<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Baer Business Law - Greater Philadelphia Area - Intellectual Property Law - Business Law - E Commerce - Contracts - Trademarks - Copyrights &#187; online privacy</title>
	<atom:link href="http://www.baerbizlaw.com/category/blog/tag/online-privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.baerbizlaw.com/category/blog</link>
	<description></description>
	<lastBuildDate>Sun, 29 Aug 2010 19:49:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>National Online Privacy and Data Security Bill Coming?</title>
		<link>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/</link>
		<comments>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 17:04:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[behavioral advertising]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=971</guid>
		<description><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses collecting information online have to worry about a kaleidoscope of legislative and regulatory requirements on both the state and federal levels.  </p>
<p>You&#8217;ve met the <em>dramatis personae</em> on this blog over the past year or so:  the Federal Trade Commission, which issued a <a href="http://www.baerbizlaw.com/ftc-privacy-050409/">staff report in February 2009 containing &#8220;self-regulatory&#8221; guidelines for online behavioral advertising</a> and now is panting to go further; the State of California, one of several that requires the posting of a website privacy policy and use of data security safeguards, including vendor oversight; the State of Nevada, which requires the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">encryption of personal information</a>; and the Commonwealth of Massachusetts, source of <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">the most comprehensive information security regulation in the nation</a> (201 CMR 17.00, which went into effect on March 1, 2010).</p>
<p>The patchwork is so befuddling that a reporter once barked at me in frustration:  &#8220;You mean a business has to hire someone like <em>you</em> to keep track of all of this?&#8221;  No offense meant, of course.  None taken, I replied, but the answer was yes.  In an indirect way, the FTC funds my Philly Beer Week expenditures.</p>
<p>Now the federal bear is beginning to growl.  After reading the draft legislation unveiled by U.S. Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL) on May 4 &#8212; which has attracted <a href="http://www.the-dma.org/cgi/dispannouncements?article=1448">strong comments by the Direct Marketing Association</a>, along with <a href="http://techliberation.com/2010/05/04/statement-on-house-privacy-discussion-draft">criticism from the Technology Liberation Front</a> and others &#8212; I&#8217;m trying to decide whether things just got better or worse for my clients.  Actually, scratch that.  This bill needs to be rewritten, since it takes a top-down, process-heavy Gramm-Leach-Bliley type of approach and tries to plaster it onto the vast domain of cyberspace.  (The Gramm-Leach-Bliley Act is the seminal 1999 financial privacy bill that requires financial institutions to provide initial and annual privacy notices to their customers and a way for them to opt out of having their personal information shared with unaffiliated marketers.  No doubt you read every line of the GLBA privacy notice your bank sends you every year.  Anyway, there is a real strong musty whiff of GLBA in the Boucher-Stearns draft.)</p>
<div id="attachment_1018" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2010/06/Dan-Baird-300x205.jpg" alt="Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing. (Actually, this is from his 1991 album Love Songs for the Hearing Impaired)." title="Dan Baird" width="300" height="205" class="size-medium wp-image-1018" /><p class="wp-caption-text">Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.  (Actually, this is from his 1991 album Love Songs for the Hearing Impaired).</p></div>
<p><strong>Preemption</strong></p>
<p>On the plus side, the draft legislation would set a single national online privacy and data security standard that preempts (supersedes) state privacy and data security laws &#8212; one-stop shopping, unless you&#8217;re unfortunate enough to also be covered by GLBA, HIPAA, the CAN-SPAM Act or the Children&#8217;s Online Privacy Protection Act, in which case it&#8217;s unclear how the inconsistencies with the draft legislation would be resolved.  </p>
<p><strong>Data Security</strong></p>
<p>The data security requirements generally follow those in the FTC Safeguards Rule promulgated under GLBA and are flexible and risk-based (appropriate administrative, technical and physical safeguards, as determined by the FTC, for protecting the security, confidentiality and integrity of covered information and preventing unauthorized loss, destruction, disclosure or misuse) as opposed to the one-size-fits-all prescriptive approach used by the encryption-happy legislature in Nevada.  There is no notification requirement in the event of a data breach, although the safeguards must be sufficient to determine the scope of the breach and remediate its effects.  The data security provision of the draft bill also contains a rather bizarre clause that, without any further explanation, requires a covered entity to establish reasonable measures to &#8220;assure the accuracy&#8221; of the information it collects.  </p>
<p>Here&#8217;s the kicker, though: the Boucher-Stearns draft <strong><em>does not track state data security laws like Massachusetts&#8217; in limiting its coverage to first and last name (or first initial and last name) combined with financial account number or government-issued identification number (e.g., Social Security number or driver&#8217;s license number)</em></strong>.  <strong><em>In fact, &#8220;covered information&#8221; as defined in the bill includes name, address or contact information.</em></strong>  Practically speaking, then, this represents a potentially onerous expansion of existing data security regulation, even though the security requirements themselves resemble existing rules.</p>
<p><strong>What information is &#8220;covered&#8221; by the bill?</strong></p>
<p>Covered information includes <strong>any</strong> of the following:  first name or initial together with last name; postal address; phone or fax number; e-mail address; unique biometric data; government-issued identification number; financial account number and any code or password necessary to permit access to the account; unique identifier (such as an IP address or customer number) if used to collect, store, or identify information about a specific individual or a computer, device or software application owned or used by a particular user or that is otherwise associated with a particular user; and &#8220;preference profile&#8221; (defined as &#8220;a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity&#8221;).</p>
<p>The draft bill therefore abandons the current regulatory focus on &#8220;personal&#8221; or &#8220;personally identifiable&#8221; information in favor of the FTC position that any data that is linkable to a specific web user or device requires protection.  </p>
<p><strong>Privacy:  And Now for Something Completely Different</strong></p>
<p>The privacy requirements of the draft legislation would drastically reshape the state of the world.  Here&#8217;s a high-level overview:</p>
<p>The bill would generally preserve the current practice of providing notice of a site&#8217;s privacy practices and an ability to opt out prior to any collection, use or sharing of information online BUT would require affirmative express consent (that is, an opt-in) before covered information could be shared with unaffiliated third parties.  These requirements would not apply to information collection, use and sharing for transactional or operational purposes (i.e, as necessary to effectuate a transaction between the site and an individual).  Sharing of information with a service provider which assists the site to effectuate a &#8220;first-party transaction&#8221; with the individual is also permitted, subject to an opt-out consent requirement.  Finally, the bill includes a behavioral advertising exception whereby information could be shared with online advertising networks without opt-in consent, but subject to certain notice and opt-out requirements, such as the prominent display of a notice or seal on the covered entity&#8217;s website and on or near targeted advertisements, along with a link to information about behavioral advertising and how consumers can opt out. </p>
<p>For the required &#8220;notice,&#8221; every site that collects covered information would need to post clearly and conspicuously (and make accessible via a link on its home page) a privacy policy containing the mandatory disclosures.  (The draft bill also contains privacy notice requirements for covered information collected offline, so if it is passed, businesses should consider adopting an integrated, holistic privacy policy covering all aspects of their operations.)  Some of these disclosures are already standard practice, such as a description of the information collected, purposes for collecting and using the information, how the information is collected, categories of third parties with which the information may be shared, and how individuals may obtain access to their information.  Other disclosure requirements break new ground, such as:</p>
<p>◊ how information may be merged, linked or combined with other information from unaffiliated sources<br />
◊ how information is stored by the entity<br />
◊ how long the information is retained in identifiable form<br />
◊ how the entity disposes of (or renders anonymous) covered information after the end of the retention period<br />
◊ a means to contact the entity with any inquiries or complaints about the handling of covered information<br />
◊ the consent mechanism required by the bill</p>
<p>Notably, the draft legislation would codify the FTC&#8217;s <em>diktat</em> that material changes in privacy practices cannot be applied retroactively (i.e., to information collected prior to their posting), and information cannot be shared for purposes previously undisclosed that an individual would not reasonably expect, unless the entity gets the individual&#8217;s opt-in.</p>
<p>Finally, in its February 2009 staff report on behavioral advertising, the FTC posited that certain information might warrant special protection due to the increased risk of harm or embarrassment to the individual.  Sure enough, the draft legislation would also create a special category of &#8220;sensitive information&#8221; for which an opt-in is required prior to collection.   &#8220;Sensitive information&#8221; includes, when associated with covered information of an individual, information about medical history or condition; information about financial accounts; information about sexual orientation, race, ethnicity or religious beliefs; and &#8212; interestingly &#8212; &#8220;precise geolocation information.&#8221;   </p>
<p><strong>Am I Gonna Get Hit by This?</strong></p>
