
Friday, January 06, 2012

Reward Service Deceived Consumers About Online Data Collection: FTC

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

The provider of a membership reward service aimed at consumers trying to save money for college has agreed to settle FTC charges that it deceived consumers by using a web-browser toolbar to collect their personal information without making adequate disclosures about the information collected, the Commission announced yesterday.

The service provided by Upromise Inc. allowed member consumers to receive rebates when they bought goods or services from Upromise partner merchants. These rebates were deposited into the consumers' college savings accounts.

According to the FTC, Upromise's website offered consumers a "TurboSaver Toolbar" download that would highlight participating merchants in consumers' search results. When downloading the toolbar, consumers saw a message that encouraged them to enable the "Personalized Offers" feature of the Toolbar, which Upromise allegedly claimed would collect information about the websites they visited "to provide college savings opportunities tailored to you."

Collection, Transmission of Personal Information

This feature allegedly collected and transmitted, in clear text, the names of all websites consumers visited and which links they clicked on, as well as information they entered into some webpages, such as search terms, user names, and passwords.

In some cases, the information collected included credit card and financial account numbers, user names and passwords used to access secured websites, security codes and expiration dates, and any Social Security numbers consumers entered into the webpages. The Toolbar transmitted consumers' information without encryption.

Privacy Statement

According to the FTC, the privacy statement associated with the toolbar stated that the toolbar would collect and transmit information about websites consumers visited, and that "infrequently" the collection might "inadvertently" collect a "name, address, email address or similar information," but that any personally identifying information would be removed before the data was transmitted.

Upromise, the FTC alleged, failed to disclose the extent of the information collected by the toolbar and misrepresented that it encrypted data and took reasonable data security measures. The failure to protect consumers' data from unauthorized access was itself an unfair practice, the FTC said.

Settlement

The proposed settlement order, if made final, will require Upromise Inc. to clearly disclose its data collection practices and to obtain consumers' consent before installing or re-enabling any such toolbar products. Upromise also would have to tell consumers how to uninstall the toolbars already on their computers. The settlement will bar misrepresentations about the extent to which the company maintains the privacy and security of consumers' personal information.

Destruction of Data

Upromise agreed to destroy the data collected through the Personalized Offers feature of the toolbar, to provide clear and prominent disclosures to consumers, and to receive their affirmative consent before installing any similar product. In addition, the agreement requires Upromise to establish a comprehensive information security program and to obtain biennial independent security assessments for the next 20 years.

The Commission vote to issue the administrative complaint and accept the consent agreement package containing the proposed consent order for public comment was 4-0.

The action is In the Matter of Upromise Inc., FTC File No. 102 3116. The complaint and an agreement containing the consent order appear on the FTC website. A news release appears here.

Further information will be reported in the CCH Trade Regulation Reporter.

Wednesday, February 24, 2010

FTC Finds Sensitive Data Leaked from Organizations to P2P Networks

This posting was written by Cheryl Beise, Editor of CCH Guide to Computer Law.

The Federal Trade Commission announced on February 22 that it has notified nearly 100 organizations that personal information emanating from the organizations' computer networks had been shared and was available on peer-to-peer (P2P) file-sharing networks where it could be accessed and used to commit identity theft or fraud. The information included sensitive data about customers and/or employees.

Notices Sent to Private, Public Entities

The notices went to both private and public entities, including schools and local governments, the agency said. Entities contacted ranged in size from businesses with as few as eight employees to publicly-held corporations employing tens of thousands. The agency also said it opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks.

The notification letters urged the entities to review their security practices—and, if appropriate, the practices of contractors and vendors—to ensure that they are reasonable, appropriate, and in compliance with the law. The agency posted samples of the letters (Letter A, Letter B, and Letter C), which advise recipients, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.”

The FTC warned that failure to prevent such information from being shared to a P2P network may constitute a violation of law, including the Gramm-Leach-Bliley Act and Section 5 of the FTC Act.

“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk,” said FTC Chairman Jon Leibowitz.

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” Leibowitz counseled.

Notification of Customers, Employees

The FTC also recommended that the entities identify affected customers and employees and consider whether to notify them that their information is available on P2P networks. Many states and federal regulatory agencies have laws or guidelines about businesses' notification responsibilities in these circumstances, the agency noted.

