Sunday, December 14, 2008

Self Inflicted Wounds

Massive data security breaches get lots of headlines, which makes sense, since big numbers (e.g., 94 million records stolen) are an easy way to capture attention. Similarly, security breaches also come with a built in and easily understandable storyline - hackers from somewhere breached the (usually poorly implemented or obsolete) defenses of some large company, exposing large numbers of innocent consumers to an increased risk of losing money due to various forms of fraud. However, while security breaches generate easy headlines and narratives, it's important to remember that, totally independent of hackers, companies can get in trouble for improperly collecting or exploiting user data.

The newest object lesson on this point is Sony, which has agreed to pay a $1,000,000 penalty to settle charges that it violated the Children's Online Privacy Protection Act and section 5 of the FTC act (FTC press release here, via this story from Computer World). The upshot of the complaint filed by the FTC was that Sony knowingly obtained personal information from at least 30,000 children without their parents' consent (alleged COPPA violation) and falsely stated that it restricted children under the age of 13 from participating in Sony's online activities (alleged FTC act violation). Thus, it was Sony's websites functioning for their intended purpose, not hackers, that hurt Sony in this case.

So how can companies avoid being in the position to pay seven figure settlements? My recommendation is to talk to a lawyer in the area who knows what he/she is doing, and to have that lawyer stay in contact with the marketing people who are responsible for the design and operation of a website. The staying in contact part can be particularly important. For example, as shown in the Gateway Learning case, even if a company is acting properly when an information collection program is first launched, changes made later on (e.g., starting to sell consumer data in violation of a privacy policy that said consumer data would not be sold) can expose a company to liability. My guess is that something similar happened with Sony, where the lawyers were probably consulted early in the process, but, later on, changes were made which weren't run by the lawyers first. Hopefully, settlements like Sony's will provide an incentive for other companies not to follow that same path.

No comments: