Archives: Children

Unauthorized Children’s In-App Purchases Round Two: Google Faces Class Action

Written by Julia Siripurapu, CIPP/US

Just two months after Apple’s settlement with the FTC over lax parental controls over children’s in-app purchases (see our prior blog post), Google takes the spotlight with claims of unauthorized children’s in-app purchases in the Google Play Store! This time, it’s not an FTC action, but a class action. The suit was filed on March 7 in the U.S. District Court for the Northern District of California by a New York mother (“Plaintiff”) on behalf of herself and other parents whose minor children downloaded free or relatively inexpensive child-directed games from the Google Play store and then incurred charges for items that cost money within the app, without parental consent or authorization. For example, the Plaintiff’s five-year-old son spent over $65 on virtual Crystals while playing the game “Marvel Run Jump Smash!” on an Android device.

According to the complaint, the apps directed to children that are offered in the Google Play store are “designed to induce purchases of what Google refers to as ‘In-App Purchases’ or ‘In-App Content,’ i.e. virtual supplies, ammunition, fruits and vegetables, cash, and other fake ‘currency,’ etc. within the game in order to play the game as it was designed to be played (‘Game Currency’)”. As noted in the complaint, while Google required users to enter a password to authenticate their account before purchasing and downloading an app or Game Currency, once the account was authenticated the user, including a child, could purchase “several hundreds of dollars” in Game Currency during a 30-minute window without having to re-enter the password. This billing practice allowed Google to automatically charge the account holder’s credit or debit card or PayPal account without notifying the account holder or obtaining any further consent.

Written by Julia Siripurapu

The Children’s Advertising Review Unit (CARU) announced (press release) that it has recommended that HarperCollins Publishers Ltd. (the “Company”) modify its information collection practices on its Ruby Redfort child-directed website (the “Site”) to better protect the privacy of children under 13 (“Children”) and that the Company has agreed to do so. CARU is the children’s arm of the advertising industry’s self-regulation system and is administered by the Council of Better Business Bureaus.

The Site, and the Company’s faulty information collection practices, came to CARU’s attention in the course of CARU’s routine monitoring of websites for compliance with CARU’s Self-Regulatory Program for Children’s Advertising, including its guidelines on Online Privacy Protection, as well as with the Children’s Online Privacy Protection Act (COPPA). As described in CARU’s press release, in order to become a Site user and enter to win prizes on the Site, children were asked to provide personal information such as their first and last name, e-mail address, full street address and a username, and to check a box to indicate whether: (1) they are over 16, (2) they are under 16 but have permission from a parent or guardian to sign up as a user of the Site and enter the competition, or (3) they are under 16 and a parent is not aware of their signing up as a Site user and entering the competition. However, the Company did not take any additional steps to verify parental consent for children that selected option 2, as required by COPPA. The fact that the Company is a U.K.-based entity does not affect its COPPA-compliance obligations: the Site is not only directed to Children located in the U.S. (among children from other countries), but the Company is also knowingly collecting information from Children located in the U.S.

In response to CARU’s investigation, the Company agreed to take steps to comply with COPPA, including to implement a system for obtaining verifiable parental consent. When we visited the Site today, we noticed that the Company has implemented an age-neutral verification mechanism and is currently blocking the collection of information from Children on the Site. If a prospective user indicates that she/he is under 13 and then selects either the “My parent or guardian has given me permission to sign up to this” button or the “My parent or guardian does not know I’m signing up for this” button, the individual receives the following message: “ERROR: Sorry, but you are not eligible to sign up at this time.” The Company has also implemented a session cookie to prevent Children from going back and changing their age.
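To show what the two controls described above look like in code (an age screen that does not hint at the cutoff, and a session that keeps a failed screen sticky), here is an added example in Python. It is not HarperCollins’ or CARU’s code: the signed-cookie layout, the `SESSION_KEY` value and the birth-date form are assumptions made for the illustration; only the “not eligible” message is taken from the Site.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

COPPA_AGE = 13
# Hypothetical server-side key; a real deployment loads it from a secret store.
SESSION_KEY = b"example-only-session-key"
# Age-neutral refusal: it does not reveal which answer would have passed.
NEUTRAL_ERROR = "ERROR: Sorry, but you are not eligible to sign up at this time."


def _mac(payload: bytes) -> bytes:
    return hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()


def make_session(state: dict) -> str:
    """Encode state as a signed cookie value: b64(payload).b64(mac)."""
    payload = json.dumps(state, sort_keys=True).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_mac(payload)).decode())


def load_session(cookie) -> dict:
    """Return the state in a valid cookie; {} for a missing, malformed or forged one."""
    if not cookie or "." not in cookie:
        return {}
    payload_b64, mac_b64 = cookie.split(".", 1)
    try:
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return {}
    if not hmac.compare_digest(mac, _mac(payload)):
        return {}
    return json.loads(payload)


def age_on(birth: date, today: date) -> int:
    """Whole years from birth to today."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def screen_age(cookie, birth_iso: str, today_iso: str):
    """Handle one age-screen submission.

    The form asks for a full birth date (nothing on the page hints that 13 is
    the cutoff) and the outcome is written into the signed session, so a
    visitor who has been screened out cannot go back and submit an older date
    in the same session. Returns (status, message, new_cookie) with status in
    {"passed", "blocked", "invalid"}.
    """
    state = load_session(cookie)
    if state.get("age_screen") == "blocked":
        return "blocked", NEUTRAL_ERROR, make_session(state)
    try:
        birth = date.fromisoformat(birth_iso)
    except ValueError:
        return "invalid", "Please enter a valid date.", make_session(state)
    if age_on(birth, date.fromisoformat(today_iso)) < COPPA_AGE:
        state["age_screen"] = "blocked"
        return "blocked", NEUTRAL_ERROR, make_session(state)
    state["age_screen"] = "passed"
    return "passed", "", make_session(state)
```

The HMAC stops a visitor from editing the stored result, but a session cookie of any kind only deters the casual “go back and try a different age” that CARU was concerned about: clearing cookies or opening a private window starts a fresh session. Operators who want the block to stick harder need server-side state rather than anything the browser holds.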

Is your COPPA-compliance house in order? We can help!

Written by Julia Siripurapu

The FTC has announced its unanimous approval for the kidSAFE Seal Program proposed by Samet Privacy, LLC under the “safe harbor” provision of the COPPA Rule (the “kidSAFE Seal Program”). The Commission’s decision comes after an extended public comment period due to the agency’s shutdown last year.  For more information regarding the kidSAFE Seal Program please see our prior blog post.

The safe harbor provision of the COPPA Rule enables interested entities to submit to the FTC for approval self-regulatory guidelines that implement the protections of the COPPA Rule. The FTC determined that the kidSAFE Seal Program meets the following key criteria for a COPPA safe harbor program:

  1. provides “the same or greater protections for children” as the standards set forth in Sections 312.2 – 312.10 of the COPPA Rule;
  2. includes an effective mechanism to assess members’ compliance with the program guidelines, including, at a minimum, a comprehensive annual review of each member’s information practices;
  3. includes effective disciplinary actions for member non-compliance with the program guidelines; and
  4. provides adequate means for resolving consumer complaints.

To date, five other organizations have received FTC approval for COPPA safe harbor programs: Aristotle, Inc., the Children’s Advertising Review Unit of the Council of Better Business Bureaus, the Entertainment Software Rating Board, TRUSTe, and PRIVO.

If you operate an online site or service required to comply with COPPA, participating in an approved COPPA safe harbor program means that, in most circumstances, you will be subject to the review and disciplinary procedures provided in the safe harbor’s guidelines in lieu of formal FTC investigation and law enforcement.

Written by Julia Siripurapu and Cynthia Larose

Apple Agrees to Pay Consumers At Least $32.5 Million to Settle Complaint of Unfair Billing Related to Children’s In-App Charges

FTC Chairwoman Edith Ramirez just announced (press conference) that Apple, Inc. (“Apple”) has agreed to provide consumers full refunds of at least $32.5 million to settle the Commission’s complaint alleging that Apple billed consumers millions of dollars in charges incurred by children purchasing items that cost money within mobile apps for kids (“children’s in-app charges”), without parental consent. While Apple sometimes requests a parent’s iTunes password when billing for children’s in-app charges, in many instances Apple “caches” the iTunes password for 15 minutes after it is first entered and does not inform the parent that by entering the password they are approving a charge or opening a 15-minute window during which children using the app can make further purchases without any action by the parent. The FTC alleged that Apple’s failure to inform parents of this billing practice violates Section 5 of the FTC Act, 15 U.S.C. §45(a) and (n). According to the complaint, Apple has been aware of these practices at least since March 2011, and the Commission has received tens of thousands of consumer complaints related to unauthorized charges for children’s in-app purchases. The financial injury in this case isn’t speculative. According to the complaint, one mother reported that her daughter’s clicks resulted in $2,600 in unauthorized purchases in the “Tap Pet Hotel” app. Others reported $500 in surprise in-app charges when kids played “Dragon Story” and “Tiny Zoo Friends.”
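The security flaw in both the Apple complaint and the Google class action above is the same one: a password typed for one purpose (downloading a free app) silently authorises a different, costlier one (every in-app charge for the next 15 or 30 minutes), and the person typing it is never told. The following added example, written for this post and not taken from Apple, Google or the FTC, models that billing decision as a small policy object and replays a constructed timeline under the legacy cache, under the per-charge “express, informed consent” the settlement requires, and under a disclosed window that only a confirmed purchase can open. The timestamps and prices are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class BillingPolicy:
    # Seconds for which one password entry keeps authorising new charges;
    # 0 means every charge needs its own confirmation.
    cache_seconds: int
    # Whether a password typed merely to download an app also opens that window.
    download_auth_opens_window: bool
    # Whether the prompt states the amount being approved and that a
    # no-password window is being opened (express, informed consent).
    disclose: bool


# The practice the complaint describes: a 15-minute cache, opened even by a
# free download, with no notice to the parent.
LEGACY_CACHE = BillingPolicy(cache_seconds=15 * 60, download_auth_opens_window=True, disclose=False)
# Every charge is confirmed on its own, with the amount shown; no window at all.
EXPRESS_CONSENT = BillingPolicy(cache_seconds=0, download_auth_opens_window=False, disclose=True)
# A disclosed window that only an actual, confirmed purchase can open.
DISCLOSED_WINDOW = BillingPolicy(cache_seconds=15 * 60, download_auth_opens_window=False, disclose=True)


@dataclass
class Account:
    window_opened_at: Optional[int] = None
    charged_cents: List[int] = field(default_factory=list)
    prompts: List[str] = field(default_factory=list)


def password_entered(policy: BillingPolicy, acct: Account, now: int,
                     purpose: str, amount_cents: int = 0) -> None:
    """The account holder typed the password; purpose is 'download' or 'purchase'."""
    if purpose == "purchase":
        acct.charged_cents.append(amount_cents)
    if policy.cache_seconds and (purpose == "purchase" or policy.download_auth_opens_window):
        acct.window_opened_at = now


def window_open(policy: BillingPolicy, acct: Account, now: int) -> bool:
    return (acct.window_opened_at is not None
            and now - acct.window_opened_at < policy.cache_seconds)


def request_charge(policy: BillingPolicy, acct: Account, now: int, amount_cents: int) -> str:
    """An in-app item is tapped. Returns 'charged' (billed silently) or 'prompt'."""
    if window_open(policy, acct, now):
        acct.charged_cents.append(amount_cents)
        return "charged"
    prompt = "Enter password"
    if policy.disclose:
        prompt = f"Confirm charge of ${amount_cents / 100:.2f}"
        if policy.cache_seconds:
            prompt += (f"; purchases in the next {policy.cache_seconds // 60} minutes "
                       "will not ask for a password again")
    acct.prompts.append(prompt)
    return "prompt"


# Constructed timeline shared by both scenarios: three paid items tapped by a
# child within ten minutes of the device being handed over.
CHILD_TAPS = [(120, 1999), (400, 4999), (590, 9999)]


def after_free_download(policy: BillingPolicy):
    """Parent types the password only to download a free game at t=0."""
    acct = Account()
    password_entered(policy, acct, now=0, purpose="download")
    results = [request_charge(policy, acct, t, cents) for t, cents in CHILD_TAPS]
    return results, sum(acct.charged_cents), acct.prompts


def after_one_confirmed_purchase(policy: BillingPolicy):
    """Parent knowingly confirms the first item at t=120; the child taps the rest."""
    acct = Account()
    password_entered(policy, acct, now=0, purpose="download")
    first_t, first_cents = CHILD_TAPS[0]
    password_entered(policy, acct, now=first_t, purpose="purchase", amount_cents=first_cents)
    results = [request_charge(policy, acct, t, cents) for t, cents in CHILD_TAPS[1:]]
    return results, sum(acct.charged_cents)
```

Under `LEGACY_CACHE` the free download alone is enough for all three taps to bill without a prompt ($169.97 in the constructed run); under `EXPRESS_CONSENT` each tap produces a prompt that names the amount and nothing is billed until the parent acts. The `DISCLOSED_WINDOW` variant shows that a convenience window is not the problem in itself: the problems are opening it from an unrelated authentication and not telling the person who typed the password what they just authorised.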

The settlement agreement requires Apple to send an electronic notice within 15 days after March 31, 2014 to all consumers who have been charged for in-app purchases prior to March 31, 2014 and who believe that the charge was incurred by a minor. As part of the settlement, Apple has also agreed to change its billing practices by March 31, 2014 to ensure that it obtains express, informed consent from consumers prior to charging for items sold within mobile apps. The settlement agreement is subject to public comment until February 14, 2014 after which the FTC will enter the final order. The FTC is also hosting a Twitter chat on the subject today at 2:00 PM.

Chairwoman Ramirez emphasized during the press conference that the $32.5 million figure is only a floor and that there is no maximum amount that Apple may be required to pay to achieve consumer redress. The Chairwoman also stated that the Commission’s settlement with Apple does not mean that the FTC is finished with Apple and that it will continue to actively monitor Apple’s practices as well as the mobile sphere in general.

 

Written by Julia Siripurapu

As we predicted in our prior blog post reviewing the key children’s privacy developments of the past year, 2014 is turning out to be the year of enforcement of children’s privacy regulations! The first two requests for investigation under the Amended COPPA Rule have been filed with the FTC by the Center for Digital Democracy (“CDD”), a consumer rights organization. The CDD claims that two of the major players in the children’s online marketplace, Marvel Entertainment (“Marvel”) and Sanrio Co., Ltd. (“Sanrio”), failed to comply with the Amended COPPA Rule’s parental notice and verifiable consent requirements as well as with the requirement that the privacy policy be clearly written and accurate.

In its complaint against Sanrio (the “Sanrio Complaint”), the CDD asked the FTC to investigate Sanrio for operating its Hello Kitty Carnival mobile application in violation of the Amended COPPA Rule. Hello Kitty Carnival is a free mobile app for children that, as of the date of the Sanrio Complaint, had been downloaded more than a million times. The CDD alleged that Sanrio, as well as several third-party advertising companies listed on Appendix A to the Sanrio Complaint, access and collect via the Hello Kitty Carnival app, and likely disclose, at least four categories of personal information from children under 13 (unique device identifiers, photos of children, geolocation information, and online contact information such as e-mail addresses) without providing COPPA-compliant notice to parents and obtaining verifiable parental consent in advance, as required by the Amended COPPA Rule. Further, the complaint alleges that Sanrio’s privacy policy does not accurately reflect Sanrio’s actual information collection and privacy practices, contrary to the requirements of the Amended COPPA Rule, and provides several examples of inconsistencies between the written policy and Sanrio’s actual practices. The CDD used a mobile and web privacy expert to monitor and identify the data flow between user devices (a Motorola Droid 2 and an Apple iPad 2) and the Hello Kitty Carnival app to determine compliance with the Amended COPPA Rule, and attached the expert’s written declaration to the Sanrio Complaint.

In its complaint against Marvel (the “Marvel Complaint”), the CDD asked the FTC to investigate Marvel for operating its Marvelkids.com website in violation of the Amended COPPA Rule. The CDD also requested that the FTC investigate Marvel’s parent company, Disney Corporation, and several third parties collecting information on Marvelkids.com for violating the Amended COPPA Rule. Marvelkids.com (the “Site”) is a child-directed website where children can access content and videos about the Marvel superheroes and play games. The Site also contains ads for children’s toys and games. The Marvel Complaint alleges that Marvel and various third parties, including Google, BlueKai, DataXu, and Turn, collect via the Site, and use and disclose, personal information (including IP addresses and browsing history) of children under 13 through the use of various tracking technologies without providing notice and obtaining verifiable parental consent prior to engaging in such activities, as required by the Amended COPPA Rule. The Marvel Complaint also alleges that the privacy policy for the Site is inadequate, despite the fact that Marvel has been a certified participant in the CARU® Kid’s Privacy Safe Harbor Program since 2009. Lastly, the CDD urges the FTC in the Marvel Complaint to investigate the effectiveness of COPPA safe harbor programs. As with the Sanrio Complaint, the CDD used a mobile and web privacy expert to monitor and identify the data flow between a user’s computer and the Site to determine compliance with the Amended COPPA Rule, and attached the expert’s written declaration to the Marvel Complaint.

Sanrio has not yet commented on the allegations; the Walt Disney Company, however, issued a statement denying the allegations in the Marvel Complaint shortly after it was filed. If found to have violated the Amended COPPA Rule, the accused parties could face civil penalties of up to $16,000 per violation. Is your COPPA compliance house in order? Your Mintz Levin privacy team is here to help!

Written by Julia Siripurapu

The FTC has announced (press release) that it has unanimously approved the knowledge-based authentication method proposed by Imperium, LLC (“Imperium”) as a COPPA-compliant method of obtaining verifiable parental consent (“VPC”). Knowledge-based authentication has been used by entities in the financial services industry to authenticate users for several years. For more information regarding the Imperium VPC solution called ChildGuardOnline™ please see our prior blog post.

As noted in its letter to Imperium, under the Voluntary Commission Approval Process of the COPPA Rule, the FTC will consider for approval new verifiable parental consent methods that are not currently enumerated in Section 312.5(b) of the COPPA Rule, and not a party’s specific implementation of such methods. In fact, if a VPC method is approved by the FTC, the method can be used by any party, not just by the applicant. In its letter to Imperium, the Commission therefore approved knowledge-based authentication as a method that satisfies Section 312.5(b)(1) of the COPPA Rule when “appropriately implemented based on factors including: 1) the use of dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low; and 2) the use of questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”
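The two factors in the Commission’s letter translate directly into implementation decisions, which the following added example makes concrete. It is not Imperium’s ChildGuardOnline code (the letter does not describe that product’s internals); the question bank is constructed for illustration, and the two-attempt lockout is an assumption. With four questions of five options each, and a pass requiring every answer to be right, a child guessing has a 1 in 625 chance; with two yes/no questions the chance would be 1 in 4, which is why the letter insists on both a “reasonable number of questions” and an “adequate number of possible answers”.

```python
import random
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Question:
    prompt: str
    correct: str
    decoys: Sequence[str]


# Constructed sample bank. Real KBA draws on records the parent holds but a child
# in the same household would not know (prior addresses, lenders, loan years);
# pet names or school names would fail the letter's second factor.
SAMPLE_BANK = [
    Question("Which street did you live on in 2005?", "Elm Street",
             ("Oak Avenue", "Maple Road", "Pine Court", "Birch Lane", "Cedar Way")),
    Question("Which lender held your first auto loan?", "Riverbank Finance",
             ("Hilltop Credit", "Summit Motors Credit", "Northwind Bank", "Harbor Lending", "Prairie Trust")),
    Question("In which year did you open your oldest credit card?", "1998",
             ("1994", "1996", "2001", "2003", "2006")),
    Question("Which county issued your driver's license?", "Franklin",
             ("Madison", "Jefferson", "Washington", "Clay", "Monroe")),
    Question("What was the approximate amount of your mortgage?", "$180,000",
             ("$95,000", "$240,000", "$310,000", "$125,000", "$400,000")),
    Question("Which employer appears on your 2010 records?", "Acme Fabrication",
             ("Globex Supply", "Initech", "Vandelay Imports", "Stark Logistics", "Umbrella Holdings")),
]


def guess_probability(num_questions: int, num_options: int) -> Fraction:
    """Chance of passing by pure guessing when every question must be answered correctly."""
    return Fraction(1, num_options) ** num_questions


@dataclass
class Challenge:
    items: List[dict]       # server-side only: prompt, options and answer
    attempts_left: int


def build_challenge(bank: Sequence[Question], num_questions: int, num_options: int,
                    seed: Optional[int] = None, max_attempts: int = 2) -> Challenge:
    """Pick a fresh random subset of questions and shuffle the options (dynamic KBA).

    seed is for reproducible tests only; production uses the OS CSPRNG so that
    question selection and option order cannot be predicted across sessions.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    items = []
    for q in rng.sample(list(bank), num_questions):
        options = [q.correct] + rng.sample(list(q.decoys), num_options - 1)
        rng.shuffle(options)
        items.append({"prompt": q.prompt, "options": options, "answer": q.correct})
    return Challenge(items, max_attempts)


def client_view(challenge: Challenge) -> List[dict]:
    """What is sent to the browser: prompts and options only, never the answer."""
    return [{"prompt": i["prompt"], "options": i["options"]} for i in challenge.items]


def verify(challenge: Challenge, responses: Sequence[str]) -> str:
    """Grade one attempt and return 'pass', 'retry' or 'locked'.

    Every answer must be right, and the result does not say which one was wrong,
    otherwise a child could work through the questions one at a time.
    """
    if challenge.attempts_left <= 0:
        return "locked"
    challenge.attempts_left -= 1
    all_right = len(responses) == len(challenge.items) and all(
        r == item["answer"] for r, item in zip(responses, challenge.items))
    if all_right:
        challenge.attempts_left = 0  # a passed challenge cannot be replayed
        return "pass"
    return "retry" if challenge.attempts_left else "locked"
```

The lockout matters as much as the arithmetic: 1 in 625 is only the single-attempt figure, and a child who can retry indefinitely with a fresh question set each time will eventually get through. Keeping the answers server-side and reporting only pass or fail keeps the per-attempt probability at the computed value.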

Significant compliance obligations with children’s privacy rules! 

Written by Julia Siripurapu, CIPP/US

Last December, the FTC gave us the long-awaited (or maybe not so much by covered entities!) final amendments to the 14-year-old Children’s Online Privacy Protection Act (COPPA) Rule (the “COPPA Rule,” and as amended, the “Amended COPPA Rule”). Published in the Federal Register on January 17th of this year and effective as of July 1st, the Amended COPPA Rule puts in place additional children’s privacy protections and imposes significant compliance obligations on websites and online services (including mobile applications) that collect personal information (including by passively tracking personal information through persistent identifiers, not just by active collection) from children under 13. The Amended COPPA Rule also extends to plug-ins and online advertising services with “actual knowledge” that they are collecting personal information from children under 13. You can access our prior blog posts on the Amended COPPA Rule as well as our compliance guide with the Amended Rule here.

Since July 1, the FTC has been busy educating businesses and consumers on the Amended COPPA Rule and reviewing applications and public comments on verifiable parental consent methods submitted under the Voluntary Commission Approval Process provision of the Amended COPPA Rule and a safe harbor program submitted under the “safe harbor” provision of the Amended COPPA Rule. You can access our blog posts on the various applications here. As of this date, the Commission has not approved the applications submitted this year.

Looking Forward to 2014

If you are covered by COPPA, one of your top resolutions for 2014 should be to make sure that your compliance house is in order. In 2013 the FTC was busy making children’s privacy rules and reviewing applications submitted under the Amended COPPA Rule, and we expect that in 2014 the Commission will be busy monitoring compliance and enforcing these rules. Penalties for violations of the Amended COPPA Rule can be steep and go up to $16,000 per violation. Stay tuned for news on FTC children’s privacy enforcement actions!

In 2014, we will also be monitoring the “Do Not Track Kids Act of 2013” (S. 1700 and H.R. 3481, the “Bill”), introduced in the Senate and House on November 14th by Sens. Ed Markey (D-Massachusetts) and Mark Kirk (R-Illinois) and Reps. Joe Barton (R-Texas) and Bobby Rush (D-Illinois). Senator Markey and Representative Barton introduced a similar bill in 2011, the “Do Not Track Kids Act of 2011” (H.R. 1895), which did not pass.

The Bill has been endorsed by the American Academy of Pediatrics as well as by child advocacy and privacy groups such as the Center for Digital Democracy, Center for Science in the Public Interest, Communications Workers of America, Consumer Watchdog, and Consumers Union.

In a nutshell, the Bill (1) restricts the collection, use, and disclosure of personal information from children under 13 (“children”) and from minors over the age of 12 and under the age of 16 (“minors”) by websites, online applications, mobile applications, and online services, (2) prohibits behavioral advertising to children and minors, and (3) requires covered entities to establish a mechanism that permits the deletion of personal information of children and minors when requested. The Bill would also expand COPPA’s coverage and the FTC’s enforcement authority to telecommunication carriers and broadband Internet access services (as defined in the FCC’s Net Neutrality Order).

Last but not least, as mentioned in our prior blog post on privacy developments in California, we will be tracking preparations for California’s S.B. 568, which addresses the collection and deletion of information posted online by minors under the age of 18 and will be effective January 1, 2015.

Well, the headlines don’t exactly work with the traditional tune, but blame the editor for that…

Written by Jake Romero, CIPP/US

2013 was a busy year for California.  We passed a budget with a surplus, let Kim and Kanye get engaged in one of our stadiums and panicked over possibly losing Sriracha sauce.  At the same time, we also passed a number of significant pieces of legislation related to data privacy, the effects of which will be felt throughout the year.

  • Happy New Year!  Consumer Notification Laws Effective as of January 1, 2014 – “Do Not Track” and Data Breach Notification

Two laws going into effect on the first of the year will require additional notifications to consumers.  The first, A.B. 370, amends Section 22575 of California’s Business and Professions Code to require any operator of an online service to disclose in its privacy policy (1) how it responds to “Do Not Track” signals or similar tools and settings and (2) whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service.

As we discussed earlier this year, the absence of a universal industry standard for “Do Not Track” (which is not defined in the statute) may create pitfalls for unwary online service operators as they attempt to comply with the law’s requirements. A full, clear and accurate description of how an online service interprets Do Not Track signals will likely require significant review and diligence by, among others, that service’s operational and technical managers and support staff. An online service that inaccurately describes its practices in the disclosures required by A.B. 370, or fails to update those disclosures in a timely manner following operational changes, may incur liability for engaging in deceptive practices. On the other hand, a blanket disclosure stating that the service does not honor Do Not Track signals may ward off potential customers and damage the service’s reputation.

Under A.B. 370, online service operators are deemed to have satisfied the requirement to disclose how the service responds to Do Not Track signals (but not the required disclosure regarding tracking by third parties) by linking to a description of a program or protocol that the operator follows and that allows the consumer to exercise choice regarding collection of personally identifiable information. Note that this option is only effective if the operator actually follows and complies with the protocol to which it directs consumers. This may be problematic because many such programs, including the Digital Advertising Alliance’s self-regulatory program (previously discussed here), require that all third-party advertisers on the service be members of the program. An online service operator hoping to take advantage of this option will need to have policies in place to assess compliance on an ongoing basis, including with respect to its third-party advertisers.

The other consumer notification law going into effect is S.B. 46, which expands California’s data breach notification requirements to include incidents involving certain types of online data.  S.B. 46 amends Sections 1798.29 and 1798.82 of the California Civil Code to expand the definition of “personal information” to include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

As we previously discussed, this expansion of California’s notification requirement could significantly increase the number of reportable incidents in two ways. First, California’s data breach notification requirements will apply to many more online service providers, as this type of online account information is commonly collected by websites. Second, websites that only collect online account information may not have the type of robust safeguards and policies that an online service that collects other types of personal information, such as social security numbers, driver’s license numbers or credit card, medical or health insurance information, has already put in place. We recommend that online services that collect “personal information” as defined under that term’s expanded definition review our recommendations for preparing to comply with the new law here.

  • Sector-Specific Regulations Effective as of January 1, 2014 – Medical Information and Customer Electrical or Natural Gas Usage Data

In addition to the generally applicable laws described above, two pieces of industry-specific legislation will also go into effect. A.B. 658 amends Section 56.06 of the California Civil Code, which is part of the “Confidentiality of Medical Information Act” (or “CMIA”). The CMIA prohibits providers of health care or recipients of individually identifiable medical information from using or disclosing medical information for any purpose not necessary to provide health care services to patients, without first obtaining authorization. A.B. 658 will expand the definition of “provider of health care” so that this prohibition will also apply to “[a]ny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual . . .” This change to the CMIA should be of particular concern to mobile application developers and operators. With the use of mobile applications generally on the rise, health care related applications are expected to play a part in promoting wellness and addressing a number of issues, including rural access to health care. However, as compared to the average website, mobile applications typically require a more complex system of third-party service providers that may have access to data, and can be an inherently challenging platform for displaying notices.

As of January 1, we will also see new regulations applicable to businesses that use “smart meter” data. For the past three years, utilities have been prohibited from sharing or disclosing data regarding an individual’s consumption or use of electricity or natural gas without that individual’s prior consent. A.B. 1274 extends this prohibition to non-utility businesses, and requires that such businesses disclose any third parties with whom they share such information and how it will be used. In addition, A.B. 1274 requires businesses to use reasonable security procedures and practices to protect usage data from unauthorized access or disclosure, and to put in place contractual requirements with any third parties who receive usage data requiring those third parties to do the same. A.B. 1274 also requires certain steps to be taken when disposing of usage data, and prohibits businesses from offering incentives to consumers who allow their information to be accessed without prior consent.

  • Looking Ahead – Children’s Privacy Rights

The supporters of the ballot initiative known as the California Personal Privacy Initiative may have dropped their efforts, but we expect that in 2014 California will continue its aggressive push to increase data privacy regulation and enforcement.  We will also be tracking preparations for S.B. 568, which goes into effect on January 1, 2015.  S.B. 568 prohibits operators of online services directed toward minors under the age of 18 (as well as online services not directed toward minors, if the operator of the service has actual knowledge of a minor using the service and advertisements are specifically directed to that minor based on information the minor has provided) from marketing certain products (including alcoholic beverages, firearms, ammunition, spray paint, cigarettes, fireworks, tanning devices, lottery tickets, tattoos, drug paraphernalia and obscene materials).  S.B. 568 also requires that these types of online services permit minors to remove or request the removal of content or information posted by that minor and provide certain specific disclosures regarding deletion of online information.  We discuss S.B. 568 in further detail and provide recommendations for preparing to comply with the new requirements here.

 

 

The month of November is quickly slipping by – this is the time to be looking at the 2014 cybersecurity and data privacy goals and updates and planning ahead.

Our selected bits and bytes for this Monday:

FTC Denies AssertID, Inc.’s Application for Obtaining Verifiable Consent Under the COPPA Rule

The FTC recently announced (press release) that the Commission voted 4-0 to deny AssertID, Inc.’s (“AssertID” or the “Company”) application for a proposed verifiable parental consent (“VPC”) method submitted for approval under the Voluntary Commission Approval Process provision of the COPPA Rule (the “Rule”). The Company submitted its proposed VPC method, ConsentID, for approval on July 1, 2013; the FTC published the application in the Federal Register on August 21; and the public comment period closed on September 20, 2013. The Commission received six comments on the application, and the commenters urged the FTC to deny it, primarily because the proposed method is not “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent,” as required by Section 312.5(b)(1) of the Rule. You can access our prior blog post describing the AssertID VPC method here.

In its letter to AssertID informing the Company of the Commission’s decision, the FTC stated that the Company had failed to show that its proposed VPC method satisfies the criteria of Section 312.5(b)(1). Specifically, the Commission expressed concern about the reliability of the social-graph verification method proposed by AssertID, noting, as the commenters had, that (1) Facebook profiles can very easily be fabricated (according to Facebook’s 10-Q filing, there are 83 million fake Facebook accounts), and (2) many children under 13 have created social media accounts by falsifying their age. In the Commission’s view, AssertID’s limited beta testing of its VPC method was not sufficient to demonstrate that social-graph identity verification will be effective and sufficiently reliable, in a live environment, in verifying that the individual providing consent is in fact the child’s parent. The FTC declined to opine on whether the services that AssertID provides on behalf of website operators as part of the ConsentID service, to satisfy their direct notice obligation under the Rule, indeed satisfy the Rule’s requirements, as the Commission did not consider these services integral to the proposed VPC method.

SCOTUS Declines to Hear Electronic Privacy Information Center’s NSA Surveillance Challenge

The Supreme Court today refused to consider the challenge to the controversial NSA surveillance program filed by the Electronic Privacy Information Center. For more, read Dennis Fisher’s post at threatpost.

Mintz Privacy in the Press

Wall Street Journal – NIST Cybersecurity Framework

http://blogs.wsj.com/riskandcompliance/2013/10/29/obama-meets-ceos-amid-privacy-criticism-of-nist-standards/

Excerpt:  “Lawyers say the document will be highly influential, but some have been raising concerns about the privacy portions of the preliminary framework since its release.

In earlier iterations of the framework, “scant attention” was paid to the need for critical infrastructure organizations to address privacy as part of cybersecurity plans, according to a client alert from Mintz Levin.

“That nod to the importance of privacy has been replaced with a detailed methodology to protect privacy and civil liberties,” the alert said, briefly explaining the changes. “These added standards should receive close attention by industry reviewers.””

Law360 – New PCI-DSS Standards

Payment Card Industry Group Retools Data Security Rules

http://www.law360.com/articles/487487/payment-card-industry-group-retools-data-security-rules

By Allison Grande

Excerpt: “Companies that process credit card data are required to comply with the standard, which is incorporated by reference in every merchant agreement. A failure to comply could expose the merchant to fines imposed by the card brands, the inability to accept a particular brand, or breach of contract claims, according to Cynthia Larose, the privacy and security practice chair for Mintz Levin Cohn Ferris Glovsky & Popeo PC.

While the changes contained in the latest version of the standard “are not dramatic,” the new version “benefits from many clarifications, real-life examples and flexibility built in to enable merchants to meet the intent of the requirements,” Larose told Law360 on Friday.

For example, the new version adds a “best practices for implementing PCI DSS” section that aims to push companies to make compliance “’continuous’ rather than an annual validation exercise.” It also adds guidance for cloud providers and merchants to clarify that there is “shared responsibility” for complying with the requirements, according to Larose.

“The merchant cannot outsource accountability, as it has shared responsibility with the service provider to comply,” she said. “You can outsource the functionality, but you cannot outsource the potential for liability.””

Law360 – Security Flaws Land ACA Contractors In Legal Crosshairs

By Allison Grande

Excerpt:
The report prompted Sen. Orrin Hatch, R-Utah, and others to push legislation that would delay the launch of the exchanges until the government could ensure they had strong protections. But the Internet-based hubs opened for business as scheduled Oct. 1, and their operators have done little in the past month to dispel privacy concerns, according to attorneys.

“We don’t have the information yet to know whether or not the data security risks are real or worse than expected or have been fixed, so our assessment of the privacy risks associated with having so much incredibly sensitive information passing through these systems has not changed since they went live,” said Cynthia Larose, the privacy and security practice chair for Mintz Levin Cohn Ferris Glovsky & Popeo PC.

….Attorneys pointed out that consumers might face an uphill battle in pursuing their claims, given the hurdles plaintiffs have traditionally faced in proving that a loss of sensitive data caused them actual harm.

“It’s been notoriously hard for plaintiffs in data security class actions to maintain their claims, so unless the private cause of action is related to certain information that was compromised, it would be pretty difficult to initiate an action for a breach of the system,” Larose said.

Plaintiffs might also have difficulty pinning liability for the data loss on a responsible entity in the vast web of the exchanges, according to attorneys.

However, some attorneys doubted whether federal and state enforcers would pursue data security violations very aggressively, given their close ties with the exchanges.

“The question becomes, who regulates the regulator?” Larose said.

The FTC has announced (press release) that, as a result of the recent shutdown of the agency, the Commission has voted unanimously to extend the public comment periods for two recent proposals under the COPPA Rule. Specifically, the public comment period for the verifiable parental consent solution proposed by Imperium, LLC (“Imperium VPC Method”), scheduled to end on October 9 of this year, and the public comment period for the kidSAFE Seal Program proposed by Samet Privacy, LLC under the “safe harbor” provision of the COPPA Rule (“kidSAFE Seal Program”), scheduled to end on October 18 of this year, have both been extended until November 4. The FTC’s 120-day period to review proposed verifiable parental consent programs has also been extended.

Please click here to access our blog post on the Imperium VPC Method and here to access our blog post on the kidSAFE Seal Program.