaford Bros. and Sweetbay grocery chains’ computer networks. As shoppers swiped cards at checkout and their information was routed to transaction processors using state-of-the-art, fiber-optic, hard-wired cable for transmissions, malicious software intercepted the information and transmitted it to an ISP off-shore. Experts are still trying to figure out how the code got into the systems in the first place.
Continue reading “Data, Data Everywhere, But Hackers Drop into Secure Websites”
Data Security Breach – Who Are You Going to Call?
The New York State Information Security Breach and Notification Act amends the State Technology Law (Section 208) and the General Business Law (Section 899-aa), and requires that any New York State entity, as well as any person or business conducting business in New York and who owns or licenses computerized data that includes private information, must disclose any breach to New York residents (New York State governmental entities must also notify non-residents). This is similar to well more than 30 other states that have data breach notification statutes. Did you also know that when notification is necessary, New York law requires notification to the Attorney General, the Office of Cyber Security & Critical Infrastructure Coordination, and the Consumer Protection Board? Did you know there’s a “New York State Security Breach Reporting” form? No company relishes the idea of having to deal with a compromise of sensitive customer data? And no company should have to worry about not having the right legal advice when dealing with their customers, regulators and law enforcement officials. Rimon has a Data Security Group that keeps track of these laws in the United States and throughout the world.
Test Data? Really?
Are you using real customer data for testing? In a recent survey, well over 60 percent of IT professionals use live customer data for application testing and for software development. Guess how many IT professionals outsource application testing (and share live data with the testing company)—about 50 percent. Worried about sensitive data? Compliance with data breach statutes? Privacy concerns? Is this a potential gap in the security wall many companies build around their networks? You bet. Could it be a big compliance, legal and regulatory problem? Bigger bet. While live customer data is obviously the most representative for testing, it’s also the most risky. What can you do? Use fake data. Anonymize or sanitize real data. Use encryption. Limit access and strengthen contract, monitoring and audit controls. We know privacy and security, regulation and compliance. Call us.
Want to Know What to Do After a Data Breach?
Read “After a Data Breach: Navigating the tangle of state notification laws can be exasperating—and costly” an Oct. 29, 2007 article by Jennifer McAdams, posted on ComputerWorld. I was interviewed and quoted in the article. I have helped numerous companies navigate the tangled web of state laws and regulations that have appeared in the past few years, and the ATM Law group tracks and keeps up-to-date on developments in state and federal law concerning this important issue.
What Do DSS, GLB and SOX Have in Common?
If you carry, accept, use, issue or have anything to do with the world of credit cards, debit cards, gift cards, smart cards, stored value cards, pre-paid cards—need I go on?—you need to pay attention to DSS. That is the Payment Card Industry’s Data Security Standards that apply to all types of payment cards issued by the major card-issuing companies. The PCI DSS, in case you hadn’t heard, requires, as an example, that personally identifiable card data be rendered unreadable (truncated, encrypted, firewalled, decapitated—is anyone reading) whenever it is potentially exposed to a third party, when it’s stored, transmitted, used or processed. If you are a merchant with significant card-transaction volumes. encryption can be expensive or time-consuming or both—and no one wants to slow down transactions at the point of sale or at the point of billing. The DSS also requires audit records be kept so breaches can be detected, compromises traced and data integrity monitored. Yes, there are DSS Audit Guidelines from the PCI as well. Not to mention the fact that more than 30 U.S. states already have some form of data breach legislation that requires disclosure, notice and, in some cases, that some remedies be made available to consumers who are or potentially might be the victims of lapses in data protection.
Acquiring institutions—those financial institutions and card processors that have the relationships with merchants that accept and process cards—have until year-end to bring their systems and relationships into compliance, and some card associations are offering rewards for early compliance, but stiff penalties for delays and failure to comply.
How complex does it get? Well, imagine that a merchant opts to mask all credit card numbers, even though address information is unencrypted—but the numbers aren’t visible within any systems and therefore can’t be cross-referenced. PCI compliant? Probably? BUT, that won’t comply with Gramm-Leach-Bliley, the privacy statute applicable to banks and financial institutions that requires otherwise. What about SEC regulations regarding customer data and, of course, Sarbanes-Oxley, which says, “You must control access to your information.”
It’s enough to give anyone a headache. That’s why Rimon has a Financial Services, Corporate & Securities, Intellectual Property and, of course, an Advertising Technology & Media Law practice—so you get one seamless solution to your problems, no matter how complex the world gets.
COPPA – Xanga Settles
Based on a complaint that Xanga knew it was collecting (and sharing) personal information from children under the age of 13 (they asked for and were given the birth dates from registrants), the FTC reached a settlement agreement in which Xanga.com agreed to pay a civil penalty of $1 million. The complaint also alleged that Xanga didn’t notify children’s parents, nor did they give parents access to or control over their children’s information.
The Children’s Online Privacy Protection Act (“COPPA”) mandates that commercial web sites give parents notice and get consent before collecting personal information from children they know to be younger than 13 years old. The order which is part of the settlement with the FTC forces Xanga to erase any personal information collected and stored that violates the Act. Xanga also will have to put up hypertext links for the next five years to FTC-designated consumer educational materials.
Social networking has been in the news recently for many reasons. Recently, Facebook was faced with controversy when it started serving automated alerts about users’ friends and classmates. Facebook has less than 10 million users, compared with MySpace—which is now owned by News Corp.—which has in excess of 100 million users.
California Court Takes a Bite Out of Apple
In Apple v. Does (a.k.a. O’Grady v. Superior Court) Apple Computer sought to find the sources of certain leaks and rumors relating to trade secrets associated with an Apple product. Apple wanted to compel an email provider and Web publishers to divulge the information and the California Court of Appeal said “‘no,” ruling that the Stored Communications Act (the “Act”) prohibits these kinds of civil discovery efforts and prohibits Apple from compelling disclosure of the identity of the Websites’ sources. Aside from the holding that such a subpoena is not enforceable under the plain meaning of the Act, a subpoena compelling the disclosure of unpublished information from these particular entities would be unenforceable because of shield protections afforded reporters in California and, under the facts presented to the court, trying to get at these particular sources is protected by a conditional constitutional privilege against compulsory disclosure of confidential sources. If all this sounds like a lot of legal-ease, the bottom line is that Apple was barred from obtaining this type of information.