Category: Privacy (Consumer Privacy)

How Should Data Security Breach Notification Work?

In 2005, a series of data security breaches affected tens of millions of records of personal information. I blogged about them here, here, here, here, and here.

One of the major issues with data security breaches involves what kind of notification companies should provide. The spate of data security breach announcements began in February 2005, when ChoicePoint announced its breach pursuant to California’s data breach notification law. At the time, California was the only state that mandated individual notice following a breach. Subsequently, numerous states passed laws requiring that companies notify individuals of breaches. Federal legislation is currently being considered to create a national security breach provision. But key questions remain in hot contention. First, what kind of breach should trigger a notification? If the risk of harm is low, some companies contend, then providing notice can be quite costly with little benefit in return. Second, what kind of notice should be given? Notice to each individual affected? Notice to the media or FTC only?

Professors Paul Schwartz (law, Berkeley) and Ted Janger (law, Brooklyn) have posted on SSRN their article, Notification of Data Security Breaches, 105 Mich. L. Rev. 913 (2007), which seeks to answer these questions. From the abstract:

The law increasingly mandates that private companies disclose information for the benefit of consumers. The latest example of such regulation through disclosure is a requirement that companies notify individuals of data security incidents involving their personal information. In the wake of highly publicized data spills, numerous states have now enacted such legislation, and federal legislation in this area has also been proposed.

These statutes seek to punish the breached entity and protect consumers by requiring that a breached entity disclose information about the data spill. There are competing possible approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that a reputational sanction from breach notification can be important, but not for the reasons conventionally discussed. Moreover, a further function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. To fill this gap, this Article advocates creation of a coordinated response architecture and develops the elements of such an approach.

For anybody interested in data security, this article is definitely worth checking out.

The Free Credit Reports That Aren’t Free

You’ve probably seen the commercials, which run incessantly on CNN and other cable channels. A happy young man says: “I’m thinking of a number . . . ” That number is a credit score, which you can obtain at a website called FreeCreditReport.com. You probably have heard that under a new federal law, credit reporting agencies are required to provide each person with a free credit report once a year. That website, however, has the much more obscure name AnnualCreditReport.com. I previously blogged about my experiences using AnnualCreditReport.com. One of the problems is that if you don’t know that the correct website is AnnualCreditReport.com, then it is very easy to go to the FreeCreditReport.com website instead. After all, it is featured quite prominently in a Google search for “free credit report.”

But there’s one catch — it ain’t free. Far from it. From the fine print:

When you order your free report here, you will begin your free trial membership in Triple AdvantageSM Credit Monitoring. If you don’t cancel your membership within the 30-day trial period, you will be billed $12.95 for each month that you continue your membership.

ConsumerInfo.com and Freecreditreport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to www.annualcreditreport.com.

FreeCreditReport.com is run by Experian, one of the credit reporting agencies. Experian also has another website offering free credit reports: ConsumerInfo.com. Recently, the FTC settled a case against ConsumerInfo.com website. According to an FTC news release:

The Rise of Customer Blacklists

Blacklists appear to be the rage these days. With the ease of storing and sharing personal information — coupled with lax privacy law restrictions on such activities — companies can increasingly create blacklists of bad customers. In this article from the Ottawa Citizen, hotels in Australia and Canada (and soon the United States) are signing up for a service that compiles a blacklist against “bad” hotel guests:

Blacklisting everyone from the whisky-swilling scoundrels whose partying sabotaged your last vacation to the louts who channel Pink Floyd by dismantling their rooms, the new Australian database — which is expected to expand to Canada and the U.S. by year’s end — helps prevent unsavoury individuals from obtaining short-term accommodations.

“People are becoming less considerate of the space they’re staying in,” says Josh Ginty, project manager of the Guests Behaving Badly registry.

“What we hope to do is proactively advertise to those people … that their details will be recorded if they breach house rules. That in itself is often a strong enough deterrent.”

Accessible only to operators of hotels, motels and vacation homes, the membership-based registry tracks five levels of guest misconduct. These range from “lower-level blatant disregard” for regulations, such as smoking in non-smoking rooms or swimming in the pool after hours (several staff warnings must be ignored before the activity is reported on the registry) to higher-level infractions such as non-payment of the hotel bill, assault or vandalism.

“If you steal a couple of towels, we’re interested in tracking that,” says Mr. Ginty. “But it doesn’t compare to someone who has verbally or physically abused the night manager.”

More than 1,000 properties have signed up for the service since it launched in December 2006. Expansion to other continents is planned to begin in six months, depending on how easily the database can be adapted to each country’s privacy laws.

