Tag Archives: U.S. Federal Trade Commission

About 4339 days ago Data Security

Are You Defending Your Transaction Data?

Think your online business isn’t big enough to have to worry about privacy and security issues? Think again. The previously unregulated era of data privacy is rapidly coming to a close. Privacy laws are on the books in more than 40 countries; the United States is instituting major new regulations for data privacy and security for the financial and healthcare industries. And broad legislative initiatives are under way. It’s time to make sure your data privacy house is in order, so when questions about your security preparedness get asked — and they will, sooner or later — you’ll be ready to respond. It’s also better to take some proactive privacy defense measures now, before you end up on the wrong end of a successful hack or a privacy breach lawsuit. And data security is already an issue if you do any business online, because your Web site has undoubtedly been scanned for vulnerabilities countless times. If your site hosting company tells you otherwise, someone’s asleep at the firewall. It’s easier to review your data security than you think. The questions you need to focus on are: What data are stored?. How and where are data stored? How are customer data processed? Who looks at the data? What should you do with the data? What Data Are Stored?Find out from your webmaster or e-commerce service provider what kind of data you’re storing. In fact, forget about the fact that you’re most interested in customer data, because this might put a filter on what data you’re told are stored. Identify all the data collected, such as name, address and order number, then select any customer-related data and sort them by the following types: High-risk customer data. These include complete credit card numbers and medical information. Lower-risk customer data. These include customer names and addresses, partial credit card numbers, phone numbers and order histories, except those of a personal nature. Minimal-risk customer data. These include Web site activity report information, such as number of hits, number of unique visitors, originating domain of visitors, and referring URL; aggregate customer information, such as purchases by age, region, and product; and all other nonidentifying customer data. How and Where Are Data Stored?You’ll almost certainly need to talk to whoever built or is involved in hosting your Web site to answer this question. This is, after all, a technical question. It involves what servers your data sit on and how they sit there. Here are the rules you should follow if you’re storing any high-risk customer data such as credit card numbers: The data must be stored encrypted. The data must reside on a database on a separate server from your Web server. Here’s why: If such high-risk data aren’t encrypted, they’re easier for someone to read. Don’t be surprised if encryption becomes a legal or business necessity in the United States in the next couple of years. It already is in some industries and countries. A separate database server for any high-risk data, even if encrypted, is more expensive. However, this is another area in which cutting corners is ill-advised. If the database holding that high-risk data sits on the Web server, it is inevitably more accessible to Internet traffic, including unauthorized access attempts. If you use a payment gateway services provider, by the way, there’s no reason to store credit card numbers anyway. Not doing so is the best security move you can take. How Are Customer Data Processed?Follow the data and see where they lead. Where are order confirmation messages sent? Are these messages e-mailed? If they are, and if they contain a customer’s complete credit card number, review Rule No. 1: Never send or request a credit card number via e-mail, which is an inherently insecure electronic communication format. Under all circumstances, you should always treat all your customer’s data with care. Many companies have come under fire simply for sending e-mail to their customers in a single mass e-mail that shows each address in the To field. If you’re part of a shared hosting environment or on an outsourced e-commerce platform, find out if any of your service providers access any of your customer or transaction data, and what they do with them. Standard Web site activity reports are pretty low-risk in terms of potential privacy breaches. If your site activity reports are like most, they’re based on Web server-logged activity, none of which identifies site visitors by name. Who Looks at the Data?You should already have most of the information you need on who is accessing the data and what they’re doing with them. Now find out who else, if anyone, is looking at this information. Are data sold to or shared with an outside company or business partner? After completing this step, you should have identified and categorized all the data being collected: How data are processed, where they go, and who looks at them. This is everything you need for a viable data privacy and security assessment. The next step puts this information into perspective. What Should I Be Doing With the Data?Businesses in the health-care and financial industries or that operate in Europe or other countries with strong privacy standards have this question answered by various laws and regulations. Otherwise, at least for now in the United States you can pretty much set your own privacy standards. You’ll find many recommended privacy policies and industry best practices to read up on at privacy.org and similar pro-privacy Web sites. But the bottom line still seems to be that as long as you do what you say you will do with your customer data in your privacy policy, you can almost do whatever you want. That is, until the market, the law or the FTC say otherwise. But regardless of whether you follow a privacy law that tells you how to collect, store and use customer information, or whether you get to make up your own methods, you need to get those methods in order. The data privacy hurricane is growing, so it’s time to tape up your windows. Copyright © 1995-2001 Pinnacle WebWorkz Inc. All rights reserved. Do not duplicate or redistribute in any form.

