E. Maine Enacts Law to Restrict Marketing to

Harry A. Valetk, a New York City Internet safety and consumer privacy attorney, believes ambiguities in the law pose some challenges. For example, does the law prohibit any Maine resident under age 18 from receiving materials about college prep services or military service?³⁸ Also, although Facebook bars minors age 12 and younger from using the site, it requires all users to agree to terms that consent to Facebook collecting some of their personal information. The Maine law could require Facebook to alter how it treats the personal information of many of its teenage users.

The law authorizes the Maine Attorney General’s Office to establish procedures for investigating alleged violations. A person about whom information is unlawfully collected can seek an injunction prohibiting the collection and recover damages up to $250 per violation. Civil penalties may also be assessed.
F. Google Has Up and Down Battle in AdWords

Lawsuits

Lawsuits against Google Inc. accusing the company of selling trademarked keywords that affect the display of advertisements have become more popular after an April 2009 court ruling, but Google has stepped up its defense of the accusations. Known as AdWords suits after the name of Google’s targeted advertising program, plaintiffs claim that Google’s sale of trademarked keywords constitutes infringement because Google users who search for a particular term could then be shown competitors’ ads alongside results for the trademarked name.³⁹

Google suffered a setback in April when the Second Circuit reinstated Rescuecom Corp.’s AdWords case that a district court had dismissed. ⁴⁰ Rescuecom alleged violations under §§ 32 and 43 of the Lanham Act, 15 U.S.C. §§ 1114, 1125, for trademark infringement, false designation of origin, and dilution of Rescuecom’s eponymous trademark. The reversal inspired several more lawsuits, so that there were at least seven pending AdWords cases as of early August.⁴¹ However, in response to a class action complaint filed by John Beck Amazing Profits LLC in federal court in Texas seeking to represent all trademark owners who have had their words sold,⁴² Google countersued, seeking a declaration that its practices do not infringe on trademarks.⁴³

Eric Goldman, a Santa Clara University School of Law professor who follows the AdWords litigation on his Technology & Marketing blog, said the plaintiffs face a difficult battle in proving trademark infringement, including having to combat Google’s extensive financial resources to defend the suits. In addition to the other elements of infringement, Goldman said plaintiffs will have to show that consumers were confused by the appearance of the ad next to a search term so that they believed the two companies were connected.⁴⁴ Google scored victories in July 2009 when Daniel Jurin⁴⁵ and Ascentive,⁴⁶ a software company, dropped their AdWords suits.⁴⁷

The FTC’s proposal to monitor blogs raises questions about what constitutes an advertisement, the extent to which a reviewer must disclose a relationship with a company, and how far the agency will go to police online reviews and advertisements. Specific enforcement measures were not included in a draft of the guidelines published in November 2008. Some bloggers are concerned that even a casual mention of a product could grab the agency’s attention. Cleland said that the FTC would most likely rely on Internet users to judge what constitutes fair disclosure in lieu of spelling out specific requirements.⁵⁰ A final version of the guidelines could be approved by the end of 2009.

The guidelines would extend beyond basic reviews on blogs to cover affiliate marketing, in which bloggers and other Web sites get a commission when a user clicks on a link that leads to a purchase on a retailer’s site. In addition, arrangements where advertisers pay users of Twitter to post short items would also need to be disclosed.⁵¹

The FTC’s attempt to monitor the content of online reviews contrasts with the media industry, in which newspapers and broadcasters have traditionally self-policed their employees by prohibiting the acceptance of free products in exchange for reviews. However, just as a blogger needs to have used a product in order to write an informed review, some blurring of this ethical line may be unavoidable, such as when a film critic attends a free advance screening of a movie’s widespread release.

Certain law firms with individual clients, such as matrimonial and trust and estate clients, who bill at the end of a period rather through an initial retainer, were scheduled to be covered by the rule.⁵⁵ The American Bar Association in July threatened to file a lawsuit seeking to have lawyers exempted from the rule on the grounds that compliance would be burdensome and establish a precedent for federal agencies to set other requirements for lawyers.⁵⁶ At the time of the threatened litigation, the rule was set to take effect on Aug. 1, 2009. ABA President H. Thomas Wells Jr. called the delay to November a “temporary reprieve,” but said the ABA will continue to lobby Congress to permanently exempt lawyers from the rule.⁵⁷

A creditor is any entity that regularly extends, renews, or continues credit. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies. If non-profit and government entities defer payment for goods or services, they are also considered creditors. Accepting credit cards as payment does not, by itself, make an entity a creditor.