Customers have the ability to rate hotels with websites such as TripAdvisor.com. So why shouldn’t hotels be able to rate customers?

I don’t view the situations as symmetrical. Customers have long been spreading their opinions about hotels and other businesses — this is how the market produces good products and services. Word about bad hotels gets out and it leads to less business, thus creating an incentive for hotels to improve their service. But what happens when a similar process works against customers? True, some hotel guests are obnoxious and destructive, but do we really want to live in a country where people find themselves routinely blacklisted from various hotels and other businesses (stores, etc.)? In a Seinfeld episode, Elaine once found herself on a blacklist by doctors for being a bad patient. Perhaps this is the trend of the future. I sure hope not.

A Guide to Lobbyist Arguments on Consumer Protection

Chris Hoofnagle (Berkeley’s Samuelson Clinic) has posted on SSRN his paper, The Denialists’ Deck of Cards: An Illustrated Taxonomy of Rhetoric Used to Frustrate Consumer Protection Efforts. From the abstract:

The Denialists’ Deck of Cards is a humorous illustration of how libertarian policy groups use denialism. In this context, denialism is the use of rhetorical techniques and predictable tactics to erect barriers to debate and consideration of any type of reform, regardless of the facts. Giveupblog.com has identified five general tactics used by denialists: conspiracy, selectivity, the fake expert, impossible expectations, and metaphor.

The Denialists’ Deck of Cards builds upon this description by providing specific examples of advocacy techniques. The point of listing denialists’ arguments in this fashion is to show the rhetorical progression of groups that are not seeking a dialogue but rather an outcome. As such, this taxonomy is extremely cynical, but it is a reflection of and reaction to how poor the public policy debates in Washington have become.

The Deck is drawn upon my experience as a lawyer working on consumer protection in Washington, DC. Where possible, I have provided specific examples of denialism, but in many cases, these arguments are used only in closed negotiations. Some who read them find the examples humorous, while others find them troubling. But all who read the Washington Post will recognize these tactics; they are ubiquitous and quite effective.

This taxonomy provides a roadmap for consumer advocates to understand the resistance they will face with almost any form of consumer reform. I hope to expand it to include retorts to each argument in the future.

The paper is quite humorous and well-done — essential reading for any policy wonk.

The Digital Person: Now in Paperback

I’m pleased to announce that my book, The Digital Person: Technology and Privacy in the Information Age, is now out in paperback and has a much more affordable price. From the cover blurb:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. For each individual, these databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases—which Daniel J. Solove calls “digital dossiers”—has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

The Digital Person sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Links to reviews of the book are at The Digital Person website.

Data Security Laws, the States, and Federalism

Remember when, well over a year ago last February, ChoicePoint announced it had suffered a major data security breach? Since then hundreds of breaches have been announced — over 200 instances involving data on 88 million people. Several bills were proposed in Congress; many Senators and Representatives quickly emphasized the importance of privacy and data security. And after all this time, what has Congress produced? Nothing.

Meanwhile, the states have been very busy. 31 states have passed data breach notification laws. 24 states have now passed credit freeze laws, which allow people to lock their credit files to prevent unauthorized activity.

The stateline.org website has a terrific chart of the states that have enacted data security laws, which is below in smaller form. Visit the stateline website for a larger view.

[Chart: states that have enacted data security breach laws, from stateline.org]

I never used to be a fan of federalism, but in following information privacy law, I’ve found that the states are by far more responsive to problems, more flexible and experimental in solutions, and more able to get things accomplished. Substantively, the states have also established a better balance between privacy and business interests than Congress.

The bills kicking around in Congress would preempt many of the state laws discussed above. Ironically, that is what might make Congress finally do something in response to the data security breaches. Companies afraid of an orgy of state laws are pushing Congress to act — not to protect privacy, but to wipe the board clean of state regulation and replace it with a weaker less-protective federal standard all in the guise of helping to “protect” our privacy.

Can Spam and Spyware Ever Be Good?

Over at the Conglomerate, Professor Eric Goldman’s paper, A Coasean Analysis of Marketing, is being workshopped in the Conglomerate’s Second Annual Junior Scholars Workshop. Professors Peter Huang and Frank Pasquale (previously a guest blogger here at Concurring Opinions) are providing commentary.

Eric Goldman was teaching at Marquette Law School. This fall, he will be moving to Santa Clara Law School. He has a very informative blog about technology and marketing law issues.

