From pli’s Course Handbook Communications Law in the Digital Age 2009


E. Maine Enacts Law to Restrict Marketing to



Download 445.44 Kb.
Page2/10
Date20.10.2016
Size445.44 Kb.
#6112
1   2   3   4   5   6   7   8   9   10

E. Maine Enacts Law to Restrict Marketing to

Minors
Maine has enacted a law that places limits on the collection of minors’ personal information and outlaws the use of such information for marketing purposes.37 The Act to Prevent Predatory Marketing Practices Against Minors was set to take effect on Sept. 1, 2009. Section 9552 of the law prohibits knowingly collecting or receiving “health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent.” Section 9553 prohibits using any “health-related information or personal information regarding a minor for the purpose of marketing a product or service to that minor.”

Harry A. Valetk, a New York City Internet safety and consumer privacy attorney, believes ambiguities in the law pose some challenges. For example, does the law prohibit any Maine resident under age 18 from receiving materials about college prep services or military service?38 Also, although Facebook bars minors age 12 and younger from using the site, it requires all users to agree to terms that consent to Facebook collecting some of their personal information. The Maine law could require Facebook to alter how it treats the personal information of many of its teenage users.

The law authorizes the Maine Attorney General’s Office to establish procedures for investigating alleged violations. A person about whom information is unlawfully collected can seek an injunction prohibiting the collection and recover damages up to $250 per violation. Civil penalties may also be assessed.
F. Google Has Up and Down Battle in AdWords

Lawsuits

Lawsuits against Google Inc. accusing the company of selling trademarked keywords that affect the display of advertisements have become more popular after an April 2009 court ruling, but Google has stepped up its defense of the accusations. Known as AdWords suits after the name of Google’s targeted advertising program, plaintiffs claim that Google’s sale of trademarked keywords constitutes infringement because Google users who search for a particular term could then be shown competitors’ ads alongside results for the trademarked name.39

Google suffered a setback in April when the Second Circuit reinstated Rescuecom Corp.’s AdWords case that a district court had dismissed. 40 Rescuecom alleged violations under §§ 32 and 43 of the Lanham Act, 15 U.S.C. §§ 1114, 1125, for trademark infringement, false designation of origin, and dilution of Rescuecom’s eponymous trademark. The reversal inspired several more lawsuits, so that there were at least seven pending AdWords cases as of early August.41 However, in response to a class action complaint filed by John Beck Amazing Profits LLC in federal court in Texas seeking to represent all trademark owners who have had their words sold,42 Google countersued, seeking a declaration that its practices do not infringe on trademarks.43

Eric Goldman, a Santa Clara University School of Law professor who follows the AdWords litigation on his Technology & Marketing blog, said the plaintiffs face a difficult battle in proving trademark infringement, including having to combat Google’s extensive financial resources to defend the suits. In addition to the other elements of infringement, Goldman said plaintiffs will have to show that consumers were confused by the appearance of the ad next to a search term so that they believed the two companies were connected.44 Google scored victories in July 2009 when Daniel Jurin45 and Ascentive,46 a software company, dropped their AdWords suits.47


G. FTC Seeks to Monitor Blogs for Endorsements
The FTC has proposed guidelines that would enable the agency to go after bloggers for false advertisements for failing to disclose conflicts of interest, such as being paid or receiving a free product in exchange for writing a review.48 The FTC is concerned that many consumers may not realize that online authors of product reviews are being compensated for their opinions. This knowledge could affect whether to buy an item or guide how much credibility to give an endorsement. “If you walk into a department store, you know the (sales) clerk is a clerk,” said Rich Cleland, assistant director in the FTC’s division of advertising practices. “Online, if you think that somebody is providing you with independent advice and . . . they have an economic motive for what they’re saying, that’s information a consumer should know.”49

The FTC’s proposal to monitor blogs raises questions about what constitutes an advertisement, the extent to which a reviewer must disclose a relationship with a company, and how far the agency will go to police online reviews and advertisements. Specific enforcement measures were not included in a draft of the guidelines published in November 2008. Some bloggers are concerned that even a casual mention of a product could grab the agency’s attention. Cleland said that the FTC would most likely rely on Internet users to judge what constitutes fair disclosure in lieu of spelling out specific requirements.50 A final version of the guidelines could be approved by the end of 2009.

