Privacy Seal Provider ControlScan Settles FTC Charges

The FTC announced on Thursday that it had reached a settlement with ControlScan, a provider of so-called “privacy seals”—those small-ish images certifying a website’s security or privacy practices.

The FTC charged that ControlScan had “misled consumers about how often it monitored the sites and the steps it took to verify their privacy and security practices.” Although the seals claimed that ControlScan had verified the site’s privacy practices, ControlScan did “little or no verification” of those practices, according to the FTC. The FTC also took issue with the fact that the seals had current date stamps even though ControlScan did no daily reviews.

The settlement agreement required ControlScan’s former CEO to give up $102,000 in profits. It also suspended a $750,000 penalty against the company for inability to pay.

It’s uncertain whether privacy or security seals mean much. Even when providers scan daily, how much assurance can one expect for $71.50 per month? McAfee, the big player in the market after it bought (and renamed) the “HackerSafe” seal, had its own bit of bad press a couple of years ago when it turned out that several “Hacker Safe” sites were vulnerable to cross-site scripting attacks.

Even though ControlScan appears to have been in a different category than legitimate privacy seal vendors, the FTC settlement highlights a classic reputation problem with these seals. The seals look like they mean something, but the only way to know for sure is to check the seal provider’s practices—which undermines the point of the badge in the first place.

Published on February 27, 2010 at 2:36 pm

U.S. Supreme Court to Hear Government Employer Privacy Case

The U.S. Supreme Court has granted certiorari in City of Ontario v. Quon. That’s the new name for Quon v. Arch Wireless Operating Company, the Ninth Circuit case that found that a police officer had a reasonable expectation of privacy in his text pager messages.

This should be an interesting case to watch. For a discussion of how this case might affect privacy for government employees, see Orin Kerr’s post over at the Volokh Conspiracy.

Published on December 15, 2009 at 11:38 am

Cost of Disclosing 179 Social Security Numbers in a Court Filing: $5000

Here’s a new way of holding someone directly liable for a data breach. A Minnesota attorney was fined $5000 for filing a federal court document containing the social security numbers and birth dates of 179 people. Court filings are public, which is why Federal Rule of Civil Procedure 5.2(a) says that a court filing may only contain the year of birth or last four digits of a social security number. As Judge Davis wrote in his order:

The Court is deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents. Although electronic filing significantly improves the efficiency and accessibility of our court system, it also elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to follow federal and local rules.

Published on October 23, 2009 at 10:04 pm

Ninth Circuit Adopts Plain-Language View of “Authorization” in CFAA Decision

The Computer Fraud and Abuse Act (CFAA) creates criminal penalties for doing various bad things by intentionally accessing a computer without authorization or by exceeding authorized access. There has been some debate recently over just what “authorization” means. For example, one of the issues in the Lori Drew case was whether Drew had exceeded authorized access, and thus committed a federal crime, by violating MySpace’s terms of service. Another frequent issue comes up in employment contexts: is it unauthorized access to use company computers for purposes other than those intended?

For example, suppose an employee has access to an employer’s computers for regular business purposes, but e-mails confidential data to an outside account. Later, he leaves the company and uses that confidential data to set up a competing business. Did the employee access that confidential data without authorization? The simple answer would be “no”: he had an account, he was allowed to use it, that permission had not been revoked, so any access was authorized.

The Ninth Circuit Court of Appeals recently adopted essentially this definition. LVRC Holdings, LLC v. Brekka said that such conduct is not unauthorized for purposes of the CFAA. The court looked at the language of the statute and a dictionary, and held that an employee has authorization to access a computer when the employer has given permission to use it. Because Brekka’s permission to use the computer had not been revoked when he accessed and mailed data to an outside account, the court held that his access was not unauthorized.

The Ninth Circuit rejected the agency-law analysis from a 2006 Seventh Circuit decision, International Airport Centers, LLC v. Citrin. That case had held that an employee’s authorization to access a computer ended the moment he breached his duty of loyalty to his employer—in that case, by wiping data from a laptop to hide evidence of misconduct. But in LVRC, the Ninth Circuit stuck to the text of the CFAA, noting that the CFAA is a criminal statute and should be interpreted in favor of lenience. Because the Ninth Circuit could find no agency law principles in the text of the CFAA, it held that a person uses a computer without authorization “when the person has not received permission to use the computer for any purpose . . . or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”

An aspect of this case that might be of interest to employers is that Brekka did not have a written employment agreement and LVRC had no policies against e-mailing documents to outside accounts. Such a policy would presumably have made Brekka’s actions unauthorized. But it’s hard to write policies that cover every single thing an employee is not allowed to do. If a company wrote a policy that “employees are only authorized to use company computers to the extent that such use is consistent with company interests,” would that create the Seventh Circuit agency-law definition of unauthorized access? It seems like it might, but, as always, This Is Not Legal Advice.

Published on September 30, 2009 at 5:34 pm

Minnesota’s Other Data Breach Notification Statute?

Just about anyone who cares knows by now that most states have data breach notification statutes. What’s not as well known, even among security professionals, is that Minnesota has long had another statute that could require reporting of data breaches. Taken literally, the statute would require reporting even when Minnesota’s data breach notification law does not.

