
Protecting Your Company's Data from Cybercrime

April 26, 2012



Cyberattacks can hit businesses of any size, causing catastrophic damage to a business's finances and to the integrity of its information. Hundreds of breaches occurred at large corporations during 2011, affecting over thirty million sensitive or confidential records. Hackers went after Sony, NASDAQ, and other giant businesses, but small companies are also vulnerable. According to a report in the Business Journals, as many as eighty-five percent of small business owners do not see cyberattacks, whether by hackers or by malicious software, as a serious threat. Heightened security at the big companies, though, could lead hackers and other cyber criminals to focus their attacks on smaller businesses that are not so well prepared.

Guarding against cybercrime is simply good business for small companies. A hacker targeting a small business can cripple it, or even force it to shut down, with a simple series of intrusions or infections. If a cyber criminal compromises a small business's online banking, the attacker can empty its cash reserves and leave it unable to operate. A hacker who compromises a business's confidential client data could expose the business to enough liability to put it out of business.

The "Common Sense Guide to Cyber Security," published by a coalition of government agencies and organizations, including the Federal Emergency Management Agency and the U.S. Chamber of Commerce, offers a set of security practices small businesses can use to protect themselves from cyberattack. After an initial set-up period, most practices involve simple daily maintenance and monitoring.

Risk Management Planning. Businesses should carefully assess the risks and weaknesses in their computing systems to see where protection is most needed. They should prepare contingency plans in case a breach or loss occurs, including how to continue business operations with alternate computing systems or at an alternate location.

Access Control and Accountability. A business's network security plan should include access controls that limit who may access critical systems and information. A single department or officer should have responsibility for information security and for approving new hardware and software, thus ensuring accountability for decisions and errors. At the same time, a business should educate all employees and officers as a means of creating a "culture of security." All employees should sign an agreement committing to the company's cybersecurity policies.

Firewalls and Other Security Measures. A properly configured firewall blocks many common network attacks by allowing only the connections a business actually needs to reach its systems. It is not, by itself, a defense against viruses and malware that arrive by e-mail or web browsing, so it should be paired with anti-malware software and prompt patching. Companies should also require complex passwords that combine upper- and lowercase letters, numbers, and other symbols; avoid common words and phrases; and are changed at least every three months.


Legal Developments and Trends in Cybersecurity for 2012

April 24, 2012



Computers and computing activities play an increasingly integral role in daily life in America, affecting our financial activity, social interactions, and more. With an increased level of dependence on networked devices comes the risk of theft, or even attacks, on and through our computer networks. While the business community has already recognized the importance of cybersecurity, the government and legal system are finally responding in five key areas.

National security. The federal government has made cybersecurity a central feature of its national security strategy. Recognizing the risk of an attack on the nation's computer networks by a foreign power or sub-national group, the Department of Defense created a comprehensive strategy for cybersecurity (PDF file) in 2011. The strategy treats "cyberspace" as its own "operational domain," requiring specialized training and organization. The government has also taken steps to combat online theft, which can include not only monetary theft but theft of intellectual property and identity theft. The latter has become more and more sophisticated as thieves find ways to exploit personally identifiable information (PII) stored online.

Federal legislation. The Obama administration proposed legislation outlining ten points for cybersecurity protection. These generally included protection of the American people, the nation's infrastructure, and the federal government's networks and computer systems. Several bills pending in Congress address aspects of cybersecurity. The controversial Cyber Intelligence Sharing and Protection Act (CISPA), for example, allows sharing of data between companies and the National Security Agency in order to investigate and combat cybersecurity threats.

State legislation. Protection of government data, PII, and personal privacy have informed numerous state statutes enacted in the past ten years. California passed a law requiring notification of cybersecurity breaches in 2003, and forty-six other states and the District of Columbia followed suit. Laws requiring "reasonable" levels of security for protected information exist in at least ten states, and numerous states are enacting statutes protecting people from wiretapping and other monitoring of electronic activity.

Regulatory initiatives. Multiple regulatory agencies have addressed cybersecurity concerns through additional regulations, guidelines, and enforcement actions. The U.S. Securities and Exchange Commission (SEC), for example, recently issued guidance for publicly traded companies on disclosing cybersecurity risks and incidents, so that the information is available to investors. The FBI, meanwhile, established a joint task force to investigate cyber threats.


New Laws and Guidelines on Cybersecurity Disclosures Both Protect and Endanger Personal Information

April 17, 2012



When hackers breached the e-commerce firm Zappos in January, they may have compromised the personal information of as many as 24 million users. Legislatures in several states, including California, have responded to attacks such as this one by passing laws enhancing cybersecurity investigation and enforcement, and increasing requirements for disclosure of cyberattacks. The U.S. Securities and Exchange Commission (SEC) has also issued new guidance for publicly traded companies that come under attack. The key issue to consider, in light of these new laws and regulations, is how much disclosure is not enough, and how much is too much.

The SEC is recommending disclosure of cyberattacks to an unprecedented degree. Guidance issued in October 2011 advises publicly traded companies to disclose cybersecurity breaches and risks in their periodic reports, such as the annual Form 10-K. Companies are asked to consider disclosing material cyberattacks even when they caused no direct loss, and to disclose "cyberrisks" even in the absence of a breach. This potentially benefits investors, the SEC says, by providing comprehensive information about both actual and potential losses due to hacking and other cyberattacks. At the same time, extensive disclosure could put companies at greater risk by exposing weaknesses to hackers. Companies must carefully consider how much, or how little, to disclose. Too much disclosure could make them vulnerable to attack. Too little disclosure could make them vulnerable to lawsuits by investors.

State laws regarding cybersecurity disclosures are typically not as stringent as the SEC's guidelines. California passed the first such law a decade ago. That law applies to any person or business that owns or licenses computer data containing a California resident's "personal information," such as social security number, home address, driver's license number, and so forth. In the event of a breach that would reasonably lead to an unauthorized person obtaining the personal information, an owner or licensor of personal data must notify the person whose personal information may have been breached.

Forty-six states have followed California's lead and passed similar laws. California has actually fallen behind some states that have passed laws with stricter disclosure requirements. A new law that took effect on January 1, 2012, requires an individual or business to notify the state attorney general of a cybersecurity breach if the breach affects more than five hundred California residents. The notice must include specific details of the type and size of the breach, and a toll-free number to allow users to contact credit agencies.


California Cyber Stalking and Harassment Laws

December 18, 2011



In California, the stalking laws are included under Section 646.9 of the Penal Code, which states that any person who willfully and maliciously, and repeatedly follows or harasses another person and who makes a credible threat with the intent to place that person in reasonable fear for his or her safety or that of an immediate family member is guilty of stalking. Stalking cases may include additional related charges such as: (1) Trespassing; (2) Vandalism; (3) Burglary; (4) Criminal Threats; and (5) Obscene, Threatening, or Annoying Phone Calls.

Please keep in mind that willfulness is a standard related to the culprit's state of mind. For example, when the person is acting purposefully, then he/she has the "conscious object" of engaging in conduct and believes or hopes that the attendant circumstances exist. If the person is acting knowingly, then he/she is practically certain that his conduct will lead to the result. If the person is acting recklessly, then he/she is aware that the attendant circumstances exist, but nevertheless engages in the conduct that a "law-abiding person" would have refrained from. If the person acts negligently, then he/she is unaware of the attendant circumstances and the consequences of his conduct, but a "reasonable person" would have been aware. Finally, if the person acts with strict liability, then mental state is irrelevant and he/she is strictly liable.

In the last few years, with the emergence of the World Wide Web, a new kind of stalking has developed, called "cyber stalking." This type of misconduct occurs when the violator uses the Internet, electronic mail (e-mail) or other communication devices to harass and stalk others. For example, it can take the form of sending e-mails to the victim, impersonating another person in online chat rooms and e-mail messages, and disseminating lies online. The Internet is also a cheap and efficient way for cyber stalkers to harm their victims anonymously.

If you have any questions, contact me, Salar Atrizadeh, Esq. to discuss your options.

Should the United States Plan for a Smarter Defense Against Cyber-Villains

July 15, 2011



The threats from cyberspace grow more powerful and pernicious. Companies like Sony Corporation, Google Inc., and Lockheed Martin have admitted startling security lapses. Last month the International Monetary Fund suffered a breach leading to the loss of highly sensitive data. In 2010, the United States Congress and executive branch agencies faced approximately 2 billion attacks in cyberspace per month.

FTC PROPOSES SWEEPING NEW CONSUMER PRIVACY PROTECTION FRAMEWORK

December 29, 2010



FTC PROPOSES SWEEPING NEW CONSUMER PRIVACY PROTECTION FRAMEWORK, INCLUDING NEW ON-LINE "DO NOT TRACK" MECHANISM

By Jason Sweeney, Esq.

INTRODUCTION

The Federal Trade Commission released on December 1, 2010 its highly anticipated consumer privacy protection framework titled "Protecting Consumer Privacy in an Era of Rapid Change" ("Privacy Report"). A PDF copy of the Privacy Report may be obtained on the FTC website: http://www.ftc.gov/os/2010/12/101201privacyreport.pdf. The FTC seeks public comment on the proposed privacy framework by January 31, 2011.

The FTC's proposed privacy framework has three major components: (1) "privacy by design," (2) expansion of consumer choices about how companies collect and use certain types of consumer information, and (3) increased transparency of data collection practices. All three components have already ignited a lively debate among consumer advocates, businesses, advertisers and policy makers. Although stated as tasks that a company "should do," there is worry the FTC could take steps to use its enforcement powers against a noncompliant company.

SCOPE

All three of the privacy framework components would apply broadly to "commercial entities that collect, maintain, share or otherwise use consumer data that can be reasonably linked to a specific consumer." (Privacy Report, p. 42.) Notably, the FTC proposes to largely do away with the dichotomy between personally identifiable information and non-personally identifiable information, instead changing the focus to any consumer information that "can be reasonably linked to a specific consumer, computer, or other device." (Privacy Report, p. 43.)

PRIVACY BY DESIGN

The first component of the FTC's proposal is a "privacy by design" process which suggests businesses should implement four broad substantive privacy protections. First, companies that keep consumer information should employ reasonable safeguards to prevent unauthorized disclosure. (See Privacy Report, p. 44-45.) Second, companies should collect only the consumer information needed to fulfill a specific, legitimate business need. (See Privacy Report, p. 46.) Third, companies should implement "reasonable data retention periods," retaining consumer data for only as long as there is a specific and legitimate business need to do so. (See Privacy Report, p. 46.) Location-based data, a form of data that is increasingly common in the mobile device community, was used by the FTC as an exemplar of data for which long-term retention presents significant consumer privacy concerns. (See Privacy Report, p. 47.) Finally, companies should take reasonable steps to ensure the accuracy of collected data, particularly "data that can be used to deny consumers benefits or cause significant harm." (Privacy Report, p. 48.)

EXPANSION OF CONSUMER CHOICE ABOUT HOW COMPANIES COLLECT AND USE CERTAIN TYPES OF CONSUMER INFORMATION

The second component of the FTC's privacy framework includes the highly publicized "Do Not Track" mechanism targeted at behavioral advertising (i.e., collection of a user's on-line browsing data to serve targeted advertisements to the user). Companies would also have to provide consumers a conspicuous "choice mechanism" to opt-out of having certain types of his or her information collected, used or shared.

Citing the lack of consumer control and "invisibility" of the uses of consumer information, the FTC privacy framework creates two categories of data practices: "commonly accepted data practices" and everything else. A company's use of "commonly accepted data practices" would not require consumer consent. Only five types of data practices qualify, however, as "commonly accepted data practices." These include data collection for product fulfillment services, fraud prevention and first-party marketing. (Privacy Report, pp. 53-54). First-party marketing would "include only the collection of data from a consumer with whom the company interacts directly for purposes of marketing to that consumer." (Privacy Report, p. 55.) For all other types of data practices, companies would have to give consumers the ability to make informed choices about the collection, use and sharing of consumer information. (See Privacy Report, pp. 53; 57-63.) The "Do Not Track" mechanism would be an additional layer of consumer protection specifically targeted at on-line behavioral advertising. Essentially, the mechanism would allow consumers to limit or block on-line tracking through their browsers, probably by way of a persistent cookie on a consumer's browser that conveys a setting to sites the browser visits to signal whether or not the consumer wants to be tracked or receive targeted advertisements. (See Privacy Report, p. 66-67.)
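The opt-out mechanism described above, worked through on the server side as an added example; this is not code from the FTC Privacy Report, a browser vendor, or an ad network. It assumes two carriers for the preference that the report only speculates about: an HTTP request header "DNT: 1" (the form a W3C draft later took) and a hypothetical persistent first-party cookie named "tracking_optout". The behavioural-advertising identifier is modelled as a hypothetical cookie named "adid", and the sample requests are constructed, not captured traffic.

```python
"""Server-side handling of a 'do not track' preference.

Added example for the opt-out mechanism discussed in the FTC Privacy Report;
not code from the report or any vendor.  Assumed, hypothetical signals:
the request header "DNT: 1" and a persistent first-party cookie
"tracking_optout=1".  The advertising identifier is a hypothetical cookie "adid".
"""
from http.cookies import CookieError, SimpleCookie
from typing import Dict, List, Mapping, Optional

ADID_COOKIE = "adid"                  # hypothetical advertising identifier
OPTOUT_COOKIE = "tracking_optout"     # hypothetical persistent opt-out flag
OPTOUT_MAX_AGE = 5 * 365 * 24 * 3600  # a "persistent" cookie: five years, in seconds


def parse_cookies(header_value: Optional[str]) -> Dict[str, str]:
    """Parse a Cookie request header into a name -> value dict.

    A missing or unparsable header yields an empty dict, which the caller
    treats as "no opt-out cookie present".
    """
    if not header_value:
        return {}
    jar = SimpleCookie()
    try:
        jar.load(header_value)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def optout_signals(headers: Mapping[str, str]) -> List[str]:
    """Return the opt-out signals present in a request, in a fixed order.

    Header names are matched case-insensitively, as HTTP requires.  Either
    signal alone is enough to refuse tracking; listing both helps when a
    decision is audited later.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    signals: List[str] = []
    if lower.get("dnt", "").strip() == "1":
        signals.append("dnt-header")
    if parse_cookies(lower.get("cookie")).get(OPTOUT_COOKIE) == "1":
        signals.append("optout-cookie")
    return signals


def decide(headers: Mapping[str, str], new_adid: str) -> Dict[str, object]:
    """Decide whether to track this request and which Set-Cookie values to emit.

    Tracking allowed: issue (or refresh) the advertising identifier.
    Tracking refused: issue no identifier, and if one is already present from
    an earlier visit, expire it so it does not keep following the user.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cookies = parse_cookies(lower.get("cookie"))
    signals = optout_signals(headers)
    set_cookies: List[str] = []
    if not signals:
        set_cookies.append(f"{ADID_COOKIE}={new_adid}; Path=/; HttpOnly; SameSite=Lax")
    elif ADID_COOKIE in cookies:
        set_cookies.append(f"{ADID_COOKIE}=; Path=/; Max-Age=0")
    return {"track": not signals, "signals": signals, "set_cookie": set_cookies}


def optout_cookie_header() -> str:
    """Set-Cookie value a site sends when the user chooses 'do not track me'.

    The long Max-Age is what makes the cookie 'persistent'.  It is still lost
    when the user clears cookies, which is the weakness of a cookie-based carrier.
    """
    return f"{OPTOUT_COOKIE}=1; Path=/; Max-Age={OPTOUT_MAX_AGE}; SameSite=Lax"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "no-signal": {"Host": "ads.example", "Cookie": "session=abc"},
    "dnt-only": {"Host": "ads.example", "DNT": "1"},
    "cookie-only": {"Host": "ads.example", "cookie": f"{OPTOUT_COOKIE}=1; {ADID_COOKIE}=old123"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, decide(req, "new456"))
```

Either signal alone refuses tracking, and a refusal also expires any identifier set on an earlier visit rather than merely declining to set a new one. A cookie-based opt-out disappears when the user clears cookies, which is the practical argument for carrying the preference in a browser header instead of, or in addition to, a cookie.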

INCREASED TRANSPARENCY OF DATA PRACTICES

The third component of the FTC's privacy proposal targets the form and content of off- and on-line privacy notices and seeks to grant consumers greater access and control over information that can reasonably identify them. (See Privacy Report, pp. 69-78.) The FTC's privacy framework states that (1) privacy notices should be "clearer, shorter and more standardized" (Privacy Report, pp. 70-72), (2) companies should provide "reasonable access" to the consumer data they maintain (Privacy Report, pp. 72-76), and (3) companies should provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected (Privacy Report, pp. 76-77).

CONCLUSION

The FTC is not the only government entity considering consumer privacy changes in the near term. The United States Commerce Department is widely expected to release its own privacy report in the coming weeks and the Obama administration's Office of Science Technology Policy is developing broad-based on-line privacy principles. In short, practitioners need to be aware that significant changes in consumer privacy protections appear to be coming soon.

For more go to businesslaw.calbar.ca.gov.

The Data Security and Breach Notification Act of 2010

September 4, 2010




To help protect personal information on the Internet and elsewhere, California enacted seminal legislation in 2000, which was significantly strengthened with the passage of SB 1386 in 2002. Since then, other states have enacted similar legislation.

State activity, however, may be preempted by proposed federal legislation. On August 5, 2010, S. 3742, the Data Security and Breach Notification Act of 2010 (the "Act"), (http://thomas.loc.gov/cgi-bin/query/z?c111:S.3742:), the most recent federal effort to preempt state laws on the subject, was introduced by Sen. Mark Pryor (D-Ark.), chairman of the Subcommittee on Consumer Protection, Product Safety, and Insurance, and co-sponsored by Sen. John D. Rockefeller IV (D-W.Va.), Chairman of the Senate Commerce Committee. The Act is less protective of consumers than California law. Among other things, it:

(1) Preempts any state or local law or regulation covering the same subject matter and the entities subject to regulation by the FTC and non-profits;

(2) Creates a "risk of harm threshold," so that, if a covered entity determines that there is "no reasonable risk of identity theft, fraud, or other unlawful conduct" resulting from the breach, no notification or other action is required;

(3) Eliminates the private right of action for victims afforded by California law and the laws of other states;

(4) Precludes any action by state or local law enforcement agencies during the pendency of an FTC enforcement action; and,

(5) Caps the exposure of violators to $5,000,000 for each violation of the information security provisions of the Act, and to $5,000,000 for all violations of the notification provisions of the Act arising from a single data breach.

The Act also vests the FTC with primary jurisdiction and the right to engage in extensive rulemaking to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information, taking into consideration (A) the size of, and the nature, scope, and complexity of the activities engaged in by, such covered entity; (B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and (C) the cost of implementing such safeguards.

The Act also defines "personal information" more narrowly than Cal. Civ. Code § 1798.80 by, among other things, eliminating personal health information from the definition although it does grant the FTC rulemaking authority to expand the definition. In an August 19, 2010 letter, a coalition of business interests including the U.S. Chamber of Commerce, the Financial Services Roundtable, the National Retail Federation, the American Financial Services Association, and the Consumer Data Industry, raised concerns over the proposed FTC rulemaking authority.

According to media reports of the August 19 letter, the objecting coalition of business interests is concerned that the breach notification requirements of the measure, when applied to "minor" breaches, would unnecessarily alarm unaffected consumers and could unreasonably impede interstate commerce. The letter goes on to state that permitting the FTC to expand a definition that is at the core of the applicability of the proposed federal statute is an inappropriate delegation of Congressional authority to the rulemaking capacity of an enforcement agency, and that this critical function should require Congressional action and not be abdicated to unelected officials.

The Act has the qualified support of Consumers Union (see letter to Chairman Rockefeller at http://www.defendyourdollars.org/pdf/Support-Ltr-S-3742.pdf).

There is a remote possibility that floor action on the Act may take place toward the end of this year.

For more information please see www.businesslaw.calbar.ca.gov.

Cybersecurity Emergency and Presidential Powers

August 16, 2010



Our nation can be threatened not only by physical attacks on terra firma, but also in Cyberspace. Indeed, Cyber attacks could threaten all sorts of mission critical systems.

For this reason, aides to Senator Jay Rockefeller reportedly have been working recently on a revised draft Senate bill that would give the President broad powers in the event of a Cybersecurity emergency, and that apparently would go so far as allowing the President to temporarily seize control over computer networks in the private sector.

This power is akin to the power President Bush exerted when he grounded commercial aircraft in the wake of the September 11, 2001 World Trade Center and Pentagon attacks, according to a reported Senate source.

The revised draft Senate bill calls on the President, within 180 days of enactment, to develop and implement a comprehensive national Cybersecurity strategy. This strategy is to provide a "long-term vision of the Nation's Cybersecurity future" and a plan that "encompasses all aspects of national security," which would include private sector involvement.

Importantly, the revised draft Senate bill sets forth that "in the event of an immediate threat to strategic national interests involving a compromised Federal Government or United States critical infrastructure information system or network," the President may declare "a Cybersecurity emergency" and may, if deemed necessary by the President for "the national defense and security," direct "the national response to the Cyber threat" and the "timely restoration of the affected critical infrastructure information system or network."

This is a mouthful, of course. But what it boils down to is that, if this becomes law, the President will be able to declare a Cybersecurity emergency and then direct the response to that threat. This would give the President very broad power.

Some might argue that this open-ended power and flexibility are exactly what the President would need to cope with the unusual circumstances that could be encountered by various types of Cyber attacks.

Others might argue that the revised draft Senate bill is too vague in terms of the scope of authority ceded to the President, and that there should be greater specificity to ensure that unbridled power is not abused potentially in the future.

Plainly, the United States needs a chain of authority, and plans and measures designed to prevent and then cope with possible Cyber attacks. However, whether the revised draft Senate bill gets off the ground and becomes law as is remains to be seen.

For more information go to www.findlaw.com

India eyes Google and Skype in security crackdown

August 16, 2010



Associated Press: India may ask Google and Skype for greater access to encrypted information once it resolves security concerns with BlackBerrys, which are now under threat of a ban, according to a government document and two people familiar with the discussions.

The 2008 terror attacks in Mumbai, which were coordinated with satellite and cell phones, helped prompt a sweeping security review of telecommunications ahead of the Commonwealth Games, to be held in New Delhi in October.

On July 12, officials from India's Department of Telecommunications met with representatives of three telecom service provider groups to discuss interception and monitoring of encrypted communications by security agencies.

"There was consensus that there are more than one type of service for which solutions are to be explored," according to a copy of the minutes of the meeting obtained by The Associated Press. "Some of them are BlackBerry, Skype, Google etc. It was decided first to undertake the issue of BlackBerry and then the other services."

"They have clearly instructed us that after BlackBerry, they are going to take to task Google, Skype and similar services that bypass the monitoring department of India," said Rajesh Chharia, president of the Internet Service Providers Association of India, who attended the meeting. "According to the law, they have to allow monitoring."

The officials' immediate concern was the BlackBerry, but they also plan to look at Google and other companies that use encryption for e-mail and messaging services, said Rajan Mathews, director general of the Cellular Operators Association of India, who was briefed on the meeting.

Google and Skype said Friday they haven't received any notices from the government.

The Home Ministry said present talks involve only BlackBerry maker, Canada-based Research In Motion.

"We are talking only to BlackBerry," ministry spokesman D.R.S. Chaudhary said Friday. "Not to Google or others."

On Thursday, India threatened to ban BlackBerry services unless the device's manufacturer makes them accessible to its security agencies by Aug. 31.

On Friday, Research In Motion Vice President Robert E. Crowe met with Home Ministry officials in New Delhi to try to avoid the ban. No details of the outcome of the meeting were immediately available.

For more information go to www.associatedpress.com

FBI's access to e-mail and Web data raises privacy fears

July 30, 2010



WASHINGTON - Invasion of privacy in the Internet age. Expanding the reach of law enforcement to snoop on e-mail traffic or on Web surfing. Those are among the criticisms being aimed at the FBI as it tries to update a key surveillance law.

With its proposed amendment, is the Obama administration merely clarifying a statute or expanding it? Only time and a suddenly on guard Congress will tell.

Federal law requires communications providers to produce records in counterintelligence investigations to the FBI, which doesn't need a judge's approval and court order to get them.

They can be obtained merely with the signature of a special agent in charge of any FBI field office and there is no need even for a suspicion of wrongdoing, merely that the records would be relevant in a counterintelligence or counterterrorism investigation. The person whose records the government wants doesn't even need to be a suspect.

The bureau's use of these so-called national security letters to gather information has a checkered history.

The bureau engaged in widespread and serious misuse of its authority to issue the letters, illegally collecting data from Americans and foreigners, the Justice Department's inspector general concluded in 2007. The bureau issued 192,499 national security letter requests from 2003 to 2006.

Weathering that controversy, the FBI has continued its reliance on the letters to gather information from telephone companies, banks, credit bureaus and other businesses with personal records about their customers or subscribers, and from Internet service providers.

Source: Google News (www.news.google.com)

WikiLeaks Does Not Know The Source of Leaked Data

July 29, 2010



WikiLeaks' chief claims his organization doesn't know who sent it some 91,000 secret U.S. military documents, telling journalists that the website is set up to hide the source of its data from those who receive it.

Editor-in-chief Julian Assange says the added layer of secrecy helps protect the site's sources from spy agencies and hostile corporations. He acknowledged that the site's anonymous submissions raised concerns about the authenticity of the material, but said the site has not yet been fooled by a bogus document.

Assange made the claim in an hour-long talk before London's Frontline Club late Tuesday, in which he outlined the workings of WikiLeaks and defended its mission.

NSA Cyber-security Program Details Revealed

July 23, 2010



The National Security Agency revealed some information about the nature of its "Perfect Citizen" cyber-security program after a report about the agency's plans surfaced in the Wall Street Journal. While the agency is unwilling to confirm or deny some details of the Journal's article, it described Perfect Citizen as a "vulnerabilities-assessment and capabilities-development" effort, and stressed that there is no monitoring activity involved.

"Specifically, it does not involve the monitoring of communications or the placement of sensors on utility company systems," NSA spokesperson Judith Emmel said in a statement. "This contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA's mission of defending the nation."

Defense contractor Raytheon was reported by the Journal to have received the contract for the project. According to the Journal, Perfect Citizen would involve placing sensors across a variety of computer networks belonging to government agencies and private sector companies involved in critical infrastructure in order to protect against cyber-attacks. The focus would be large, typically older systems designed without Internet connectivity or security in mind, the Journal reported.

See www.eweek.com/c/a/Security/NSA-Cyber-Security-Program-Details-Revealed-275248

Cyber-Security Insurance

July 20, 2010



Many Companies Continue to Ignore the Issue (Pittsburgh Post-Gazette, 22 June 2010) - After a year of high-tech breaches at some of the nation's biggest companies, a provision in a Senate bill calls on the White House to encourage a market for cybersecurity insurance to protect businesses from debilitating costs brought on by hacking and compromised information. The bill, introduced by Sens. Jay Rockefeller, D-W.V., and Olympia Snowe, R-Maine, says the president or his appointee must report to Congress on "the feasibility of creating a market for cybersecurity risk management" one year after the bill's passing.

But a crashed server policy is not as easy to write as a crashed car policy. Many businesses are deterred by an application process described as appropriately exhaustive but forever imprecise. The process is complicated by the tricky nature of monetizing data. Web experts always have held that "information wants to be free." But how much is it worth when it's stolen? Companies lost an average of $234,000 per breach in 2009, a recent report by the Computer Security Institute in New York found. But a report released last Tuesday by the Carnegie Mellon CyLab found that 65 percent of its Fortune 1,000 respondents were not reviewing their companies' cybersecurity policies.

Jody Westby, a researcher who worked on the CyLab report that indicated board negligence, said the insurance provision in the cybersecurity bill was a mandate by an ill-informed Congress. "This is interventionist, regulatory, heavy-handed action by Congress," said Ms. Westby from a technology best practices conference in Burkina Faso, West Africa. "This isn't anything that Congress is going to fix," she said. "It's something boards in America need to fix."

For more information please visit: http://www.post-gazette.com/pg/10173/1067262-96.stm AND/OR http://www.knowconnect.com/mirln/current/

AT&T Discloses Breach of iPad Owner Data

June 9, 2010



AT&T Inc. acknowledged Wednesday that a security hole in its website had exposed iPad users' email addresses, a breach that highlights how corporations still have problems protecting private information.

A small group of computer experts that calls itself Goatse Security claimed responsibility for the intrusion, saying the group had exploited an opening in AT&T's website to find numbers that identify iPads connected to AT&T's mobile network.

Those numbers allowed the group to uncover the email addresses of some 114,000 iPad customers, including prominent figures in business, politics and the military, the group said. Gawker Media LLC reported the breach Wednesday. It doesn't appear any financial or billing information was made public.

AT&T, the sole U.S. provider of wireless service for the Apple Inc. tablets, said it had fixed the security problem by Tuesday. It said it would inform all customers whose email addresses and iPad IDs may have been obtained. Apple didn't reply to requests for comment.

"At this point, there is no evidence that any other customer information was shared," AT&T said. "We take customer privacy very seriously, and while we have fixed this problem, we apologize to our customers who were impacted."

To obtain additional information visit http://online.wsj.com
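The article describes the flaw only in outline: a website endpoint accepted a number that identifies a device and handed back the owner's email address, so anyone able to produce valid numbers could harvest addresses in bulk. The following is an added illustrative example, not AT&T's code and not the group's actual method; it assumes the general pattern (a sequential, guessable device identifier used as the only key to personal data, with no check that the caller owns that device) and uses a constructed directory, constructed sessions and constructed access-log lines. It contrasts the vulnerable lookup with a hardened one that treats the identifier as a lookup key rather than as proof of identity, and shows a simple log-side check for clients walking through identifiers.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample directory of device id -> owner e-mail (not real data).
# The ids are sequential on purpose: that is what makes harvesting cheap.
DIRECTORY: Dict[int, str] = {
    1000: "alice@example.com",
    1001: "bob@example.com",
    1002: "carol@example.com",
    1003: "dave@example.com",
}


@dataclass(frozen=True)
class Session:
    """An authenticated caller: who they are and which device they own (assumed model)."""
    email: str
    device_id: int


def lookup_vulnerable(device_id: int, session: Optional[Session] = None) -> Optional[str]:
    """Flawed pattern: a guessable device id is treated as if it were a credential.
    The session is ignored; anyone who can produce a valid id gets the e-mail back."""
    return DIRECTORY.get(device_id)


def lookup_hardened(device_id: int, session: Optional[Session] = None) -> Optional[str]:
    """Hardened pattern: the id is only a lookup key, never proof of identity.
    The caller must be authenticated and the id must be the caller's own device.
    Every failure returns the same value, so the response does not tell an
    unauthenticated caller which ids exist (no enumeration oracle)."""
    if session is None or session.device_id != device_id:
        return None
    return DIRECTORY.get(device_id)


Handler = Callable[[int, Optional[Session]], Optional[str]]


def harvest(handler: Handler, id_range: Iterable[int],
            session: Optional[Session] = None) -> Dict[int, str]:
    """Walk a contiguous id range the way a harvesting script would and keep
    every address the endpoint hands back."""
    leaked: Dict[int, str] = {}
    for device_id in id_range:
        email = handler(device_id, session)
        if email is not None:
            leaked[device_id] = email
    return leaked


# Constructed web-server access-log lines (not real traffic): one client walks
# ids 1000..1003 in order, another makes a single request for its own device.
LOG_LINES: List[str] = [
    '203.0.113.9 - - [09/Jun/2010:10:00:01 +0000] "GET /device?id=1000 HTTP/1.1" 200',
    '203.0.113.9 - - [09/Jun/2010:10:00:01 +0000] "GET /device?id=1001 HTTP/1.1" 200',
    '203.0.113.9 - - [09/Jun/2010:10:00:02 +0000] "GET /device?id=1002 HTTP/1.1" 200',
    '203.0.113.9 - - [09/Jun/2010:10:00:02 +0000] "GET /device?id=1003 HTTP/1.1" 200',
    '198.51.100.4 - - [09/Jun/2010:10:00:05 +0000] "GET /device?id=1001 HTTP/1.1" 200',
]

# Hypothetical endpoint path /device?id=...; the regex pulls out client IP and id.
LOG_RE = re.compile(r'^(?P<ip>\S+) .* "GET /device\?id=(?P<id>\d+) ')


def find_enumerators(lines: Iterable[str], max_distinct_ids: int = 1) -> Set[str]:
    """Detection: flag any client that queried more distinct device ids than a
    legitimate owner plausibly would. One owner has one device (assumed), so
    more than `max_distinct_ids` distinct ids from one address is suspicious."""
    ids_by_ip: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m.group("ip")].add(int(m.group("id")))
    return {ip for ip, ids in ids_by_ip.items() if len(ids) > max_distinct_ids}


if __name__ == "__main__":
    ids = range(1000, 1004)
    print("vulnerable leaks:", harvest(lookup_vulnerable, ids))
    print("hardened, no session:", harvest(lookup_hardened, ids))
    bob = Session("bob@example.com", 1001)
    print("hardened, bob's session:", harvest(lookup_hardened, ids, bob))
    print("flagged clients:", find_enumerators(LOG_LINES))
```

The point of the hardened handler is that authorization is decided from the session, not from the request parameter, and that unknown, foreign and unauthenticated lookups all produce the identical response, so the endpoint cannot be used to confirm which identifiers are valid. The log check is deliberately crude (distinct ids per source address) and would be tuned, or combined with rate limiting, in practice.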

Date: June 10, 2010

The FTC Supports Increased Security in the "Cloud" for the FCC's Broadband Plan

April 29, 2010



The Federal Trade Commission (FTC) recently filed a series of comment letters with the Federal Communications Commission (FCC) supporting that agency's consideration of privacy and data security in the development of its Broadband Plan. The first of these letters,[1] dated December 9, 2009, highlights the extent to which federal agencies, including the FTC and FCC, are focusing their resources on privacy and data security issues in response to the rapid expansion in recent years of Internet-based software and data services (commonly referred to as "cloud computing"), and the growing dependence by businesses on authentication and credentialing (what the FTC terms "identity management").

By way of background, the FCC's National Broadband Plan[2] sets various goals aimed at providing affordable broadband coverage to areas of the U.S. that go underserved in the current market, including homes, schools, hospitals and local government. The plan also focuses on improving public safety, both through expanding or enhancing broadband services, and promoting cybersecurity and the protection of critical broadband infrastructure. In this respect, the plan makes a number of recommendations, including the creation by the FCC of a "cybersecurity certification regime" and (in conjunction with the Department of Homeland Security) "a cybersecurity information reporting system." The depth and breadth of these recommendations appears to move the FCC closer to the regulation of data security, an area where activity at the federal level, at least with respect to consumers, has generally fallen under either the Justice Department through criminal investigations, or the FTC via enforcement actions and various other initiatives.

The letter goes on to emphasize some of the FTC's more significant efforts in this regard, including a 2007 workshop on customer authentication technology and policy, followed by a 2008 report on the same topic, and most notably, the Commission's enforcement action and $15 million settlement against ChoicePoint for failure to follow reasonable data protection procedures, the largest civil money penalty in FTC history. The letter also mentions some of the Commission's more recent efforts to address privacy challenges surrounding cloud computing, including three roundtable forums on privacy in the age of cloud computing and social networking, the last of which took place in March of 2010.

The letter concludes by recommending that the FCC's Broadband Plan recognize the FTC's continued devotion of substantial resources to privacy and data security. Whether the letter will enhance cooperation between these agencies remains to be seen. The FCC's effort to expand its authority over Internet regulation was further complicated after a federal court held in March that the agency lacked the ability to punish Comcast for violating open-Internet guidelines. Furthermore, under a provision in the financial reform legislation currently before Congress, the FTC would gain the power to issue rules and impose civil penalties on companies that harm consumers on the Internet. Regardless, an increased focus by the federal government on privacy and data security, not to mention broadband infrastructure, is worth noting given the current patchwork of state and federal laws and regulations that make privacy compliance an ongoing challenge for many companies.


For more information visit http://calbar.ca.gov/state/calbar/calbar_sections_generic.jsp?cid=11372