New Report On Identity Theft

US AG, Michael B. Mukasey, and FTC Chairman William Kovacic recently announced the publication of a new report on identity theft. In April of '07, the President's Identity Theft Task Force published a strategic plan, listing 31 recommendations, for combating identity theft. This new report details the steps the government has taken to accomplish the recommendations set out in the original report.

Net Neutrality As An Anitrust Issue

I recently came across this article discussing the FCC's Comcast ruling. The article, which references a journal article written by Cornell professor Alfred Kahn, suggests that the issue of net neutrality should best be dealt with by the antitrust courts.

VA Spam Law Overturned

The Virginia Supreme Court recently ruled that the state's anti-spam law is unconstitutional. The Court wrote that: "the statute is unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mails including those containing political, religious or other speech protected by the First Amendment to the United States Constitution." See this Washington Post article for more.

Compliance With The Red Flag Rules

This article reports that less than-third of US banks will be compliant with the Red Flag rules by the November 1 deadline. All told, U.S. financial institutions are expected to spend more than $200 million on compliance with the rules. For more on the Red Flag rules, see these posts.

Comcast Appeals FCC Decision

Following on a previous post, Comcast yesterday appealed the FCC ruling that it violated the Agency's net-neutrality principles. Take a look at the petition for review filed with the US Court of Appeals for the DC Circuit.

ABA Issues Outsourcing Ethics Opinion

Just yesteday, the ABA issued Ethics Opinion opinion 08-451 (not available online) dealing with the outsourcing of legal services. In brief, the Opinion permits outsourcing assuming both the attorney and the outsourcees adhere to certain standards of ethics and competence. See this ABA Journal article as well as this Daily Record article (subscription) for more.

FCC's Ruling On Net Neutrality

Following on my post from a little while back, the FCC finally published their Order regarding Comcast's violation of the Agency's net neutrality principles. The Order gives Comcast 30 days to disclose their method for managing internet traffic.

ID Theft Ring Uncovered

Prosecutors announced that they have uncovered the identities of the thieves behind the T.J. Max, Barnes & Noble, and The Sports Authority identity theft cases. The case, which involves 11 people, is being dubbed the largest identity theft case ever prosecuted. The thieves reportedly stole 40 million confidential records. Investigators say the suspects obtained their information largely through hacking into wireless networks. See here for a copy of the indictment.

New Copyright Suit Against YouTube

YouTube now faces a new copyright suit. Italian media company Mediaset has sued YouTube, alleging the video-sharing website unlawfully made use of thousands of copyrighted video clips. This latest suit comes after a similar suit by Viacom for $1 billion.

FCC Rules On Net Neutrality

The FCC issued its much anticipated ruling today on net-neutrality, alleging that Comcast interfered with the free nature of the web when it wrongly slowed some of its customers' Internet traffic. Consumer groups had initially sued Comcast but then later asked the FCC for a declaratory ruling on the matter. The FCC's opinion effectively changes the playing field by making the US government a regulator of the internet. The FCC's Memorandum Opinion and Order (FCC 08-183) is not yet available online.

Identity Theft Monitoring Services

Many companies offer these services as additional protection for identity theft. Are they worth purchasing? Are they effective? Privacy Rights Clearinghouse recently published this new guide: "Straight Talk about Identity Theft Monitoring Services."

Unsolicited Text Message Suit Given Go Ahead

TMobile's attempt to dismiss a class action suit filed by disgruntled TMobile users has been dismissed. The suit, Zaldivar v. T-Mobile USA, alleges that TMobile forces cell phone users to pay for unsolicited text messages. Filed on July 15 in the Federal District Court for the Western District of Washington state, the suit alleges breach of contract, unjust enrichment, and violations of Washington’s Consumer Protection Act.

Net Neutrality Suit On Hold

Jon Hart's suit against Comcast has been put on hold. Hart, a Comcast subscriber had sued Comcast alleging that the company is violating FCC net neutrality principles by interfering with certain types of internet traffic. The case has been put on hold until an FCC investigation into the matter has been concluded. The suit, originally filed in California Superior Court, has since been removed to federal court.

Deadline For Red Flag Rules Approaching

With the so-called Red Flag rules set to become effective on Nov. 1, the FTC is beginning a campaign to help educate the public on the details of the new regs. The FTC recently published an Alert to help companies better understand the law. The Red Flag rules require certain types of companies to implement identity theft prevention programs. See this previous post for more info.