About 4369 days ago Computer Security

Protecting Against Privacy Problems

If e-commerce firms fail to consider issues regarding privacy, they may create an environment ripe for legislative encroachment, future Federal Trade Commission (“FTC”) actions and class action lawsuits. Privacy breaches pertain to a wide range of information collected by Web sites, from addresses, telephone numbers, email addresses and text entries to specific user interests found in registrations and mailing lists. This kind of information is called personally identifiable information (“PII”). In June 1998, the FTC submitted a report to Congress regarding online privacy. This report highlighted five key principles which the FTC recommends e-commerce sites employ in order to promote consumer privacy: Notice. Web firms should give consumers notice of any PII collection practices prior to actual collection, including, among other things, all parties involved in collecting, archiving or receiving PII. Choice. Consumers must first consent to uses of their PII. Such consent should be clear, easily available and sufficiently explanatory. “Choice” requires Web firms to provide either an “Opt-in” (consumers must click to provide their consent) or “Opt-out” method (consumers are presumed to consent unless they indicate otherwise). Access. Consumers must have a right to access their PII and correct errors and omissions. Security. Web firms should have reasonable protections to prevent corruption of and inappropriate access to PII. Enforcement. The FTC contended that enforcement mechanisms should be put into place for privacy regulations, but did not offer firm recommendations. The FTC looks favorably upon Web sites that meet trade association requirements for privacy protection. The principles illustrate the need for all Web sites collecting PII to post and maintain a clearly displayed privacy policy. Those sites that fail to do so risk, in certain circumstances, the prospect of an action by the FTC for unfair and deceptive trade practices. The FTC may sue an e-commerce firm for engaging in a deceptive trade practice if that firm violates its own privacy policy. For instance, the FTC settled a complaint against Geocities Corporation, an Internet service provider and Web hosting entity, regarding its PII collection practices. The complaint stated that Geocities violated its agreement with its users to not share any consumer information without their consent. The FTC also settled a case in May 1999 against Liberty Financial Companies, Inc., in which the FTC accused the company of falsely representing on its Web site that PII collected from children would be maintained anonymously. Today, Liberty’s actions might have also violated the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s associated regulations, which apply to Web sites geared towards children or sites that have actual knowledge of their collection of children’s PII. Under COPPA, the FTC developed a rule which mandates, among other requirements, detailed notice of PII collection and verifiable parental consent prior to disclosures, parental bans on further collection and dissemination, disclosure limits tied to a child’s participation in games and prize offers, and security procedures holding children’s information confidential. E-commerce firms offering financial services should also ensure compliance with the Gramm-Leach-Bliley Financial Modernization Act, which also imposes substantial privacy responsibilities. More recently, in the summer of 2000 the FTC settled separate charges against Toysmart.com and several online pharmacies. Toysmart.com had attempted to sell PII after it filed for bankruptcy despite the fact that Toysmart.com stated in its privacy policy that it would not do so. The charges against the online pharmacies involved, among other allegations, the sharing of PII and associated medical data with third parties. Sharing such data also implicates the Health Insurance Portability and Accountability Act of 1996, which imposes substantial restrictions and penalties regarding the use of medical data. One avenue often ignored by Web sites that can lead to liability involves advertising. Many Web sites do not realize that when they contract with a third party agency to manage Web site traffic and advertising, that agency’s ability to collect PII on the site can lead to violations of that site’s privacy policy. Ultimately, if Web firms do not take substantial steps to prevent consumer abuses stemming from their commercial practices, they face the specter of FTC complaints and class action lawsuits. Importantly, a number of steps can be taken to reduce the risk that these events will occur, including adherence to a well-drafted privacy policy and clear agreements between Web firms and agencies governing the use of collected data. This article, which may be considered advertising in certain jurisdictions, does not purport to give legal advice pertaining to any particular situation and creates no attorney-client relationship. Readers should seek professional legal advice concerning any particular situation they face. Jason Mark Anderman practices in Goodwin Procter’ s Intellectual Property/Technology Practice Area. He can be reached at janderman@goodwinprocter.com. Copyright © 2001 Goodwin Procter LLP. All Rights Reserved.

About 4642 days ago E-Commerce

So You Want to Share Your Mailing List

With dot-com companies making a bundle off users’ personal information, you may wonder whether you can do the same — without alienating your customers. After all, many of those efforts have gotten plenty of bad press. Earlier this year Internet ad firm DoubleClick Inc. was forced to postpone its plan to create profiles on Web travelers by combining data on their Web use patterns with their personal information. The resulting profiles, DoubleClick maintained, would help marketers better target advertising. Privacy-conscious consumers roared their disapproval. Meanwhile, the government has taken notice. In May the Federal Trade Commission urged Congress to set tougher standards for collecting consumer information online. A separate bill that began making its way through the Senate Judiciary Committee last spring would require Web sites to notify consumers about what information they’re collecting. Are you still game to rent out customer data? If so, take heart: you can do so responsibly. (See “Getting Started,” below.) For example, Boston-based music retailer Newbury Comics Inc. invites customers to join its E-Mail Club. Members get discounts on merchandise in exchange for letting the company track their purchases; the 21-store chain uses that data for merchandising and marketing. Newbury Comics also e-mails club members information about promotions that are jointly sponsored by bands, nightclubs, concert promoters, and recording companies (for instance, alerting Foo Fighters fans about new CDs or upcoming shows). But those sponsors never get direct access to customers. “E-mails are always from Newbury Comics,” says Trish Chapman-Kane, director of Newbury Comics Interactive. “We’re not going to ever sell personal information or trade it with anyone.” Even though Newbury Comics charges its marketing partners nothing for the conduit to its customers, the mailing list still generates revenues: each of its 12,000-plus members pays $3 a year to participate. In any case, businesses can share information about their customers without getting into trouble with them, says Andrew Shen, policy analyst for the Electronic Privacy Information Center, in Washington, D.C. The key: “Be very open about what you’re doing and why.” Getting Started The following are guidelines for responsibly sharing information about your customers. Be up front. Whenever you collect information, tell your customers what you’ll use, how you’ll use it, who’ll get access to it, and how you’ll protect it. Let them say no. Make sure customers know they can decline to provide data that may be shared. Seek selectively. Consumers get nervous about providing birth dates, Social Security numbers, income figures, and details about their kids. If you don’t need it, don’t request it. Get branded. TRUSTe and other Internet privacy organizations offer Web site “seals of approval.” .

About 4642 days ago E-Commerce

So You Want to Share Your Mailing List

With dot-com companies making a bundle off users’ personal information, you may wonder whether you can do the same — without alienating your customers. After all, many of those efforts have gotten plenty of bad press. Earlier this year Internet ad firm DoubleClick Inc. was forced to postpone its plan to create profiles on Web travelers by combining data on their Web use patterns with their personal information. The resulting profiles, DoubleClick maintained, would help marketers better target advertising. Privacy-conscious consumers roared their disapproval. Meanwhile, the government has taken notice. In May the Federal Trade Commission urged Congress to set tougher standards for collecting consumer information online. A separate bill that began making its way through the Senate Judiciary Committee last spring would require Web sites to notify consumers about what information they’re collecting. Are you still game to rent out customer data? If so, take heart: you can do so responsibly. (See “Getting Started,” below.) For example, Boston-based music retailer Newbury Comics Inc. invites customers to join its E-Mail Club. Members get discounts on merchandise in exchange for letting the company track their purchases; the 21-store chain uses that data for merchandising and marketing. Newbury Comics also e-mails club members information about promotions that are jointly sponsored by bands, nightclubs, concert promoters, and recording companies (for instance, alerting Foo Fighters fans about new CDs or upcoming shows). But those sponsors never get direct access to customers. “E-mails are always from Newbury Comics,” says Trish Chapman-Kane, director of Newbury Comics Interactive. “We’re not going to ever sell personal information or trade it with anyone.” Even though Newbury Comics charges its marketing partners nothing for the conduit to its customers, the mailing list still generates revenues: each of its 12,000-plus members pays $3 a year to participate. In any case, businesses can share information about their customers without getting into trouble with them, says Andrew Shen, policy analyst for the Electronic Privacy Information Center, in Washington, D.C. The key: “Be very open about what you’re doing and why.” Getting Started The following are guidelines for responsibly sharing information about your customers. Be up front. Whenever you collect information, tell your customers what you’ll use, how you’ll use it, who’ll get access to it, and how you’ll protect it. Let them say no. Make sure customers know they can decline to provide data that may be shared. Seek selectively. Consumers get nervous about providing birth dates, Social Security numbers, income figures, and details about their kids. If you don’t need it, don’t request it. Get branded. TRUSTe and other Internet privacy organizations offer Web site “seals of approval.” .

About 4765 days ago Computer Security

FTC Jumps the Gun with Privacy Proposal

The findings of a recent Internet privacy study conducted by the Federal Trade Commission (FTC) have prompted the agency to propose that Congress give it the power to set and enforce standards for consumer privacy protection. But e-commerce groups argue that such a regulatory proposal is premature and unnecessary. The industry has its own incentive to continue working diligently toward consumer privacy protection: Loss of consumer trust means the loss of consumer dollars. FTC to Congress: Enforce Fair Information Practices The FTC submitted a proposal titled “Fair Information Practices in the Electronic Marketplace” to Congress this week. It is the result of the 2000 Online Privacy Survey (2000 Survey) that the agency recently conducted. The FTC based its conclusions on the extent to which sites surveyed implemented the four fair information practice principles outlined in the agency’s 1998 report to Congress. These principles are defined as follows: Notice. Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through nonobvious means, such as cookies), and how they use it. Choice. Web sites would be required to offer consumers choices as to how their personal information is used — beyond the use for which the information was provided (e.g., to consummate a transaction). Access. Web sites would be required to offer consumers reasonable access to the information they have collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information. Security. Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers. Up until now, the FTC’s stance on consumer privacy protection has been to allow the Internet industry to regulate itself with respect to these four principles. However, the results of the commission’s 2000 Survey have caused officials to change their tune. While 88% of 335 randomly selected Web sites posted privacy policies, the agency found that only 20% followed the choice, access, and security principles. Citing the lackluster results, the FTC wasted no time in submitting its proposal to Congress on Monday, requesting legislation that would allow it to formally establish and firmly enforce the four fair information practice principles. An Industry at Work Internet industry groups argue that the FTC’s request for legislation is premature, noting that the agency’s fair information guidelines have only been in existence for two years. In such a short period of time, the industry has made great progress in its self-regulation. In fact, the FTC’s 1998 report contained a survey indicating that only 14% of Web sites disclosed any information regarding their information practices. In the past two years, this figure made a substantial leap to 88%. But industry groups such as the NetCoalition.com, an advocacy group made up of 10 top Internet companies, including Amazon.com, America Online, and eBay, also acknowledge that there’s much room for improvement. Upon the release of the 2000 Survey, the CEOs of several NetCoalition sites sent a letter to approximately 400 Web sites, urging them to adopt and implement all four fair information practice principles. NetCoalition even went a step further than the FTC by encouraging sites to also provide contact information for consumers who have questions about privacy. The growth and industry support of privacy programs such as TRUSTe, a nonprofit organization, and BBBOnLine, a subsidiary of the Council of Better Business Bureaus, is also a good sign of the industry’s commitment to consumer privacy protection. These nonprofit initiatives award privacy seals to Web sites that meet strict privacy practice criteria. Those sites that bear the TRUSTe or BBBOnLine seals are more likely to gain the trust of the consumers who visit them. Self-Regulation Is Likely to Stay — for Now Fortunately for Internet companies, the FTC’s proposal to Congress met with a lukewarm reception from Democrats and downright opposition from the GOP and White House. The consensus seems to be that the industry deserves a better chance to demonstrate progress in the area of privacy. Such opposition near the end of an election-year Congressional session serves as a good indicator that the FTC will not get the regulatory power it desires — for now. In order for consumer trust to grow, and e-commerce along with it, every Web site needs to practice the four fair information principles. In this way, the results of the FTC’s next random sample will be outstanding, and self-regulation will endure, for more than just the present moment. For more information on privacy practices and the FTC, read the following articles: FTC Wants More Privacy Regs Web CEOs Release Letter Urging Privacy Copyright © 1995-2000 Pinnacle WebWorkz Inc. All rights reserved. Do notduplicate or redistribute in any form.

About 4826 days ago Data Security

Fair Play?

Come April 21, Zeeks.com will face a new challenge — as if constantly coming up with “kewl” features for its ever-changing young audience wasn’t hard enough. As of that date, the one-and-a-half-year-old Internet playground and search engine for kids ages 6 to 13 will have to comply with the Children’s Online Privacy Protection Act (COPPA). COPPA, which emerged in response to widespread concern about the unregulated online collection of information from children, requires that commercial Web sites catering to the under-13 crowd obtain “verifiable parental consent” before collecting any information that could be used to identify or contact their preteen users. That includes the child’s name, telephone number, and E-mail and street addresses. While COPPA imposes the same requirements on all kid-oriented sites, two factors make the burden especially hard for smaller businesses to bear. One is cost. For instance, if Zeeks.com adds 1,000 members a day, the company would be looking at a compliance cost of at least $240,000 a year, including the tab for records storage and for five new employees, says cofounder Steven Bryan. But a larger problem is the potential loss of traffic. Once parents start receiving those permission requests, says Bryan, familiar brands like Disney will have an advantage over relative unknowns. That could spell trouble for sites that, like Zeeks.com, rely primarily on advertising revenues to stay afloat. Compounding the problem is the fact that some kids may choose to evade the consent process by heading for sites designed for teens or adults. Jorian Clarke, founder of Milwaukee-based KidsCom.com, a five-year-old online activities center for kids, dubs the dynamic the “peas and ice cream factor.” “If everything on a site becomes peas,” she explains, “kids are going to be looking elsewhere for the kind of content that meets their dessert needs.” Clarke worries that COPPA, which layers on extra costs, will help transform the Net into a playing field where only the large can compete. But others take a more optimistic view. Elizabeth Lascoutx, who directs the Children’s Advertising Review Unit at the Council of Better Business Bureaus, believes that the cost of complying with COPPA will soon decline. “I don’t think COPPA will have an enormous impact on the industry,” she says, “except for increasing parents’ comfort level with letting their kids surf the Web.” In fact, Bryan, who like Clarke supports COPPA’s goals, even sees a bright spot in the law. COPPA allows sites to retain information collected before April 2000 without obtaining parental consent. But Zeeks.com’s new competitors will have to comply with COPPA from day one. With 250,000 registered members as of January, Bryan observes, “I now have a position that is going to be very, very hard for a start-up to match.” Getting into the Act If your business must comply with COPPA, consider these tips from Toby Levin, team leader for Internet advertising at the Federal Trade Commission: Decide whether you need identifying information at all. There are lots of ways to provide content that don’t require you to collect information. For example, if you want your site to offer kids a personalized greeting, use screen names, not real ones. Take a look at the exceptions to the consent rule. For example, you can collect a child’s E-mail address in order to respond to a onetime request. If you delete the address after responding, you won’t trigger the other requirements of the rule. Consider methods other than print-and-send for collecting information, such as toll-free numbers, credit-card verification, or E-mail accompanied by a digital signature. For more information, visit www.ftc.gov or E-mail kidsprivacy@ftc.gov.