Apr 18, 2014

FTC v. Wyndham – What Does it Mean for Your Data Governance Programs?

Joanne Furtsch, Director of Product Policy
@privacygeek

Saira Nayak, Director of Policy
@SairaNayak


Part I: The Legal Stuff

Since June 2012, Wyndham Hotels has been the focus of an FTC complaint alleging that the company acted “unfairly” when it failed to take “reasonable” measures to secure customer data (Wyndham had suffered three data breaches in two years).  In response, Wyndham filed a motion to dismiss, challenging the FTC’s authority to bring such an action at all under Section 5 of the FTC Act, which prohibits “unfair” and “deceptive” acts or practices (Covington & Burling has an excellent summary of the case so far, available here).

Last week, Judge Salas (District of New Jersey) denied Wyndham’s motion to dismiss and allowed the FTC’s case to proceed.  Her decision is significant because it is the first time a federal judge has weighed in on the scope of the FTC’s unfairness authority over data security under Section 5.

For privacy watchers (including several of us at TRUSTe), this is an important case.  The question of whether the FTC has the authority to regulate data security practices, and what that standard should be, has also received its fair share of attention from industry, prompting several amicus briefs (including this must read from US Chamber of Commerce et al.).

One of the central questions in this case is what constitutes “reasonable” when it comes to data security standards.  As both Wyndham and the Chamber point out, the FTC has not articulated what this standard should be (the FTC has stated it can’t articulate such guidance, because industry standards change constantly in response to evolving threats and vulnerabilities).

Wyndham’s response is that the FTC’s lack of guidance amounts to a constitutional due process violation, because there is no “fair notice” of what conduct is prohibited.  Judge Salas rejected that argument, finding that recent FTC complaints and consent orders give companies enough guidance to develop reasonable data security practices.  However, her ruling only decided whether the case should proceed; the underlying issue still has to be litigated.  And we may not get a comprehensive answer, or answers to the other important questions in this case, if Judge Salas is reversed on appeal or if Wyndham settles.

But one thing is clear.  The FTC has emerged as the leading enforcer of data security practices (don’t forget the 4th Circuit’s recent decision in FTC v. Ross, affirming the FTC’s Section 5 authority in cybersecurity cases, including holding defendants personally liable for unfair and deceptive practices).

Plus, the lack of FTC guidance does not mean that there are no industry-defined best practices, including several embodied in TRUSTe’s own program requirements, for implementing reasonable data security measures.  These are best practices that you should already be including in your data governance programs.

In the second part of this post, we outline 6 simple steps that are a must for any company that considers its customers’ personal data an asset.

Part II: The Best Practices

1.     Make sure that your privacy disclosures reflect your actual practice.
If you talk the talk, then you need to walk the walk. Make sure you are doing what you say – especially when it comes to promises you are making in your privacy statement about how you manage the information you collect, process, share, and retain.

Look at the scope of your company’s privacy statement and how it is defined.  Assess what the scope means and which aspects of your business it applies to.  Take steps to verify that all your online properties (web site, mobile app), products, services, business units and parties covered under the defined scope comply with your privacy disclosures and statements.  When a company fails to abide by its stated privacy disclosures, it can open itself up to Section 5 liability.  Just ask Goldenshores Technologies, maker of the popular “Brightest Flashlight” app, which failed to disclose that it was collecting and sharing consumer data, and now finds itself subject to a 20-year FTC consent order.

2.     Be proactive and actively identify, monitor and address vulnerabilities.
Proactive vulnerability management, with a plan of action for addressing what you find, helps prevent a data breach in the first place and gets a fix in place quickly when one is needed.  Part of being prepared for a data breach is a swift plan of action: identify and remedy the problem, then make sure the same problem cannot recur.  One good resource to help you start creating such a plan is the 2014 Data Protection & Breach Readiness Guide, published by our friends at the Online Trust Alliance.  And if you want to learn more about how failing to “patch” known vulnerabilities can get you into Section 5 trouble, take a look at the FTC’s settlement with HTC over its lack of “reasonable” data security practices.

3.     Understand your data flows
Work out how data flows throughout your organization and to third parties, and capture that understanding in a data flow map: what is collected, where it is stored, which systems and vendors it passes through, and where it leaves your control.  A data flow map should be the first step in any privacy assessment, because it shows where potential risks exist and where additional in-depth assessments are needed.

4.     Put password management rules in place and reinforce them frequently.
Review your password protocols and rules for customers, employees and vendors who have access to your information systems.  Assess what type of information each group accesses and put protocols and policies in place to control which information is available to which users.

Sensitive data will require stricter protocols, such as stronger passwords: rules for minimum password length and complexity (for example, rejecting dictionary words and requiring a mix of character classes including special characters).  Passwords should have a set expiration period (e.g. six months) after which users must update their password.  It may also be worth looking at the password advice in the FTC’s guidance to consumers on keeping personal data secure.

5. Manage access to data.
Close the gaps in your company’s systems that give vendors broader access to data than they need, and have a process in place to revoke vendor access as soon as it is no longer required.  Audit the servers and devices connected to your network to verify that none of them still has a well-known default account or default password enabled; default credentials are published and are an easy route to unauthorized access.

By reviewing your systems, you will also learn how business units within your organization and vendors actually use customer data.  Assess who has access to customer data, what information they have access to and why they need it.  Then take steps, such as firewall rules and network segmentation, to restrict access to only what is necessary for that business unit’s or vendor’s needs.

6.  Encrypt sensitive data
Review how your organization classifies the data it collects and retains, and assess whether data classified as sensitive is encrypted both in transit and at rest.  This also covers the login credentials that customers, employees and vendors use to access collected information: stored passwords should be protected with a salted, slow password hash (such as bcrypt, scrypt or PBKDF2) rather than kept in plain text or as reversible ciphertext, and should only ever be transmitted over an encrypted connection.  Encryption provides an extra layer of protection in the event of a data breach, making it far less likely that sensitive data such as financial information, including credit card numbers, will be compromised.  The FTC recently addressed the importance of protecting data in transit in its consent decrees against Fandango and Credit Karma.
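To make steps 4 and 6 concrete, here is an added example; it is not code from the original post or from TRUSTe. It enforces a password policy of the kind described in step 4 (minimum length, character classes, and rejection of dictionary words even when they are disguised with common character substitutions such as “P@ssw0rd”), and it stores credentials as salted, slow PBKDF2 hashes rather than as reversible ciphertext, which is the practical form of “protecting login credentials” from step 6. The banned-word list, the 12-character minimum, the iteration count and the function names are assumptions made for the example.

```python
# Added example (not from the original post): a password-policy check of the kind
# described in step 4, plus salted slow hashing for stored credentials (step 6).
# Wordlist, thresholds and function names are this example's own assumptions.
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 12  # assumption: policy minimum; tune to your own risk assessment

# Constructed, deliberately tiny dictionary of banned words. A real deployment
# would load a full dictionary or breached-password wordlist here (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "wyndham", "summer"}

# Common "leet" substitutions undone before the dictionary check, so that
# "P@ssw0rd" is still caught as the dictionary word "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t"})


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Undo substitutions and strip everything that is not a letter, then look
    # for banned words *inside* the result (so "password2014!" is caught too).
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    for word in sorted(COMMON_WORDS):
        if word in letters:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Store a password as a salted PBKDF2-HMAC-SHA256 hash, never as plaintext
    or reversible ciphertext. 600k iterations is the OWASP-recommended floor for
    PBKDF2-SHA256; the fresh random salt makes identical passwords hash differently."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd2014!", "Tq7#mWe2!zLp9"):
        print(f"{candidate!r}: {check_policy(candidate) or 'OK'}")
    record = hash_password("Tq7#mWe2!zLp9")
    print(record)
    print(verify_password("Tq7#mWe2!zLp9", record), verify_password("guess", record))
```

Two design points are worth noting. The dictionary check runs on a normalised copy of the password, because a complexity rule that only demands “one digit and one symbol” is satisfied by exactly the substitutions attackers try first. And the stored record carries its own algorithm, iteration count and salt, so the iteration count can be raised later for new passwords without breaking verification of existing ones.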

Companies, including those that are certified by TRUSTe, are already using the steps outlined above to protect valuable customer data. For more information on how you can integrate similar best practices into your data governance programs, contact us today.

Apr 14, 2014

TRUSTe Welcomes Privacy Expert Ray Everett and Customer Operations Leader Elizabeth Blass

TRUSTe today announced the appointment of privacy expert Ray Everett CIPP/US as Director of Product for Compliance Solutions and Elizabeth Blass as Vice President for Client Services.

Everett has significant experience in the privacy industry, gained from working in the sector for the past 15 years. He was one of the first US corporate privacy officers and an original founding board member of the IAPP.  Most recently, Everett managed global advertising and search privacy issues for Yahoo, and served as general manager for the privacy monitoring business at Keynote Systems.

Blass has developed a passion for excellence in customer operations and brings her leadership expertise to TRUSTe, where she will lead a team of more than 30 global privacy consultants and analysts.  Most recently, she was the Senior Director of Co-Location Customer Service Operations at CME Group and, prior to that, was the Regional Senior Vice President at Verizon Business.

These appointments will further help TRUSTe support growth in demand for comprehensive privacy solutions from enterprise clients and we’re delighted to have them on board.

Apr 09, 2014

TRUSTe Doubles Mobile Ad Partner Base

Today, TRUSTe announced that the global adoption of TRUSTed Ads has expanded with its mobile advertising partner base having more than doubled within the last year to include 33 leading mobile ad partners. Since it was first to market in 2012, TRUSTed Ads has powered billions of privacy safe mobile ads to help our clients deliver innovative advertising campaigns and build trust with their target audience while adhering to industry-leading standards of privacy in the U.S. and Europe.

TRUSTed Ads is a comprehensive mobile advertising privacy solution for both mobile web and mobile apps, which adheres to the DAA Mobile Guidelines and the EU Self Regulatory Program for OBA and offers consumers transparency and choice.  TRUSTed Ads includes an easy-to-use preference management system accessible through the AdChoices icon that enables consumers to manage their personal privacy settings across mobile devices and websites, as well as a mobile app SDK for iOS and Android.

“Our market-leading mobile advertising privacy solution TRUSTed Ads, has proved to be ahead of the game in anticipating self-regulatory guidelines and delivering mobile privacy best practices making it a clear choice for forward-thinking ad networks such as Millennial Media, StrikeAd and byyd.” – Rich Qiu, Vice President Business Development, Mobile at TRUSTe

Mobile continues to be the fastest growing online advertising industry and advertisers, publishers and networks are eager to increase their mobile ads volume and performance. Behavioral advertising is a proven strategy to improve performance, but it also raises increased privacy concerns with consumers and regulators. TRUSTed Ads enables all players in the mobile ecosystem to build trust with consumers and meet regulatory and industry compliance requirements – powering privacy safe advertising and helping to drive innovations.

Before Millennial Media continued the global roll out of its Mobile Audience Solutions (MAS) behavioural targeting solution in the UK in January 2013, it wanted to be certain that it remained a leader in offering products that reflect industry best practices for mobile privacy. Read the case study online for further details.

“We process massive amounts of data to provide comprehensive advertising solutions, making it vital that we build trust for the advertising community by giving consumers control to engage in an increasingly mobile world. With global compatibility, TRUSTed Ads also supports our customers’ worldwide mobile marketing objectives by adhering to industry-leading standards of privacy in the U.S. as well as internationally.” – Ho Shin, General Counsel and Chief Privacy Officer, Millennial Media

To learn more about TRUSTed Ads, please visit http://www.truste.com/ads


Apr 08, 2014

DAA Releases Technical Guidelines for Implementing AdChoices Icon in Mobile

Joanne Furtsch
Director of Product Policy
@privacygeek

Helen Huang
Product Manager

This week, the Digital Advertising Alliance (DAA) announced the first version of its DAA Ad Marker Guidelines for Mobile, which explain how to comply with the enhanced notice requirements of the DAA Mobile Principles (The Application of Self-Regulatory Principles to the Mobile Environment). TRUSTe played an active role in drafting the guidelines, working with the other companies in the DAA Mobile Technical Working Group, and is credited as an author. We contributed insights from real-world experience running TRUSTe’s implementation of the solution for our clients.

The Ad Marker Guidelines provide guidance to app developers, mobile web publishers, and third party ad networks on how to implement the AdChoices icon (Ad Marker) in both the mobile application and web environments. 

Key highlights from the guidelines include:

  • Ad Marker (the DAA AdChoices icon) must include an invisible touchpad area of between 20×20 and 40×40 to enable consumers to easily press the icon, access the enhanced notice, and exercise a preference.
  • Non-prescriptive corner default for the in-ad display of the Ad Marker. It is noted that companies will need to pay attention to any close event that is prescribed to be on the top right corner such as in a video ad.  Guidance around close events can be found in the IAB MRAID and Video guidelines.
  • In-Ad experience options providing companies multiple options around the consumer experience when the consumer interacts with the AdChoices icon that include: 1) Opening of an interstitial allowing the consumer the choice to return to the ad in the case of mistakenly pressing on the icon or accessing a preference mechanism; 2) Expansion of the icon to display full AdChoices text; or 3) Taking the consumer directly to a preference mechanism or instructions for device specific controls
  • App Developer implementation guidance illustrating how the Ad Marker should be included in an app’s Settings menu.

This first release of the guidelines is a big step towards ensuring consistency and standardization of the consumer experience when interacting with the AdChoices icon in both the desktop and mobile environments. At the same time, the guidelines address issues specific to the mobile environment to enable consumers to easily access and interact with the AdChoices icon and exercise their preference.

Stay tuned for news on our mobile ad privacy solution, TRUSTed Ads, tomorrow.

Apr 01, 2014

April Monthly Spotlight

 - April 3

Advertising Week Europe
London

TRUSTe is hosting a private dinner, attended by Rich Qiu, VP of Business Development, Mobile, and Ken Parnham, Managing Director of Europe. For more details, please contact Eleanor Treharne-Jones – eleanor@truste.com

- April 15
Privacy Innovation Forum
San Francisco

TRUSTe is hosting an exclusive invitation-only event bringing together industry leaders and decision makers to discuss how privacy and compliance are becoming inter-connected and the use of GRC (Governance, Risk, and Compliance) tools to address enterprise privacy and compliance challenges. For more information, please contact Helen Dunavetsky at helend@truste.com

- April 29
IAPP Drinks
London

Join TRUSTe on the eve of the IAPP Data Protection Intensive for canapes and cocktails at the Malmaison London. A great way to catch up with fellow privacy colleagues in London in the luxurious setting of the newly created Mal Lounge at the Malmaison. Register to attend here.

-  April 30 – May 1
IAPP Europe Data Protection Intensive
London

Stop by the TRUSTe booth at the annual IAPP Europe Data Protection Intensive Summit to hear the latest insights in data protection as well as learn how TRUSTe’s data privacy management platform can help your business address these issues today. Register here.

Mar 25, 2014

TRUSTe Unveils TRUSTed Interests – Puts Consumers in Control of Their Digital Experience

Ahead of ad:tech SF this week, TRUSTe launched TRUSTed Interests, the first privacy-friendly interests management solution, which puts consumers in control of their ad experience. Today, consumers feel inundated with irrelevant advertising and are concerned about their activity being tracked online. But it is also not easy for consumers to work out how to share their interests with the ad ecosystem in a simple manner.

TRUSTed Interests is an extension to the TRUSTe Data Privacy Management Platform which enables consumers to share and manage details of their interests across mobile and desktop devices. This has the potential to revolutionize the ad industry, addressing consumer and regulatory privacy concerns while putting consumers in control over their advertising experience and enabling advertisers to deliver more relevant ads.

“The promise of delivering custom-tailored advertising messages across devices is why advertisers work with us, and this innovative solution will bring added value to our clients’ campaigns. By delivering ads targeted towards known consumer interests, our whole industry will benefit.” – Eric Rosenblum, COO, Drawbridge

The TRUSTe Privacy Index, Advertising Edition Consumer Interests highlights findings from research conducted by Ipsos MORI which show that while 82% of consumers are concerned about the type of personal information collected through their web-browsing history, 39% of consumers are willing to share details of specific products and services they are interested in with advertisers in exchange for a more relevant ad experience. Additionally, field tests of TRUSTed Interests revealed 9 out of 10 consumers chose to share details of their interests instead of opting-out of online behavioral advertising.

“With TRUSTed Interests, we have witnessed high consumer engagement with setting interests, especially on mobile devices. Most important, the fact that half of these consumers selected multiple interests provides even more valuable information that will help our clients deliver more relevant ads to their audiences.” – Bob Walczak, General Manager of Mobile and Video at PubMatic

The initial implementations of TRUSTed Interests focus on creating a better consumer advertising experience to benefit the entire ad ecosystem through the delivery of privacy-friendly, relevant ads. To learn more about this first privacy-friendly interests management solution, visit http://www.truste.com/interests.

Mar 13, 2014

Lynda.com and Yodlee are the latest companies to partner with TRUSTe to receive APEC Certification

Lynda.com and Yodlee are the two latest companies to receive certification that they are in compliance with the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules following on from IBM and Merck last year. TRUSTe, the first Accountability Agent for APEC’s privacy framework, worked closely with both companies to ensure their data collection practices were in compliance with the CBPR system. TRUSTe will monitor ongoing compliance and deliver consultative services throughout the partnership.

Commenting in a press release today on their APEC Certification, David Glaubke, Director of Corporate Communications at lynda.com, said:

“Lynda.com is committed to protecting the privacy of our users, and the APEC Privacy certification helps protect the exchange of personal information across borders, which is vital to our business. As we continue to grow in different regions throughout the world, we want to continue to build trust with our users, address concerns about privacy and be transparent about our data privacy practices.”

Brian Costello, Vice President, Information Security at Yodlee added:

“The APEC Certification of our privacy data handling is a key factor in our conversations and engagements with potential clients in the member countries.”

This news follows last Thursday’s announcement by the FTC, together with agency officials from the European Union and APEC economies, of the EU-APEC Referential, with the ultimate goal of helping businesses transfer data around the world safely and in compliance with global privacy frameworks.

The EU-APEC Referential maps together the requirements for APEC Cross Border Privacy Rules (CBPRs) and EU Binding Corporate Rules (BCRs). The document, jointly designed by APEC officials and the EU’s Article 29 Data Protection Working Party, is designed to be a practical reference tool for companies that seek “double certification” under these APEC and EU systems, and shows the substantial overlap between the two.

Chris Babel, CEO of TRUSTe, welcomed the launch of the EU-APEC Referential as an important step towards global interoperability of data privacy frameworks, saying:

“Through our work with Promontory providing BCR solutions and as the Accountability Agent for APEC in the US, we understand the practical challenges that these differing privacy frameworks create for companies looking to act responsibly in their use of customer data. We welcome the announcement made by EU agencies and APEC economies last week which will make it easier for companies to demonstrate global compliance under international standards and is an exciting step towards further interoperability of privacy frameworks worldwide.”

In order to help companies better understand the new EU-APEC Referential, and how they can achieve global privacy compliance via the APEC and BCR Frameworks, TRUSTe is hosting a webinar on March 25 with Josh Harris, Policy Director at the Future of Privacy Forum, Simon McDougall from Promontory and Saira Nayak, Policy Director at TRUSTe.

Register for the webinar here

Find out about the TRUSTe APEC Privacy program here

Find out about the TRUSTe Promontory BCR Management Program here

Mar 13, 2014

European Parliament declares EU data protection reform irreversible after vote


Yesterday, the European Parliament gave its backing to the European Commission’s data protection reform ahead of European elections in May, with 621 votes in favour, 10 against and 22 abstentions for the proposed Regulation. This vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the elections.

For those struggling to keep track of exactly what stage the reform has reached: the proposed Regulation must still be adopted by the Council of Ministers under the “ordinary legislative procedure” (co-decision), which means the Parliament and the Council have to agree on a common text before it becomes law.

In a press release, the European Parliament said it “stands ready to negotiate with the Council of the EU as soon as the Council defines its position”. Last Tuesday (4 March 2014) Justice Ministers in the Council met to discuss this issue amongst others and their next meeting on the data protection reform will take place in June 2014.

It has been a long and drawn out process since 25th January 2012 when the Commission first proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online data protection rights and boost Europe’s digital economy (see IP/12/46). There have been many delays and over 3000 amendments, however there appears to be no lack of momentum at this stage and businesses in the EU and the US should continue to pay close attention to the debate and the potential consequences for their business.

TRUSTe Policy Director Saira Nayak shared her thoughts on the EU Data Protection reform in a blog after the LIBE Committee vote last October in which she listed the key highlights of the LIBE proposals:

  • Data transfers to non-EU countries – these could only happen if approved by the national data protection authority of the EU member country in question. If approved, it is unclear whether the EU Safe Harbor agreement would still be valid for EU-US data transfers.
  • Explicit consent for all processing of personal data.  Explicit consent is defined as the “freely given, specific, informed and explicit indication” of a user’s wishes, either by a statement or a clear affirmative action.
  • A Right to Erasure – a right to have personal data erased if requested by the user.
  • Profiling – Profiling includes analyzing a user’s online behavior for the purposes of marketing and advertising.  The LIBE proposals restricted profiling based on personal data, but exempted profiling based on “pseudonymous data” (defined as “personal data that cannot be attributed to a specific data subject without the use of additional information”).
  • Sanctions – For data protection violations, the LIBE Committee proposed fines of 5% of annual turnover or €100 million, whichever is greater.

At TRUSTe we will closely follow all of these important developments in the EU, and offer privacy solutions to businesses looking to stay ahead of the proposed changes.