McAfee's Spam Experiment

In an effort to better understand spam, McAfee recently commissioned 50 people to surf the net without any anti-spam/spyware protection for a period of a month. At the end of a month, the 50 participants had received 104,000 unsolicited messages, totalling around 70 messages a day for each participant. One of the findings was the amount emanating from outside the US. Of the 104,000 letters, only 23,233 were in English. During the month-long experiment, McAfee encouraged the participants to log their experiences in a blog. Check out the blog here.

New Spam Rules Go Into Effect

New CAN-SPAM rules, published in May, went into effect yesterday. Among other things, the new rules clarify who is obligated to comply with CAN-SPAM, clarify the definition of “sender,” and include new unsubscribe requirements. See this article for more info. For help complying with CAN-SPAM, including the new rules, see this White Paper from ExactTarget (free registration required).

2008 Security Breach Report

The Identity Theft Resource Center recently published their 2008 security breach incidence report. For each incident the report provides the number the exposed records, the breach type (print or electronic), and a link to a news article about the incident. So far in '08, the report counts 346 security breach incidents totalling upwards of 16 million exposed records.

California Expands Identity Theft Law

California Governor Arnold Schwartzenegger recently signed into law SB 612 which makes it easier to prosecute identity theft crimes in California. Under the old system, prosecutions could only take place where the crime occurred, which is usually in the perpetrators' towns or cities. With the passage of this bill, prosecutors can now charge people with identity theft in the jurisdictions where the victims live. This is significant because prosecutors are generally more aggressive when they're fighting criminals in their home town.

New Guidelines To Deal With SPAM

This article discusses new guidelines released by The Messaging Anti-Abuse Working Group (MAAWG) intended to reduce spam. According to the article, the new guidelines (which do not appear to be available online) recommend that ISPs use separate servers for received and forwarded e-mails, and that they block port 25, through which spam travels. Even if the guidelines were successfully adopted, though, there's no indication that they would be successful. Still, this might be a start.

Texas AG Settles With EZCORP Over Identity Theft

The Texas Attorney General's Office announced a settlement yesterday with EZCORP over the company's failure to adequately safeguard customer's personal information. Apparently, the company had simply dumped 483 customer records laden with social security numbers and other highly sensitive information in the trash. The AG's office filed suit under Texas Business & Comm. Code Section 48-102, claiming the company had failed to implement "reasonable procedures" to safeguard customers personal information. The AG's website includes a picture of a credit application that was found in the trash.

Web Site Liability For Third Party Content

The question of when a website owner becomes liable for content posted by third parties has been around for some time. As far back as 1997, the Courts were already dealing with this issue (See Zeran v. AOL). In the past several months a number of new opinions on this issue have appeared. In May of this year, the 9th Circuit case Fair Housing Council v. Roommates.com tackled the issue of whether an online roommate matching website should be held liable for violation of the federal housing discrimination laws, since certain postings discriminated against particular groups. The Court held that the website could be held liable because it used drop-down menus to limit users' choice as to the content of their listing. As a result, the safeharbor provisions of the Communications Deceny Act (CDA) did not apply. On the other hand, in March of this year, the 7th Circuit in Chicago Lawyer's Committee v. Craigslist found Craigslist immune under the CDA for user posted listings which likewise discriminated against certain groups. The distinction between the two rulings appears to be that once a website operator takes an active involvement in the generation of content (as was the case in the Fair Housing decision), the safeharbor provisions of the CDA no longer apply.

Suing For Identity Theft Using RICO

Check out this National Law Journal article, "RICO And Data Thieves" (subscription). Historically, data theft has been largely prosecuted using the Computer Fraud and Abuse Act (CFAA). The author, Nick Akerman, suggests that filing suit under the Racketeer Influenced and Currupt Organizations (RICO) statute might have some advantages. As the author points out, RICO, unlike the CFAA, provides for treble damages and attorney fees.

The Ethics of Viewing Metadata

The controversy over whether an attorney is permitted to view the metadata of documents they receive from opposing counsel has been ongoing for some time. A number of jurisdictions--including Florida (Ethics Opinion 06-2) and New York (Ethics Opinion 749)--prohibit an attorney from making use of the metadata. The ABA (Ethics Opinion 06-442), on the other hand, permits it. Boris Reznikov recently published this excellent article on the current state of the legal ethics debate on metadata.