<p>If it passes, and if you collect covered information (which you probably do) either online or offline, then yes, unless you have a very small customer or user base or are a government agency.  Excluded from the draft legislation&#8217;s reach are government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period.  However, if you collect any sensitive information at all, you are covered even if your customer or user base is under 5,000.   </p>
<p><strong>Who Is Going to Come After Me If I Don&#8217;t Comply?</strong></p>
<p>The primary enforcer would be the FTC, the big 900-pound gorilla in this draft legislation, since it would have the power to prosecute violations as unfair or deceptive acts or practices and would also acquire broad rulemaking authority to regulate online privacy and data security (although the draft bill prohibits the FTC from requiring specific technologies or software).  Based on the FTC&#8217;s activity to date in these areas, the agency would not be shy about using this power.  State attorneys general and consumer protection agencies could also enforce the law.  Private actors, however, have no right of action.  </p>
<p>Undoubtedly the Boucher-Stearns draft legislation will be heavily changed before it is passed, if it is even passed.  Significant problem areas, as pointed out by the DMA and other commenters, are the expansive definition of covered information (which would lump mere name and contact information into the same protected category as Social Security numbers) and the requirement of an opt-in to share covered information with unaffiliated marketers.  This regime is even more restrictive than GLBA and is a huge departure from how business is currently conducted on the Internet.  If the bill passes in anything resembling its current form, expect to be bathed in disclosure and to paddle through a profusion of annoying click-throughs. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s Next for Online Privacy?</title>
		<link>http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/</link>
		<comments>http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 19:04:03 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=817</guid>
		<description><![CDATA[<p>On March 17 the Federal Trade Commission (FTC) concluded the last of its three roundtables on the state of online privacy.  A key area of scrutiny dur[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>On March 17 the Federal Trade Commission (FTC) concluded the last of its three roundtables on the state of online privacy.  A key area of scrutiny during the roundtables was the adequacy of privacy self-regulation by the online advertising industry with regard to the collection, use and sharing of information from consumers for behavioral advertising purposes (i.e., targeting customized ads to Internet users based on their activities online).  In February 2009, the FTC issued detailed self-regulatory guidelines for behavioral advertising which emphasized prominent disclosure of practices (e.g., not burying the relevant information in a website privacy policy) and providing Internet users with meaningful choice mechanisms, such as opt-outs from information sharing.  <a href="http://www.revenews.com/andrewbaer/ftc-sounds-off-on-online-behavioral-advertising-privacy-issues">For a complete description of those guidelines</a>, please check out my May 2009 article in <a href="http://www.revenews.com">ReveNews.com</a>.  </p>
<p>Two items emerged almost immediately from the roundtables and the FTC&#8217;s related comments:  (1) the FTC does not believe industry self-regulation in behavioral advertising is working, and (2) the category of &#8220;personally identifiable information&#8221; (PII) that has been used in privacy law up to this point to denote sensitive information warranting legal and regulatory protection is effectively obsolete.  </p>
<p><strong>RIP, PII</strong></p>
<p>To the latter point, studies have shown that non-personalized information like IP addresses or even browser and operating system specifications can be combined with other information gathered from online browsing to build detailed personal profiles and even identify individuals with a reasonable degree of certainty. The FTC&#8217;s 2009 behavioral guidelines anticipated a breakdown of the existing personal/non-personal information dichotomy by expanding the category of information covered by the guidelines to include information that can be used to identify a specific computer or device (not just a particular human being).  According to the FTC, such data include clickstream data that can be combined with a consumer’s website registration information; individual pieces of anonymous data combined into a detailed profile that is identifiable with a particular person; and behavioral profiles that are not associated with a particular consumer, but are stored and used to deliver personalized advertising and content to a particular device.</p>
<p>In addition, the guidelines identified a special category of personal information, such as health information, financial information, precise geographic location information or information about children, that is so sensitive it warrants heightened privacy protection (for example, requiring consumers to opt in before such data can be collected for behavioral advertising, rather than providing the standard opt-out).   </p>
<p><strong>More Powers for the FTC?</strong></p>