I’ve read Eric’s paper, and it is quite interesting and provocative. Eric attempts to point out the brighter side to junk mail, spam, adware, and other marketing technologies that most of us detest. Is there such a thing as a good spam? I have my doubts, but Eric presents a thoughtful argument why we shouldn’t view spam and other marketing technologies as totally evil. He argues that we ought to be very careful in how we regulate marketing, and he proposes new approaches toward addressing the problems unwanted marketing creates. Here’s the abstract:

Consumers claim to hate marketing—mostly, because they get too much unwanted marketing. In response, regulators develop medium-by-medium marketing suppression regulations. Unfortunately, these ad hoc solutions do little to satisfy consumers, and dynamic technologies and business practices quickly render them moot. Instead of continuing this cycle, there would be some benefit to developing a cross-media marketing regulatory scheme. However, any holistic solution must be predicated on a clear rationale for regulating marketing. The most common justification is that marketing imposes a negative externality on consumers, but this argument ignores the private and social welfare created by marketing and can lead to cost overinternalization and marketing undersupply. The Coase Theorem also suggests that social welfare improves by reducing the costs of matching marketers with interested consumers. To achieve this, consumers need a low cost but accurate mechanism to manifest their preferences. This Article shows that typical regulatory and marketplace solutions do not provide effective mechanisms. Instead, marketer-consumer matchmaking will improve from technology that will automatically infer consumer preferences and use these inferences to filter incoming marketing and seek out wanted content. This technology does not yet exist, but it is being rapidly developed. However, regulation of surreptitious monitoring devices (like adware and spyware) may inadvertently block the development of this socially-beneficial technology. As a result, current regulatory overreactions to developing technology may counterproductively foreclose social welfare improvements.

The Conglomerate welcomes your comments on Eric’s paper: “We invite all readers to comment on Eric’s paper in the comments section of this post.” Please comment over at the Conglomerate post.

The ChoicePoint Settlement

Recently, the FTC announced a settlement in its complaint against the data broker ChoicePoint for a data security breach that resulted in over 160,000 people’s personal information being sold to identity thieves. According to the Washington Post:

Data broker ChoicePoint Inc. yesterday agreed to pay a $10 million federal fine over security breaches that exposed more than 160,000 people to possible identity theft. Privacy experts praised the settlement as a warning to companies to get more serious about protecting sensitive information.

The Alpharetta, Ga.-based company, one of the nation’s largest buyers and sellers of personal information such as Social Security numbers, birth dates and addresses, also agreed to pay $5 million into a fund to compensate people who suffered as a result of the breaches.

The Federal Trade Commission, which said the fine was the largest civil penalty it had ever imposed, said ChoicePoint violated consumers’ privacy and broke federal laws by mishandling the information and misleading people about its privacy policy.

The FTC complaint is here. There are some important issues worth discussing in connection with the news of the settlement.

Do No Evil and Perhaps Do Some Good: Google, Privacy, and Business Records

I just blogged about the case where the government is seeking search query records from Google. I am very pleased that Google is opposing the government’s subpoena. According to the AP article:

Google — whose motto when it went public in 2004 was “do no evil” — contends that submitting to the subpoena would represent a betrayal to its users, even if all personal information is stripped from the search terms sought by the government.

“Google’s acceding to the request would suggest that it is willing to reveal information about those who use its services. This is not a perception that Google can accept,” company attorney Ashok Ramani wrote in a letter included in the government’s filing.

In contrast to Google, other search engine companies such as Yahoo complied with the subpoenas without putting up a fight. Google is to be applauded for making the effort to rebuff the government’s request.

The Gifts You Can No Longer Return

In the fun and light documentary, My Date With Drew, an average guy named Brian Herzlinger chronicles his attempt to get a date with Drew Barrymore. The documentary was made on a shoestring budget of just $1100, and Brian cut costs by buying a video camera at Circuit City, using it until the 30-day return window was up, and then returning it to the store for his money back.

But Herzlinger’s documentary may one day be notable not for his quest to meet a celebrity but for capturing what might be a quaint piece of nostalgia — the easy and hassle-free ability to return merchandise.

Returning merchandise has become much harder these days. Those unwanted gifts you received this holiday season might be much more difficult to return. According to a WSJ article (don’t bother clicking the link, as the article can’t be accessed without paying a massive fee):

Retailers are further clamping down on return policies, imposing penalty fees and using sophisticated computer databases to flag serial returners trying to game the system. Some are also adding exceptions and caveats to their return policies — for instance, making it particularly hard to return certain kinds of products, such as electronics.