Text of the announcement appears here on the FTC website.

To help businesses manage the security risks presented by file-sharing software, the FTC released a new business education brochure, “Peer-to-Peer File Sharing: A Guide for Business,” describing the risks and recommending ways to manage them.

Further information about the FTC’s privacy and data security enforcement actions can be found here.

Friday, May 08, 2009

FTC Testifies on Data Security Bill, Peer-to-Peer File Sharing

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

The Federal Trade Commission strongly supports the goals of H.R. 2221, the proposed "Data Accountability and Trust Act," according to Acting Director of the Bureau of Consumer Protection Eileen Harrington, who testified May 5 before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer.

If enacted, the new law would require companies to implement reasonable data security policies and procedures and to notify consumers when there has been a data security breach that affects them. The legislation also would give the Commission the authority to obtain civil penalties for violations.

Coverage of Data Stored on Paper

The FTC suggested that the data security legislation be extended to cover data stored on paper, as well as electronic data. It also recommended that certain provisions imposing obligations on information brokers be targeted specifically to address harms consumers may face when brokers sell information about them. These provisions should not displace existing legal protections, according to the agency.

For more information on the proposed "Data Accountability and Trust Act," see the May 7, 2009 entry of Trade Regulation Talk.

Data Sharing Over P2P Networks

The agency's testimony also focused on the Commission's efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers' personal or sensitive data over peer-to-peer (P2P) Internet file-sharing networks.

Although P2P technologies hold potential benefits for computer users and businesses, the FTC said, they also can raise the risk that sensitive information will be made available over P2P networks, either through inadvertent sharing or through malware.

Enforcement Efforts

The FTC noted that the agency had brought cases related to P2P file sharing, had helped P2P software developers devise voluntary best practices to help consumers prevent inadvertent file sharing, and had continued to monitor efforts by companies to comply with these practices.

P2P File-Sharing Bill

Finally, Harrington stated that the Commission supports legislation placing restrictions on P2P file-sharing programs.

The proposed "Informed P2P User Act" (H.R. 1319) would prohibit P2P file-sharing software from making information on a computer available for sharing without first providing notice to, and obtaining consent from, the owner or authorized user of the computer. The bill, introduced by Rep. Mary Bono Mack (R-Calif.), would authorize the FTC to enforce the law and to seek civil penalties for violations.

Text of the FTC's testimony is available here.

Thursday, May 07, 2009

Privacy Laws Proposed in Congress, Canadian Parliament

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Federal laws addressing privacy concerns have been introduced recently in both Congress and Canada’s Parliament.

Data Security, Breach Notification

The Congressional proposal would regulate information security standards and breach notification procedures. The proposed “Data Accountability and Trust Act” (H.R. 2221) would require persons engaged in interstate commerce that own or possess data in electronic form containing personal information—or that contract to have a third-party maintain such data—to establish and implement reasonable security policies and procedures to protect that data. The measure would also provide for nationwide notice in the event of a security breach.

The proposed law would be enforced by the Federal Trade Commission and state attorneys general. A private right of action would not be available, and the federal statute would preempt state data security and breach notification laws and regulations.

The bill, introduced April 30, was sponsored by Rep. Bobby Rush (D-Ill.) and co-sponsored by Reps. Cliff Stearns (R-Fla.), Joe Barton (R-Tex.), Jan Schakowsky (D-Ill.), and George Radanovich (R-Calif.). Further information—and text of the bill—appears at the Thomas site of the Library of Congress.

Spam, Phishing

The Canadian legislation is aimed at deterring “the most dangerous forms of spam” and threats posed to privacy and personal security by Internet fraud.

The proposed “Electronic Commerce Protection Act” (ECPA) would prohibit the sending of commercial electronic messages without the prior consent of the recipient and would provide rules regulating the sending of such messages, including a mechanism for withdrawal of consent. It would also prohibit the alteration of e-commerce data transmissions and the unauthorized installation of computer addresses.

Persons injured by violations would have a private right of action for actual and statutory damages. The Canadian Radio-television and Telecommunications Commission and the Competition Bureau would also be authorized to impose administrative monetary penalties of up to $1 million Canadian for individuals and $10 million Canadian for all other offenders.

The proposal (Bill C-27) was introduced in the House of Commons of Canada on April 24. Text of the bill is available here.