The FTC says the rule was designed to be risk-based so that the complexity of an entity’s program would be proportional with the identity theft risk it encounters. The Commission suspects that most high-risk entities, such as financial institutions, already take steps to minimize losses due to fraud. It estimated nearly 270,000 high-risk entities and 1.6 million low-risk entities will be subject to the rule. According to the same estimates, high-risk entities can create and implement a written program in 25 hours while those at low-risk should be able to develop a streamlined program in about an hour.⁵⁸

To aid low-risk entities in the process, the FTC developed a model six-page policy in PDF format. A template of the model policy is available at www.ftc.gov/redflagsrule and by clicking on the “Create Your Program” tab.⁵⁹ A company must identify red flags, describe how the flags will be detected, offer a planned response when flags are found and describe how relevant staff will be trained to implement the program. A board of directors or senior-level employee must approve the program, which is required to be updated periodically.

Failure to comply with the rules can lead to civil penalties, such as monetary sanctions and enforcement action by the FTC. However, the FTC said it is unlikely to bring action against entities that “know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.”⁶⁰

In addition to the national data breach notification provision, the bill seeks to stiffen criminal penalties for identity theft by adding intentional access of a computer without authorization to the definition of racketeering under 18 U.S.C. § 1961(1) and requiring the U.S. Sentencing Commission to revisit its sentencing guidelines for identity theft crimes. The bill would give individuals access to any personal information held by commercial data brokers and impose penalties on government contractors who fail to meet data privacy and security requirements.

Rep. Bobby Rush (D-Ill.), chairman of the Subcommittee on Commerce, Trade, and Consumer Protection, introduced the Data Accountability and Trust Act, H.R. 2221, 111th Cong. (2009), on April 30. The bill is similar to the Personal Privacy and Security Act in its data protection and security requirements for businesses or entities that possess personal information. In addition, this version authorizes the FTC to require a standard method for destroying obsolete non-electronic data.

In addition, HHS also specified that covered entities who secure health information through encryption or destruction are exempt from the notification requirement if a breach does occur. This portion of the regulations was developed in response to public comment received from an April 2009 request⁶⁸ and after HHS consulted with the FTC, which has issued breach notification regulations that apply to vendors of personal health records and other entities not covered by HIPAA.⁶⁹ The regulations include other exemptions. For example, the definition of a breach is limited to instances where information is used or disclosed in a manner inconsistent with HIPAA. If the access to information is unauthorized, but use of the information does not violate HIPAA, it is not considered a reportable breach.⁷⁰

The regulations preempt contrary state laws, but HHS noted this only occurs when it is impossible to comply with both a state notification law and the HIPAA notification regulations. The regulations will become effective 30 days after publication in the Federal Register. HHS has said that it will not impose sanctions for violations during the first six months after the regulations take effect.⁷¹ Instead, HHS will work with the covered entities to bring them into compliance.
D. Supreme Court Requires a ‘Knowing Theft’ for

Aggravated Sentence

The Supreme Court on May 4 ruled unanimously that federal prosecutors must prove a defendant knew a stolen identity belonged to an actual person in order to secure a conviction for aggravated identity theft. ⁷² The Court rejected the government’s argument that it merely needed to show an offender knew he used an identity other than his own. The decision in Flores-Figueroa v. United States clarifies how the Identity Theft Penalty Enforcement Act⁷³ should be interpreted. The statute imposes a mandatory consecutive two-year prison term upon those convicted of certain crimes if, during the crime, the offender “knowingly transfers possesses, or uses, without lawful authority, a means of identification of another person.” The law applies to such predicate crimes as theft of government property, fraud and activities related to passports, visas and immigration.

The defendant in the case, Ignacio Flores-Figueroa, is a Mexican citizen who worked illegally at an Illinois steel plant. To gain employment, Flores-Figueroa first used a false name and Social Security number, one that did not belong to another person. He later wanted to use his real name and gave his employer counterfeit Social Security and alien registration cards bearing numbers assigned to real people. Customs officials discovered the discrepancy and charged Flores-Figueroa with entering the United States without inspection, 8 U.S.C. § 1325(a), and misusing immigration documents, 18 U.S.C. § 1546(a), in addition to aggravated identity theft.

