California AG Reports on Data Breaches
In a new report, California Attorney General Kamala Harris revealed that 2.5 million state residents were the victims of a data breach in 2012, with the average breach involving the personal information of 22,500 individuals.
The report details the 131 data breaches reported last year, the first in which companies were required to report breaches to the AG’s office. Although California enacted the first data breach notification law in 2003 which mandated that businesses and state agencies notify state residents when their personal information is compromised, an amendment took effect in 2012 that required covered entities to report to Harris’s office a breach involving more than 500 Californians.
Based on the first year of numbers, Harris said the retail industry suffered the most data breaches with 34, followed by finance and insurance, each with 30 breaches. Five breaches involved the personal information of 100,000 or more individuals, while more than half of all breaches included Social Security numbers, which the report said “pose the greatest risk of the most serious types of identity theft.” More than half – 55 percent – of the breaches were caused by unauthorized users or intentional intrusions; the rest were a result of lackadaisical security measures.
“Data breaches are a serious threat to individuals’ privacy, finances and even personal security,” Attorney General Harris said in a statement. “Companies and government agencies must do more to protect people by protecting data.”
To that end, the report also made recommendations for improving data security, particularly the use of encryption. While California law does not mandate encryption, entities that encrypt data for transmission are protected by a safe harbor in the event of a breach. But the report said this incentive was not motivating enough covered entities. The report concluded that had companies encrypted data during transmission, 1.4 million Californians would not have had their information revealed (28 percent of all breaches).
Therefore, Harris suggested updating the data breach law to require the use of encryption for personal information in transit.
“It is my strong recommendation that companies and agencies implement encryption as a basic protection and reasonable security measure to help them meet their obligation to safeguard personal information entrusted to them.”
Other recommendations included that companies should review and tighten security controls on personal information, offer mitigation products or provide information about a “security freeze” to breach victims, and improve breach notices to make them easier for consumers to read. According to the report, the average reading level of the notices provided to consumers was 14th grade – higher than the average U.S. reading level of 8th grade. “Recipients need to be able to understand the notices so that they can take appropriate action to protect their information,” Harris said.
The AG also threw her support behind SB 46, legislation that would broaden notification requirements to breaches involving a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
To read the 2012 California Breach Report, click here.
Why it matters: AG Harris noted that the issuance of the report is not required by state law, but she chose to make the information public – including a list of all entities that suffered a data breach – in part to make recommendations about how to improve data security. In addition, Harris announced her support not only for best practices and more help for consumers, but also for law enforcement “to more aggressively target breaches involving unencrypted personal information” and legislation that would expand notification requirements.
back to top
Mobile Carriers Must Protect Consumer Data, FCC rules
In a declaratory ruling, the Federal Communications Commission called upon mobile carriers to protect the information collected about mobile consumers, including the phone numbers a customer has called and received calls from, the duration of the calls, and the location at the beginning and end of each call.
While carriers are allowed to collect such information – and use it to improve their own networks or provide customer support – the data is vulnerable to acquisition by others, the FCC said. Absent the adoption of adequate security safeguards, such personal information “can be disclosed to third parties without consumers’ knowledge or consent,” the agency cautioned.
The ruling clarified the agency’s position about whether Section 222 of the Communications Act applies to customer proprietary network information (“CPNI”) on mobile devices; the provision already applies to consumers’ landline data and VOIP. Section 222 contains “three fundamental principles to protect all consumers,” according to the ruling: “(1) the right of consumers to know the specific information that is being collected about them; (2) the right of consumers to have proper notice that such information is being used for other purposes; and (3) the right of consumers to stop the reuse or sale of that information.”
The FCC concluded that data collected by mobile carriers may constitute CPNI, and therefore, the existing requirements of Section 222 apply. The ruling emphasized that no new obligations were imposed on carriers.
“For example, Section 222(a) of the Act provides that ‘Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to…customers,’ Section 222(c)(1)’s restriction on ‘disclos[ure]’ of ‘individually identifiable’ CPNI would appear to make carriers liable for inadvertent disclosures,” the agency wrote. “Such obligations apply equally to CPNI that carriers collect via their customers’ devices.”
The agency dismissed concerns from carriers that Section 222 was “too rigid or outdated” to apply to mobile devices, and shot down an argument that the defense of location data would be a burden on carriers because it warrants different protections.
Carriers also lost their fight to be governed by industry-developed best practices or codes of conduct. The FCC stated that it must fulfill its statutory responsibilities to enforce the Communications Act. According to the ruling, “Although we welcome these other complementary initiatives, none of them is a substitute for the Commission.”
Non carrier, third-party app developers escaped coverage under the ruling, which was limited strictly to mobile carriers. And the agency’s oversight does not appear to extend to other data transmitted by carriers, like text messages and e-mail.
To read the FCC’s declaratory ruling, click here.