The law is in Minnesota Statutes section 609.8911, which was added in 1994. It reads:

A person who has reason to believe that any provision of section 609.88, 609.89, or 609.891 is being or has been violated shall report the suspected violation to the prosecuting authority in the county in which all or part of the suspected violation occurred. A person who makes a report under this section is immune from any criminal or civil liability that otherwise might result from the person’s action, if the person is acting in good faith.

Chapter 609 is Minnesota’s criminal code, and sections 609.88, 609.89, and 609.891 are Minnesota’s computer crime statutes. Section 609.8911 therefore says that anyone who “has reason to believe” that any successful or attempted unauthorized computer access, damage, or theft has taken place must notify the county prosecutor.

Note what the statute does not say:

  • It’s not limited to data an organization “owns or licenses,” as section 325E.61 is for data breach notification.
  • It does not limit the reporting duty to situations where there’s a reasonable chance that the data was obtained by a third party. Because Minnesota’s computer crime statute outlaws attempted acts of computer crime, it seems to be irrelevant whether the attempted computer theft, damage, or unauthorized access was successful.
  • It’s not even limited to data the organization handles—the language of the statute would seem to require telling the county attorney that someone else was hacked.

That’s broad. For example, a literal reading of the statute’s language would require calling the county prosecutor every time a virus scanner finds a virus. A virus either accesses a computer without authorization or damages it. As soon as the virus scanner alerts the user to the presence of the virus, that user has reason to know that someone committed a computer crime. Does it matter that the user doesn’t know who committed the crime, that the county prosecutor can’t do anything with the information, or that universal compliance with the letter of the law would flood the prosecutor’s phone line with nothing but “I just got a virus” calls? Maybe in the real world, but there’s nothing in the statute to suggest that these concerns relieve anyone of the duty to report.

The statute is missing something else: penalty provisions. Any self-respecting criminal statute has two parts: (1) a list of things not to do, and (2) the penalties for doing those things. Criminal penalties can be specific, or they can just categorize the crime (as a felony, misdemeanor, etc.), but to have any force, they have to say what the cost of violating the law would be. There’s some question whether this is even a criminal statute—it’s in the criminal code, but it states an affirmative duty, not a prohibition, and it has no penalty provision. If it is a criminal statute, it’s mostly toothless.

It also appears that the statute has never been used. A search of Minnesota cases reveals no instance in which the statute was even cited, much less used to convict someone.

Because the statute has no penalties and has never been enforced, can you ignore it? Maybe. The stakes of doing so certainly seem low. But just try to find a lawyer who will say it’s okay to ignore any statute, even a toothless, unenforced statute.

One reason to comply with the statute is that even a statute without penalty provisions can form the basis of a negligence per se claim. Negligence per se is a way for a plaintiff to use a statutory requirement to skip the usual inquiry into whether the defendant used reasonable care. There are technical requirements for negligence per se claims, but if those are met, a plaintiff’s case is made much easier. Here’s how it might work with section 609.8911:

  1. A company sees an attempted attack, but doesn’t reasonably believe the attacker obtained any personal information, so does not report it.
  2. The attacker, who actually did obtain data, misuses it, harming one of the data subjects.
  3. The data subjects file a class action against the company, claiming that the company was negligent in not telling them about the breach. To establish negligence, the plaintiffs point to section 609.8911, which says the company should have reported the attempted breach to the county prosecutor.

And—voila—a statute with no penalty provision has just become a problem for the company. Admittedly, that’s a stretch, and there are those “technical requirements” referred to earlier, but lawyers have advised their clients to avoid less probable risks.

The language of the statute, the lack of a penalty, and its immunity provision might make one wonder about the original purpose of the statute. It turns out that it was actually an early attempt at requiring data breach notification. In Minnesota House Judiciary Committee hearings held March 18, 1994, Rep. Phyllis Kahn, author of the original Minnesota computer crime law and the duty-to-report provision, said that her bill was an attempt to force banks and financial institutions to report computer crimes they might otherwise prefer to hide. It was “generally believed,” she said, that computer crimes were under-reported because these institutions preferred maintaining an appearance of security that could be hurt by disclosing a breach. She acknowledged that the section did not include any penalties for failing to report, but said that her bill would be a “good step forward,” and that she couldn’t imagine what a good penalty would be.

A few states have similar duties to report computer crimes, including Ohio and Utah. Georgia had a similar statute that was repealed in 1991. A handful of other states have general duties to report any crimes (or sometimes felonies), but in most states, there is no duty to report that one has seen a crime. The computer duty-to-report statutes appear to be isolated exceptions to this general rule.

Minnesota has had a real data breach notification statute for a few years now. Perhaps it is time for the legislature to repeal or substantially modify section 609.8911. But until that happens, the safest course for any organization is to send the county prosecutor notice of any attempted data breach. It may seem silly (partly because, in many cases, it is), but that’s the letter of the law. With any luck, the busy prosecutor will respond with, “Thanks, but please don’t bother me again.”

Published on August 25, 2009 at 11:33 am