In his majority opinion, Justice Stephen G. Breyer wrote that the case should be decided by applying “ordinary English grammar” to the text of the law, which applies “knowingly” to all of the elements of the crime that follow.⁷⁴ Interpreting the statute that way avoids subjecting offenders to additional penalties for liability that turns on chance. Justice Samuel A. Alito Jr., in his concurring opinion, considered a defendant who chooses a Social Security number at random. “If it turns out that the number belongs to a real person,” Alito wrote, “two years will be added to the defendant’s sentence, but if the defendant is lucky and the number does not belong to another person, the statute is not violated.”⁷⁵

The Obama administration previously announced plans to target employers who knowingly hire workers who are in the country illegally rather than arrest the workers for eventual deportation.⁷⁸ In a sign of furthering this strategy, U.S. Immigration and Customs Enforcement (ICE) announced on July 1 that it issued notices of inspection to 652 businesses nationwide.⁷⁹ ICE issued 503 similar notices during the entire previous fiscal year. The notices alert business owners that ICE will be inspecting their hiring records to determine whether or not they are complying with employment eligibility and verification laws and regulations.

The Employment Eligibility Verification and Anti-Identity Theft Act would require an employer to take certain measures after receiving official notice that an employee’s name and social security number does not match Social Security Administration records.⁸⁰ The bill, introduced by Rep. Elton Gallegly (R-Calif.), proposes that once an employer receives official notice about such a discrepancy, the employer has to verify employment eligibility within three business days through a system established by the Secretary of Homeland Security.

The ultimate responsibility to verify proper documentation would fall on the worker, but the proposal requires an employer to terminate an employee once a final notice of non-verification is received. An employer could be found to violate the Immigration and Nationality Act, 8 U.S.C. § 1324a(a)(1)(A), for not dismissing the worker. The bill is co-sponsored by nineteen Republicans.
E. Social Security Numbers Can Be Guessed
Researchers at Carnegie Mellon University concluded that it is relatively easy to figure out the precise nine digits of a person’s Social Security number. Many numbers can be accurately predicted by knowing a person’s birth data, the researchers found in the study published in the Proceedings of the National Academy of Sciences.⁸¹

Alessandro Acquisti and Ralph Gross relied on publicly available information for their study, principally what is known as the “Death Master File.” The file lists the SSNs, dates of birth and death, and the states of application for all individuals whose deaths have been reported to the Social Security Administration (SSA). Acquisti and Gross also used data from social networking sites, where users often list their place of birth and birth date in their profile.

Those born after 1988 – when the government altered its practice and began issuing numbers at birth – are the most susceptible to having their numbers discovered because of the method used to assign SSNs, according to the study. Among people born from 1989 to 2003, the researchers identified the first five SSN digits for 44 percent of individuals on a single attempt. They got all nine digits correct for 8.5 percent of those people in fewer than 1,000 attempts.

Acquisti and Gross set out to exploit what is known about how SSNs are assigned. The first three SSN digits are called its “area number” and are assigned based on the zip code of the mailing address provided on the application form. The next two digits are its “group number,” which transitions slowly and often remains constant in a given region over a number of years. As a result, applicants in the same state born on consecutive days are likely to have the same first four or five digits. The last four digits are its “serial number” and are assigned sequentially.

The study found that the SSN assignment scheme discriminates against younger individuals born in less populous states by exposing them to a higher risk of identity theft. For example, the study accurately predicted the first five digits of two percent of California records with 1980 birthdays, and 90 percent of Vermont records with 1995 birthdays.


1. Changes to SSNs
The identity theft risks SSNs now pose could not have been foreseen when the system was devised in the 1930s, but measures to further protect the numbers are in the works. For reasons unrelated to the report, the SSA is in the process of developing a system to randomly assign the numbers that it expects to be in place in 2010.⁸² Earlier this year, Sen. Dianne Feinstein (D-Calif.) and Rep. Rodney Frelinghuysen (R-N.J.) introduced legislation that would prohibit the display, sale, or purchase of Social Security numbers without consent, and would bar businesses from requiring people to provide their number.⁸³