Why it matters: The FCC’s declaratory ruling demonstrates the interest of yet another federal agency focused on mobile privacy issues, following the Federal Trade Commission and the Commerce Department’s National Telecommunications and Information Administration. Mobile carriers should take note of the ruling, which included a warning from the FCC that enforcement action is possible in the event a carrier fails to take reasonable precautions and causes a compromise of personal information on a device.
back to top
FTC Targets Mortgage Relief Scam
Seven companies and three individual defendants are facing a restraining order after the Federal Trade Commission filed suit, alleging they “preyed” on distressed homeowners by peddling a deceptive mortgage relief scheme.
Using an “official looking mailer,” television and radio ads, and telemarketing calls, the defendants told homeowners over the last three years that for $2,000 to $4,000 they could help them avoid foreclosure with lower monthly payments and interest rates or conversion from an adjustable-rate to a fixed-rate mortgage. But according to the agency’s complaint, the defendants took the up-front fees and then delivered “little or no help.” As a result, victims were driven even deeper into debt.
In addition to mortgage adjustments, the Web sites offered bankruptcy advice, credit counseling, and “forensic mortgage audits” that could be used “to gain leverage in a successful loan modification.” They promised results within 60 to 90 days and claimed that the mortgage payments of “thousands of homeowners” have been reduced by 30-60 percent. Their mailer warned that “YOU MAY FORFEIT LEGAL RIGHTS IF YOU DO NOT TAKE PROMPT ACTION” and “WE CAN HELP SAVE YOUR HOME.”
The agency alleged that the defendants – Apex Solutions, Inc., William D. Goodrich, Attorney, Inc., A to Z Marketing, Inc., Apex Members, LLC, Backend Inc., Expert Processing Center, Inc., and Smart Funding Corp., as well as individuals Ratan Baid, Madhulika Baid, and William D. Goodrich – violated Section 5 of the FTC Act and ran afoul of the Mortgage Assistance Relief Services Rule, which prohibits up-front fees until homeowners have in hand a written offer from a lender or mortgage servicer.
A federal court judge in California found good cause to believe “immediate and irreparable harm will result from defendants’ continuing violations.” He halted defendants’ operations and froze their assets pending trial.
To read the complaint in FTC v. A to Z Marketing, click here.
To read the temporary restraining order, click here.
Why it matters: The agency has been aggressive in using its new powers under the Mortgage Assistance Relief Services Rule to prosecute alleged scams targeting distressed homeowners. Last year, the FTC announced a partnership with the Consumer Financial Protection Bureau to fight deceptive and misleading mortgage advertisements and sent more than 30 warning letters. And just last month, the agency announced a $7.5 million fine, the largest civil fine ever collected by the agency for alleged violations of the Telemarketing Sales Rule, in a suit where the FTC said the defendant scammed service members with misleading mortgage claims.
back to top
Settlements Over “Work From Home” Scam and Security Failure
The Federal Trade Commission reached two settlement agreements this week in suits alleging deceptive conduct.
In the first group of cases, the agency reached a deal with 20 corporate and individual defendants that promised to help consumers launch online businesses in “work from home” scams. According to the FTC, beginning in 2006, the defendants offered to build and host Web sites for fees from $100 to $400, so consumers could receive commissions when people clicked through their sites to make purchases at major retail sites like Best Buy. They promised profits of $3,000 to $20,000 per month.
Using Web site marketing and telemarketing, the defendants also offered to provide marketing expertise, the agency said. But instead of guidance, the marketing coach tried to upsell various services such as an advertising package intended to promote the consumer’s site, for an additional $5,000 to $20,000.
The defendants failed to fulfill their promises, the agency said, and are now subject to a ban on selling work-at-home business opportunities. They were prohibiting from committing future violations of the Telemarketing Sales Rule and from misrepresenting material facts about products or services. Suspended money judgments of $17.9 million were levied against each defendant, pending the surrender of frozen funds.
In the second settlement, the FTC approved a final order settling charges that HTC America, Inc. failed “to take reasonable steps to secure the software it developed for its smartphones and tablet computers by introducing security flaws that placed sensitive information about millions of consumers at risk.”
In February, the agency said HTC violated Section 5 of the FTC Act because it neglected to review or test its software on the mobile devices to detect potential security vulnerabilities, it failed to provide its engineering staff with adequate training on security issues, it failed to follow well-known and commonly accepted secure coding practices, and it failed to formulate a process for handling security problems when the company received reports about vulnerabilities.
Under the terms of the settlement, HTC agreed to develop and release software patches to fix the vulnerabilities found in millions of devices, providing users with “clear and prominent notice” about the availability of the patches and instructions on how to install them. A comprehensive security program must also be established and maintained by the Washington-based defendant. The proposed agreement was published in the Federal Register and open for public comment.
After reviewing the comments – and providing copies of letters to five commenters on the settlement, including Adam Browning of California, who suggested that HTC “offer a full refund to the defrauded customers, and a nice chunk of change to compensate everyone for their troubles, not to mention wasted time” – the agency said it had determined that “the public interest would best be served” by not making any modifications to the settlement.
To read the complaint and stipulated final orders in the “work from home” cases, click here.
To read the complaint, stipulated final order, and letters from the FTC to commenters on the HTC settlement, click here.
