Financial Services Industry Group Issues Social Media Guidance

A financial services industry group released guidance this week on managing the risks associated with using social media, including data protection concerns.  The guidance, titled "Social Media Risks and Mitigation," was issued by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies.  The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks.  These risks are discussed in the context of three types of social media use:

  • By a financial institution to communicate with or service the financial institution's customers
  • By the financial institution's employees in their personal or professional capacities
  • By the financial institution's employees or contractors outside the office

The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms.  It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media.

The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media but still lacks clear rules from regulators regarding such activities.  While FINRA has issued guidance on the use of social media by firms subject to FINRA's oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on banking compliance issues raised by the use of social media.

Also, while targeted at the financial services sector, the report has relevance to many other types of social media users.  It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and on performing a risk assessment to determine the risks a company's social media activities could pose.

CAN-SPAM Held to Apply to Social Media Messaging

On March 28, 2011, the U.S. District Court for the Northern District of California held, in Facebook, Inc. v. MAXBOUNTY, Inc., case no. CV-10-4712-JF, that messages sent by Facebook users to their Facebook friends’ walls, news feeds or home pages are “electronic mail messages” under the CAN-SPAM Act. The court, in denying the defendant MAXBOUNTY’s motion to dismiss, rejected that CAN-SPAM applies only to traditional e-mail as it is commonly understood. The ruling is the most expansive judicial interpretation to date of the types of messages falling within the purview of the CAN-SPAM Act. The court did not reach or otherwise address the underlying merits of the CAN-SPAM claims.

In its complaint, Facebook alleged that MAXBOUNTY engaged in a misleading and deceptive advertising scheme affecting Facebook users. Facebook alleged that in furtherance of that scheme, Defendant “procure[d] Facebook users to send, or t[ook] actions that cause commercial electronic messages to be sent, to all the Facebook users’ friends on Facebook.” By procuring the messages, MAXBOUNTY would be an “initiator” under CAN-SPAM and therefore responsible for various CAN-SPAM obligations. 

In focusing on whether the messages at issue are even covered by CAN-SPAM, the court considered CAN-SPAM’s definition of “electronic mail message” which is “a message that is sent to a unique electronic mail address.” CAN-SPAM in turn defines “electronic mail address” as “a destination, commonly expressed as a string of characters, consisting of a unique user name or mailbox (commonly referred to as the ‘local part’) and a reference to an Internet domain (commonly referred to as the ‘domain part’), whether or not displayed, to which an electronic mail message can be sent or delivered.” 15 U.S.C. § 7702(5).

Because the references to the “local part,” the “domain part” and the other items are set off by commas, the court concluded that the only requirement for a message to be considered an “electronic mail message” under CAN-SPAM is a “destination . . . to which an electronic mail message can be sent.” Accordingly, the court found that messages posted to another user’s Facebook wall, news feeds or home pages are covered by the statute. The court also found it significant that the messages at issue involved “routing activity on the part of Facebook” and concluded that its interpretation was consistent with Congressional intent, which was to reduce the burden of misleading communications on the Internet.

In reaching its decision, the court relied on two U.S. District Court cases from the Central District of California involving the social networking site MySpace. Those cases involved entities establishing large numbers of MySpace profiles to send commercial and phishing “e-messages” to other MySpace users wholly within the “walled garden” or domain of the MySpace service. Unlike in MAXBOUNTY though, the messages in those cases were sent to an inbox that resembled traditional email inboxes. 

In both cases, the Central District of California concluded that the e-messages at issue were electronic mail messages under CAN-SPAM. In MySpace Inc. v. The Globe.com, Inc., No. 06-3391 (C.D. Cal. 2007), the court concluded that the definition was met because each user’s mail resided at a unique URL and the Internet destination www.myspace.com.  The court concluded that it was irrelevant that the messages were sent only within the “walled garden” of MySpace. The court in MySpace Inc. v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal. 2007) adopted the same reasoning, but went further in rejecting the defendant’s arguments that electronic mail messages must include a domain name and an external route for the message to travel. The definitional reasoning set forth in Wallace was subsequently adopted by the court in MAXBOUNTY.       

Facebook brought the suit against MAXBOUNTY in the social networking site’s capacity as a provider of “Internet access service,” the only type of entity afforded a private right of action under the CAN-SPAM Act. Under the court’s decision, even a single message posted by one Facebook user to a friend’s wall that promotes a home business could potentially be construed as an electronic mail message under CAN-SPAM. If so, these individuals would be subject to CAN-SPAM's various requirements for such messages, including identification of the message as an advertisement or solicitation, the inclusion of a return address or other conspicuously displayed mechanism for opting out of future commercial messages, and listing a physical mailing address. However, the likelihood of Facebook or other social networking sites suing their users under CAN-SPAM for small numbers of such individual messages seems quite low (although there might be other ramifications if the activities violate a service’s terms of use). In the instant case, it appears Facebook was acting to address broad-based deceptive activities by a third party impacting its users.  It is those entities and high-volume spammers on social media sites that are likely most impacted by this decision.

Twitter Consent Order Evidences Broader Scope of FTC Information Security Enforcement

On June 24, the FTC announced a proposed consent order with social networking service provider Twitter, Inc. The Twitter investigation is consistent with the FTC’s longstanding interest in policing the data privacy and security practices of social networking services, dating back to the FTC’s first online privacy case against Geocities in 1998.  

Within the general framework of FTC information security jurisprudence, this investigation reflects three noteworthy developments. First, the investigation demonstrates the broad reach of FTC Act § 5 concerning data security, extending well beyond protection of the kinds of data traditionally considered sensitive (e.g., Social Security Numbers and payment card numbers). Second, the complaint introduces security expectations, concerning controlling administrator-level access to information systems, that had not been previously expressed by the FTC. Third, this enforcement action appears to show that the FTC considers the protection of personal information critical at all stages of the business lifecycle, from start-up to wind-down.

A. Data Security Obligations Are Not Limited to Sensitive Personal Information

The FTC alleges that lapses in Twitter’s data security practices resulted in unauthorized persons gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses. Unlike prior data security investigations, there is no allegation that unauthorized persons gained access to the traditionally identified forms of sensitive personal information, such as SSNs, financial account numbers, government ID numbers, or consumer reports. Nor is there any allegation that the affected information revealed sensitive personal characteristics (e.g., medical conditions) either directly or as revealed by purchases. There may be a number of explanations for this departure from past precedent.

1. Consumer Expectations Influence Security Obligations

All the data types affected by the security incidents suffered by Twitter were stored in areas that were allegedly described by Twitter as non-public. Hence, the FTC concerns appear to stem in part from the fact that consumers submitted such information to Twitter under the impression that Twitter would prevent unauthorized sharing. Accordingly, consumer expectations, rather than any fixed list of data elements, may dictate the steps that a company is expected to take to protect such data. Such a standard may have far reaching implications for websites, particularly those that encourage visitors to build profiles that are not intended for public display, including social networking services that offer users the option of maintaining “private” (or otherwise limited access) profiles.  

2. Fraud Prevention

Among the consequences of Twitter’s alleged failure to secure its systems was the misuse of existing Twitter accounts to transmit fraudulent messages. The FTC does not discuss the public policy concerns posed by the transmission of fraudulent messages in any great detail. Nonetheless, concerns likely include reputational damage, particularly for public figures and businesses (e.g., the Twitter incident resulted in fraudulent tweets transmitted from the accounts of President Barack Obama and Fox News). In addition, recent press reports indicate that criminals have used compromised social network accounts to attack the account holder’s friends list with messages containing malicious software or fraudulent pleas for money.  

B. Securing Administrator Level System Access

The attacks perpetrated against Twitter allegedly exploited weaknesses in the security measures used to limit administrator level access. Because administrator level privileges allow users to manipulate the settings and content of individual user accounts, the attackers were then able to take control of numerous accounts to view private information and engage in fraudulent activity.  

The specific security lapses cited by the FTC included the failure to:

  • establish or enforce strong password policies;
  • prevent the storage of administrative passwords in plaintext in employees’ private email accounts;
  • suspend or disable administrative accounts after a number of failed login attempts;
  • provide a separate login page for administrative access the address of which was made known only to authorized users;
  • enforce periodic changes of administrative passwords (e.g., 90-day expiration);
  • restrict access to administrative controls based on employees’ job functions; and
  • impose other restrictions on administrative access, such as by restricting access to specified IP addresses.

Many of these lapses are inconsistent with well-established information security practices set out in prior FTC enforcement actions and in commonly followed industry standards such as ISO 27002 and NIST Special Publication 800-53. However, two issues identified by the FTC may indicate new obligations for entities that handle or process personal information.

1. Separate Administrator Level User Access Points

The FTC indicates that website administrator login pages should be maintained separately from general published login pages and that these pages should be made known only to authorized users. While this is a best practice for information security, it is not common today. Even websites that currently link to the administrator access page from certain pages would likely be expected to remove any such links from webpages commonly viewed by visitors.

2. Heightened Authentication Requirements for Administrator Level Users

Second, the FTC refers to the use of IP restrictions as an example of reasonable restrictions on administrative access. It is not clear whether this means that all systems are expected to implement IP address restrictions (which may not be a particularly reasonable measure for many businesses). Nevertheless, it does appear that the FTC believes simple single-factor authentication of users (such as requiring only a password) to be inadequate for administrator level access to systems containing personal information. Alternative measures to ensure that only authorized persons can gain administrator level access may include implementation of multifactor authentication, such as requiring the use of a password in combination with a biometric scanner (e.g., fingerprint scanner or voice print scanner), smart card scanner, or physical token (e.g., RSA’s SecurID products).
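To make the lapses listed above and the heightened authentication point concrete, the following is an added illustration (not code from the newsletter, Twitter or the FTC) of an administrative login gate that enforces lockout after repeated failures, 90-day password expiry, job-function restriction, IP allowlisting and a second factor. The threshold of five attempts, the role names, the 10.0.0.0/8 network and the sample accounts are constructed assumptions.

```python
# Added example (not the newsletter's, Twitter's or the FTC's code); values are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
MAX_FAILED_ATTEMPTS = 5                        # assumed lockout threshold
PASSWORD_MAX_AGE = timedelta(days=90)          # the 90-day expiry the FTC cites
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]    # assumed corporate range
ADMIN_ROLES = {"site-admin", "support-lead"}   # assumed job functions

@dataclass
class AdminUser:
    role: str
    password_set_at: datetime
    mfa_enrolled: bool = False
    failed_attempts: int = 0
    locked: bool = False

def evaluate_admin_login(user, password_ok, mfa_ok, source_ip, now):
    """Return (allowed, reasons); all failed controls are listed, not just one."""
    reasons = []
    if user.locked:
        reasons.append("account locked after repeated failures")
    if user.role not in ADMIN_ROLES:
        reasons.append("role not permitted administrative access")
    if not any(ip_address(source_ip) in net for net in ADMIN_NETWORKS):
        reasons.append("source IP outside administrative allowlist")
    if now - user.password_set_at > PASSWORD_MAX_AGE:
        reasons.append("administrative password older than 90 days")
    if not user.mfa_enrolled:
        reasons.append("no second factor enrolled")
    if not (password_ok and mfa_ok):
        reasons.append("credential check failed")
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked = True          # lockout after repeated failures
    elif not reasons:
        user.failed_attempts = 0        # only a fully successful login resets
    return (not reasons, reasons)

def demo():
    """Constructed scenarios: compliant; stale password off-network; locked out."""
    now = datetime(2011, 6, 24)
    good = AdminUser("site-admin", now - timedelta(days=10), True)
    stale = AdminUser("site-admin", now - timedelta(days=120), True)
    locked = AdminUser("support-lead", now, True)
    for _ in range(MAX_FAILED_ATTEMPTS):
        evaluate_admin_login(locked, False, False, "10.0.0.5", now)
    return {"good": evaluate_admin_login(good, True, True, "10.1.2.3", now),
            "stale": evaluate_admin_login(stale, True, True, "203.0.113.9", now),
            "locked": evaluate_admin_login(locked, True, True, "10.0.0.5", now)}
```

Reporting every failed control rather than only the first gives an auditor the full picture of which of the cited safeguards a given login path lacks.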

C. Data Protection is Important Throughout the Life of a Business 

It should be noted that during most of the period in which the events leading to this enforcement action occurred, Twitter was a start-up venture. Accordingly, the company did not necessarily possess all the resources and organizational structure of a longstanding enterprise. The FTC appears to be unconcerned by this distinction. In light of the FTC’s previous enforcement action arising from the bankruptcy dissolution of Toysmart, it appears that the FTC has adopted the position that protection of personal information is a critical responsibility at every stage of a business’s life, from initial market entry to ultimate exit.