Do Data Breach Laws Reduce Identity Theft?

A new working paper entitled "Do Data Breach Laws Reduce Identity Theft?" (Carnegie Mellon University) analyzes the effect of data breach laws on the presence of identity theft. Although the authors acknowlege limitations to their study, they conclude that they found no statistically significant effect that data breach laws reduce identity theft. This is one more indication that an effective approach to tackling the problem of identity theft requires more than enacting legislation alone.

New York Internet Sales Tax Setting A Trend?

A highly controversial New York law recently went into effect. Under the new law (Chapter 57, Laws 2008, Part KK-1), New York becomes the first state to require internet sales companies to collect sales tax. Will this new law set a trend for other states? According to this National Law Journal article (subscription), legislators in Colorado, Florida, Illinois, Kansas and Minnesota are also considering passing similar laws. For a fuller explanation of the law, see this technical bulletin. A number of retailers--Amazon.com and Overstock.com--have already filed suit. See Overstock's Complaint here.

Vulnerabilities of Printers and Copiers

This AP article, quoting the European Network and Information Security Agency, warns that printers and copiers could be the weak link in a company's cyber defense program. For more on this, see this post by Bruce Schneier responding to a presentation by Brendan O'Connor.

Law Firm Suit For The Outsourcing of Litigation Support

The Annapolis, MD law firm of Newman McIntosh & Hennessey recently filed suit against a legal process outsourcer located in India. The case, filed in US District Court for DC, seeks a ruling from the court on the following question: “Given the pervasive nature of the signals intercept by the United StatesGovernment and UKUSA Allies, will the electronic transmission of data to foreign nationals residing overseas waive Fourth Amendment protections with respect to the data transmitted?” It appears that the law firm also submitted this question to the Ethics Committee of the DC Bar. See here for more info.

Maryland Identity Theft Statute Held Not To Apply To Fictitious Identities

Maryland's highest court recently published a surprising ruling: to be prosecuted under the Maryland identity theft statute (Criminal Law Article 8-301), one must have stolen the identity of an actual person. The statute does not apply, the court reasoned, in cases where an individual commits identity theft using a fictitious identity. The majority of the case centers on an analysis of the term "another" in the statute. After delving into the statute's legislative history, the court determined that "another" must refer to an actual person for the statute to apply.

New CAN-SPAM Rules

The FTC recently (May 12) recently published a new final rule implementing the CAN-SPAM Act (15 U.S.C. 7701-7713). For a brief overview of the new rules, see here. For the Press Release announcing the new rules, see here. For a more detailed overview of the rules, see this article from B2B.

New Net Neutrality Bill

Representative John Conyers (D-Mich) recently introduced (May 8th) a new bill (HR 5994) on net neutrality dubbed the ‘‘Internet Freedom and Nondiscrimination Act of 2008." This is the the most recent of a series of bills on this issue. Other notable bills dealing with net neutrality include HR 5353, S 215, HR 5417, and S.2917. For a list of net neutrality bills which have been introduced, see this Wikipedia article.

EDiscovery Vendor Suits

For those of you that missed the news a few months back, the law firm of Sullivan & Cromwell agreed to settle with ediscovery vendor Electronic Data Discovery. Sullivan & Cromwell had sued the vendor for alledly providing sub-par work. See this article for more info. The case is important because it could be the first of many similar suits.

Rambus Wins On Appeal

As this Law.com article reports, the ongoing litigation between Samsung and Rambus seems to have come to a close. The Rambus case had caught the attention of the legal community because of allegations that Rambus had shredded millions of documents prior to initiating a slew of litigation. The opinion published April 30 overturns previous decisions on the grounds that they did not have the requisit jurisdiction. For more on the history of the case, see the Rambus.org website.

The Future Of The Internet

The US Senate Committee on Commerce, Science and Transportation met recently to discuss a rather timely topic: "the future of the internet." You can see either a webcast of the hearing or read some of the prepared testimony (see FCC Chairman Kevin Martin's testimony, in particular).

New Suits Target Information On Store Receipts

This National Law Journal article discusses a recent increase in suits against companies who are alledgely failing to comply with the Fair Credit Reporting Act (FACTA). One of the provisions of FACTA prohibits a company from printing more than the last 5 digits of a credit card number on the customer's receipt. According to the article, more than 300 class actions have been filed against a number of companies, including Toys "R" Us Inc. and AMC Entertainment Holdings.

