
FTC: Anatomy of a Data Security/Privacy Investigation and the Future of Privacy
John Jay College of Criminal Justice, Center for Cybercrime Studies, November 10, 2011
Kristin Krause Cohen, Staff Attorney, Division of Privacy and Identity Protection, Federal Trade Commission


Presentation Transcript


  1. FTC: Anatomy of a Data Security/Privacy Investigation and the Future of Privacy
  John Jay College of Criminal Justice, Center for Cybercrime Studies
  November 10, 2011
  Kristin Krause Cohen, Staff Attorney, Division of Privacy and Identity Protection, Federal Trade Commission

  2. Disclaimer • The views expressed in this presentation are mine and are not necessarily those of the Commission or any individual Commissioner.

  3. Meet the Federal Trade Commission
  • Nation’s only general jurisdiction consumer protection agency
  • ~1,100 lawyers and staff members in Washington and 7 regional offices
  • Federal jurisdiction in the areas of antitrust and consumer protection
  • Three bureaus:
    • Competition
    • Economics
    • Consumer Protection

  4. Agenda for Today
  • How the FTC’s Data Security Program Has Evolved
  • The FTC Privacy Report
  • Recent Privacy Enforcement Actions
  • New Areas

  5. Legal Standards
  • Relevant laws governing data security and privacy:
    • Fair Credit Reporting Act (FCRA) – Disposal Rule
    • Federal Trade Commission Act (FTC Act)
    • Other federal laws (HIPAA, DPPA, FERPA)
    • State laws

  6. Anatomy of an FTC Investigation
  • Finding cases
  • Pre-search
  • Civil Investigative Demand or access letter
  • Analyzing the facts
  • Litigation or consent negotiation (or closing letter)
  • Compliance and monitoring

  7. Perspective
  • FTC data security enforcement has become more granular
  • The enforcement actions offer specific lessons for businesses, including those in the health industry
  • The FTC’s definition of what is unfair or unreasonable will help to inform the evaluation of privacy and security practices in other contexts

  8. Four Points that Guide the FTC’s Information Security Enforcement
  • Information security is an ongoing process.
  • A company’s security procedures must be reasonable and appropriate in light of the circumstances.
  • A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security.
  • A company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach.

  9. The Early Years • The FTC’s early privacy and data security enforcement is characterized by targeting companies that engaged in practices contrary to their published privacy policies

  10. The Early Years
  • Geocities (1999) (first Internet privacy case) and Gateway (2004)
  • The FTC alleged the companies used personal information in a manner contrary to promises made to consumers.
  • Order required Geocities to notify members and allow their information to be deleted, and prohibited Gateway from sharing personal information obtained under its original privacy policy without express consent.

  11. False Representations About Data Security and FTC Enforcement

  12. Common Vulnerabilities: Petco
  • Petco (2005)
  • FTC alleged that Petco falsely represented that personal information it obtained from consumers was maintained in an encrypted format
  • Petco’s website and web application were vulnerable to commonly known or reasonably foreseeable attacks
  • Order against Petco prohibited misrepresentations and required it to implement a comprehensive information security plan and obtain independent assessments of the plan

  13. FTC use of “unfairness” prong of Section 5 • Duty to protect data implied in requirement not to engage in unfair practices

  14. Multiple Risks: BJ’s • FTC alleged BJ’s engaged in an unfair practice by “failing to employ reasonable and appropriate security measures to protect personal information. . . .”

  15. Multiple Risks: BJ’s
  • Specifically, FTC alleged BJ’s did not employ reasonable and appropriate measures to secure personal information. Among other things, it:
    • did not encrypt information while in transit or when stored
    • stored information in files that could be accessed using a commonly known default user ID and password
    • did not use readily available security measures to limit access to its networks through wireless access points on the networks
    • did not employ sufficient measures to detect unauthorized access or conduct security investigations
    • stored information for up to 30 days when it no longer had a business need to keep the information

  16. Peer-to-Peer Application Warning Letters
  • Notified almost 100 organizations that files containing PII were being shared from their computer networks to P2P networks
  • FTC simultaneously released business education on risks associated with P2P
  • Dartmouth study found thousands of documents with sensitive patient information on P2P networks

  17. Social Networking: Twitter
  • Twitter (2010)
  • FTC alleged Twitter failed to require strong administrative passwords, store administrative passwords securely, require periodic password changes, or suspend accounts after repeated login failures
  • Consumers’ non-public tweets were revealed and unauthorized tweets were sent from accounts
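As an added illustration of two of the controls the Twitter slide says were missing (this is example code written for this page, not anything from the FTC or from Twitter), the snippet below enforces a password-strength policy for administrative accounts, stores credentials as salted PBKDF2 hashes rather than plaintext, and suspends an account after repeated failed logins. The threshold of five failures, the 15-minute lockout, the cookie-free in-memory store and the sample credentials are all assumptions chosen for the example.

```python
"""Added example (not part of the FTC presentation): minimal admin-account guard
showing a password-strength policy, hashed credential storage, and suspension
after repeated login failures. Thresholds and sample data are constructed."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # suspend after this many consecutive failures (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long a suspended account stays locked (assumed policy)
MIN_LENGTH = 12             # minimum admin password length (assumed policy)
PBKDF2_ROUNDS = 100_000


def password_is_strong(pw: str) -> bool:
    """Require MIN_LENGTH characters and at least three of four character classes."""
    if len(pw) < MIN_LENGTH:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so a stolen credential file does not yield plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AdminAccounts:
    """In-memory account store; `clock` is injectable so lockout expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}  # username -> {"salt", "digest", "failures", "locked_until"}
        # Dummy salt used to keep timing uniform for unknown usernames.
        self._dummy_salt = os.urandom(16)

    def create(self, user: str, pw: str) -> None:
        if not password_is_strong(pw):
            raise ValueError("password does not meet the administrative strength policy")
        salt, digest = hash_password(pw)
        self.accounts[user] = {"salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0}

    def is_locked(self, user: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and self.clock() < acct["locked_until"]

    def login(self, user: str, pw: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Never reveals whether the username exists."""
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(pw, self._dummy_salt)  # same work as a real check
            return "denied"
        if self.is_locked(user):
            return "locked"
        _, digest = hash_password(pw, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = self.clock() + LOCKOUT_SECONDS
            acct["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AdminAccounts()
    store.create("admin", "Tr0ub4dor&3xyz")     # constructed sample credential
    for guess in ["a", "b", "c", "d", "e"]:
        print(guess, store.login("admin", guess))
    print("correct password while locked:", store.login("admin", "Tr0ub4dor&3xyz"))
```

A correct password submitted during the lockout window is still refused, which is the point of suspension: the control limits guessing regardless of whether a guess eventually succeeds. In production the failure counter and lock timestamp would live in a shared store so that the limit cannot be reset by hitting a different server.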

  18. Employee Data: Ceridian/Lookout Services
  • Ceridian/Lookout Services (2011)
  • FTC alleged the companies failed to use reasonable and appropriate security to protect the personal information of their clients’ employees
  • Ceridian is a payroll processor and Lookout Services provided employers assistance with complying with immigration laws

  19. Privacy Roundtables
  • Three public roundtables to explore privacy in light of new technologies, including social media
  • Significant public participation
    • 200 participants reflecting range of perspectives
  • Transcripts and comments on FTC’s website

  20. Roundtable Themes
  • Increased collection and use of consumer data
  • Lack of understanding and informed consent
  • Consumers are interested in privacy
  • Benefits of data collection and use
  • Decreasing relevance of PII/non-PII distinction

  21. Privacy Report – Proposed Framework
  • Companies Should “Bake in” Privacy
    • Employ reasonable safeguards to protect data
    • Limit collection and length of retention
    • Procedures to promote data accuracy
    • Implement internal privacy programs
  • Simplified Privacy Choices
    • Carve out commonly accepted business practices – fraud prevention, fulfillment
    • All other practices should have simple choice at relevant time and context
  • Improve Transparency
    • Improving and standardizing privacy disclosures to compare across businesses
    • Tiered access to consumer data that companies maintain
    • Consumer education

  22. Behavioral Advertising
  • Industry has made some progress in developing and implementing tools to allow consumers to control the collection and use of their online browsing data.
  • Privacy report included a recommendation to implement a universal choice mechanism for behavioral tracking, including behavioral advertising.

  23. Do Not Track – 5 Issues to Consider
  • Any system should be implemented universally, so consumers do not have to opt out as they go from site to site
  • The choice mechanism should be easy to find, easy to understand, and easy to use
  • Any choices offered should be persistent and should not be deleted
  • Any system should be effective and enforceable
  • Any system should let consumers opt out of being tracked through any means and not permit technical loopholes

  24. Recent FTC Privacy Enforcement
  • Google Buzz
    • FTC alleged Google did not adequately disclose to Gmail users that signing up for Buzz meant the identity of their frequent email correspondents would be made public, OR that they would be enrolled in some features of Buzz even if they chose not to sign up.
    • First FTC settlement to require a company to adopt a comprehensive privacy program.

  25. Recent FTC Privacy Enforcement
  • Chitika
    • Online advertising company tracked consumers’ online activities even after they chose to opt out of online tracking
    • Unbeknownst to consumers, the opt-out cookie only lasted for 10 days
    • FTC alleged that Chitika’s claims about its opt-out mechanism were deceptive
  • ScanScout
    • Online behavioral advertising company deceptively claimed to users they could opt out of receiving targeted ads by changing their browser settings
    • In truth, company used flash cookies for tracking that browser settings could not block
    • Order requires company to adopt user-friendly mechanism that allows consumers to opt out of being tracked
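The Chitika and ScanScout slides describe two ways an opt-out can silently fail: the opt-out cookie expires too soon, and tracking continues through a storage channel the opt-out never reaches. As an added example (written for this page, not code from the FTC or from either company), the snippet below issues an opt-out cookie in the short-lived form the Chitika slide describes, issues the persistent form beside it, and then makes the tracking decision on the server from the opt-out state alone, so that no alternative client-side storage can bypass it. The cookie name `ad_optout`, the five-year lifetime and the sample tracking id are assumptions.

```python
"""Added example (not part of the FTC presentation): opt-out cookie lifetimes
and a server-side tracking decision that honors the opt-out. Names, lifetimes
and sample values are constructed for illustration."""
from http.cookies import SimpleCookie

OPT_OUT_NAME = "ad_optout"          # assumed cookie name
TEN_DAYS = 10 * 24 * 3600           # the lifetime the Chitika slide describes
FIVE_YEARS = 5 * 365 * 24 * 3600    # assumed persistent lifetime


def opt_out_set_cookie(max_age: int) -> str:
    """Build the Set-Cookie value for the opt-out flag with the given Max-Age."""
    c = SimpleCookie()
    c[OPT_OUT_NAME] = "1"
    c[OPT_OUT_NAME]["max-age"] = max_age
    c[OPT_OUT_NAME]["path"] = "/"
    c[OPT_OUT_NAME]["secure"] = True
    c[OPT_OUT_NAME]["httponly"] = True
    return c.output(header="").strip()


def weak_opt_out() -> str:
    """Opt-out that silently lapses after 10 days (the problem described on the slide)."""
    return opt_out_set_cookie(TEN_DAYS)


def persistent_opt_out() -> str:
    """Opt-out that outlives any realistic browsing session."""
    return opt_out_set_cookie(FIVE_YEARS)


def is_opted_out(cookie_header: str) -> bool:
    """Parse the request's Cookie header and report whether the opt-out flag is present."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    return OPT_OUT_NAME in c and c[OPT_OUT_NAME].value == "1"


def tracking_response_headers(cookie_header: str) -> list:
    """Headers to attach to an ad response.

    The decision is made here, on the server, from the opt-out flag alone:
    if the user opted out, no tracking identifier is issued by any channel,
    so a second storage mechanism (the ScanScout pattern) never comes into play."""
    if is_opted_out(cookie_header):
        return []
    c = SimpleCookie()
    c["track_id"] = "constructed-id-0001"   # constructed sample identifier
    c["track_id"]["max-age"] = FIVE_YEARS
    c["track_id"]["path"] = "/"
    return [("Set-Cookie", c.output(header="").strip())]


if __name__ == "__main__":
    print("weak:      ", weak_opt_out())
    print("persistent:", persistent_opt_out())
    print("tracking after opt-out:", tracking_response_headers("ad_optout=1; session=abc"))
    print("tracking without opt-out:", tracking_response_headers("session=abc"))
```

Max-Age is the whole difference between the two opt-out forms; the rest of the attributes are identical. The second half is the part the ScanScout slide motivates: an opt-out is only effective if every code path that would issue or read a tracking identifier checks the same flag first.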

  26. Implications of new technologies
  • Cloud computing
  • Mobile

  27. Questions?
  • More information available at: www.ftc.gov
  Kristin Krause Cohen, Federal Trade Commission, kcohen@ftc.gov
