Skip to main content

Privacy and Security Bits and Bytes

Our Friday feature is back!

  •  FTC Imposes Largest Civil Penalty Ever for Violation of Children’s Online Privacy Protection Act (COPPA) – Magic Kingdom Subsidiary Pays Up

The Chairman of the Federal Trade Commission, Jon Leibowitz, said:  It's the law, it's the right thing to do, and, as today's settlement demonstrates, violating COPPA will not come cheap.

Amidst allegations that a major online game developer – a subsidiary of Disney Enterprises, Inc. – illegally collected and disclosed personal information from hundreds of thousands of children under age 13, the FTC yesterday released a consent judgment against Playdom, Inc. and one of its executives imposing a $3 million dollar civil penalty – the largest civil penalty ever for violation of COPPA.

According to the FTC complaint, Playdom, Inc., a developer of online multiplayer games, and the company’s Chief Executive Officer, Howard Marks, operated approximately 20 online virtual world websites that enabled users to access online games and other activities.  The FTC alleged that in over 1.2 million instances, defendants collected, used or disclosed the personal information of children in violation of COPPA.  Specifically, the complaint asserted that the defendants (1) collected children’s personal information and enabled children to publicly disclose their personal information through personal profile pages and community forums, which contradicted statements made by the defendants in their privacy policy, (2) used a privacy notice that “did not clearly, completely, or accurately” disclose all of the defendants’ information collection, use and disclosure practices for children, (3) failed to provide parents with a direct notice of their information practices prior to the collection, use and disclosure of children’s personal information, and (4) did not obtain verifiable consent from parents prior to such information processing, as required by the FTC rules implementing COPPA.

More reading:

Mercury News

Bloomberg News

  • Lawrence, Massachusetts Alley Reveals Hundreds of Illegally Dumped Personal Records

When you see a story like this, the reaction is “There oughta be a law!”   In this case, there is.   Despite the Massachusetts law (M.G.L 93H) establishing standards for “proper” disposal of records containing personal information – and setting civil penalties for “improper” disposal --  a public alley in Lawrence, Massachusetts is the resting place for many garbage bags overflowing with sensitive personal information and dumped papers in clear view, including blank checks, Social Security cards, and patient records from a doctor’s office.  According to published and broadcast reports, after discovery of the dumping, many of the bags had been removed from the alley by unknown persons.  Lawrence officials are still investigating – but there has been no comment from the Massachusetts Attorney General’s office (charged with enforcing the Massachusetts statute) on the matter.

  • PIN Pad Tampering Probe at Michaels Craft Stores Expands

Texas-based arts and crafts store Michaels announced that besides Chicago, PIN pads in 19 additional states were tampered with. Michaels released a statement on May 4 stating its Chicago-area customers should monitor their accounts as a result of PIN pad tampering in area stores.

Although Michaels identified less than 90 PIN pads that were affected, it removed 7,200 similar PIN pads from stores nationwide as a cautionary measure. It intends to replace the removed PIN pads within 15 days. The company again urged customers to monitor their bank accounts and to inform their financial institutions if they discover unusual activity.

The states affected are Colorado, Delaware, Georgia, Iowa, Illinois, Massachusetts, Maryland, North Carolina,  New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington.

More reading - BankInfoSecurity

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.