<p>Greater privacy regulation in online behavioral advertising seems to be a given, therefore.  Some sites like Yahoo! have felt it prudent to get ahead of the curve by expanding their privacy disclosure preemptively (for example, <a href="http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html">Yahoo!&#8217;s Ad Interest Manager</a> allows you to see information about your browsing activities that Yahoo! collects for targeted advertising purposes and set your preferences accordingly).  The big question, though, is how sweeping the new rules will be.  One problem with a non-incremental approach is that the FTC is currently limited in its rule-making authority when it is using its power to combat unfair or deceptive practices under Section 5 of the FTC Act.  This is the main authority the FTC has used for a decade to make its views known with respect to online privacy (Congress has granted it broader powers to regulate in specific areas, such as under the Children&#8217;s Online Privacy Protection Act and the CAN-SPAM Act).  </p>
<p>However, a clause in Congressman Barney Frank&#8217;s (D-Mass.) financial reform bill H.R. 4173, otherwise known as the Wall Street Reform and Consumer Protection Act of 2009, would greatly expand the FTC&#8217;s power to regulate and litigate, and not just against financial services companies.  Specifically, the bill would allow the FTC to implement consumer protection regulations generally through the Administrative Procedures Act (APA) rule-making process, rather than through the more rigorous current process, which takes much longer and requires greater public participation and comment.  The FTC would also be able to file suit directly instead of having to act through the Department of Justice.   (NOTE:  this is <a href="http://www.baerbizlaw.com/category/blog/guarding-the-angels">the second time in a week I have blogged</a> about a little-known clause in Congressional financial reform legislation that drastically expands regulatory involvement in areas that have <strong>nothing to do with</strong> the 2008 financial collapse.)  FTC Chairman Jon Leibowitz argued for such powers in Senate testimony on the pending legislation, promising to use them sparingly.  It remains to be seen whether Congressman Frank&#8217;s creation of an &#8220;FTC on steroids&#8221; (as some libertarian/anarchist tech bloggers have called it) will appear in the final act after reconciliation with Senator Chris Dodd&#8217;s (D-Conn.) bill. </p>
<p>So, what&#8217;s next for online privacy?  More disclosure and more consumer choice, probably, as well as the possible creation of a sliding scale of privacy protection based on categories of totally de-identified data, data that can (either alone or in combination with other data available through the Internet) be associated with a unique individual, and sensitive personal data warranting strong safeguards.  Online advertisers and ad networks:  be aware that the FTC is watching you.  Of course, I am watching them, and you can find new developments on this blog as soon as they occur.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Merry Christmas from Baer Business Law</title>
		<link>http://www.baerbizlaw.com/category/blog/merry-christmas-from-baer-business-law/</link>
		<comments>http://www.baerbizlaw.com/category/blog/merry-christmas-from-baer-business-law/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 15:54:48 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Stengart]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=649</guid>
		<description><![CDATA[<p>This will likely be my last post before Christmas, and so, in the spirit of the season, I am leaving you with a few images of the December 19 blizzard[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/merry-christmas-from-baer-business-law/'>Continue...</a></p>]]></description>
<content:encoded><![CDATA[<p>This will likely be my last post before Christmas, and so, in the spirit of the season, I am leaving you with a few images of the December 19 blizzard in Philly &#8212; and one small workplace electronic privacy morsel.</p>
<div id="attachment_677" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/The-Christmas-blizzard-300x225.jpg" alt="The Christmas blizzard" title="The Christmas blizzard" width="300" height="225" class="size-medium wp-image-677" /><p class="wp-caption-text">The Christmas blizzard</p></div>
<p>Shake the snow from your boots, pull a chair up by the fire, and let&#8217;s touch briefly on <em><a href="http://docs.google.com/viewer?a=v&#038;q=cache:iBUxUy3MjCwJ:https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc%3F2004cv0236-167+convertino+v.+united+states&#038;hl=en&#038;gl=us&#038;sig=AHIEtbSn4A2pUm60Be6xEGf8YEWHPjAmnQ">Convertino v. U.S. Dep&#8217;t of Justice</a></em>, Civ. No. 04-236 (D.D.C. Dec. 10, 2009).  This ruling by a federal district court in Washington, D.C. is being hailed as the next in the <em>Stengart v. Loving Care Agency, Inc.</em> line of cases that <a href="http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie/">supposedly vindicate an employee&#8217;s right to electronic privacy in the workplace</a>.  </p>
<p>Richard Convertino is a former federal anti-terrorism prosecutor who was forced out by an investigation of prosecutorial misconduct during the Bush administration.  Information about the investigation was leaked to the <em>Detroit Free Press</em>.  In his action against the Justice Department for whistleblowing retaliation and other claims, Convertino sought discovery of e-mails between Tukel, another prosecutor involved in the investigation, and his private attorney, e-mails that were sent from a Justice Department computer using Tukel&#8217;s DOJ account (not even a web-accessed personal e-mail account, as in <em>Stengart</em>).  The court refused to grant access to the e-mails, holding that Tukel had a reasonable expectation of privacy which supported his assertion that the e-mails were still protected by the attorney-client privilege.  </p>
