Retailers are reporting that the Black Friday shopping events and the historic Cyber Monday follow-up event may be on the decline. This does not necessarily signal an overall decline in holiday season shopping but a shift in the habits and tools used by shoppers. A retail consulting firm is publishing fresh results from the 2014 holiday shopping “opening weekend”:
Online shopping was up almost 20% in Thanksgiving 2014 compared to Thanksgiving 2013, driven by mobile shopping and promotions.
Despite this growth, Thanksgiving – contrary to some predictions – is nowhere near Black Friday or Cyber Monday in terms of online shopping. Revenue on Black Friday 2013 was almost 2.5X higher than Thanksgiving 2014, and revenue on Cyber Monday was three times as high.
Meanwhile, the cyber-event report from the weekend so far is that the Syrian Electronic Army “hacked” some pop-up ads for retailers over the Thanksgiving weekend, but no consumer account or personally identifiable information was affected: instead of seeing ads, visitors to the Web sites of Forbes, The Chicago Tribune, CNBC, PC World, the NHL and Canadian broadcaster CBC saw the SEA logo. The SEA’s route of attack is believed to have been through the popular commenting platform Gigya.
On June 20, 2014, Florida Governor Rick Scott signed into law the Florida Information Protection Act of 2014. The legislation broadens the definition of what will trigger a notification response. Personal information is now defined as an individual’s first name or first initial and last name, or any middle name and last name, in combination with any one or more of these data elements:
-DL number or ID number, passport number, military ID number or other similar number issued on a government document
-Financial account number or credit/debit card number in combination with security/access code or password
-Any information regarding a person’s medical history, mental/physical condition or treatment/diagnosis
-Health insurance policy number or subscriber number
-User name or email address, in combination with a password or security question (that would permit access)
The law requires notification following a breach “without unreasonable delay,” and no later than 30 days after the determination of a breach (with certain exceptions). If the notification affects more than 1,000 persons at a single time, notice must also be given to consumer reporting agencies. The act now uses the term “covered entity” to describe the organizations affected; a covered entity includes a sole proprietorship, partnership, corporation, trust, estate, cooperative, association or other commercial entity that acquires, maintains, stores, or uses personal information (for certain purposes, this includes governmental entities). The act addresses customer records and data in electronic format. Notice must also be provided to the Department of Legal Affairs of any breach affecting 500 or more individuals, no later than 30 days after the determination of the breach (or reason to believe there was a breach).
In addition to describing the incident and who was affected, the reporting entity must include a police report, incident report or computer forensics report, a copy of the policies in place regarding breaches, and the steps taken to rectify the breach.
The law imposes a number of further, more rigorous requirements involving security and how entities are to respond to a breach. The Attorney General “thanked” the Governor for enacting the law, quoting other legislators who commented that the act “will better protect the confidential personal information of Floridians and hold accountable those who attempt to compromise the security of that information.” The AG notes that the law also requires covered entities “to take reasonable measures to protect Floridians’ personal information and [to] properly dispose of customer records.”
See also commentary about why this law could be a model for a comprehensive federal law (reasonable data protection; secure disposal; unauthorized access triggers notification; scale of notification requirements; PII includes medical history and insurance ID; 30-day notification deadline; documentation of investigation; schedule for penalties).
AG Kamala Harris Issues Guide on Privacy Policies/Do-Not-Track Disclosures
In a press release issued May 21, 2014, the Attorney General for California, Kamala Harris, issued a series of recommendations for businesses that address changes to California privacy law. Key recommendations include:
-Prominent labeling for sections dealing with online tracking, e.g., “California Do Not Track Disclosures”
-Describe how you respond to a browser’s Do Not Track signal (or similar mechanisms)
-Are third parties collecting personally identifiable information? If yes, say so
-Explain uses of personally identifiable information
-Describe what you collect, how you use it, how long you retain it
-Describe choices the consumer has regarding use/sharing of PII
-Use plain language; use graphics/icons
The guide includes summaries of relevant CA statutes (CalOPPA, the broad requirement for privacy policies; AB 370, tracking transparency). And, while the “guide” provides no new regulations or enforcement mechanisms, entities doing business in California, and those entities previously under scrutiny by the AG (e.g., Amazon, Apple, Facebook, etc.), will likely pay close attention to ensure compliance. The guide is called Making Your Privacy Practices Public and you can see it at:
Kentucky is now the 47th state to enact a data breach notification law.