Life Sentence For Identity Theft?

According to this Baltimore Sun article, a Maryland woman indicted on identity theft charges could face life in prison. Belinda Marie Glock, 33, was indicted on counts of aggravated identity theft (18 USC 1028A(a)(1)) and fraud in connection with access devices (18 USC 1029(a)(2)).

2007 Internet Crime Report

The 2007 Internet Crime Report, published by the Internet Crime Complaint Center (a partnership among the FBI, the National White Collar Crime Center, and Bureau of Justice Assistance), includes some interesting findings. The report demonstrates (not suprisingly) that internet fraud is on the rise. Reported losses were $240 million compared to $200 million in 2006. Other notable findings include that the most common crime occurred through the use of email and that those affected were more likely to be males rather than females. For IC3's previous reports see here.

Country Cybercrime Reports

The Council of Europe has a great page on Cybercrime legislation for a number of countries. Each country report contains a listing of citations to cybercrime statutes for that country as well as english language excerpts of the actual statutes.

FTC Announces Settlement With TJX, Lexis

The FTC agreed to settle charges with discount retailer TJX and data broker Reed Elsevier. The FTC had sued each of the companies for failing to adequately protect the security of consumer data. Both of the FTC's suits were brought under the unfair trade practices theory under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a). The TJX Complaint is available here; the Reed Elsevier Complaint is available here.

Patient Data Exposed Online

Today's Baltimore Sun reports on an incident involving Dental Network, a CareFirst BlueCross BlueShield dental HMO, in which the company accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public website. A Maryland Law (SB 194) enacted last year requires that businesses notify consumers of a breach of their personal information "as soon as reasonably practicable after the business discovers or is notified of the breach." In this case, it took 3 weeks before CareFirst notified customers of the breach.

Goal Financial Settles Charges Of Failing To Safeguard Sensitive Information

Student loan company Goal Financial LLC has agreed to settle with the FTC over charges that it failed to adequately safeguard sensitive customer information. The FTC's Complaint alleges a number of violations, including violations of the Commission’s Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, and the Commission’s Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313. Also see the Consent Order Agreement.

Identity Theft At Major Financial Institutions

Until recently, there has been no way to compare the relative incidence of identity theft at major financial institutions. Chris Hoofnagle's study "Measuring Identity Theft at Top Banks" uses a novel approach: he compared complaint data from various banks submitted by victims of identity theft, obtained through FOIA requests. The study makes clear that the incidence of identity theft is alarmingly high at our major financial institutions, but that some institutions faired better than others.

More Data Breach Resources

CSOonline has a number of interesting articles on the subject of security breach legislation. First, check out their interactive map of security breach legislation. Also see their articles "What's New With Disclosure Legislation?" (interview with Proskauer Rose attorney Tanya Forsheit) and "The Dos And Don'ts of Disclosure Letters." Finally, see this blog posting on what a federal databreach law would look like.

Anti Cybersquatting Suits Becoming Increasingly Popular

A recent article in the National Law Journal entitled "Suits a new weapon to fight cybersquatters" (subscription) reports that companies are increasingly filing suits under the Anticybersquatting Consumer Protection Act of 1999 (codified at 15 USC 1125(d)) to deal with cybersquatters who profit from their brand names. Traditionally, the preferred route for companies to resolve this type of dispute would have been through arbitration. That method has proved ineffective against increasingly sophisticated cybersquatters. As a results, many companies have begun filing law suits.

Wireless Security Whitepaper

Finish IT security firm Codenomicon recently posted this white paper on the current status of wireless security.

Businesses Generally Ignoring E-Discovery Rules

According to this article from eweek, a little over a year after the ediscovery rules went into effect, "about two-thirds of U.S. businesses remain unprepared to meet strict court requirements for the discovery and handling of electronic evidence."

E-Discovery Guidelines In US District Courts

The Electronic Discovery Law blog compiled a list of links to the 38 US District Courts that have adopted (or at least considered) local ediscovery rules and guidelines.

Identity Theft Tops FTC Complaint List

According to the FTC's annual report on the subject, identity theft topped the list of FTC complaints for the 7th year in a row. Roughly 32% (or over 260,000) of the Agency's 2007 complaints were due to identity theft. The report also demonstates that the most frequent type of identity theft complaint in 2007 was credit card fraud (23%). The metropolitan areas reporting the highest per capita rates of identity theft were Napa, California; Madera, California; and Greeley, Colorado.

