D. Reed Freeman, Jr. 202/ 342-8880 rfreeman@kelleydrye

1. PRIVACY AND INFORMATION SECURITY: ENFORCEMENT TRENDS AND BEST PRACTICESABA Consumer Protection Conference January 29, 2007 D. Reed Freeman, Jr. 202/ 342-8880 rfreeman@kelleydrye.com

2. Recent Trends in FTC and State Enforcement • Data Breach Notification • SPAM Enforcement • Spyware • Telemarketing and Do-Not-Call • Pretexting • Information Security • COPPA • International Cooperation • Liability for Acts and Practices of Business Partners • Placement of Privacy Disclosures

3. Data Breach Notification • 34 states, 2 Territories and a City • Different definitions of “personal Information” • 28 states have a safe harbor for encrypted data • 12 states have a safe harbor for no reasonable likelihood of injury, harm, loss, or risk • Different timing, content, and recipients for notices • 7 states require regulator notice • 20 states require CRA notice • Different enforcement mechanisms: 14 states allow a private right of action

4. Data Breach Notification (Cont’d) • Single, Federal Rule this year? • Some litigation even where no law on the books • Oregon -- Providence Health System-Oregon • AVC available at http://www.doj.state.or.us/media/pdf/finfraud_providence_avc.pdf

5. SPAM Enforcement • 7 Cases in 2006 • Civil penalties, consumer redress near $1 million • Number of cases and dollar amounts increasing • Recent trend in holding email marketers liable for email activities of affiliates • FTC v. Global Net: Due diligence before entering into affiliate relationships; monitoring during relationship • Settlement at: http://www.ftc.gov/os/caselist/0423168/051116stip0423168.pdf • Focus tends to be on deceptive subject lines, from lines, effective opt-out mechanisms, unauthorized relays, disclosure that the email is an advertisement, and failure to display a physical address • Practice Tip: Yesmail case and filtering opt-out requests by email. • Settlement at: http://www.ftc.gov/os/caselist/0623002/061024yesmailstipfnl.pdf

6. Spyware • 11 FTC and State Cases in 2006 • E.g.,Odysseus, Zango • Stipulated Interim order in Movieland (January 12, 2007) • New York AG case against Direct Revenue • Washington AG High Falls Media, Secure Computer cases • Attention to placement and proximity of privacy disclosures; effect of software on consumers’ computers; uninstall mechanisms • FTC chairman’s speech and cases suggest that “critical” information should be disclosed clearly and conspicuously • Fines increasing – up to $3 and $4 million • Injunctive relief includes affiliate marketing restrictions similar to those in spam cases • Implications and practice tips for all companies offering software downloads

7. Telemarketing and Do Not Call • 9 Cases in 2006 • High priority for the FTC • Fines going up: Do-not-call settlements as much as $5.3 million • Latest do-not call settlement: $100,000 with DirecTV telemarketing vendors (December 14, 2006) • Do-not-call cases often focus on facts specific to existing business relationship with consumers and entity-specific do-not-call lists

8. Telemarketing and Do Not Call (Cont’d) • FTC also aggressively using its “assisting and facilitating” authority against: • payment processors • partners that set up of sham corporations • list providers • fulfillment houses • Most recent case: Global Marketing Group, et al. (December 20, 2006) (payment processor in advanced fee loan case) • Prerecorded calls: FTC announced it will continue to forbear enforcement of call abandonment provisions in connection with prerecorded calls to consumers with whom seller has an established business relationship until end of its prerecorded call abandonment proceeding (December 18, 2006)

9. Pretexting • 6 FTC cases involving pretexting for telephone records in 2006 • Increasing priority for FTC and States • HP Settlement -- $14.5 million • Complaint and Settlement available at: http://ag.ca.gov/newsalerts/release.php?id=1394&PHPSESSID=03f57f9da61374df31606e0393aac4c8 • New Telephone Records and Privacy Protection Act of 2006. • Illegal to obtain a person’s telephone records without authorization • Penalties: Up to 10 years in prison; up to $500,000 fine • Reverse liability? -- Potential liability for corporate victims of pretexting

10. Information Security • 14 total cases through 2006; 4 major cases in 2006 • Guidance Software (deception) • ChoicePoint (FCRA, unfairness, deception); (redress program announced December 6, 2006) • Card Systems (unfairness) • DSW (unfairness) • Common factual allegations: • failing to protect against “Structured Query Language” attacks by implementing simple, low cost, and readily available defenses to SQL attacks; • storing sensitive information in clear, readable, unencrypted text that could be accessed through commonly known IDs and passwords;

11. Information Security • Common FTC allegations in Information Security Cases (Cont’d) • storing user credentials in readable text, facilitating unauthorized access (failing to use strong passwords); • failing to monitor and control connections to the network, including through wireless connections; • failing to employ sufficient measures to detect unauthorized access to sensitive personal information; • failing to authenticate recipients of sensitive personal information; • storing sensitive information for longer than necessary; and • Failing to conduct security investigations or audits.

12. Information Security (Cont’d) • Latest data from Privacy Rights Clearinghouse • February 5, 2005 - January 24, 2007 • 100,738,417 records subject to breach • 455 reported incidents • GLB Safeguards Rule and its application on beyond financial institutions • FTC guidance and best practices • Seehttp://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm

13. COPPA • Status of the rule • Rule kept as is on sliding scale approach • Cases • FTC got its biggest fine ever -- $1 million, in Xanga case • Complaint and consent decree available at: http://www.ftc.gov/opa/2006/09/xanga.htm • Practice tip: When collecting date of birth as required by COPPA, make sure your back-end systems use it! • New implications for social networking sites

14. International Cooperation SAFE WEB Act • Expanded information sharing with and from foreign law enforcers • Expanded investigative cooperation with foreign law enforcers • Allows FTC to conduct investigations on behalf of foreign law enforcement authorities in appropriate cases -- scope yet to be determined • FTC remedial authority in cross-border cases • Clarifying FTC authority to make criminal referrals • Allows for foreign staff exchange programs

15. Liability for Acts and Practices of Business Partners • Growing trend in FTC and state enforcement • Cases • Email marketing • Telemarketing • Spyware • Rebates • Information security next? • Fundamental principles: due diligence and monitoring

16. Placement of Privacy Disclosures • Cases • Odysseus • Zango • Advertising.com • Enternet Media • Washington v. High Falls Media • Recent case in negative option context: Think All Publishing (January 25, 2007) • Implication for online and offline industries generally

17. Helpful Resources • ABA Consumer Protection and Privacy and Information Security Committees • IAPP Daily Dashboard • DM News • BNA Internet Law News • MediaPost • Your own complaints

18. Lew Rose 202342.8821 Questions? John Villafranco 202342.8423 202342.8880 Reed Freeman