Identity Theft/Fraud Trigger
The bill was signed into law by Governor Steve Beshear earlier this month and requires notification following an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.” Kentucky’s law defines “personally identifiable information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements (when not redacted):
Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
The statute specifies that any “information holder” shall disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The statute states disclosure “shall be made in the most expedient time possible…consistent with the legitimate needs of law enforcement.” The notification provisions do not apply to any person subject to the provisions of Gramm-Leach-Bliley or HIPAA, or to any state or local governmental agency.
In addition, the statute requires express parental permission for a cloud computing service provider to process student data for any purpose other than providing, improving, developing, or maintaining the integrity of the cloud computing services (or if done in connection with educational research, per federal statute).
The state auditor had promoted enacting such legislation and released a report stating:
“Although auditors didn’t identify any cyber security breaches, they did find instances of state agencies failing to take the necessary steps to protect confidential or sensitive information,” Auditor Edelen said. “This further illustrates the need for legislation to incentivize state and local government to better secure the data it holds on us, as well as require them to notify us when it’s lost or stolen.”
“The Kentucky Derby is a Grade I stakes race for three year-old Thoroughbred horses, held annually in Louisville, Kentucky, on the first Saturday in May. The race is one and a quarter miles at Churchill Downs. The race is known in the United States as “The Greatest Two Minutes in Sports™” for its approximate duration, and is also called “The Run for the Roses” for the blanket of roses draped over the winner. It is the first leg of the United States Triple Crown of Thoroughbred Racing and is followed by the Preakness Stakes and Belmont Stakes.”
Michaels Stores, Inc. is now reporting that two separate 8-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue. Reportedly, the security firms Michaels hired to investigate the “break-ins” initially found nothing, but the ultimate analysis confirmed the attacks “using highly sophisticated malware that had not been encountered previously by either of the security firms.” In a press release dated April 17, 2014, the company states: “The Company has now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers.” In January of this year, following the disclosures regarding Target and Neiman Marcus, Michaels Stores had reported that it was investigating a potential security breach involving customers’ credit card information.
The Target breach involved thieves planting malware on cash registers; the malware was designed to siphon card data when customers swiped their cards at the register. According to the information released by Michaels, the affected systems contained certain payment card information (card number and expiration date), but there was no evidence that other customer personal information (name, address, debit card PIN) was at risk.
A Republican sponsor, Rep. Joe Barton (R-Tex.) says that “It is important that our teenagers receive protections. They are prone to mistakes; we need to make sure those mistakes aren’t exploited online.”
Meanwhile, California also just passed the online “eraser” law. California SB 568 requires “the operator of an Internet Web site, online service, online application, or mobile application to permit a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted”. The law kicks in on January 1st. It also prohibits websites from targeting minors with products like e-cigarettes and tattoos.
“Operators” include website operators and, per the CA AG, operators of software and mobile apps that collect and transmit PII online. The law does not prohibit commercial websites or online services from tracking and gathering personal information from their users; it addresses only notice policies and procedures. In that regard it does not require an “opt-in” on the operator’s website or app, which would require a consumer/customer to affirmatively allow the operator to share PII. It is an update to CalOPPA (the “California Online Privacy Protection Act of 2003”).
And see also: The FTC has denied an application seeking approval of a proposed verifiable parental consent method submitted by AssertID, Inc., under COPPA.
In a letter to AssertID, the Commission noted that the company’s proposal failed to provide sufficient evidence that its method would meet the requirements set out under the rule. Specifically, the Commission noted that there was not yet adequate research or market testing to show the effectiveness of the AssertID “social-graph verification” method.
Two headline grabbing criminal cases bring stark reminders that services and data remain vulnerable to unauthorized access, misuse and abuse.
In one case, Dutch authorities are holding a suspect on suspicion of participating in a distributed denial of service attack. Reportedly, the attacks slowed Internet service globally for several days in April (especially for Russia and other European countries). The authorities suspect that the attacks were in retaliation for postings by a spam-tracking service provider, which listed the accused’s web-hosting service as a suspected spammer.
In the other, old school meets new school. In February, thieves struck ATMs for over 10 hours, withdrawing $2.4 million in New York City alone. The thieves were part of an Internet hacking ring that was able to manipulate financial information through an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards. The hacking allowed the thieves to raise the withdrawal limits on prepaid debit accounts issued by a bank in the United Arab Emirates, the National Bank of Ras Al-Khaimah, a/k/a Rak Bank. Using prepaid cards does not set off account alarms as quickly because no individual bank account is being compromised. Using just five account numbers, the hackers distributed the card data to individuals in 20 countries, who then encoded it onto magnetic-stripe cards.