<p>In finding for Tukel, the court specifically examined the Justice Department&#8217;s Internet use policy and determined that, in view of the policy, he was not on notice that his personal e-mails were being monitored and, therefore, his actions in deleting the e-mails from his account in an expeditious manner amounted to a non-waiver of the attorney-client privilege:  </p>
<p>          <em>&#8220;Mr. Tukel reasonably expected his e-mails with his personal attorney to remain private….   Case law in this jurisdiction is not directly on point but New York gives the Court some direction.  &#8216;[T]he question of privilege comes down to whether the intent to communicate in confidence was objectively reasonable.&#8217; … In order for documents sent through e-mail to be protected by the attorney-client privilege there must be a subjective expectation of confidentiality that is found to be objectively reasonable&#8230;. [Four factors to determine reasonableness are] &#8216;(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee’s computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?&#8217; … Each case should be given an individualized look to see if the party requesting the protection of the privilege was reasonable in its actions….</p>
<p>          &#8220;On the facts of this case, Mr. Tukel’s expectation of privacy was reasonable.  The DOJ maintains a policy that does not ban personal use of the company e-mail.  Although the DOJ does have access to personal e-mails sent through this account, Mr. Tukel was unaware that they would regularly access and save e-mails sent from his account….  Because his expectations were reasonable, Mr. Tukel’s private e-mails will remain protected by the attorney-client privilege.&#8221;</em><br />
<img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/Locust-Street-300x225.jpg" alt="White-out on Locust Street" title="White-out on Locust Street" width="300" height="225" class="alignright size-medium wp-image-679" /><br />
As with <em>Stengart</em> (which <a href="http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/">was recently argued before the New Jersey Supreme Court</a>), I am unconvinced that rulings like this create a broad right of privacy in personal communications sent through an employer&#8217;s IT resources.  For one thing, the Internet use policy in <em>Stengart</em> as well as the DOJ&#8217;s policy in <em>Convertino</em> explicitly permitted personal use but were less than clear that ALL communications (personal as well as work-related) were subject to monitoring.  Had the policies contained language like the following, the results might have been different:  <strong>&#8220;We reserve the right to monitor, and periodically monitor, ALL communications sent using our computers and Internet access, whether personal or work-related, and including personal e-mails sent using your web-accessed e-mail (e.g., gmail, hotmail) account.  You agree that you have no expectation of privacy in these e-mails and other communications.  You should NOT send sensitive personal e-mails from a work e-mail account or a work computer.&#8221;</strong>  </p>
<p>Secondly, I maintain that the attorney-client privilege is something special.  If it&#8217;s held to be waived, the <em>legal</em> effect on a litigant &#8212; loss of or inability to implement legal strategy or exercise legal rights &#8212; is potentially catastrophic.  Privileged e-mails are different from, say, embarrassing e-mails or e-mails that could get you into trouble with your boss.  My sense is that courts will strain to avoid piercing such a hallowed privilege, except where a litigant has acted in a totally cavalier manner with regard to secrecy.  I don&#8217;t agree with those legal commentators who claim the <em>Convertino</em> case actually reflects a dawning recognition that, due to the timing constraints in our harried modern lives, personal e-mails MUST be sent from work and should be shielded for that reason (regardless of how an employer&#8217;s computer/Internet use policy is worded or distributed).  The court didn&#8217;t say this.  In its own words, the case was about what the employee did and did not know about monitoring, pure and simple.</p>
<p>This battle will continue, of course.  In the meantime, employers should think carefully about what personal uses of company Internet access and IT resources they wish to permit and make sure their approach to monitoring is clearly explained, particularly when read together with the sections of the policy detailing any approval of personal use.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/merry-christmas-from-baer-business-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tech Chestnuts for the Winter Chill</title>
		<link>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/</link>
		<comments>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/#comments</comments>
		<pubDate>Sat, 12 Dec 2009 23:52:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[green technology]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=619</guid>
<description><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm yourself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm youself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in his bag:<br />