Why it matters: The two settlements reflect the spectrum of enforcement actions taken by the FTC, from more traditional deceptive marketing scams – albeit in the context of the Internet – to a first-of-its-kind agreement by a defendant to provide security patches for software glitches. The case against HTC also reminds companies about the agency’s focus on data security and privacy in the mobile ecosystem, an issue clearly on the FTC’s radar.
back to top
Kraft Cheese Wins Injunction Against Cracker Barrel Meat
Confused by cheese? You may not be alone. U.S. District Court Judge Robert W. Gettleman granted Kraft Foods a preliminary injunction on July 1 that blocks Cracker Barrel Old Country Store restaurant from making, marketing, or selling a new line of hams and other meats.
Kraft filed a trademark infringement suit against Cracker Barrel, alleging that consumers would be confused by the restaurant chain’s about-to-launch line of retail products – including ham, bacon, lunch meat, glazes for meat, jerky, and summer sausage – since Kraft has been selling cheese under the “Cracker Barrel” trademark since 1957. Today it has more than 20 cheese products.
Cracker Barrel Old Country Store, or CBOCS, was established in 1969 and has 620 locations around the country. Although CBOCS’ products are not identical to Kraft’s cheese, the court said that the products were “complementary to and in close proximity” to each other and the distance between the dairy case and meat section was not sufficient to eliminate consumer confusion.
Because Kraft need only show that it had a “better than negligible” chance of success on the merits, Judge Gettleman found that the company “is likely to prevail on the merits of its trademark infringement and unfair competition claims.” Kraft’s mark “is indisputably strong,” he noted, with annual sales in excess of $130 million and a presence in more than 16,000 stores across the country.
The marks themselves are not identical – the font and style of the packaging text is different and the Cracker Barrel mark includes a pictorial representation of a barrel and a figure of “Uncle Herschel.” But the court found enough similarity that a “consumer who views the Kraft mark briefly in the dairy section of the grocery store and subsequently views the CBOCS mark in the deli or meat section of the same store may not distinguish between the two brands.”
Judge Gettleman focused on the “somewhat complementary nature” of the products. CBOCS contracted with John Morrell to sell a line of meats, including whole hams. It argued that whole hams and snacking cheeses are not served together and therefore not complementary. But the court said other items in the line, like deli meats, are complementary to cheese, finding “a substantial risk that consumers will believe Kraft cheese and CBOCS licensed meats come from the same source.”
The intended markets for the products overlap, as CBOCS planned to sell its meat products in nationwide grocery stores and the placement of various CBOCS branded food items would contribute to consumer confusion (food products in the refrigerated meat section and gift cards in the checkout area). Retailers will likely add to the problem, as Kraft provided evidence that some stores describe the CBOCS products simply as “Cracker Barrel” without more detail.
Judge Gettleman also relied upon national survey evidence presented by Kraft, which found an 18.8 percent confusion rate among consumers. Although CBOCS presented its own evidence, the court said it was “not convinced” by the defendant’s survey because it was conducted primarily in locations with a heavy CBOCS presence and not on a national scale.
Finally, the court determined that the release of the CBOCS products would result in irreparable harm to Kraft, as its Cracker Barrel brand “will be overwhelmed and diluted.” Any potential harm to CBOCS and John Morrell would not outweigh the potential damage to Kraft, Judge Gettleman wrote, and the public interest would be served by keeping the marketplace free of confusion.
CBOCS’ argument that Kraft acquiesced to its expansion into food products was without merit, he added. Acquiescence cannot be inferred by a failure to object, the court said, particularly where CBOCS’ initial expansion was limited to its own restaurants, stores, Internet site, and catalog. Only CBOCS gift cards were sold in grocery stores, and those are redeemable only in Old Country stores and restaurants.
“This limited encroachment is not sufficient to demonstrate that Kraft acquiesced in CBOCS’ expansion of food products into retail grocery stores,” Judge Gettleman concluded.
Therefore, the court enjoined CBOCS (and John Morrell) “from manufacturing, advertising, distributing, shipping, promoting, offering for sale, selling or licensing third parties…to use the Cracker Barrel mark on food products in retail or wholesale trade other than through CBOCS’ traditional trade channels consisting of CBOCS’ restaurants, adjoining CBOCS stores, CBOCS catalogs, CBOCS’ Internet sites, and CBOCS gift cards as currently distributed.”
To read the court’s preliminary injunction order in Kraft Foods v. Cracker Barrel, click here.
Why it matters: In a statement to USA Today, Cracker Barrel said it plans to appeal the ruling. “While we respect the court’s ruling, we will explore all of our legal options, including a possible appeal of the preliminary injunction,” according to the statement. “We continue to stand firm in our belief of the merits of our case. We are convinced the marketplace understands and recognizes the differences in the Cracker Barrel Old Country Store brand and Kraft’s Cracker Barrel cheese. We are not selling cheese or any cheese-related products.” The company faces an uphill battle as Judge Gettleman already predicted a victory for Kraft, finding that the company “is likely to prevail on the merits of its trademark infringement and unfair competition claims.”
back to top