FTC Announces Settlement with Facebook

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

The Federal Trade Commission (FTC) this afternoon announced a proposed consent decree with the prominent social network Facebook, settling allegations that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices.  The settlement imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a written comprehensive privacy program.  The FTC also requires Facebook to obtain independent privacy compliance assessments initially and every two years for the next 20 years.  Given the FTC's recent consent decrees with Google and Twitter and the associated audit and record-keeping obligations, the FTC now effectively has regulatory oversight over the privacy and data security practices of the three most prominent social networking companies in the United States.

The FTC’s complaint (PDF) alleges that Facebook violated Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, by repeatedly failing to live up to the privacy promises it made to its now approximately 750 million users. The complaint sets forth the following instances in which Facebook allegedly made unfair or deceptive promises concerning its privacy practices:

  • Deceptive Privacy Settings:  Although Facebook informed users that they could “control who can see” their profile information by using privacy settings to restrict access to their profiles, these settings did not prevent certain third-party applications from accessing users’ profile information.
  • Unfair and Deceptive Privacy Changes:  Facebook made changes to its website that made public information that users previously designated as private, without adequate notice to the users (much like what was alleged in the Google Buzz consent decree).
  • Deception Regarding Application Access:  Facebook represented to users that third-party applications would only be able to access such user profile information that was necessary to operate the application, but in some instances applications were given nearly unlimited access to users’ profile information.
  • Deception Regarding Sharing with Advertisers:  Facebook promised that it would not share users’ information with third-party advertisers, but it provided advertisers with information about its users.
  • Deception Regarding “Verified Apps” Program:  Facebook claimed that it verified the security of applications that sought certification through the “Verified Apps” program, but it took no steps to verify the security of a “Verified” application beyond those which it may have taken regarding any other application.
  • Deception Regarding Deletion of User Content:  Facebook represented to its users that their profile information, including photos and videos, would be inaccessible upon the deletion of their accounts, but Facebook continued to allow third parties to access this content after the users’ accounts were deleted or deactivated.

The FTC’s enforcement action against Facebook is yet another example of the FTC’s ongoing effort to ensure that websites live up to the privacy promises they make to consumers. Jon Leibowitz, Chairman of the FTC, remarked that “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” and noted that the “FTC action will ensure” that Facebook’s innovations will not come at the expense of consumer privacy.

US-EU Safe Harbor Framework Violations

The alleged violations of Section 5 of the FTC Act also include a failure to comply with the substantive privacy requirements of the US-EU Safe Harbor Framework ("Safe Harbor").  The Safe Harbor is a voluntary framework that allows companies to transfer personal data from the EU to the US in compliance with EU law.  Since at least 2009, Facebook has maintained self-certification with the Department of Commerce under the Safe Harbor program, under which it has declared its compliance with the seven Safe Harbor privacy principles in its public Privacy Policy and on the US Department of Commerce website.  In its complaint, the FTC alleged that Facebook, due to the failure to live up to many of the representations it made about its privacy practices, failed to comply with the Safe Harbor principles of Notice and Choice that required it to inform individuals about all the purposes for which it collected their data and to give those individuals a choice about how their information would be used.  

Terms of Proposed Settlement 

Under the consent decree (PDF), the FTC bars Facebook from further misrepresenting its privacy practices and requires it to: (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; (iii) establish and maintain a written comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users’ information; and (iv) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree. 

In advance of the FTC’s announcement, Mark Zuckerberg, founder and CEO of Facebook, today posted an entry on The Facebook Blog detailing the measures that Facebook will take to protect the privacy of its users. These measures include the creation of two new corporate officer roles:  Chief Privacy Officer – Policy, and Chief Privacy Officer – Products. Zuckerberg stated that the new corporate officer positions “will further strengthen the processes that ensure that privacy control is built into our products and policies.”

FTC Announces First Flash Cookie Enforcement and Settlement with Child Social Network

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

The Federal Trade Commission (FTC) yesterday announced settlements with two online companies for deceptively collecting personal information from consumers.  In the first enforcement action against the use of Flash cookies, the FTC alleged that ScanScout, an online behavioral advertiser that was recently acquired by Tremor Video, circumvented user choice by collecting information through Flash cookies even while telling consumers they could opt out of this collection through other means. In the case of Skid-e-Kids, a social networking website that targets children, the FTC alleged violations of both the FTC Act and Children’s Online Privacy Protection Act (“COPPA”) for the collection of personal information from children without parental consent. 

ScanScout

ScanScout, which claims it is the “web’s largest in-stream video ad network,” agreed to settle FTC charges that it violated Section 5 of the FTC Act by failing to live up to representations made in its website privacy policy. The FTC’s complaint states that ScanScout’s privacy policy claimed that users could “opt out of receiving a cookie by changing [their] browser settings to prevent the receipt of cookies.”  Despite this representation, ScanScout used Flash cookies—locally stored files associated with the Adobe Flash Player—to track user behavior, and these could not be blocked by changing browser settings as the privacy policy indicated. The FTC deemed ScanScout’s inaccurate description of the ways that consumers could opt out of tracking to be a deceptive act or practice that violated Section 5 of the FTC Act.  The privacy policies of many websites and Internet-based applications state that consumers can opt out of tracking by disabling cookies, so these companies should reexamine whether they (or their web vendors) also use Flash cookies, HTML5 local storage, ETags, or any other method of tracking website users that would not cease when users disable traditional HTML cookies.

Under the consent decree (PDF), the FTC barred ScanScout from misrepresenting its online information practices, including how consumers’ data is collected, used, shared, and disclosed, and required ScanScout to implement measures aimed at providing consumers with more effective notice of how their data is used and simplified methods by which consumers may opt out of such use. 

Relatedly, the FTC yesterday released a consumer education article, entitled “Cookies: Leaving a Trail on the Web (PDF),” which explains how cookies can monitor online activity and how users can control this monitoring, including a section on controlling Flash cookies.

Skid-e-Kids

Skid-e-Kids, the self-proclaimed “Facebook and Myspace for kids,” agreed to settle FTC charges that it violated the COPPA Rule and made deceptive claims in violation of Section 5 of the FTC Act. 

The COPPA Rule requires that any collection, use, or disclosure of personally identifiable information of a child under 13 be preceded by verifiable parental consent. The FTC’s complaint (PDF) alleges that Skid-e-Kids collected personally identifiable information from approximately 5,600 underage users without first obtaining parental consent, a violation of the COPPA Rule. This enforcement action comes on the heels of the FTC’s recent proposal to amend the COPPA Rule aimed at keeping pace with developments in the online world, including the advent of social networks and the development of smartphone and geolocation technology.

The complaint also alleges that Skid-e-Kids represented in its privacy policy that a child’s account would not be activated until it received parental consent. Nevertheless, Skid-e-Kids registered children and activated their accounts without parental consent, and subsequently collected personally identifiable information from those registered child users. The FTC found that Skid-e-Kids’ failure to live up to the representations made in its privacy policy constituted a deceptive act or practice that violated Section 5 of the FTC Act.   

Under the consent decree (PDF), the FTC barred Skid-e-Kids from misrepresenting the details of its collection, use, and disclosure of children’s personal information. The settlement also required Skid-e-Kids to delete the information collected; provide links to a government website that educates consumers on children’s privacy issues on the Skid-e-Kids website, in notices sent to parents, and in its privacy policy; and employ a third-party oversight mechanism that will ensure future compliance with COPPA. In addition, the settlement imposed a civil penalty of $100,000 on the operator of the website, of which all but $1,000 was suspended.

CNIL Cites French Yellow Pages Operator for Illegal Use of Social Media Data

France's Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced on September 23, 2011 that it had found the French provider of universal telephone directory services, “Pages Jaunes,” guilty of violating several provisions of the French data protection law. The CNIL did not fine Pages Jaunes, but published a detailed warning listing each privacy violation that the CNIL had identified during its investigation of Pages Jaunes’s activities.

At issue was Pages Jaunes’s web crawler function, which Pages Jaunes has since discontinued. The crawler captured information contained in the Facebook, Twitter and LinkedIn profiles of persons having the same name as the person being looked up in the directory service. For example, if someone were to look up the telephone number of Pierre Dupont, Pages Jaunes would show Mr. Dupont’s phone number, and would also show information from social media sites relating to persons named Pierre Dupont. That information might include photos, the name of Dupont’s employer, the schools he attended, his geographic location, his profession, etc.

Pages Jaunes argued that the persons whose profiles were copied had been duly informed and consented, because the general terms and conditions of the social media sites indicate that information posted on public profiles may be accessible to search engines. 

The CNIL dismissed this argument. First, a number of the profiles that were being accessed were profiles of minors, and the informed consent of minors for this type of activity cannot be deemed to exist in these circumstances. Second, the reference to “search engines” in the social media sites’ general terms and conditions cannot be deemed to extend to companies whose principal activities are not that of a search engine. The CNIL pointed out that Pages Jaunes is a telephone directory and not a search engine. According to the CNIL, if the terms of use of the social media sites expressly mentioned that data in public profiles could be re-used by Pages Jaunes, that might constitute sufficient information and consent to allow Pages Jaunes to extract data from those sites. The CNIL pointed out that Pages Jaunes had entered into an agreement with one social media site called Trombi pursuant to which Trombi expressly mentioned on its site that data could be accessed and used by Pages Jaunes. For the major social media sites, however, no such agreement with Pages Jaunes existed. 

The CNIL also found that Pages Jaunes had breached its obligation to ensure that only accurate and updated data are processed. According to the CNIL, the profile data that was presented by Pages Jaunes was in many cases outdated by 4 to 12 months.

Pages Jaunes argued that it provided data subjects with the ability, on the Pages Jaunes website, to ask that their profile data not be accessed by Pages Jaunes, but the CNIL found that the procedures put in place by Pages Jaunes were too burdensome. A person must fill out a form and submit to Pages Jaunes proof of his or her identity for each social media site that the person wants to block. The CNIL also criticized Pages Jaunes for keeping logs of IP addresses and the time and date of queries made on the Pages Jaunes site. According to the CNIL, the retention of these data is excessive and not required under French law because Pages Jaunes is neither a telecommunications operator nor a hosting provider. Finally, the CNIL found that Pages Jaunes had violated its obligations with respect to the telephone directory data that it processes, because Pages Jaunes used that data to help refine the results of the social media profile searches. Under French law, universal directory providers are prohibited from using telephone directory data for any purpose other than providing a universal directory service. Pages Jaunes’s use of these data exceeded the scope permitted under French law.

The CNIL’s decision is a useful analysis of issues that are arising when collecting data publicly available on social media sites.

Financial Services Industry Group Issues Social Media Guidance

A financial services industry group released guidance this week on managing the risks associated with using social media, including data protection concerns.  The guidance, titled "Social Media Risks and Mitigation," was issued by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies.  The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks.  These risks are discussed in the context of three types of social media use:

  • By a financial institution to communicate with or service the financial institution's customers
  • By the financial institution's employees in their personal or professional capacities
  • By the financial institution's employees or contractors outside the office

The guidance addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms.  It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media.

The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media but still lacks clear rules from regulators regarding such activities.  While FINRA has issued guidance on the use of social media by firms subject to its oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on the banking compliance issues raised by use of social media.

While targeted at the financial services sector, the report also has relevance to many other types of social media users.  It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and on performing a risk assessment to determine the risks a company's social media activities could pose.

Privacy Blog Content Now Available on Facebook, Twitter and Through Mobile Apps

Social media icons on iphone screen

Whether you keep up with breaking news through social media or always have your mobile device handy, now you can access the latest privacy and data protection news in your favorite way. On Facebook, visit our page at www.facebook.com/hldataprotection and click the “Like” button, or follow @HLPrivacy on Twitter, to receive notice of new blog posts and upcoming Hogan Lovells privacy events. And for on-the-go reading there’s also our mobile web app, which you can access from most tablets and mobile devices, including iPad, iPhone, and Droid, at http://mobapp.hoganlovells.com/privacy.  (This entry tells you how to create an icon for the mobile app on your iPhone.)
Round Up of Developments in Social Media Law

Social media has been a hot topic of late.  Companies are debating the official use of social media for marketing purposes, social networking privacy has been the subject of recent (failed) legislation, and the EU has been ratcheting up pressure on prominent social networking sites to enhance privacy protections.  Social media was even a topic of discussion at this May's "eG8" in Paris, an event blogged about recently by Chris Wolf.

The Hogan Lovells Chronicle of Data Protection has covered social media developments over the past year or so, and we provide a summary of our coverage for you here in one place, allowing you to take stock:

  • NLRB Increases Enforcement Activity Against Discipline of Employees for Use of Social Media (May 26, 2011):  The National Labor Relations Board (NLRB) has recently expressed an interest in investigating actions taken against employees for their use of social media, including issuing administrative complaints against a car dealer that fired an employee for posting concerns on his Facebook page about the dealer's handling of a sales event, and against a nonprofit social services organization for terminating five employees who commented on Facebook about the organization's work load, staffing issues, and commitment to its clients.  These contrast with a memorandum issued by the NLRB that advised that the discharge of a newspaper reporter for posting "unprofessional and inappropriate" social networking messages to a work-related social media account did not violate the law.
  • CAN-SPAM Held to Apply to Social Media Messaging (April 1, 2011):  The U.S. District Court for the Northern District of California issued an opinion in Facebook v. MaxBounty holding that messages sent through social networking sites must comply with the federal CAN-SPAM law regulating commercial email advertising.
  • FTC Announces Proposed Google Buzz Settlement:  First Time FTC Requires Comprehensive Privacy Program (March 30, 2011):  The Federal Trade Commission (FTC) announced a proposed settlement with Google relating to charges that Google used deceptive practices and violated its own privacy policies when it launched its social network Google Buzz.  For the first time ever, the FTC required that a company institute a "comprehensive privacy program" and receive affirmative consent from consumers for any new or additional uses of previously collected data.
  • FTC Enforces Against Obscure Privacy Disclosures in New Consent Decree (December 6, 2010):  The FTC entered into a consent decree with a developer of parental web-monitoring software that, without consent from parents, captured children's website history, chat conversations, and instant messages and incorporated them into a marketing service that gave companies the ability to learn what consumers are saying or thinking by providing aggregate consumer opinions from user-generated social media websites.  Though the company disclosed that information might be used to "improve our services" and "conduct research," the language was in the thirtieth paragraph of a policy that was contained in a small scroll box, and the FTC took the position that the failure to clearly notify parents of the usage of their children's data constituted a deceptive trade practice.
  • NLRB Files Complaint for Employer's Allegedly Overbroad Social Media Policy (November 8, 2010):  The NLRB kicked off its recent flurry of social media activity by issuing an administrative complaint against a company for terminating an employee who, after an incident at work, criticized her supervisor on her Facebook page.  Lafe Solomon, the NLRB's acting general counsel, said, "This is a fairly straightforward case under the National Labor Relations Act -- whether it takes place on Facebook or at the water cooler, it was employees talking jointly about working conditions, in this case about their supervisor, and they have a right to do that."  The case settled early this year.
  • Twitter Consent Order Evidences Broader Scope of FTC Information Security Enforcement (July 1, 2010):  The FTC entered into a consent order with social networking service provider Twitter, alleging that lapses in Twitter's data security practices resulted in unauthorized individuals gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses.  Unlike the FTC's prior data security consent orders under the FTC Act, there was no allegation of any unauthorized access to traditionally identified forms of sensitive personal information, such as Social Security numbers, financial account numbers, government ID numbers, consumer reports, or medical conditions.
  • FINRA Issues Guidance on Social Networking Sites (February 9, 2010):  The Financial Industry Regulatory Authority (FINRA), an industry self-regulatory organization, issued guidance to member companies on the use of blogs and social networking sites to engage in company-sponsored communications with the public.  While FINRA exercises oversight of the securities industry, the recommendations are good advice for any business that is considering communicating with or marketing to consumers through social media.
  • Two Hogan & Hartson Advisories on the Use of Social Media (September 28, 2009):  We were even covering social media back before we were Hogan Lovells!  We issued an update (PDF), still relevant today, setting forth the considerations that arise when social media is used by three different groups -- an entity itself, the employees of that entity, and third parties in reference to the entity.  Also, at the end of 2009 the FDA held a two-day public hearing on how pharmaceutical companies use the web and social media.  Despite it being almost two years since that hearing, the FDA just this March delayed an expected guidance on the use of social media to market pharmaceuticals.  News earlier this week that Facebook will prevent pharmaceutical companies from disabling the comments feature on their pages has caused consternation, as the FDA has implied in past statements that user comments may be ascribed to pharmaceutical companies for regulatory purposes.  Stay tuned.

NLRB Increases Enforcement Activity Against Discipline of Employees for Use of Social Media

The National Labor Relations Board (NLRB) has social media in its sights.  We last reported on the NLRB's social media agenda when its Hartford Regional Office issued a complaint last year against a company that terminated an employee for posting disparaging comments about her supervisor after an incident at work. That case settled earlier this year, with the company agreeing to change provisions in its social media policy that prohibited employees from making any online remarks about the company or its supervisors. Those provisions, according to the NLRB, violated the National Labor Relations Act (NLRA), which prohibits employers from restricting their employees from discussing terms and conditions of employment.

Since then, there has been a spate of activity at the NLRB on the social media front, including the issuing of two new complaints in the last three weeks.

Most recently, on May 20 the Chicago regional office issued a complaint (PDF) against a car dealer for discharging a salesman for posting concerns on his Facebook page about the dealer’s handling of a sales event. According to the NLRB, the employee posted photos and commentary critical of the quality of food and beverages at an event to promote a new car model, complaining that sales commissions could suffer as a result. The following week, management asked the salesman to remove the posts, which he did. Still, the employee was discharged for his actions.

This came on the heels of a complaint issued by the Buffalo regional office (PDF) on May 9 against a nonprofit social services organization for terminating five employees for allegedly commenting on one employee’s Facebook page about working conditions. According to the NLRB, the employee posted to her Facebook page a coworker’s allegation that employees did not do enough to help the organization’s clients. The initial post generated responses from other employees who defended their job performance and criticized working conditions, including work load and staffing issues. After learning of the posts, the nonprofit discharged the five employees who participated, claiming that their comments constituted harassment of the employee originally mentioned in the post.

Yet another complaint was averted in late April when a media company and its union settled after the NLRB had indicated that it would file a complaint in response to an accusation by the union that the employer reprimanded an employee who discussed work-related issues online. In response to a "tweet" (a post to the social networking site Twitter) by a manager asking employees to respond about how to make the company "the best place to work," the top employee union representative tweeted: “One way to make this the best place to work is to deal honestly with Guild members.” According to the employee, the next day the company’s bureau chief called her at home and menacingly told her that the company had a policy that employees were not supposed to say anything that would damage the company’s reputation.

These positions are contrasted somewhat by an April 21 memorandum issued by the NLRB’s Division of Advice (PDF) that advised the Phoenix regional office that the discharge of a newspaper reporter for posting “unprofessional and inappropriate tweets” to a work-related Twitter account did not violate the NLRA. Through his Twitter feed, which identified him as an employee of his newspaper, the reporter poked fun at his newspaper’s sports headlines, made unprofessional comments about his public safety beat (such as “What?!?!? No overnight homicide? WTF? You’re slacking Tucson”), and criticized a misspelling in a local TV station’s tweet by writing “Stupid TV people.” The Division of Advice stated that even if the newspaper’s policy on employee communications were unlawfully overbroad, the newspaper had not violated the NLRA because the tweets for which the employee was discharged did not relate to the terms and conditions of employment or seek to involve other employees in issues related to employment. This was the case even though, in response to his earlier unprofessional tweets, the company had orally warned the employee to refrain from all work-related Internet postings, as the ultimate discharge was not due to postings protected by the NLRA.

Noteworthy is the subtle conflict in the approach taken by different factions of the NLRB.  In the April 21 memorandum, the Division of Advice rejected an unfair labor practice charge even where the newspaper orally warned its reporter that he should refrain from all work-related Internet postings, whereas in the case against the other media company, the NLRB office was poised to bring a complaint based on a phone call to an employee about her union-related tweet. Indeed, based on the novelty of the issue and lack of precedent, the NLRB’s Acting General Counsel distributed an internal memorandum last month (PDF) stating that regional offices are required to consult with the Division of Advice before proceeding against employer rules prohibiting, or discipline of employees engaging in, social media. That said, no case involving social media has yet been adjudicated even by an administrative law judge, so there is uncertainty as to the exact legal standard that will govern.

The take-away here is that the NLRB, as well as unions, is being vigilant in investigating and bringing complaints against companies that discipline employees based on comments they make on social media that can be construed to be about terms and conditions of employment. This is the case even where the social media posts at issue have been critical of or embarrassing to the company. The NLRB has taken the position that employee discussions that take place online are no different from discussions around the water cooler, and that employees are protected from discipline for any comments in which they criticize or vent about their jobs. This presents a real issue for employers, as unlike fleeting water cooler conversations, postings on social media are forever fixed in the annals of the Internet and can be retrieved and searched by others, airing and preserving a company’s petty internal disputes and dirty laundry for the world to read. As a result, companies should examine their social media policies to ensure that employees cannot be sanctioned for Internet posts protected by the NLRA, and should consult with counsel before disciplining an employee based on any post to social media or the Internet, especially where the post can be interpreted as relating to union activity or terms and conditions of employment.

NLRB Files Complaint for Employer's Allegedly Overbroad Social Media Policy

Employees who claim a Facebook "zone of privacy" from their employers for complaints about working conditions got a boost recently from the National Labor Relations Board (NLRB).

As reported in today's New York Times, on October 27 the NLRB Hartford Regional Office issued a complaint against an ambulance service provider, American Medical Response (AMR), for terminating an employee for posting disparaging comments about her employer on Facebook.  When the employee was denied union representation by a supervisor after an incident at work, she posted negative comments about the supervisor on her Facebook page from her home computer. After discovering the posts, AMR suspended and later terminated the employee for violating a few of the company’s blogging and Internet posting policies. 

Lafe Solomon, the board’s acting general counsel, said, “This is a fairly straightforward case under the National Labor Relations Act — whether it takes place on Facebook or at the water cooler, it was employees talking jointly about working conditions, in this case about their supervisor, and they have a right to do that.”

That act gives workers a federally protected right to form unions, and it prohibits employers from punishing workers — whether union or nonunion — for discussing working conditions or unionization. The labor board said the company’s Facebook rule was “overly broad” and improperly limited employees’ rights to discuss working conditions among themselves.

New York Times

A November 2 press release explained the NLRB’s position that AMR’s policies illegally interfered with its employees’ right to engage in protected activity under the National Labor Relations Act (NLRA) – specifically, policies that prohibited employees from (1) making disparaging remarks about the company or supervisors and (2) depicting the company on the Internet without permission. Under the NLRA, an employer cannot unduly restrict its employees’ ability to discuss terms and conditions of employment, regardless of whether a union exists, for fear that such restriction will impede employees’ ability to fairly unionize. At the same time, the NLRA does not provide carte blanche for employees to criticize or disparage their employers.

Employers should keep an eye on this case and how it may affect their policies regarding employee use of the Internet and social media. Many companies have drafted broad policies like the ones cited here that purport to greatly restrict what employees can say about the company. Though such policies are most likely to be invoked when employees post material to the Internet or social media sites that exhibit clear insubordination or disloyalty to the company, the NLRB was clear in expressing its concern for the possibility for companies to use the policies to stifle union-related employee communications.

As social networking continues to grow in popularity, it is inevitable that employees will post material that criticizes or otherwise goes against the interests of their employers. For example, this past August a Massachusetts teacher was fired for comments she posted on her Facebook page after calling residents of her school district “arrogant and snobby” and her students “germ bags.” And in a recent federal case out of New Jersey that has led to discussion over employer monitoring of employee social networking sites, employees sued their employer after they were fired for starting a Facebook group to vent about work.

When employees are disciplined or terminated for material they post to the Internet, employers will need to demonstrate that their actions did not unduly restrict the employees’ ability to discuss their terms and conditions of employment. To bolster this argument, employers should make clear in their Internet, blogging, or social media policies that whatever restrictions there are on employee Internet postings, employees will not be disciplined for activity protected under the NLRA.

Twitter Consent Order Evidences Broader Scope of FTC Information Security Enforcement

On June 24, the FTC announced a proposed consent order with social networking service provider Twitter, Inc. The Twitter investigation is consistent with the FTC’s longstanding interest in policing the data privacy and security practices of social networking services, dating back to the FTC’s first online privacy case against Geocities in 1998.  

Within the general framework of FTC information security jurisprudence, this investigation reflects three noteworthy developments. First, the investigation demonstrates the broad reach of FTC Act § 5 concerning data security, extending well beyond protection of the kinds of data traditionally considered sensitive (e.g., Social Security Numbers and payment card numbers). Second, the complaint introduces security expectations, concerning controlling administrator-level access to information systems, that had not been previously expressed by the FTC. Third, this enforcement action appears to show that the FTC considers the protection of personal information critical at all stages of the business lifecycle, from start-up to wind-down.

A. Data Security Obligations Are Not Limited to Sensitive Personal Information

The FTC alleges that lapses in Twitter’s data security practices resulted in unauthorized persons gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses. Unlike prior data security investigations, there is no allegation that unauthorized persons gained access to the traditionally identified forms of sensitive personal information, such as SSNs, financial account numbers, government ID numbers, or consumer reports. Nor is there any allegation that the affected information revealed sensitive personal characteristics (e.g., medical conditions) either directly or as revealed by purchases. There may be a number of explanations for this departure from past precedent.

1. Consumer Expectations Influence Security Obligations

All the data types affected by the security incidents suffered by Twitter were stored in areas that were allegedly described by Twitter as non-public. Hence, the FTC concerns appear to stem in part from the fact that consumers submitted such information to Twitter under the impression that Twitter would prevent unauthorized sharing. Accordingly, consumer expectations, rather than any fixed list of data elements, may dictate the steps that a company is expected to take to protect such data. Such a standard may have far reaching implications for websites, particularly those that encourage visitors to build profiles that are not intended for public display, including social networking services that offer users the option of maintaining “private” (or otherwise limited access) profiles.  

2. Fraud Prevention

Among the consequences of Twitter’s alleged failure to secure its systems was the misuse of existing Twitter accounts to transmit fraudulent messages. The FTC does not discuss the public policy concerns posed by the transmission of fraudulent messages in any great detail. Nonetheless, concerns likely include reputational damage, particularly for public figures and businesses (e.g., the Twitter incident resulted in fraudulent tweets transmitted from the accounts of President Barack Obama and Fox News). In addition, recent press reports indicate that criminals have used compromised social network accounts to attack the account holder’s friends list with messages containing malicious software or fraudulent pleas for money.  

B. Securing Administrator Level System Access

The attacks perpetrated against Twitter allegedly exploited weaknesses in the security measures used to limit administrator level access. Because administrator level privileges allow users to manipulate the settings and content of individual user accounts, the attackers were then able to take control of numerous accounts to view private information and engage in fraudulent activity.  

The specific security lapses cited by the FTC included the failure to:

  • establish or enforce strong password policies;
  • prevent the storage of administrative passwords in plaintext in employees’ private email accounts;
  • suspend or disable administrative accounts after a number of failed login attempts;
  • provide a separate login page for administrative access the address of which was made known only to authorized users;
  • enforce periodic changes of administrative passwords (e.g., 90-day expiration);
  • restrict access to administrative controls based on employees’ job functions; and
  • impose other restrictions on administrative access, such as by restricting access to specified IP addresses.

Many of these lapses are inconsistent with well-established information security practices set out in prior FTC enforcement actions and in commonly followed industry standards such as ISO 27002 and NIST Special Publication 800-53. However, two issues identified by the FTC may indicate new obligations for entities that handle or process personal information.

1. Separate Administrator Level User Access Points

The FTC indicates that website administrator login pages should be maintained separately from general published login pages and that these pages should be made known only to authorized users. While this is a best practice for information security, it is not common today. Websites that currently link to the administrator access page from certain pages would likely be expected to remove any such links from webpages commonly viewed by visitors.

2. Heightened Authentication Requirements for Administrator Level Users

Second, the FTC refers to the use of IP restrictions as an example of reasonable restrictions on administrative access. It is not clear whether this means that all systems are expected to implement IP address restrictions (which may not be a particularly reasonable measure for many businesses). Nevertheless, it does appear that the FTC believes simple single-factor authentication of users (such as requiring only a password) to be inadequate for administrator level access to systems containing personal information. Alternative measures to ensure that only authorized persons can gain administrator level access may include implementation of multifactor authentication, such as requiring the use of a password in combination with a biometric scanner (e.g., fingerprint scanner or voice print scanner), smart card scanner, or physical token (e.g., RSA’s SecurID products).
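To make the controls discussed in this section concrete, the following is an added illustration (not Twitter's code and not anything from the FTC order) of an administrator login gate that enforces the items the complaint lists: a password policy, lockout after repeated failures, a 90-day password age, job-function restriction, an approved source-network check, and a second factor in addition to the password. The thresholds, network range, and sample accounts are constructed for the example.

```python
"""Administrator-access gate modelling the controls the FTC faulted Twitter for lacking.

Added example, not Twitter's or the FTC's code. Thresholds, networks and sample
accounts below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_FAILED_LOGINS = 5                         # lockout threshold (assumed value)
PASSWORD_MAX_AGE = timedelta(days=90)         # the 90-day expiry the complaint cites
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]   # constructed corporate address range
MIN_PASSWORD_LENGTH = 12                      # assumed policy minimum
COMMON_PASSWORDS = {"password", "letmein", "admin123"}  # tiny constructed blocklist


@dataclass
class Account:
    username: str
    roles: set
    password_set_at: datetime
    failed_logins: int = 0
    locked: bool = False


def password_meets_policy(password: str) -> bool:
    """Minimal 'strong password policy': length floor plus a blocklist of known-bad values."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


def check_admin_login(acct: Account, source_ip: str, password_ok: bool,
                      second_factor_ok: bool, now: datetime):
    """Return (allowed, reason). Every control must pass; credential failures count toward lockout.

    password_ok / second_factor_ok stand in for the real credential verifiers.
    """
    if acct.locked:
        return False, "account locked"
    # Job-function restriction: only accounts holding the admin role reach admin controls.
    if "admin" not in acct.roles:
        return False, "not authorised for admin access"
    # Network restriction: administrative logins only from approved source addresses.
    if not any(ip_address(source_ip) in net for net in ADMIN_NETWORKS):
        return False, "source address not permitted"
    # Password age: force rotation instead of accepting a stale administrative credential.
    if now - acct.password_set_at > PASSWORD_MAX_AGE:
        return False, "password expired"
    # A password alone is single-factor; require the second factor as well.
    if not (password_ok and second_factor_ok):
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked = True               # suspend after repeated failed attempts
            return False, "too many failed attempts; account locked"
        return False, "authentication failed"
    acct.failed_logins = 0                   # successful login resets the counter
    return True, "ok"
```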

C. Data Protection is Important Throughout the Life of a Business 

It should be noted that during most of the time period during which the events leading to this enforcement action occurred, Twitter was a start-up venture. Accordingly, the company did not necessarily possess all the resources and organizational structure of a longstanding enterprise. The FTC appears to be unconcerned by this distinction. In light of the FTC’s previous enforcement action arising from the bankruptcy dissolution of Toysmart, it appears that the FTC has adopted the position that protection of personal information is a critical responsibility at every stage of a business’s life – from initial market entry to ultimate exit.

Hogan & Hartson Privacy Lawyers Featured in Chubb Online Innovation Event on Social Media Risk from April 26-29: You are invited to participate

Hogan & Hartson privacy attorneys, including Chris Wolf, will be participating in the Chubb Social Media Risk Innovation Event, hosted from April 26-29 by the Chubb Group of Insurance Companies and its technology partner, Imaginatik.  The event is an online, interactive session with risk managers, other business professionals, agents, and brokers in which participants will collectively identify risks and potential mitigation strategies regarding the use and potential misuse of social media.  Hogan & Hartson attorneys will be on hand throughout the event to facilitate the discussion and contribute expertise regarding legal risks businesses face from sanctioned and unsanctioned corporate and employee use of social media.

Demonstrating the power of social media, musician Dave Carroll posted a video seen by millions of people on YouTube chastising an airline he accused of breaking his guitar. View an invitation from Dave to Chubb's Social Media Risk Innovation Event.

You may self-register on-line at https://chubbsocialmedia.imaginatik.com. The first 500 people to register will receive a free download of "Perfect Blue," Dave's new album.

Once registered, you may participate in this online event either remotely via your PC, laptop, or smartphone (e.g., BlackBerry or iPhone) or at Chubb booth #1511 at the RIMS Conference in Boston, MA. We also welcome you to invite clients you believe would be interested in participating in this event by forwarding this email and its self-registration link.

Chubb will award prizes to participants who submit the most ideas and whose ideas generate the greatest amount of collaboration. The prizes include cash donations to charities, ranging from $500 to $2,000, in the names of the top three scoring participants.

FINRA Issues Guidance on Social Networking Sites

The Hogan & Hartson privacy lawyers are counseling clients on the use of social media, as the legal risks are significant -- especially if employees use the shield of anonymity to protect their privacy but make representations on behalf of their employers without disclosing their affiliation.  The FTC and FDA recently have focused on social media.  And on January 25, the Financial Industry Regulatory Authority (FINRA), an industry self-regulatory organization, issued Regulatory Notice 10-6, which gives guidance to member companies on the use of blogs and social networking sites to engage in company-sponsored communications with the public. 

The unique nature of social networking sites and the speed and fluidity with which communications can be made to the public have presented challenges in the implementation of existing FINRA rules.  Some recommendations made in the guidance include:

  • Supervising interactive communications made through social networking sites in a manner reasonably designed to ensure that they do not violate the content requirements of FINRA's communications rules or other securities laws, and instituting policies and procedures for this supervision
  • Instituting a policy prohibiting business communications by employees through social networking sites that are not subject to the company's supervision
  • Requiring employees posting content to social networking sites to undergo training
  • Establishing appropriate usage guidelines for customers and other third parties that are permitted to post on company-sponsored web sites
  • Adopting disclaimers to help ensure that third-party content posted to blogs or social networking sites is not attributed to the company
  • Monitoring third-party posts to mitigate the perception that the company is adopting the content of the post or to assist compliance with the "Good Samaritan" safe harbor for blocking and screening offensive material under Section 230 of the Communications Decency Act.

While FINRA exercises oversight of the securities industry, the recommendations in Notice 10-6 are good advice for any business that is considering communicating or marketing with consumers through social media, whether hosted by the company or on a third-party social networking site such as MySpace or Twitter.  In addition to the recommendations listed here, businesses seeking to enter the social networking space should also institute policies that ensure that their representatives don't deceive consumers and that the content posted complies with all applicable laws and regulations, such as defamation and intellectual property laws.

The fact that FINRA is looking into this issue -- in September 2009, FINRA organized a Social Networking Task Force from which these guidelines were generated -- highlights the importance of social networking as a marketing tool, along with the accompanying risks.  Other industries are also considering these issues; for example, in November 2009 the FDA held a well-attended public hearing about the use of social media as a marketing tool for FDA-regulated entities.  For more information about legal risks that can arise through business use of social networking sites and how to address these risks, check out Hogan & Hartson's recent guidance on the topic.

FTC Releases Details About December 7, January 28 Privacy Roundtables

On November 17, the Federal Trade Commission released the agenda of the first of three privacy round tables it will hold over the course of the next few months.  The first round table will occur on December 7 at the FTC Conference Center in Washington, DC, and will feature four panels entitled "Benefits and Risks of Collecting, Using, and Retaining Consumer Data," "Consumer Expectations and Disclosures," "Online Behavioral Advertising," and "Exploring Existing Regulatory Frameworks."

The FTC also announced that its second privacy round table will be held on January 28, 2010 at the University of California, Berkeley, School of Law.  The round table will focus on how technology affects consumer privacy, including its role in both raising privacy concerns and enhancing privacy protections, and will include specific discussions on cloud computing, mobile computing, and social networking.  The FTC has posed two questions for comment in advance of this round table:

  1. What role do privacy enhancing technologies play in addressing Internet-related privacy concerns?  Consider the efficacy of technological innovations in areas such as identity management systems, new means of providing consumer notice and choice, and emerging methods of ensuring accountability in data usage.  In framing comments, consider the costs and benefits of privacy-enhancing technologies in the following contexts:  cloud computing services; social networking sites; online behavioral advertising; the mobile environment; services that collect sensitive data, such as location-based information; and any other contexts you wish to address.  If privacy enhancing technologies do play a role in resolving privacy concerns, discuss whether and how to create incentives for the development and adoption of such technologies, and ways to ensure they are effective and useful to consumers.
  2. What challenges do innovations in the digital environment pose for consumer privacy, and how can those challenges be addressed without stifling innovation or otherwise undermining benefits to consumers?  For example, consider the technology and business practices that enable greater collection, use, and distribution of consumer data, including evolving methods of observation and tracking; techniques for correlating data, including the re-identification of anonymized data; the merging of data between on-line and off-line environments; and the emergence of third-party application developers in online platform environments.

The FTC currently is soliciting requests to participate as panelists in this second round table, as well as recommendations for topics for inclusion in the agenda, which are due by December 9.  Comments or additional research on the topics will be considered prior to the second round table if they are received by December 21.

Details have not yet been released for the third and final privacy round table, which is to be held on March 17, 2010 in Washington.

Two Hogan & Hartson Advisories on the Use of Social Media

Many people remember the now-dated cartoon from the New Yorker magazine showing two dogs sitting in front of a computer, with one observing to the other "the best part about the Internet is that no one knows you are a dog".  Even today, many people feel they enjoy complete privacy when interacting online, especially with certain social media sites.  But times have changed from when anonymity meant there were no obvious consequences to online conduct.  The proliferation of the use of social media is much in the news, and the legal issues also are proliferating.

Hogan & Hartson has just authored an advisory, available by clicking here, setting forth the considerations that arise when social media is used by three different groups — an entity itself, the employees of that entity, and third parties in reference to the entity. We discuss the benefits of social media, as well as issues and risks, from each of these three angles.

Also, the U.S. Food and Drug Administration recently announced that it will hold a two-day public hearing in November on how pharmaceutical companies use the web and social-media tools to market their products.  This is the first step in a process that will establish guidelines for drug makers using the tools of social networking.  The Hogan & Hartson advisory on this development is available by clicking here.