<div id="attachment_641" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/carpenters-hall-300x225.jpg" alt="Carpenters Hall at Yuletide" title="carpenters hall" width="300" height="225" class="size-medium wp-image-641" /><p class="wp-caption-text">Carpenters Hall at Yuletide</p></div><br />
1.  <strong>Green Patents.</strong>  In conjunction with the Copenhagen climate summit, the U.S. Patent and Trademark Office announced on December 8 a pilot program to accelerate the examination of patent applications for green technology.  Normally, except where other circumstances exist favoring accelerated review, patents are examined on a first-come, first-served basis.  The first 3,000 eligible patent applicants who file a &#8220;petition to make special&#8221; their applications will get to jump to the front of the line.  </p>
<p>According to the PTO, the average time between filing and the first office action (PTO response) on a green technology patent application is 30 months, with the final action on the applications coming after 40 months on average.  The PTO estimates that participation in the pilot program will shave a year off the time to get a green technology patent.  Green technology eligible for the pilot program is defined as patent applications relating to environmental quality, energy conservation, development of renewable energy resources or greenhouse gas emissions reductions.  You can download detailed eligibility and petition requirements on the PTO website <a href="http://www.uspto.gov/patents/law/notices/2009.jsp">here</a>.  </p>
<p>2.  <strong>Online Privacy and Behavioral Advertising.</strong>  Check out Yahoo!&#8217;s new <a href="http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html">Ad Interest Manager</a>, which enables you to see information about your online browsing activities that Yahoo collects for targeted advertising purposes.  The new site feature was unveiled with great fanfare on December 7, which &#8212; coincidentally? &#8212; was the same day the FTC kicked off the first of three new Privacy Roundtables examining online data collection for behavioral advertising and similar topics and the adequacy of current privacy rules and industry self-regulation.  </p>
<p>Yahoo! may be ahead of the curve.  The noises the FTC is making seem to indicate impatience and dissatisfaction with the current state of self-regulation in behavioral advertising (supposedly based on notice and choice, as provided in the <a href="http://www.baerbizlaw.com/category/blog/ftc-mandates-self-regulation-for-online-behavioral-advertising">behavioral advertising self-regulatory guidelines</a> issued by the FTC in February 2009).  More aggressive privacy regulation, as well as stepped-up administrative enforcement, may be on the way.  Of course, this is <a href="http://www.baerbizlaw.com/blog/ftc-busts-sears-in-behavioral-tracking-case">exactly what I predicted last summer</a>.</p>
<p>I am monitoring this situation closely, and if there is a new rulemaking, I am considering participating in the public comment process.  I acknowledge the concern in government and academic circles about the ability to build profiles and derive personal information by associating and combining data on the Internet and applying behavioral analytics (connecting the dots to tease out or guess specific attributes of an Internet user, such as demographic information, based on browsing activity and clickstream data).  However, as a matter of personal opinion I tend to fall into the &#8220;what privacy?&#8221; camp and am not convinced we are dealing with a full-scale public emergency that warrants shackling innovative new technologies and communication channels.  </p>
<p>3.  <strong>Workplace Internet Privacy Before the NJ Supreme Court.</strong>  <em>Stengart v. Loving Care Agency, Inc.</em>, a New Jersey appellate court case I <a href="http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie">blogged about this past summer</a>, was argued before the New Jersey Supreme Court on December 2.  The issue in <em>Stengart</em> is whether an employee&#8217;s e-mails to her attorney using her personal web account are still covered by the attorney-client privilege in her suit against the employer where she accessed the account from a work computer.  (The defendants&#8217; counsel found the e-mails when imaging the computer&#8217;s hard drive during discovery.)  The employer had a poorly drafted Internet use policy that (arguably) rendered all communications over the computer subject to monitoring, although the policy also allowed limited personal use of the computer.  </p>
<p>The case is important, because if the Supreme Court agrees with the appellate court that the employee did have an expectation of privacy in the e-mails to her attorney, notwithstanding the Internet use policy, it could curtail employers&#8217; previously untrammeled ability to regulate the use of their IT resources.  </p>
<p>A finding for the employee seems likely, since the New Jersey Supreme Court is a liberal bench that has often taken a broadly protective approach to the attorney-client privilege.  Also, at least two of the justices, including Chief Justice Rabner, seemed troubled by the employer&#8217;s reliance on the policy as support for its position that it could monitor anything transmitted using its computers.  </p>