MasterCard alerted the Secret Service to the activity soon after the transactions were completed. The thieves first struck in December via the Indian processing company but by February, the hackers had infiltrated a card processing company based in the U.S. (name not yet disclosed). It remains unclear who ultimately is responsible for the losses.
Court Makes a Distinction between Brick-and-Mortar and Online Transactions
by Peggy Reetz
On February 4, 2013, the Supreme Court of California issued its decision in the Apple v. Krescent case. In June 2011, David Krescent (the original plaintiff) sued Apple on behalf of himself and a putative class, alleging violations of California’s credit card act (the Song-Beverly Credit Card Act). The Act prohibits retailers from requesting or requiring, as a condition to accepting a credit card as payment, that the cardholder write any personal identification information upon the credit card transaction form; and the Act prohibits retailers from writing the personal information on the transaction form themselves.
Krescent alleged that he purchased media downloads from Apple on various occasions and that, as a condition of receiving these downloads, he was required to provide his telephone number and address. Krescent also alleged that Apple records each customer’s personal information but Apple is not required to collect a customer’s telephone number or address in order to complete the credit card transaction. Even if a credit card processing company requires a valid billing address, under no circumstances would a customer’s telephone number be required to complete the transaction, Mr. Krescent argued.
Apple filed a demurrer arguing that the Credit Card Act does not apply to online transactions and also argued that a decision otherwise would undermine identity theft and fraud prevention measures. The trial court overruled the demurrer – “the Act itself is silent on exempting online credit card transactions… [the Court is] not prepared, at the pleading stage, to read the [Credit Card] Act as completely exempting online credit transactions…”
The Supreme Court reviewed the various exceptions to the prohibition on collecting personal data: cash advances; contractual obligations; collecting ZIP codes at a self-serve gas station in order to prevent fraud/theft; and special purposes like shipping and installation. The Court noted that the Act does not prohibit requiring a cardholder to show a reasonable form of ID as a condition to accepting credit card payment.
The Court noted that the Act makes no reference to online transactions, or even to the Internet (having been enacted in 1990), and stated that the text of the Act alone is not decisive: at the time the language was enacted, the Legislature did not contemplate commercial transactions over the Internet. The Court reviewed California appellate cases that dealt with whether shield laws apply to digital media, or whether an electronic signature was appropriate for an initiative petition. But, rather than analogizing too closely to the “new media” versus “old media” cases, the Court returned to the history and purpose of the Credit Card Act.
While the Act is intended to protect consumer privacy, the Legislature did not intend to achieve privacy goals without regard to the risk of fraud. The Court reasoned that the fraud safeguards available to a brick-and-mortar retailer are not available to an online retailer (the shopkeeper can inspect the signature, photo ID, etc.). The Court ruled that the key antifraud provision in the Act has no practical application to online transactions involving electronically downloadable products. Krescent conceded that Apple may need a valid billing address, if not a telephone number, to verify the credit card. The Court believed the Legislature expressly authorized retailers to request additional information (a driver’s license, state ID card, or other form of photo ID) in order to combat fraud.
In that regard, the Court found it appropriate for Apple to collect such information to combat fraud (disagreeing with one of the dissenting justices, the majority found that the legislative history addresses the concern that there be some mechanism for verifying a cardholder’s identity). Ultimately, the majority found that the Act did not apply to online transactions. The Court had to reconcile these findings with its earlier decision in Pineda v. Williams-Sonoma, which found that ZIP codes constitute personal identification information. The Court noted that the Legislature subsequently carved out exceptions for the collection of ZIP codes when used for fraud prevention purposes (pay-at-the-pump transactions, for instance).
Finally, the Court noted that the California Legislature has weighed the goals of regulating online privacy against concerns unique to online commerce. CalOPPA, the California Online Privacy Protection Act of 2003, requires online services or Web site operators to post privacy policies and for those policies to address which categories of information the operator may collect. The Court also cited the TCPA, stating that federal law likewise is meant to protect the privacy interests of consumers (the do-not-call registry and the like). The Court closed the decision with a recitation of how significant e-commerce has become since the enactment of these statutes and invited the Legislature to revisit the issue of consumer privacy and fraud prevention in online transactions (just as the Legislature did in response to the Pineda decision).