The guidelines would extend beyond basic reviews on blogs to cover affiliate marketing, in which bloggers and other Web sites get a commission when a user clicks on a link that leads to a purchase on a retailer’s site. In addition, arrangements where advertisers pay users of Twitter to post short items would also need to be disclosed.51

The FTC’s attempt to monitor the content of online reviews contrasts with the media industry, in which newspapers and broadcasters have traditionally self-policed their employees by prohibiting the acceptance of free products in exchange for reviews. However, just as a blogger needs to have used a product in order to write an informed review, some blurring of this ethical line may be unavoidable, such as when a film critic attends a free advance screening of a movie’s widespread release.



The New York Times took a firm stand in defense of objectivity in August 2009, when the newspaper stripped economist and TV personality Ben Stein of his Sunday business column. Stein also serves as a pitchman for FreeScore.com, a credit monitoring company, and a spokeswoman for the Times said it would not be appropriate for Stein to pitch for the company while writing his column.52


II. IDENTITY THEFT AND DATA PROTECTION LAWS
A. ‘Red Flags Rule’ Set to Take Effect
The ‘Red Flags Rule’53 promulgated by the Federal Trade Commission to combat identity theft was scheduled to take effect on Nov. 1, 2009. The rule requires financial institutions and creditors to develop written procedures on how to identify and react to relevant warnings – or ‘red flags’ – of identity theft. In most cases, this means tracking discrepancies between credit reports and information provided by or about an individual. Originally set to take effect on Nov. 1, 2008, the FTC delayed enforcement of the rule three times due to uncertainty over what industries and entities were covered by the rule.54
1. Who Must Comply with the Rule?
The rule applies to “financial institutions” and “creditors” with “covered accounts.” This includes entities that regularly permit deferred payments for goods or services, including health care providers, some retailers, colleges, and a wide range of businesses that invoice their customers.

Certain law firms with individual clients, such as matrimonial and trust and estate clients, who bill at the end of a period rather through an initial retainer, were scheduled to be covered by the rule.55 The American Bar Association in July threatened to file a lawsuit seeking to have lawyers exempted from the rule on the grounds that compliance would be burdensome and establish a precedent for federal agencies to set other requirements for lawyers.56 At the time of the threatened litigation, the rule was set to take effect on Aug. 1, 2009. ABA President H. Thomas Wells Jr. called the delay to November a “temporary reprieve,” but said the ABA will continue to lobby Congress to permanently exempt lawyers from the rule.57



a. Financial institutions
Under the rule, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a customer. Most of these institutions are regulated by the federal bank regulatory agencies and the National Credit Union Administration (NCUA). A transaction account is a deposit or other account from which the owner makes payments or transfers.
b. Creditors

A creditor is any entity that regularly extends, renews, or continues credit. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies. If non-profit and government entities defer payment for goods or services, they are also considered creditors. Accepting credit cards as payment does not, by itself, make an entity a creditor.


c. Covered accounts
A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. These include credit card accounts, mortgage loans, automobile loans, cell phones accounts, utility accounts, checking accounts and savings accounts.
2. How to Comply with the Rule

The FTC says the rule was designed to be risk-based so that the complexity of an entity’s program would be proportional with the identity theft risk it encounters. The Commission suspects that most high-risk entities, such as financial institutions, already take steps to minimize losses due to fraud. It estimated nearly 270,000 high-risk entities and 1.6 million low-risk entities will be subject to the rule. According to the same estimates, high-risk entities can create and implement a written program in 25 hours while those at low-risk should be able to develop a streamlined program in about an hour.58

To aid low-risk entities in the process, the FTC developed a model six-page policy in PDF format. A template of the model policy is available at www.ftc.gov/redflagsrule and by clicking on the “Create Your Program” tab.59 A company must identify red flags, describe how the flags will be detected, offer a planned response when flags are found and describe how relevant staff will be trained to implement the program. A board of directors or senior-level employee must approve the program, which is required to be updated periodically.

