Massive data security breaches get lots of headlines, which makes sense, since big numbers (e.g., 94 million records stolen) are an easy way to capture attention. Similarly, security breaches also come with a built-in and easily understandable storyline - hackers from somewhere breached the (usually poorly implemented or obsolete) defenses of some large company, exposing large numbers of innocent consumers to an increased risk of losing money through various forms of fraud. However, while security breaches generate easy headlines and narratives, it's important to remember that, totally independent of hackers, companies can get in trouble for improperly collecting or exploiting user data.
The newest object lesson on this point is Sony, which has agreed to pay a $1,000,000 penalty to settle charges that it violated the Children's Online Privacy Protection Act and Section 5 of the FTC Act (FTC press release here, via this story from Computer World). The upshot of the complaint filed by the FTC was that Sony knowingly obtained personal information from at least 30,000 children without their parents' consent (alleged COPPA violation) and falsely stated that it restricted children under the age of 13 from participating in Sony's online activities (alleged FTC Act violation). Thus, it was Sony's websites functioning for their intended purpose, not hackers, that hurt Sony in this case.
So how can companies avoid being in the position of paying seven-figure settlements? My recommendation is to talk to a lawyer in the area who knows what he/she is doing, and to have that lawyer stay in contact with the marketing people who are responsible for the design and operation of a website. The staying-in-contact part can be particularly important. For example, as shown in the Gateway Learning case, even if a company is acting properly when an information collection program is first launched, changes made later on (e.g., starting to sell consumer data in violation of a privacy policy that said consumer data would not be sold) can expose a company to liability. My guess is that something similar happened with Sony, where the lawyers were probably consulted early in the process, but, later on, changes were made which weren't run by the lawyers first. Hopefully, settlements like Sony's will provide an incentive for other companies not to follow that same path.
Sunday, December 14, 2008
Monday, December 10, 2007
Children's Online Privacy Protection Act Enforcement in Texas
As described in this article from Computer World, the Texas attorney general has sued two web sites for violations of the Children's Online Privacy Protection Act (COPPA). According to the article, the two sites collected personal information from children under the age of 13 without obtaining sufficient verification of parental consent, and without giving the children the opportunity to review or pull back the data.
There are two things I find particularly interesting about the article. First, this article is another demonstration (to me) that law enforcement in Texas is taking its responsibilities regarding individual privacy relatively seriously. As described previously here, this year the Texas attorney general has repeatedly brought suit based on violations of privacy law, for example, for improper disposal of customer records. Thus, the actions by the Texas attorney general show what can be done if state law enforcement is willing to take an active role. The second thing I found interesting about the article was that it stated that this enforcement action by the Texas attorney general was the first to be brought under COPPA. COPPA was passed in 1998. To me, that shows just how far we have to go in terms of actually enforcing even the (relatively minimal) privacy protections that the law does provide.