<p>The big question, then, is how broad or narrow the ruling will be.  Was this a badly drafted policy that on its terms shouldn&#8217;t be construed to apply to such personal communications?  Or going forward do all Internet use policies need to specifically call out the right to monitor communications using web-accessed personal e-mail accounts?  Or (most radical) will an employer&#8217;s &#8220;unilateral&#8221; reservation of the right to monitor its IT resources be held unenforceable as a matter of public policy when applied to certain types of communications &#8212; such as e-mails to a &#8220;spouse, a physician or a cleric&#8221;?   (The possibility of such employer monitoring appeared to disconcert Justice Albin.)  If the court were to take the most radical approach, this might scare employers into slamming the door on ANY personal use of workplace computers and Internet access.<br />
<img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/tree-with-seasonal-colors-225x300.jpg" alt="Colors of the season" title="Colors of the season" width="225" height="300" class="alignright size-medium wp-image-644" /><br />
4.  <strong>Data Breach Dixie-Style.</strong>  Several restaurants in Louisiana and Mississippi, including the rustically named Mel&#8217;s Grill, Sammy&#8217;s Diner and Crawfish Town USA, have sued Radiant Systems, a provider of point-of-sale (POS) hardware and software, and the distributor Computer World, Inc. to recover fines and penalties imposed by Visa and MasterCard after a foreign hacker exploited security vulnerabilities to access the systems remotely.  The plaintiffs, whose claims include negligence and breach of contract, allege that the POS solution was not compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that the distributor was also out of compliance (according to the plaintiffs, among other things, the system retained sensitive credit card information unnecessarily and the distributor used the same password for 200 different systems).  The plaintiffs also alleged that Radiant had, in fact, been warned by Visa about the vulnerability of the POS system in 2007.  </p>
<p>The negligence claims are significant because of the plaintiffs&#8217; attempt to use PCI compliance to set the baseline for reasonableness in order to show that the defendants&#8217; behavior was negligent.  However, the plaintiffs will face an uphill battle if their contracts with the defendants contain the typical technology vendor/service provider legalese limiting product- and service-related claims to breaches of the narrow warranties given in the contract, disclaiming damages for lost or stolen data, characterizing third-party criminal acts as force majeure for which the vendor is not responsible, and limiting the customer&#8217;s recoverable damages to direct damages no greater than the fees paid for the defective product or service.</p>
<p>However this case unfolds, the loss suffered by the restaurants highlights the need to carefully scrutinize and negotiate technology agreements covering products that store or process sensitive personal information.  The customer should strongly consider requiring the vendor/service provider to warrant that they have validated compliance with PCI and will update their product or service as needed to maintain compliance.  The customer should also seek indemnification against claims and losses resulting from a data breach where the breach is attributable to a defect in PCI compliance.  (Many vendors/service providers will scream at this, protesting that their prices don&#8217;t reflect assumption of these risks.  The proper response to this is &#8220;why not?&#8221;, especially if a vendor/service provider hypes itself as being PCI-certified.)   </p>
<p>Of course, don&#8217;t place absolute trust in having a strong contract; make sure you do your due diligence too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employee Online Privacy II:  Still No Biggie</title>
		<link>http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie/</link>
		<comments>http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie/#comments</comments>
		<pubDate>Thu, 20 Aug 2009 16:11:00 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[employment law]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[Pietrylo]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Stengart]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=401</guid>
		<description><![CDATA[<p>In late June I made a <a href="http://www.baerbizlaw.com/category/blog/employer-liable/">post</a> on this blog about the verdict in <em>Pietrylo v. Hillstone Restaurant Group</em>, a closely watched case in which an employer was r[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>In late June I made a <a href="http://www.baerbizlaw.com/category/blog/employer-liable/">post</a> on this blog about the verdict in <em>Pietrylo v. Hillstone Restaurant Group</em>, a closely watched case in which an employer was required to pay back pay and punitive damages for improperly accessing a password-protected employee discussion group on MySpace.  The case was (wrongly, I believe) hailed as an important victory for employees&#8217; online privacy rights.  In my view, the result would have been different if the employer had handled the investigation more thoughtfully.  Having a well drafted Internet use policy distributed to and properly acknowledged by employees would have helped as well.  </p>
<p>On June 26, shortly after the <em>Pietrylo</em> verdict, another court (also in New Jersey) handed down a ruling which, at first glance, seems to be an even more emphatic vindication of employee online privacy rights against the prying eyes of Big Brother.  You can check out the New Jersey Superior Court, Appellate Division&#8217;s opinion in <em>Stengart v. Loving Care Agency, Inc.</em>, Docket No. A-3506-08T1, <a href="http://docs.google.com/gview?a=v&#038;q=cache:Tklnp96q4csJ:pub.bna.com/eclr/nj350608_062609.pdf+stengart+loving+care&#038;hl=en&#038;gl=us">here</a>.    </p>
<p>In <em>Stengart</em>, an employee considering legal action against her employer used an employer-provided computer to send e-mails to her attorney through her personal Yahoo account.  After the computer&#8217;s hard drive was imaged, the employer&#8217;s law firm read these e-mails but did not alert the plaintiff&#8217;s counsel that it had possession of them.  A lower court ruled that, based on the employer&#8217;s purported adoption and distribution of an electronic communications policy which supposedly made all communications sent via corporate IT resources its &#8220;property,&#8221; the plaintiff had no expectation of privacy in the e-mails, and they were not protected by the attorney-client privilege.  </p>
<p>The appellate court reversed, and in so doing, filled its opinion with lofty language sure to warm the hearts of privacy advocates and raise doubts about the effectiveness of Internet and computer use policies.  For example:</p>
<p><em>&#8220;A policy imposed by an employer, purporting to transform all private communications into company property &#8212; merely because the company owned the computer used to make private communications or used to access such private information during work hours &#8212; furthers no legitimate business interest&#8230;. When an employee, at work, engages in personal communications via a company computer, the company&#8217;s interest &#8212; absent circumstances the same or similar to those that occurred in [certain cases involving a suspicion that the employee had committed fraud or accessed child pornography] &#8212; is not in the content of those communications; the company&#8217;s legitimate interest is in the fact that the employee is engaging in business other than the company&#8217;s business. Certainly, an employer may monitor whether an employee is distracted from the employer&#8217;s business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee&#8217;s personal communications.&#8221;</em></p>
<p>On closer examination, however, there is less here than meets the eye.  On August 19, I made a <a href="http://itknowledgeexchange.techtarget.com/it-compliance/the-impact-of-stengart-v-loving-care-on-employee-online-privacy/">guest post</a> on Tech Target&#8217;s <a href="http://www.itknowledgeexchange.com">IT Knowledge Exchange</a> giving a detailed legal analysis of the case.  Let me just hit the high points here:</p>
<p><strong>1.  The employer&#8217;s electronic communications policy was badly drafted, made contradictory statements about the allowance of personal communications, and may not even have been in effect.  The lower court did not conduct an evidentiary hearing about the adoption, applicability or objective interpretation of the policy.</strong></p>
<p><strong>2.  The employer did not follow the customary practice of obtaining a signed acknowledgment of the policy from its employees (something the appellate court noted).</strong></p>
<p><strong>3.  The attorney-client privilege is sacred, particularly in New Jersey, as I know from prior work experience there.  As the court admitted, the real issue in the case was not defining the scope of employee online privacy, but rather whether the plaintiff should suffer the draconian penalty of losing her attorney-client privilege in her e-mails with her attorney.  Any broader reading of the language quoted above is legally non-binding.</strong> </p>
<p>While courts will probably strain to avoid finding a waiver of the attorney-client privilege, a properly drafted and disseminated Internet and computer use policy (for example, emphasizing the employer&#8217;s right to monitor and access both work-related and personal communications made using the employer&#8217;s IT resources, as opposed to claiming personal communications as the employer&#8217;s &#8220;property&#8221;) remains legal and enforceable.  Where such a policy is in place, there is no all-encompassing right to privacy in personal communications transmitted through corporate IT resources.  </p>
<p>Please understand where I am coming from:  I am NOT advocating, as a normative principle, unlimited employer intrusion into private employee communications.  (I have actually been criticized for supposedly being a legal apologist for Big Brother!)  With the nine-to-five workday increasingly a thing of the past, most employees have a need to conduct a limited amount of personal business while at work.  A well balanced Internet and computer use policy will acknowledge this reality.  </p>
<p>With that said, however much I identify with Philadelphia&#8217;s heritage of individual liberty, I am not a paid professional civil libertarian.  I am a technology lawyer engaged by businesses to help them sleep at night.  In this capacity, I recommend that organizations adopt a reasonable Internet and computer use policy that clearly and unambiguously announces the scope of the employer&#8217;s monitoring/access rights and is carefully drafted to avoid or win litigation based on an asserted &#8220;expectation of privacy.&#8221;  How much to monitor or access is a cultural and resource-driven decision that needs to be made by each organization.  </p>
<p>The <em>Pietrylo</em> and <em>Stengart</em> cases are important pieces in the puzzle, but are more revealing as case studies in failure to use best practices than as some sort of Magna Carta of employee online privacy.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
