Privacy Monday - November 18, 2013
The month of November is quickly slipping by - this is the time to be looking at the 2014 cybersecurity and data privacy goals and updates and planning ahead.
Our selected bits and bytes for this Monday:
FTC Denies AssertID, Inc.’s Application for Obtaining Verifiable Consent Under the COPPA Rule
The FTC recently announced (press release) that the Commission voted 4-0 to deny AssertID, Inc.’s (“AssertID”or “Company”) application for a proposed verifiable parental consent (“VPC”) method submitted for approval under the Voluntary Commission Approval Process provision of the COPPA Rule (“Rule”). The Company submitted their proposed VPC method, ConsentID, for approval on July 1, 2013, the FTC published the application in the Federal Register on August 21, and the public comment period closed on September 20, 2013. The Commission received six (6) comments on the application and the commentators urged the FTC to deny AssertID’s application on the basis that the AssertID VPC method primarily because the proposed method is not “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent,” as required by Section 312.5(b)(1) of the Rule. You can access our prior blog post describing the AssertID VPC method here.
In its letter to AssertID informing the Company of the Commission’s decision, the FTC stated that the Company has failed to show that its proposed VPC method satisfies the criteria required by Section 312.5(b)(1). Specifically, the Commission expressed concern about the reliability of the social-graph verification method proposed by AssertID, noting, as the commentators on the AssertID VPC method have, that (1) Facebook profiles can very easily be fabricated, in fact, according to Facebook’s 10-Q filing, there are 83 million fake Facebook accounts, and (2) many children under 13 have created social media accounts by falsifying age information. In the Commission’s view, AssertID’s limited beta testing of its VPC method was not sufficient to demonstrate that social-graph identity verification will be effective and sufficiently reliable in verifying in a live environment that the individual providing consent is in fact the child’s parent. The FTC declined to opine on whether the services that AssertID provides on behalf of Web site operators as part of the ConsentID service to satisfy their direct notice obligation under the Rule indeed satisfy the requirements of the Rule, as the Commission did not consider these services integral to the proposed VPC method.
Wall Street Journal - NIST Cybersecurity Framework
Excerpt: "Lawyers say the document will be highly influential, but some have been raising concerns about the privacy portions of the preliminary framework since its release.
In earlier iterations of the framework, “scant attention” was paid to the need for critical infrastructure organizations to address privacy as part of cybersecurity plans, according to a client alert from Mintz Levin.
“That nod to the importance of privacy has been replaced with a detailed methodology to protect privacy and civil liberties,” the alert said, briefly explaining the changes. “These added standards should receive close attention by industry reviewers.”"
Payment Card Industry Group Retools Data Security Rules
By Allison Grande
Excerpt: "Companies that process credit card data are required to comply with the standard, which is incorporated by reference in every merchant agreement. A failure to comply could expose the merchant to fines imposed by the card brands, the inability to accept a particular brand, or breach of contract claims, according to Cynthia Larose, the privacy and security practice chair for Mintz Levin Cohn Ferris Glovsky & Popeo PC.
While the changes contained in the latest version of the standard “are not dramatic,” the new version “benefits from many clarifications, real-life examples and flexibility built in to enable merchants to meet the intent of the requirements,” Larose told Law360 on Friday.
For example, the new version adds a “best practices for implementing PCI DSS” section that aims to push companies to make compliance “'continuous' rather than an annual validation exercise." It also adds guidance for cloud providers and merchants to clarify that there is “shared responsibility” for complying with the requirements, according to Larose.
“The merchant cannot outsource accountability, as it has shared responsibility with the service provider to comply,” she said. “You can outsource the functionality, but you cannot outsource the potential for liability.”"
Law360 - Security Flaws Land ACA Contractors In Legal Crosshairs
By Allison Grande
The report prompted Sen. Orrin Hatch, R-Utah, and others to push legislation that would delay the launch of the exchanges until the government could ensure they had strong protections. But the Internet-based hubs opened for business as scheduled Oct. 1, and their operators have done little in the past month to dispel privacy concerns, according to attorneys.
“We don't have the information yet to know whether or not the data security risks are real or worse than expected or have been fixed, so our assessment of the privacy risks associated with having so much incredibly sensitive information passing through these systems has not changed since they went live,” said Cynthia Larose, the privacy and security practice chair for Mintz Levin Cohn Ferris Glovsky & Popeo PC.
....Attorneys pointed out that consumers might face an uphill battle in pursuing their claims, given the hurdles plaintiffs have traditionally faced in proving that a loss of sensitive data caused them actual harm.
“It's been notoriously hard for plaintiffs in data security class actions to maintain their claims, so unless the private cause of action is related to certain information that was compromised, it would be pretty difficult to initiate an action for a breach of the system,” Larose said.
Plaintiffs might also have difficulty pinning liability for the data loss on a responsible entity in the vast web of the exchanges, according to attorneys.
However, some attorneys doubted whether federal and state enforcers would pursue data security violations very aggressively, given their close ties with the exchanges.
“The question becomes, who regulates the regulator?” Larose said.