Secure Times Spring 2010
The Secure Times
VOLUME 5, NO. 1 | SPRING 2010
NEWSLETTER OF THE SECTION OF ANTITRUST LAW’S PRIVACY AND INFORMATION SECURITY COMMITTEE

IN THIS ISSUE
Where Are We Headed? Sorting out the Legal and Policy Questions around Location Apps, By Saira Nayak . . . 2
Will Laws That Build Upon PCI-DSS Lead to Greater Security? By Chris Nutt and Frank Nagle . . . 9
The New Wave of Privacy and Data Security Considerations Affecting Cross Channel Marketing by Retailers, By Benita Kahn . . . 14
Data Security and Privacy Audits: Steps to Protect Reports, By Dana Rosenfeld and Kristin Hird . . . 20
When Does an Organization Have a P2P Problem? By Kristin Cohen . . . 23
National Data Security Standards: Potential Implications of Preemption, John Fedele . . . 28

EDITORS:
Alysa Zeltzer Hutnik, ahutnik@kelleydrye.com
Mary Ellen Callahan, mary.ellen.callahan@dhs.gov
David B. Esau, desau@carltonfields.com
Carla A. R. Hine, chine@mwe.com

The Secure Times is published by the American Bar Association Section of Antitrust Law’s Privacy and Information Security Committee. The views expressed in The Secure Times are the authors’ only and not necessarily those of the American Bar Association, the Section of Antitrust Law or the Privacy and Information Security Committee. If you wish to comment on the contents of The Secure Times, please write to the American Bar Association, Section of Antitrust Law, 321 North Clark St., Chicago, IL 60610.

COPYRIGHT NOTICE
Copyright 2010 American Bar Association. The contents of this publication may not be reproduced, in whole or in part, without written permission of the ABA. All requests for reprints should be sent to: Director, Copyrights and Contracts, American Bar Association, 321 N. Clark, Chicago, IL 60654, FAX: 312-988-6030, email: copyright@abanet.org.

A Word From the Chair:

We are pleased to present this latest edition of The Secure Times. This issue has a particular focus on practical considerations associated with business and legal issues facing many privacy and data security practitioners – whether as a result of new technology, evolving privacy standards, data security threats, or new legal requirements. Articles include a legal and policy analysis of locational mobile applications; a forensic view of PCI-based laws and whether they are likely to improve security practices; evolving privacy considerations in cross-channel marketing; privilege considerations with data security and privacy audit reports; P2P risks and remediation strategies; and potential effects of nationalizing data security standards. We hope that you find this information informative and useful.

Please also check out the Privacy and Information Security Committee’s website, and our online forum, www.thesecuretimes.com, which tracks the latest developments on privacy and security issues, courtesy of our terrific contributors to our monthly privacy updates. Finally, as always, if you would like to become more involved in our Committee – whether as a speaker, article or blog contributor, or in a behind-the-scenes role – please let us know.

Happy reading.

Alysa Z. Hutnik

Where Are We Headed? Sorting out the Legal and Policy Questions around Location Apps
Saira Nayak

From Silicon Valley to Silicon Alley, the mobile web is booming with location applications (apps) featuring “geo-location”1 – a type of technology that associates the location of your computer or phone with a physical venue such as a restaurant or a store.2 This technology allows companies to gain valuable real-time information about the marketplace and their customers, while also providing users with relevant, location-specific discounts and services. Geo-location is having a truly transformative impact on the online marketing business – because it is able to bring discounts and promotions directly to the point of purchase.3

As “geo-marketing” heats up, so does the need to counsel companies that are considering use of location apps in their marketing efforts. This article delves into some of the legal and policy considerations under laws in the United States that privacy practitioners may want to consider when counseling companies on the privacy and security impact of geo-location and location apps. The article also discusses the important market developments and other factors that are driving adoption of this important and increasingly useful technology.

Location Apps: Old Wine in a New Bottle

Geo-location technology has been in use since 1999 and has a wide range of application. Online retailers and payment processors use it to authenticate users; the technology is also used in electronic tolling systems on bridges, and in the monthly swipe cards you use on public transit systems.4 On your phone, location apps work to identify current location using your computer’s IP address or your smart phone’s GPS chip.

Location app development and adoption accelerated with the introduction of smartphones.5 Industry insiders point to the iPhone and Google Maps (an early location app) as some of the first examples of geo-location at work. With over 45 million devices sold worldwide, the iPhone continues to be a significant factor driving geo-location (and smartphone) adoption worldwide.6 Development of location-based apps is also active on other smartphone platforms – such as Google’s Android and Microsoft’s Windows Mobile.

Location apps can be plugged in to existing social media platforms – such as Facebook and Twitter – which allow third-party developers to integrate geo-location apps into their service.7 This means that, with little technological investment, a company can leverage the capabilities of existing platform services – like Facebook – to further
its marketing strategy. That’s precisely what McDonalds aimed to do when it “friended” Facebook in a well-publicized marketing deal recently. Working together, the companies plan to create a location app that will direct you to the nearest McDonalds location. The app will also allow users to personalize their location-based Facebook status updates with pictures of a favorite McDonald’s indulgence.8

Many other companies are starting to integrate geo-location into their loyalty program and marketing efforts through innovative location apps that run on a user’s smartphone.9 Examples include:

• Macy’s and Best Buy, who are working with Shopkick, a Palo Alto-based start-up, on a mobile app that will enhance consumers’ brick-and-mortar shopping experience by providing “personalized offers, product information and peer advice, as well as guidance on which stores have the best offers.”10 Shopkick was the creator of Causeworld, an extremely popular mobile app that allows shoppers to redeem “karma points” while shopping at participating retailers, and then convert those points to charitable donations.

• The Loopt mobile app11 allows consumers to check in to various locations (retailers, restaurants), and instantly share consumer check-ins with their network. Loopt also works with retailers to provide coupon offers at the point of interest, eliminating the need to coupon clip.

• Foursquare12 combines the fun of a game with the utility of geo-location by allowing consumers to earn badges based on the number of places they’ve checked into. The company recently introduced a tool that allows participating businesses to see data on their Foursquare-using customers: number of check-ins, how many check-ins are male or female, etc. Foursquare also allows development of compatible applications on its platform. For instance, Yipit13 is a Foursquare plug-in that determines the consumer’s best daily deal at shops, retailers and restaurants in his or her area. Because Yipit plugs into Foursquare, it also lets consumers know if there’s a good deal going at one of the places the consumer has previously checked into using Foursquare’s app.

• Pepsi is about to launch Pepsi Loot, which it describes as “the first geo-based iPhone application that has a loyalty program associated with it.”14 This location app will connect users to the ecosystem of over 200,000 restaurants or “Pop Spots” that serve Pepsi products. With this many locations, Pepsi customers will have plenty of opportunities to earn and redeem Loot points for discounts and other goodies (like exclusive music and video downloads). Pepsi is also working to integrate its loyalty program into Foursquare’s mobile app; Pepsi Loot users would get a Foursquare notification when they are close to a Pepsi Pop Spot.

These examples illustrate the rich diversity of companies (and business models) currently integrating geo-location into their product or market strategy.

How Does Current US Law Apply to Location Apps?

We’ve seen that geo-location is both an exciting technological trend and an important marketing tool – one that provides crucial, time-sensitive data to companies about their customers. Combining customers’ data profile with their precise geographic location can be clearly beneficial to a company’s promotional efforts. In the absence of a comprehensive federal privacy framework addressing geo-location, how should legal advisors counsel companies seeking to capitalize on this exciting technology? What
type of obligations does this type of data collection trigger under current federal and state laws?

Here are some important points to remember when counseling clients on the data security and privacy implications of using location apps in a product or marketing strategy:

Know Your App

Factual due diligence is very important when counseling companies around the use of geo-location and location apps. It is important to be mindful of policies around the collection and storage of geo-location data, and whether that data can be linked to individual users.15 When combined with personal information, geo-location data can be extremely sensitive. The ability to create a “super data profile” – that merges a user’s personal information with their location – has raised privacy concerns with both consumer advocates and regulators.16

Ideally, the legal advisor would already be familiar with the company’s business model and technology. A preliminary step would be to review the company’s existing information security practices to determine what type of personal information is already being collected and the data flows for that information. Next, the legal advisor would need to determine how the location app would collect data, how that data would be stored, and what data flows are involved.

The data flow question is critical. To get the full answer, the legal advisor will need to ask questions about whom the company is partnering with for development, deployment, and marketing of the location app. Will the company share geo-location data with an online advertiser or marketer? Will the company host the location app on its own mobile or Internet website, or on a social-media platform like Facebook? Does the company want to develop a virtual loyalty-based program for its users using geo-location services like Loopt or Foursquare? In such cases, it’s a good idea to review the terms of service and privacy policies of other parties implicated by the agreement.

For example, if your client is developing a mobile app with geo-location features for the iPhone, then you will want to review Apple’s iPhone developer agreement to make sure that the technology meets Apple’s requirements for iPhone apps. For instance, a recent version of the iPhone Developer Agreement requires that all iPhone apps that use “location-based APIs” be compliant with “all applicable privacy and data collection laws and regulations….”17 Once the location app is deployed, it’s a good idea to monitor partner policies for important changes. For example, Apple recently announced changes to its developer policy that prohibit use of the iPhone’s geo-location features for apps that are designed primarily to deliver targeted ads.18

Once the factual due diligence is complete, and before the location app or service is launched, the company should amend its information security practices, as well as its privacy and other notices, to reflect the collection and use of geo-location data.

Do FTC Principles on Behavioral Advertising Apply?

Two years ago – in a particularly prescient move – the FTC held a town hall meeting on mobile marketing, where it specifically discussed the privacy impact of location-based services.19 The FTC’s findings from that workshop are included in a report discussing the FTC’s Self-Regulatory Principles for Behavioral Advertising.20 The four Principles21 are not binding regulations or statutes, but they do provide guidance for self-regulatory efforts. They are:
Principle 1 – Transparency and Control;
Principle 2 – Reasonable Security and Limited Data Retention of Consumer Data;
Principle 3 – Affirmative Express Consent for Material Retroactive Changes to Privacy Promises; and
Principle 4 – Affirmative Express Consent to (or Prohibition Against) Sensitive Data.

The Principles specifically apply to companies engaged in “behavioral advertising” – which is defined as “the tracking of consumers’ online activities over time … in order to deliver advertising targeted to the individual consumer’s interests.”22 The Principles omit first-party advertising, i.e., ads generated in response to a single website visit or search query, from the definition.

Based on the testimony at the 2008 Town Hall and other comments, FTC staff has recommended that “precise geographic location” be classified as a sensitive category of information – one that deserves “heightened protection.”23 As we saw earlier, FTC staff also recommend that an “affirmative express consent” or user opt-in be obtained for collection of sensitive data. Since the Principles are intended to provide self-regulatory guidance, companies should strongly consider using opt-in notice for location apps – especially if they also plan to use the collected data for targeted advertising efforts.

Be Aware of Liability under Deceptive or Unfair Trade Practices Laws

Under Section 5 of the FTC Act,24 and similar state statutes,25 companies can be prosecuted for privacy violations stemming from a “deceptive” notice. Put differently, a company that captures data for one purpose, and then proceeds to use that same data for another purpose that is inconsistent with its privacy policy, may be liable under state and federal26 deceptive trade practices laws. To avoid this type of risk, companies should make sure that their data collection and use matches what is laid out in the company’s privacy policies and notices.

A company can also be found to have engaged in an “unfair” practice under federal27 and state28 laws for failing to protect personally identifiable data.

With the proliferation of location apps on smartphones, companies may need to start thinking about different, more creative forms of notice29 to comply with federal or state laws – or risk losing users who eventually tire of being notified every single time the app is opened. Take the example of a mobile store locator app – a notification each time you open the app to locate a store would be redundant, especially since you are electing to have the app guide you to the store’s location in the first place. A less intrusive method, which would be just as effective, could be an initial notification – supplemented by key reminders for important events like software updates.

Federal and State Data Security Obligations

In instances where geo-location data is being combined with personal data to provide a service, legal advisors should be mindful of obligations that certain types of companies have under other federal and state laws for collection and protection of personal information. These include:

Children’s Online Privacy Protection Rule – Under authority from Congress, the FTC has issued rules governing the online collection of personal information from children, which apply to websites and online services that are directed to children under the age of 13.30 The FTC is
currently reviewing COPPA and considering, among other things, whether to expand the definition of “personal information” under the rule to include “mobile geo-location data.”31

HIPAA32 and FTC Health Breach Rule – If the company developing a location app is a “covered entity” under HIPAA, then activities involving personal health information may come under the ambit of HIPAA and the FTC’s Health Breach Notification Rule. Under the recent HITECH amendments, HIPAA obligations now apply to “business associates” of covered entities, such as third party service providers.33

FACTA and The FTC Red Flag Rules – Under authority from the Fair and Accurate Credit Transaction Act or “FACTA,” the FTC has promulgated the Red Flags Rules, which it will enforce starting December 31, 2010. These Rules require that “creditors” and “financial institutions” develop written information security programs that identify potential “red flags” for identity theft.34 Companies that come within the ambit of this rule may consider red-flagging geo-location data – particularly if it is used in combination with personal information to deliver targeted ads or services.

Section 222 of the Federal Communications Act – requires that telecommunications providers take specific steps to secure customer proprietary network information (CPNI).35

Electronic Communications Privacy Act – sets out requirements under which the government can access private Internet communications. This includes elevated process such as a warrant for certain categories of personal information that are considered “content.”36

State Security Breach Notification Laws – a majority of states have laws that require consumers to be notified in the event that their “personal information” is “breached.”37

State Safeguard Laws – eight states, including California, Maryland and Texas, have enacted general safeguard laws to protect personal information.38

State Business Record Disposal Laws – at least 19 states now have laws that regulate the disposal of business records containing personal information.39

Massachusetts Data Security Regulations – oblige companies to encrypt the personal information of Massachusetts residents.40 These encryption requirements apply broadly and include personal information stored on laptops as well as other portable devices.41

Applicable Law from Other Jurisdictions

While this article focuses on the application of U.S. law, legal advisors should consult laws and guidance from other relevant jurisdictions. European law, in particular, may differ from U.S. requirements. For instance, Europe’s e-Privacy Directive states that an individual’s location data may not be stored once the service is provided – unless that data is needed for billing and interconnection purposes.42 These laws continue to evolve rapidly; Mexico just announced its first-ever Federal Law for the Protection of Personal Data, which prescribes regulations for both public and private entities.43

Looking Ahead: Regulation and the Future of Location Apps

The future of geo-location technology and location-based apps is closely aligned with the ongoing debate around what constitutes effective regulation of privacy and data
security online. This is a debate that continues to evolve in all branches of government – administrative, judicial, and legislative. The FTC has signaled its intent to articulate a national framework to protect consumers’ privacy online, while also supporting self-regulatory approaches. Congress is currently considering federal privacy legislation that will impose additional notice obligations on companies with regards to the collection and use of personal data.44 Privacy legislation has been introduced in Congress that classifies “precise geolocation information” as sensitive data, and would require that the user specifically opt in to use of this type of data for advertising purposes. Finally, in a decision that will likely impact privacy analysis for all types of electronic communications, the Supreme Court is currently considering the important question of whether there is a reasonable expectation of privacy in text messages sent by government employees under the Fourth Amendment.45

In addition to government attention on the issue, consumer advocates have been publicly vocal about their policy concerns with geo-location. These concerns mostly focus on the ability of governments and other entities to create comprehensive data profiles that may compromise a user’s locational and other privacy.46 The Electronic Frontier Foundation, in its whitepaper on locational privacy, highlights two additional concerns: retention of geo-location data may subject a company to legal requests for data, and storing geo-location data over extended periods of time will increase the likelihood of identity theft.

Proponents argue that geo-location has some very beneficial uses – some of which have yet to be discovered – and that over time, these benefits will outweigh the privacy concerns about the technology. Consider, for instance, the utility of being able to locate a lost phone, or being allowed to remotely power off a lost phone to protect valuable data. Clearly these are valuable uses of the technology that should not be restricted due to locational privacy concerns.

It is likely that our perspective on location apps will change with increased adoption of geo-location technologies. Already, geo-location is becoming an almost ubiquitous feature of the mobile web – a feature that enhances other applications and services. Will widespread adoption of this technology eventually alleviate privacy concerns about its use? Much of that answer will lie in how favorable the user experience is with the technology, and whether people are able to trust that their personal information will not be compromised by use of a location app or service. One thing is certain – it is likely that the rules governing the collection and use of geo-location data will change in the near future. Legal advisors and practitioners should continue to monitor all activity – government-initiated, as well as that in the court of public opinion.

Saira Nayak is a Principal at Nayak Strategies, where she counsels companies on privacy and data compliance, as well as regulatory outreach. She can be reached at saira@nayakstrategies.com. The information contained in this article is not intended as, nor should it serve as a substitute for, legal advice, which turns on specific facts.

Endnotes

1 Apparently, “geo-location” is the tech buzzword of the year. Daniel Ionescu: Geolocation 101: How it Works, the Apps, and Your Privacy, http://www.pcworld.com/article/192803/geolocation_101_how_it_works_the_Apps_and_your_privacy.html (last visited May 14, 2010).
2 Wikipedia.com, Geo-location, http://en.wikipedia.org/wiki/Geo-location (last visited May 14, 2010).
3 Stephanie Clifford, Linking Customer Loyalty with Social Networking, New York Times, April 28, 2010, http://www.nytimes.com/2010/04/29/business/media/29adco.html?emc=tnt&tntemail0=y.
4 Wikipedia.com, Geo-location Software, http://en.wikipedia.org/wiki/Geolocation_software (last visited May 14, 2010).
5 Wikipedia.com, Location-Based Service, http://en.wikipedia.org/wiki/Location-based_service (last visited May 14, 2010).
6 Sarah Perez: iPhone OS International Growth on the Rise, Still Dominates Mobile Web Traffic, http://www.readwriteweb.com/archives/iphone_os_international_growth_on_the_rise.php (last visited May 14, 2010).
7 This is how you can post your Foursquare check-ins on Facebook or add your current location to your tweets.
8 Emily Bryson York: McDonalds to Use Facebook’s Upcoming Location Feature, http://adage.com/digital/article?article_id=143742 (last visited May 14, 2010).
9 Simon Salt: What’s Next For Geolocation? Apps, Apps, Apps, http://www.readwriteweb.com/archives/whats_next_for_geolocation_apps_apps_apps.php (last visited May 14, 2010).
10 Shopkick Signs Major Partnership Deals with Best Buy and Macy’s in Lead-Up to App Launch in the Summer, http://www.prweb.com/releases/mobile/retail/prweb3923484.htm (last visited May 14, 2010).
11 Loopt, http://www.loopt.com/loopt (last visited May 14, 2010).
12 Foursquare, http://foursquare.com/ (last visited May 14, 2010).
13 Yipit, http://yipit.com/perch/san-francisco/ (last visited May 14, 2010).
14 Dan Butcher: Pepsi rolls out multifaceted LBS mobile loyalty initiatives, http://www.mobilemarketer.com/cms/news/database-crm/6138.html (last visited May 14, 2010).
15 FTC staff has recommended that “precise geographic location” be given “heightened protection.” FTC Staff Report, Self-Regulatory Principles for Online Behavioral Advertising (2009) (FTC BA Principles Report) at 42, http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.
16 Marshall Kirkpatrick, Location Data Sensitive Like Medical Information, Says Congressional Witness, http://www.readwriteweb.com/archives/location_data_sensitive_like_medical_information_s.php (last visited May 14, 2010).
17 iPhone Developer Program License Agreement, § 3.3.7, http://www.eff.org/files/20100302_iphone_dev_agr.pdf (last visited May 14, 2010).
18 Bruce Chen: iPhone Devs Not Allowed to Use Geo-location Just for Ads, http://www.wired.com/gadgetlab/2010/02/iphone-apps-not-allowed-to-use-geolocation-just-for-ads/ (last visited May 14, 2010).
19 See generally Transcript of Town Hall Record, Beyond Voice: Mapping the Mobile Marketplace (May 6, 2008) (Session 4, “Location-Based Services”), available at http://htc01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/050608_sess4.pdf.
20 FTC BA Principles Report, http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.
21 Id. at 30–42.
22 Id. at 46.
23 Id. at 42.
24 15 U.S.C. § 45(a)(1).
25 See, e.g., Massachusetts Consumer Protection Act, Mass. Gen. Laws ch. 93A, § 2(a) (2009).
26 See, e.g., In the Matter of Microsoft Corp., FTC Docket No. C-4069 (Dec. 20, 2002) (alleging that company violated privacy promises for its Passport product).
27 15 U.S.C. § 45(a)(1). See, e.g., Life is good, Inc., FTC Docket No. C-4218 (Apr. 16, 2008) (alleging that the company violated promises about the security provided for customer data); Petco Animal Supplies, Inc., FTC Docket No. C-4133 (Mar. 4, 2005) (same).
28 See, e.g., Cal. Bus. & Prof. Code § 17200 (West 2009).
29 It is notable that the following language was added to the final version of the FTC Behavioral Advertising Report: “Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.).” FTC BA Principles Report, at 48.
30 16 C.F.R. § 312.
31 See FTC Seeks Comment on Children’s Online Privacy Protections; Questions Whether Changes to Technology Warrant Changes to Agency Rule, http://www.ftc.gov/opa/2010/03/coppa.shtm.
32 42 CFR Part 2, § 164.501.
33 See Complying with FTC’s Health Breach Notification Rule, http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus56.shtm.
34 Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 16 C.F.R. § 681 (2007).
35 CPNI data includes phone numbers called, frequency, duration and timing of such calls and related services purchased by the consumer. 47 U.S.C. § 151 (1996).
36 The Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510.
37 See, e.g., Fla. Stat. Ann. § 817.5681(1)(a) (2009). According to a recent post on the Proskauer privacy blog, 46 states – with the exception of Alabama, Kentucky, New Mexico, and South Dakota – now have data breach laws. http://privacylaw.proskauer.com/2010/04/articles/data-breaches/its-not-too-late-to-come-to-the-party-mississippi-joins-45-other-states-by-enacting-a-security-breach-notification-law/.
38 California enacted the nation’s first general information safeguard law. Cal. Civ. Code § 1798.81.5(b) (2009).
39 See, e.g., Cal. Civ. Code § 1798.81 (2009).
40 Standard for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00 (2009), http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.
41 201 CMR 17.04(5).
42 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Article 9, para 1, OJ L 201, 31.7.2002.
43 The law also provides for up to $1.5 million in penalties for violations. http://www.senado.gob.mx/gace61.php?ver=gaceta&sm=1001&id=2879&lg=61 (last visited May 14, 2010).
44 Rep. Boucher and Rep. Stearns introduced a discussion draft of the yet un-named legislation on May 4, 2010. http://www.boucher.house.gov/images/stories/Privacy_Draft_5-10.pdf.
45 See generally City of Ontario v. Quon, 529 F.3d 892, cert. granted (U.S. Dec. 14, 2009) (No. 08-1332).
46 The Electronic Frontier Foundation has published a white paper on locational privacy, which it defines as “the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use.” Andrew J. Blumberg & Peter Eckersley: On Locational Privacy, And How to Avoid Losing it Forever, http://www.eff.org/wp/locational-privacy (last visited May 14, 2010).

Will Laws That Build Upon PCI-DSS Lead to Greater Security?
By Chris Nutt and Frank Nagle

Minnesota, Nevada, and Washington have enacted laws that provide financial institutions, e.g., banks, with the ability to recover the costs of reissuing payment cards after cardholder data has been stolen. With re-issuance costs estimated to be between “$20.00 and $50.00”1 for a single card, this could have a tremendous impact on many organizations.

Each state has its own requirements for protecting cardholder data, but most state laws rely, to some extent, on the Payment Card Industry Data Security Standard (PCI-DSS). It is clear, for example, that the PCI-DSS standards have impacted the state laws in Minnesota,2 Nevada,3 and Washington.4 In this article, we review the technical requirements of PCI-DSS to examine whether they will positively impact security and reduce payment card fraud.

Our analysis of PCI-DSS is split into two sections: weaknesses and strengths. Contrasting the technical requirements with real world implementation of best
10. The Secure Times VOLUME 5, NO. 1 | SPRING 2010
practices in various industries, including those not subject to PCI-DSS, we attempt to identify whether PCI-DSS’s technical requirements will “enhance cardholder data security.”

Weaknesses

There are several weaknesses in the PCI-DSS technical requirements, three of which are discussed in the following sections. We chose to discuss these three specific weaknesses in PCI-DSS because the recommendations are widely accepted security practices and their implementation would substantially increase the protection of cardholder data.

1. Encryption of Network Traffic

PCI-DSS requirements do not adequately protect cardholder data when it is transmitted across computer networks. Even though PCI-DSS requirement 4.1 requires the “use of strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission,” the standard falters in that it limits where these cryptosystems are required. The standard specifically states that cryptography need only be used over open, public networks, such as the Internet, wireless technologies, Global System for Mobile communications (GSM), and General Packet Radio Service (GPRS). While it is important to encrypt sensitive information over open networks, it is equally important to secure sensitive data transmitted over any network, including an organization’s Local Area Network (LAN) – the network that connects computer systems in a small physical area.

Sensitive data must be encrypted whenever and wherever it is transmitted because the security of the media and nodes cannot be guaranteed, even on a LAN. Having cardholder data transmitted unencrypted on any computer network introduces risk that the data will be intercepted. This is especially true because PCI-DSS does not require networks that store, process, or transmit cardholder data to be isolated from general purpose computing systems.5 This exposes cardholder data to risk from a breakdown in physical security (for example, an attacker connecting an external device to the network), as well as from general purpose computing systems that have been compromised. Because general computing systems are used to access the Internet and email, they are much more likely to be compromised. When these systems are not segmented from networks where cardholder data is stored, processed, or transmitted, they could be used to target cardholder data transmitted over a shared medium.

To reduce the risk of cardholder data being stolen during transmission, PCI-DSS should require that cardholder data be encrypted anytime and anywhere it is transmitted.

2. Application Privileges

PCI-DSS also does not require the concept of “least privilege” to be applied to application accounts. PCI-DSS requires least privilege to be applied to user accounts, but says nothing of the level of privilege assigned to application accounts. PCI-DSS requirement 7.1 addresses least privilege only from the perspective of “need to know,” meaning only users filling job roles that require access to cardholder data should have access to cardholder data.

Least privilege, however, is equally important for accounts used to run applications, especially when these applications have access to sensitive data. In order to function, applications must have access to system resources. As with user accounts, application accounts are often assigned privileges in excess of those required for the application to function properly. Taken alone, this is not a tremendous
risk because an attacker must first be capable of having the target application perform unintended tasks on the attacker’s behalf. Unfortunately, injection vulnerabilities,6 which result in an attacker executing code, other applications, or commands in the context of the application’s account, are very common and difficult to identify. Once a vulnerability is identified, excess privileges assigned to an application account could permit an attacker to access additional systems or data, posing a substantial risk to cardholder data.

PCI-DSS should require applications to be run with the minimum privileges necessary to operate properly. This is in line with a layered defense strategy, and would mitigate the risk to cardholder data.

3. Legacy Encryption and Authentication Protocols

The PCI-DSS standards also do not prevent the use of insecure authentication protocols. Legacy encryption and authentication protocols are mentioned only in the context of wireless networks. There are, however, legacy encryption and authentication protocols that are frequently leveraged by attackers to obtain unauthorized access to systems and data. One of the most common is the legacy LAN Manager hash (LM hash).

Password hashes are a way of storing and authenticating a user without storing the user’s password in clear text. In the Microsoft Windows7 95 and Windows 98 operating systems, the LM hash was used to store user passwords. The LM hash is a legacy method for storing passwords, and has substantial weaknesses8 that would allow an attacker to obtain a password from a password hash within seconds. For backward compatibility, LM hash support was built into all Microsoft operating systems and enabled by default until the release of Microsoft Windows Vista. Since every Microsoft operating system prior to Windows Vista stores passwords that are less than 15 characters as an LM hash, this vulnerability is a substantial risk to many organizations. While an attacker must be able to place and execute tools on a target system to access the LM hash, this has proven to be a simple task in many environments.

PCI-DSS should require applications to use secure encryption and authentication protocols outside of the context of wireless networks. This also is in line with a layered defense strategy, and would greatly mitigate the risk to cardholder data.

Strengths

PCI-DSS requirements do not address all security concerns or all security best practices, but the requirements do a good job of identifying first steps to protecting sensitive data. Our experience has shown that security best practices are rarely implemented when not required by an authoritative body such as the PCI Security Standards Council. Organizations often wait until they have been compromised and specific security best practices are recommended to them by an incident response firm. Because PCI-DSS requires adherence to a subset of security best practices that reduce risk and mitigate attacks, we believe that PCI-DSS improves security, and that laws that utilize PCI-DSS requirements as their basis will similarly help improve security.

In the sections below, we identify five specific PCI-DSS sub-requirements that are important to the overall defense of an organization and an effective incident response. These requirements highlight the strengths of PCI-DSS.
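The risk discussed under weakness 1 above (cardholder data crossing a LAN in the clear) can also be checked for rather than assumed away. The following Python is added here as an example and is not taken from the article: it scans recorded flow payloads from any segment, the internal LAN included, for Luhn-valid primary account numbers and masks what it reports. The hosts, flows and card numbers are constructed test values, and the (src, dst, proto, payload) tuple layout is an assumption of the example, not any capture tool's format.

```python
"""Detection check for cleartext cardholder data in transit.

Added example, not the article's code: it scans recorded flow payloads on
any segment (internal LAN included) for Luhn-valid primary account numbers.
All hosts, flows and card numbers below are constructed test values."""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum shared by payment card numbers; rejects most stray digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> list:
    """Return the Luhn-valid candidate PANs (digits only) found in a payload."""
    hits = []
    for match in PAN_PATTERN.finditer(payload):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Alerts carry only the last four digits so the alert log is not a second leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def audit_flows(flows) -> list:
    """flows: iterable of (src, dst, proto, payload) tuples (constructed layout).

    Anything not protected by TLS is inspected, whether or not the segment is
    considered internal, which is the point made under weakness 1 above."""
    findings = []
    for src, dst, proto, payload in flows:
        if proto == "tls":
            continue  # encrypted in transit; nothing to inspect
        for pan in find_pans(payload):
            findings.append({"src": src, "dst": dst, "proto": proto, "pan": mask(pan)})
    return findings


# Constructed sample flows: an HTTP checkout on the LAN, a TLS session, and two
# SMB transfers, one carrying a card number split with spaces and one carrying a
# 13-digit invoice number that fails the Luhn check (a false positive avoided).
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.5.80", "http", "POST /pay card=4111111111111111&exp=12/12"),
    ("10.0.5.21", "10.0.5.80", "tls", "<ciphertext>"),
    ("10.0.7.9", "10.0.7.10", "smb", "order 20100514 qty 12 sku 5500 0000 0000 0004 ok"),
    ("10.0.7.9", "10.0.7.10", "smb", "invoice 1234567890123 ref 4242424242424242"),
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"cleartext PAN {f['pan']} {f['src']} -> {f['dst']} over {f['proto']}")
```

Only TLS-protected flows are skipped; an unencrypted HTTP or SMB transfer between two 10.0.x.x hosts is inspected exactly like one crossing the Internet, which is the segment-independent stance the authors recommend. The Luhn check drops digit runs that merely look like card numbers, such as the 13-digit invoice number in the last sample flow, so the three findings are the HTTP checkout and the two SMB card numbers.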
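Weakness 2 (application privileges) and the injection flaw described in endnote 6 combine as follows. The Python below is an added example, not the article's code; it uses SQLite's authorizer hook as a stand-in for a database account grant, so that a hypothetical order-lookup service may read only the orders table while cardholder data sits in the same database. The tables, rows, queries and the crafted input are all constructed.

```python
"""Least privilege for an application account, shown with SQLite's authorizer.

Added example, not the article's code: the tables, accounts, queries and the
crafted input are hypothetical.  The authorizer plays the role a database
grant would play for a real application account."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Hypothetical order-lookup database: the service only ever needs the
    orders table, yet cardholder data lives in the same database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER, customer TEXT, total REAL);
        CREATE TABLE cards  (id INTEGER, customer TEXT, pan TEXT);
        INSERT INTO orders VALUES (1, 'alice', 19.99), (2, 'bob', 42.00);
        INSERT INTO cards  VALUES (1, 'alice', '4111111111111111'),
                                  (2, 'bob',   '5500000000000004');
    """)
    return conn


ALLOWED_TABLES = {"orders"}


def least_privilege(action, arg1, arg2, dbname, source):
    """Called by SQLite while each statement is compiled.  The application
    account may read the orders table and nothing else; writes are refused."""
    if action == sqlite3.SQLITE_READ:
        return sqlite3.SQLITE_OK if arg1 in ALLOWED_TABLES else sqlite3.SQLITE_DENY
    if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE,
                  sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def restrict(conn: sqlite3.Connection) -> sqlite3.Connection:
    conn.set_authorizer(least_privilege)
    return conn


def lookup_unsafe(conn, customer):
    # Vulnerable pattern: the input is spliced into the statement text, so a
    # quote in the input changes the statement itself (endnote 6's injection).
    sql = f"SELECT customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer):
    # Hardened pattern: a bound parameter is always treated as data.
    return conn.execute(
        "SELECT customer, total FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def attempt(fn, conn, customer):
    """Run a lookup and report either its rows or the authorizer's refusal."""
    try:
        return ("ok", fn(conn, customer))
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as DatabaseError
        return ("denied", str(exc))


# Constructed input that turns the unsafe statement into a read of the cards table.
INJECTED = "' UNION SELECT customer, pan FROM cards --"


def demo() -> dict:
    over_privileged = build_db()        # account can read every table
    least_priv = restrict(build_db())   # same data, privilege boundary attached
    return {
        "normal": attempt(lookup_unsafe, over_privileged, "alice"),
        "normal_least_priv": attempt(lookup_unsafe, least_priv, "alice"),
        "excess_priv": attempt(lookup_unsafe, over_privileged, INJECTED),
        "least_priv": attempt(lookup_unsafe, least_priv, INJECTED),
        "parameterized": attempt(lookup_safe, least_priv, INJECTED),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} {outcome}")
```

With the over-privileged connection the unsafe lookup hands back the contents of the cards table when fed the crafted input; under the least-privilege authorizer the same statement is refused before it runs, and the parameterized lookup returns no rows because the input stays data. The two controls belong together: the parameterized query removes the injection, and the privilege boundary limits what any flaw that remains can reach, which is the layered-defense point the authors make.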
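Sub-requirement 11.5 (file-integrity monitoring) is discussed under Strengths below, where the authors note that it is often skipped for lack of familiarity with how such products work. The following Python is an added example, not the article's code and not that of Tripwire or Osiris; it shows the mechanism in its simplest form: a hash baseline of a directory tree, a later snapshot, and a comparison reporting added, removed and modified files. The directory contents are constructed, as is the scenario of an edited configuration file, a dropped binary and a deleted log.

```python
"""Minimal file-integrity monitor in the spirit of sub-requirement 11.5.

Added example, not the article's code and not Tripwire or Osiris: record a
hash baseline of a tree, take a later snapshot, and report what was added,
removed or modified.  The directory contents below are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> (sha256, permission bits, size) for each regular file."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # link handling is a policy choice; this toy monitor skips them
            st = p.stat()
            state[p.relative_to(root).as_posix()] = (sha256_file(p), st.st_mode & 0o7777, st.st_size)
    return state


def save_baseline(state: dict, path: Path) -> None:
    # In practice the baseline lives off-host or read-only; otherwise an intruder edits it too.
    path.write_text(json.dumps(state, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return {k: tuple(v) for k, v in json.loads(path.read_text()).items()}


def compare(baseline: dict, current: dict) -> dict:
    """The periodic comparison; 11.5 asks for it at least weekly."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in both if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then apply the kinds of change
    an intrusion leaves behind (edited config, dropped binary, deleted log)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.5.80\n")
        (root / "bin" / "pos-agent").write_bytes(b"\x7fELF original agent")
        (root / "audit.log").write_text("2010-05-14 boot ok\n")
        baseline_path = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(snapshot(root), baseline_path)

        (root / "etc" / "app.conf").write_text("db_host=192.0.2.99\n")   # tampered config
        (root / "bin" / "helper").write_bytes(b"\x7fELF unexpected tool")  # new binary
        (root / "audit.log").unlink()                                       # log removed

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind}: {path}")
```

A real deployment keeps the baseline off-host or read-only, runs the comparison on a schedule (at least weekly per 11.5), and covers the system and configuration paths the authors mention; the comparison logic is the same as shown here, and every one of the three constructed changes surfaces in its own category.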
1. Log Analysis and Retention

Two of the five sub-requirements we chose to highlight originate from Requirement 10: “Track and monitor all access to network resources and cardholder data.” Tracking access to systems and resources, especially those containing cardholder data, is essential to properly respond to a security incident. The ability to utilize this data for a timely response after an intrusion relies upon both a regular review of logs and the availability of a long log history. These two issues are addressed by requirements 10.6: “Review logs for all system components at least daily…” and 10.7: “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.” Requirement 10.6 is crucial for early identification of intrusions, but logs are rarely reviewed on a daily basis in the real world. While free log aggregation and analysis tools are available,9 merchants often do not utilize these products, and in many cases logs are never reviewed.

In many investigations, we find that log analysis could have detected the incident, potentially reducing the window of exposure during which the attacker has access to the system. Logging as required by PCI-DSS results in a large number of log files. If these files are not analyzed in an automated and timely manner, security incidents will go undetected. Requirement 10.7 is critical for enabling investigators to properly understand the full scope of an intrusion. Because incidents are often not detected in a timely manner, it is important for organizations to retain a long history of logs. We have performed a number of investigations where important log information had not been saved, which drastically impeded the investigation. As PCI-DSS is adopted by state legislatures, sub-requirements 10.6 and 10.7 will force companies to better position themselves to detect and respond to intrusions.

2. File-Integrity Monitoring

Another sub-requirement that can significantly help with early detection of incidents is sub-requirement 11.5: “Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.” File-integrity monitoring software regularly checks important system files that are often altered by an attacker during an intrusion. By checking the integrity of these files at least weekly, organizations will be alerted to potential intrusions in a timely manner. Although file-integrity products are freely available,10 most companies do not utilize this fundamental defense mechanism due to a lack of familiarity with the workings of these types of products. We have performed many investigations where proper file-integrity checking would have alerted the organization to the breach much sooner than it was actually detected.

3. Vulnerability Scans After Significant Network Changes

Many of the PCI-DSS requirements deal with taking proactive actions to prevent intrusions from happening. One key sub-requirement that falls into this category is sub-requirement 11.2: “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.” PCI-DSS defines “significant changes” as including, but not limited to, the following:

New system component installations;
Changes in network topology;
Firewall rule modifications;
Product upgrades.

All of these events have the ability to significantly alter the security landscape of the network. The security of
the network should be re-assessed after any such changes. Getting a quarterly vulnerability scan by an approved vendor is one of the basic requirements of PCI-DSS, and most merchants who are familiar with the requirements understand and obtain such a scan. As states permit PCI-DSS compliance to form the basis of legal action, companies will be forced to better prevent intrusions by complying with sub-requirement 11.2.

4. Incident Response Plan

Finally, we highlight the last sub-recommendation in PCI-DSS, 12.9: “Implement an incident response plan. Be prepared to respond immediately to a system breach.” We have seen organizations both large and small that are not properly prepared to handle an intrusion, and often do not have any predetermined course of action when such an incident occurs. Having a plan to deal with intrusions is already a requirement for government organizations under the Federal Information Security Management Act (FISMA). A completed plan gives organizations the ability to rapidly handle intrusions when they occur, and often greatly reduces the impact of intrusions. While resources are freely available11 that offer templates for such plans, many organizations are not aware that this essential policy is required or even necessary. This can result in a chaotic response when an incident does occur. Not only does PCI-DSS require the creation of an incident response plan, it also requires that this plan be tested annually, and be modified to include lessons learned from actual intrusions. Testing and keeping the incident response plan as a living document are important steps in ensuring the organization is in a constant state of readiness for dealing with intrusions.

While all of the recommendations within PCI-DSS help an organization secure its information, we consider these five sub-recommendations to be crucial aspects of a secure environment that are often overlooked due to a lack of education about the importance of these defensive mechanisms and a lack of skill and time to implement them. As PCI-DSS becomes more incorporated in state (and potentially federal) law, these sub-recommendations will help organizations properly position themselves to react quickly and effectively to an intrusion when it occurs.

Conclusion

As more states build upon PCI-DSS to create laws, merchants will no longer face just fines from the PCI Council when they are not PCI-DSS compliant; they will also face a variety of legal actions. Exactly how these legal actions will affect small and large businesses remains uncertain. It is certain, however, that if these laws force merchants to fully comply with PCI-DSS, then these merchants will have a much higher security baseline, making it harder, although not impossible, for attackers to compromise payment cards. As with many laws, PCI-DSS-related laws will only be as strong as their enforcement. PCI-DSS in its current form relies on smaller merchants to self-certify that they are compliant, and many merchants do not even go that far, often never filing the appropriate paperwork to show compliance. If PCI-DSS-related laws are not actively enforced, then it is likely that this non-compliance will continue into the future. With effective enforcement, PCI-DSS has the potential to significantly impact the security of merchants’ networks positively.

Chris Nutt is a Managing Consultant at MANDIANT where he is responsible for incident response investigations and training in incident response. Over the past six years Mr. Nutt has worked with the Fortune 500, the federal government, and federal law enforcement to investigate
and remediate complex computer intrusions. Frank Nagle is a Senior Security Consultant at MANDIANT where he performs vulnerability assessments, incident response for PCI and non-PCI related intrusions, and incident response training.

Endnotes

1 http://www.infolawgroup.com/2007/06/articles/privacy-law/minnesotas-plastic-card-security-act/
2 Minnesota Plastic Card Security Act (H.F. 1758).
3 Nevada Security of Personal Information Law (NRS-603A).
4 Protecting Consumers from Breaches of Security (HB 1149).
5 General purpose computing systems are those not used for purposes other than storing, processing, or transmitting cardholder data.
6 Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands via supplying specially crafted data.
7 Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
8 Summers, W., Bosworth, E., “Password Policy: The Good, The Bad, and The Ugly,” Proceedings of the WISICT, Vol. 58 (2004).
9 Splunk 4.1, http://www.splunk.com; OSSEC 2.4, http://www.ossec.net/
10 Tripwire 2.4.2, http://sourceforge.net/projects/tripwire/; Osiris 4.2.3, http://osiris.shmoo.com/
11 U.S. Dept. of Commerce, “NIST Special Publication 800-61: Computer Security Incident Handling Guide,” National Institute of Standards and Technology (Mar. 2008); American Institute of Certified Public Accountants, “AICPA Incident Response Plan Template For Breach of Personal Information” (2004).

The New Wave of Privacy and Data Security Considerations Affecting Cross Channel Marketing by Retailers

Benita Kahn

The Shift in Cross Channel Strategies

Ten years ago it was not unusual for retailers to reach their customers through multiple channels that included brick and mortar, phone, direct mail and an e-commerce site, with most of the emphasis in the first three categories. Over the past ten years, however, the number of Internet users has increased five-fold from 360 billion users to over 1.8 trillion users.1 In a recent survey, it was determined that 74 percent of American adults use the Internet and, interestingly, 55 percent of American adults connect to the Internet wirelessly with WiFi connections on laptops or handheld devices like smartphones.2 The growth in the use of mobile phones is particularly notable, with 91 percent of Americans as mobile subscribers and 257 million “data-capable” devices active on U.S. carriers’ networks.3 All of this connectivity and mobility is changing the focus of the multi-channel retailer and explains why retailers are interested in new ways to make use of these mobile channels.

Not only are we seeing changes in the types of multi-channel communication, but we are also seeing more cross channel integration. Customers are researching, shopping, and returning in any combination of channels and in ways that were not predicted a few short years ago. It is now commonplace for retailers to serve coupons to customers through text messaging and honor the coupon by merely having the customer show the code to the sales associate. With 50 million smartphones in service in the
United States, retailers can take their marketing beyond sending a coupon by text message with applications that can be downloaded to the smartphone. Apple recently disclosed that it has over 100,000 applications in its App Store and over 3 billion apps have been downloaded.4 Many of these apps make use of geolocation information that is included in the mobile unit, which allows very specific regional marketing. The speed with which the first 500,000 iPads were sold suggests more engagement with technology by consumers while on the move. The ability to connect with these engaged individuals by offering WiFi in stores or through geolocation information while the customer is in the store creates instant cross channel experiences.

During this time, retailers have also begun to place more value on the role privacy plays in gaining the trust of their customers. A recent survey of retailers shows the emergence for the first time of the significance of privacy and security to cross channel marketing, which is noted as a top business opportunity. Forty-seven percent of those retailers surveyed indicated that proactively addressing privacy and data security will enable them to move forward with an aggressive cross-channel strategy.5 This shift also shows the importance of a cross channel strategy, which is requisite to keeping a competitive position. So there is little doubt that the retailer/customer interaction will incorporate many channels and new methods of communication. How privacy will be addressed in this quickly-changing communication process is a topic that is garnering much attention.

The Role of Privacy in the Economic Incentive

Goals for the cross channel strategy are to drive traffic, generate incremental sales, and grow sales volume. These goals, however, should benefit the consumer by driving down prices with the improved efficiencies in marketing. The goals should also result in providing consumers with relevant solutions to their needs. Email provides a good example of the economic incentive cycle. Email grew so quickly because it was more efficient than postal marketing. But with the growth of email, consumers were overwhelmed and much of the email was landing in bulk mail folders. The lesson learned was that sending what the customer wants means sending less email with a higher response rate. The benefit to consumers – a more targeted email.

Meeting the goals of a cross channel strategy requires data. Retailers need data to respond more quickly to changes in demand patterns, to reduce out of stocks, to match product offerings to the right customer, and to improve customer service. The gathering of this information has been accomplished through such things as point of sale (POS) scanning, electronic payment options, loyalty programs using swiped cards, and electronic order management. Accomplishing better offerings, however, requires aggregation and integration of data, which increases risk and complexity. The numerous data breaches over the last several years have demonstrated the risk and economic cost associated with collecting greater amounts of electronic data.

The complexity results from both state and federal laws. If information is obtained from the issuer of a retailer’s private label credit card, Gramm-Leach-Bliley concerns are raised. For example, how is the source of the data designated in a database? Given that the data can only be used in the manner the financial institution could use the data, there must be some means to designate that in the database as well. At the state level, Massachusetts has imposed very detailed data security requirements that must be addressed when storing and transmitting data.6 These rules, which went into effect on March 1, 2010, require implementation of a comprehensive information security program covering access controls, encryption, up to date software and patching, firewalls, monitoring of systems, and training. Washington, Minnesota, and Nevada have implemented data security requirements linked to an industry imposed standard – the Payment Card Industry Data Security Standards – resulting in a need to continually update compliance measures.

Retailers must also ensure that uses of data match the promises that were made when the data was collected. As part of this, a lesson that can be derived from some of the FTC consent decrees is management of third party vendors and the need to conduct due diligence, monitor, and contractually control those vendors.7 These third party vendors run the gamut from providers of applications for the smartphones to database management to providers of text message marketing campaigns. There must be a privacy professional involved in each aspect of planning at the outset who, first, must fully understand how the technology will work. Without this knowledge, it is not possible to accurately disclose data uses at the time of collection. There must also be oversight of what will be collected, who will retain and/or own the data (including evaluation of whether the retailer is merely building its vendor’s database), how the data will be stored and secured, due diligence with vendors, and, finally, the end of the life cycle of the data – its destruction. It is too difficult to reverse engineer the process later to implement these privacy protections. As a result of the complexity and the need for greater oversight, “privacy” as an isolated consideration has transitioned to a broader information governance or information risk management in more progressive companies.

This is all while keeping in mind that privacy is not just excluding or not collecting data, but rather is about understanding the desires and boundaries of the retail customer. It means developing trust and having a conversation with the customer through the channel selected by the customer and providing the information the customer wants to hear. Reaching the goals of data security, vendor management, oversight, and trust needed for a cross channel strategy will require an enterprise-wide focus. For success, policies must be driven from the top, define accountability, and then be communicated, implemented, and trained through thoughtful processes. The enterprise-wide policies should allow for privacy by design – bringing in all the necessary players at the front end of a marketing project, such as marketing, privacy, information technology, information security, finance, risk management, and legal.

The economic incentive does not rest solely in the hands of the retailer. Consumers have begun to understand the risk/reward value proposition when sharing their data, and privacy plays a role in this equation. As a result, retailers also need to understand the role of privacy in the risk/reward equation, and examples help demonstrate this. For consumers, the value of TJX is its discounted retail product. As a result, even after a significant data breach, consumers went back to TJX. But compare this to a mint.com that allows consumers to aggregate financial account information across multiple institutions. A core value of mint.com is trust, which also means control by the consumer. If mint.com were to have a data breach, it would lose this trust and likely many of its consumers. Knowing where the retailer stands on the value/risk/trust
continuum will also be essential in planning information governance and marketing strategies.

The Shifting Regulatory Focus

Not surprisingly, with this change of focus in cross channel marketing and more emphasis on the mobile marketing channel, new privacy and data security considerations are being raised by regulators and legislators. Over the last five to ten years, data breaches forced the focus of regulators on data security. During this time, however, companies were figuring out how to make use of data that is collected and were creating a knowledge economy, which may ultimately make privacy an important non-price element of competition. The recent FTC workshops8 and proposed privacy legislation9 indicate a shift back to a focus on privacy.

Concerns are being raised relating to new risks to privacy management, the user-generated nature of the Internet, and the transition to ever-expanding marketing through mobile-based communication channels. The issues under consideration are changing the historic view of privacy. Questions are being asked as to the need for a new paradigm to match the fast-paced changes. Specific paradigms that are being questioned include notice and consent and the concept of personally identifiable information and what that includes – all while trying to maintain the long standing privacy principles of fair information practices: notice, choice, access, redress, and accountability.

Currently, there are more questions than solutions. There is definite chatter that the concepts of notice and consent, and particularly privacy policies for the notice, may have outlived their usefulness. In the recent workshops, the FTC staff frequently cited a recent survey in which the majority of consumers believed a company with a privacy policy meant the company would not share information collected. The settlement approved by the FTC for asserted deception and unfairness violations by Sears Holdings Management Corporation (Sears) has provided additional support to question the validity of notice and consent.10 There is also a question of whether it still makes sense to make a distinction between personally identifiable information and non-personally identifiable information.

The problem with eliminating notice and consent is that no obvious replacement has yet appeared. There are, however, some consistent themes emerging. Regulators believe that privacy policies are too complicated, too vague, and too long for consumers to understand. Further, if there is to be consent, it must be informed consent. As implemented in the Sears consent decree, this requires disclosure of uses of data and whether such data will be shared with third parties in a manner that is clear, conspicuous, and unavoidable when considering size, color, contrast, location, and duration, and must be readable and understandable. The task ahead is how to make disclosures clear and conspicuous when moving from a 17” screen to a 2-4” screen on a smartphone. As important will be how to make disclosures clear and conspicuous prior to a consumer downloading an application that collects and uses data about the consumer through the smartphone. Suggestions so far include replacing privacy policies with a nutrition-type disclosure or a recognizable icon to scroll over. Another approach being discussed is proportionality. This would suggest limiting the amount of data collected to avoid nefarious uses later, and, as a result, limited collection would mean limited use and limited need for retention.

There are also questions about the need for policies and notices to consumers to cover all information collected, whether online or offline. Historically, retailers could limit privacy policies to only the information collected online.
But with the merging of offline and online through cross and legislators insist that the FTC investigate the privacy
channel marketing, regulators are questioning whether gaffes that occurred when these were introduced. This has
this model still works. For example, an online-only privacy led to an emphasis by the FTC on Privacy by Design – in
policy does not address how retailers will have meaningful other words, build privacy into the development life cycle
conversations with customers about these issues at their at the outset.
stores. When considering disclosures required for credit,
Accountability. Someone in the organization must have
state laws on return policies, tax issues, contract issues
a 360 degree view across all channels and all brands. Privacy governance models that are adopted must reflect the new cross channel world. This governance includes understanding the technology being used by your company and its vendors and administering the necessary controls.

There are also concerns over the concept of personally identifiable information, and whether PII can continue in a world where even anonymous data can be combined with enough other data to link it to email addresses, postal addresses, names, and other information to initiate targeted marketing. David Vladeck, the Director of the Consumer Protection Bureau at the FTC, stated at the recent FTC privacy workshops that the distinction between PII and anonymous information is a thing of the past. Director Vladeck therefore believes the question is how to build in transparency in clear and simple terms.11 As a result, the FTC appears to be moving away from PII and towards whether data can be tied to a person or device. This may lead to the possibility of including IP addresses as data that should be included in disclosures.

Conclusion

Retailers should take away four key messages with respect to privacy going forward:

Privacy by Design. The Facebook beacon and Google Buzz implementations are both examples of where privacy considerations were not considered sufficiently before going public with these functions. Both privacy groups

such as posting paycard association logos, there is little space left at the point of sale to disclose more. And with all of the other disclosures, it is unlikely that customers will read the postings.

Data Minimization. This has been a long-standing principle, but the business imperative to enhance the economic incentives will turn this into a push/pull conversation. Someone will need to be there to make the correct decisions for the retailer.

Transparency. Keep in mind that the privacy professional will have a different understanding of this term than the marketing professional. The privacy view is to have policies regarding collection and use visible, clear, and conspicuous. The marketing group understanding of transparency is making it non-intrusive. Someone must translate these differences and apply the risk/reward continuum to the conversation.

All of this means that the “simple” job of the privacy officer is becoming more complex. Not only will there be a continuing need to understand and comply with numerous privacy obligations, but it will now be necessary to build a strong relationship between marketing and privacy. With the focal point of data security, privacy officers worked closely with the information security professionals in their company who protect confidentiality. The new relationships that must be built for the cross channel strategy will
involve a much more complex group than just information technology. To allow the sharing of information, for example, this group will likely involve different members of information technology who are the database administrators. As retailers have begun to recognize, growing the brand through this cross channel strategy requires that privacy has an important seat at the table and it is the privacy professional who will need to act as the liaison among marketing, finance, compliance, and technology.

Benita Kahn is a partner in the Columbus, Ohio office of Vorys, Sater, Seymour and Pease LLP, and a vice chair of the ABA’s Privacy and Information Security Committee (within the Section of Antitrust). She is Chair of the Technology and Intellectual Property Group at the firm and she concentrates her practice in privacy, data security, contract negotiations and drafting, consumer protection issues, including technology and intellectual property matters and other new media advertising issues.

Endnotes

1 http://www.Internetworldstats.com/stats.htm, showing statistics from December 31, 2000 until December 31, 2009; accessed May 15, 2010.

2 http://www.pewInternet.org/Reports/2010/Internet-broadband-and-cell-phone-statistics.aspx?r=1; accessed May 15, 2010.

3 http://arstechnica.com/telecom/news/2010/03/wireless-survey-91-of-americans-have-cell-phones.ars; of the 257 million data capable devices, 50 million are smartphones capable of more advanced wireless services than SMS, MMS, and WAP browsing; accessed May 15, 2010.

4 http://www.apple.com/pr/library/2010/01/05appstore.html; accessed May 15, 2010.

5 The survey was conducted and reported by Retail Systems Research. The full results of this survey on “Building Trust and Growing the Brand: The Role of Privacy and Security in Retail 2010” can be found at http://www.retailsystemsresearch.com/_document/summary/1062, accessed on April 12, 2010. Of interest is that when the survey was taken in 2008, cross channel agendas did not show up as a business opportunity, as 74 percent had reduction of breach risk as their most important business opportunity and 59 percent stated PCI compliance as the top priority.

6 See Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.

7 See, for example, the recently announced FTC consent decree with Dave & Buster’s, available at http://www.ftc.gov/opa/2010/03/davebusters.shtm.

8 http://www.ftc.gov/bcp/workshops/privacyroundtables/; the series of day-long public roundtable discussions explored broader issues than just cross channel marketing issues of retailers and, in fact, addressed the vast array of 21st century technology and business practices that collect and use consumer data, such as social networking, cloud computing, online behavioral advertising, mobile marketing, data brokers, third-party applications, and other diverse businesses; accessed May 15, 2010.

9 See http://www.boucher.house.gov/index.php?option=com_content&view=article&id=1957, for the May 4, 2010 release of draft privacy legislation by Representatives Boucher and Stearns; accessed May 4, 2010.

10 See Sears Holdings Management Corporation, FTC File No. 082 3099 (2009), available at http://www.ftc.gov/opa/2009/09/sears.shtm. As noted in the press release, the FTC charged that Sears “failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software application.” While Sears disclosed it would track online browsing, it was only in a lengthy user license agreement, available to consumers at the end of a multi-step registration process, that Sears further disclosed that the downloaded software would “also monitor consumers’ online secure sessions – including sessions on third parties’ Web sites – and collect information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails.”

11 See transcripts from FTC workshops available at http://www.ftc.gov/bcp/workshops/privacyroundtables/; accessed May 15, 2010.
Data Security and Privacy Audits: Steps to Protect Reports

Dana Rosenfeld and Kristin Hird

As enforcement activities involving privacy and data security breaches increase and penalties for resulting law violations grow steeper, companies are increasingly turning to privacy audits to assess and strengthen their current practices. While a rigorous audit can identify and help a company to remedy vulnerabilities in its systems and policies, a written audit report can pose its own dangers if obtained by civil litigants or regulators seeking to build a case against the company.

Because there is no audit privilege established by statute or case law for privacy and data security audits, companies must rely on the sometimes spotty protection provided by the attorney-client privilege, work product privilege, or self-evaluative privilege. This article discusses the application of attorney-client privilege and self-evaluative privilege, and suggests best practices to increase the chances that an audit report will be protected from disclosure.

Outside counsel typically perform audits with assistance from in-house counsel, who often act in their dual capacity as attorney and as a corporate officer. Because an in-house attorney acting in this dual capacity can pose its own privilege issues, the use of outside counsel can assist in establishing privilege protection. Alternatively, in-house counsel may hire non-attorney support to conduct or assist with the audit. Work by non-attorney parties hired by attorneys to assist in providing legal advice is generally protected from discovery by the attorney-client privilege, but it may be more difficult for dual capacity in-house counsel directly hiring non-attorney third parties to establish this privilege. In both situations, the steps described below may support the assertion of the attorney-client privilege.

Application of Attorney-Client Privilege and Self-Evaluative Privilege

The attorney-client privilege provides protection from disclosure of confidential communications between attorney and client, with several exceptions. The Supreme Court’s seminal decision Upjohn Co. v. United States1 declined to employ the “control group” test previously used to limit privilege claims, and held that communications even from lower-level employees may be privileged depending upon the context of the communication. While the Court noted that the purpose of the communication must be to secure legal advice for the corporation, it declined to adopt a bright line rule, instead concluding that the existence of the privilege must be determined on a case-by-case basis.2 The Court approvingly cited five factors previously outlined in the modified subject-matter test of Diversified Industries, Inc. v. Meredith,3 and recognized three additional elements. The eight elements identified by the Court are that the communications were made: (1) to secure legal advice; (2) by employees at the direction of corporate superiors; (3) solicited so that the corporation could secure legal advice; (4) concerning matters within the scope of the employees’ corporate duties; (5) kept confidential by the corporation; (6) made to counsel acting as such; (7) were considered confidential when made; and (8) by employees aware that they were being questioned so that the corporation could obtain legal advice.4

Subsequent decisions have shown a lack of predictability in determining whether attorney-corporate client com-