Annonymity On The Net

Is there a First Amendment right to speak annonymously on the internet? A recent California Appellate (Krinsky v. Doe 6) case holds that, under certain circumstances, there is. In that case, plaintiffs argued that the identity of a individual who posted "scathing verbal attacks" on an online message board against corporate officers of a Florida company should be exposed. Plaintiffs served a subpoena to have the identity of "Doe 6" disclosed but the request was denied.

Spam Ring Indicted

A federal indictment was recently unsealed in Detroit, charging 11 people with violations of the CAN SPAM Act. The DOJ release alleges that the defendants set up "an international scheme to make money by manipulating stock prices through illegal spam e-mail promotions." The indictment also alleges that the defendants tried to send their spam through the use of botnets.

Red Flag Regulations

The most recent National Law Journal features an article entitled "Scrambing With ID Theft Programs" (subscription) discussing the so-called "Red Flag Regulations" which implement two sections of the Fair and Accurate Credit Transactions Act. The regulations, formally termed
"Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003," require financial institutions and companies offering consumer credit to institute identity theft prevention programs to detect "red flags" which might signal possible foul play. The regs go into effect Nov. 1 of this year.

FTC Settlement With Life Is Good, Inc.

The FTC recently announced a Proposed Settlement with clothing company Life Is Good, Inc. The FTC's Complaint against the company had alleged that the company, contrary to it's privacy policy, failed to adequately protect and secure the sensitive information it maintained about its customers. The proposed settlement requires, among other things, that the company designate at least one employee to coordinate the security program and that the company develop reasonable procedures for selecting and supervising service providers that handle customers’ personal information.

Preparing For A Data Breach

Philip Gordon of the Workplace Privacy Counsel blog provides 5 key points for employers to consider as they prepare for the possibility of a data breach: be prepared, train your HR professionals, determine your notice obligations, help your employees, and learn from your mistakes.

MD Identity Theft Task Force Issues Report

The Maryland Task Force to study Identity Theft recent published it's report. Over 230 pages, the report recommends, among other things, that the penalties for felony identity theft be increased, that the State ban credit card skimming devices, and that the State should enact legislation to enable a court to order the forfeiture of all property of a criminal convicted of identity theft obtained from the crime.

EDD In Criminal Investigations

The DOJ's publication, "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations," provides a comprehensive guide to the legal issues that arise when federal law enforcement agents search and seize computers during criminal investigations. Topics covered include the Electronic Communications Privacy Act, workplace privacy, and the law of electronic surveillance.

EDD Opinions By Judge Grimm

In the past few years, Judge Paul W. Grimm of the US District Court in Maryland has issued a couple of groundbreaking electronic discovery opinions: Lorraine v. Markel American Insurance Company (DMd May 4, 2007) and Hopson v. Mayor and City Council of Baltimore (D.Md.2005). For more on Lorraine see here and here. For a summary of the Hopson decision see here. Judge Grimm has also authored a Suggested Protocol For Discovery of Electronically Stored Information discussed in an earlier post.

Sears Sued For Failing To Adequately Protect Website

This Washington Post article reports on a class action suit against Sears for failing to adequately secure the personal information on its website managemyhome.com. The site's security vulnerabilities came to light after Ben Edelman pointed out the ease with which anyone could access the purchase history of the site's users. See here for a copy of the Complaint filed in Cook County, Illinois.

Google Not Required To Disclose Identity of Blogger

Google has no obligation to disclose the identity of a blogger who used Blogger.com to allegedly defame a Long Island school board member. Judge Marcy S. Friedman of the New York County Supreme Court called the blogger's statements opinions rather than actionable statements of fact. As such, there is no case for defamation and Google has no obligation to turn over the records. Greenbaum v. Google Inc. (N.Y. Sup. Ct., N.Y. County Oct. 23, 2007).

Security Breach Laws

The National Conference of State Legislatures site contains a list of all state security breach notification laws. The Maryland Statute (Commercial Law 14-3501 et. seq.) was recently amended by SB 194 which went into effect Jan. 1 of '08.

Maryland Computer Services Tax

In a special session, the Maryland legislature recently increased taxes for the first time since 1977. Included in the tax bill is a special tax on computer services. Although critics vow to get the bill repealed, barring any actions by the courts or legislature, the bill is scheduled to go into effect July 1. The bill is Section 3 (p. 24) of Senate Bill 2.