Failure to comply with the rules can lead to civil penalties, such as monetary sanctions and enforcement action by the FTC. However, the FTC said it is unlikely to bring action against entities that “know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.”60


B. Proposed Federal Legislation to Protect Personal Data, Require Notification
Two separate, but similar, data privacy bills were introduced in 2009 that seek to preempt the existing data breach notification laws in 45 states and the District of Columbia.61 Both bills propose requiring entities that possess personal information and engage in interstate commerce to institute various safeguards to protect the data and notify individuals when a breach or a suspected breach has occurred. Both bills would also give state attorneys general the authority to pursue civil penalties for data breaches in certain instances. As of early August, it appeared unlikely that either bill would be passed this year, at least in their proposed form.
1. Personal Privacy and Security Act
Sen. Patrick Leahy (D-Vt.), chairman of the Judiciary Committee, introduced the Personal Privacy and Security Act, S. 1490, 111th Cong. (2009), on July 22. Leahy introduced similar legislation that was reported by the committee in the previous two Congressional sessions.62 This casts doubt on whether this version will have enough momentum to become law, particularly as House subcommittees continue to gather information on deep packet inspection with an eye toward enacting a comprehensive data security and Internet privacy law.

In addition to the national data breach notification provision, the bill seeks to stiffen criminal penalties for identity theft by adding intentional access of a computer without authorization to the definition of racketeering under 18 U.S.C. § 1961(1) and requiring the U.S. Sentencing Commission to revisit its sentencing guidelines for identity theft crimes. The bill would give individuals access to any personal information held by commercial data brokers and impose penalties on government contractors who fail to meet data privacy and security requirements.


2. Data Accountability and Trust Act

Rep. Bobby Rush (D-Ill.), chairman of the Subcommittee on Commerce, Trade, and Consumer Protection, introduced the Data Accountability and Trust Act, H.R. 2221, 111th Cong. (2009), on April 30. The bill is similar to the Personal Privacy and Security Act in its data protection and security requirements for businesses or entities that possess personal information. In addition, this version authorizes the FTC to require a standard method for destroying obsolete non-electronic data.


C. HIPAA Breach Notification Rule Issued
On Aug. 19, 2009, the U.S. Department of Health and Human Services (HHS) issued new regulations that require entities covered by the Health Insurance Portability and Accountability Act (HIPAA)63 to notify individuals when their unsecured personal health information has been breached.64 The regulations,65 which could go into effect as early as Sept. 23, 2009, refine key concepts in a manner that limits the notification obligations of covered entities.66 In cases where a breach affects more than 500 individuals, the HHS Secretary and the media must also be notified. Entities will report to the HHS Secretary breaches that affect fewer than 500 individuals on an annual basis.67

In addition, HHS also specified that covered entities who secure health information through encryption or destruction are exempt from the notification requirement if a breach does occur. This portion of the regulations was developed in response to public comment received from an April 2009 request68 and after HHS consulted with the FTC, which has issued breach notification regulations that apply to vendors of personal health records and other entities not covered by HIPAA.69 The regulations include other exemptions. For example, the definition of a breach is limited to instances where information is used or disclosed in a manner inconsistent with HIPAA. If the access to information is unauthorized, but use of the information does not violate HIPAA, it is not considered a reportable breach.70

The regulations preempt contrary state laws, but HHS noted this only occurs when it is impossible to comply with both a state notification law and the HIPAA notification regulations. The regulations will become effective 30 days after publication in the Federal Register. HHS has said that it will not impose sanctions for violations during the first six months after the regulations take effect.71 Instead, HHS will work with the covered entities to bring them into compliance.
D. Supreme Court Requires a ‘Knowing Theft’ for

Aggravated Sentence

The Supreme Court on May 4 ruled unanimously that federal prosecutors must prove a defendant knew a stolen identity belonged to an actual person in order to secure a conviction for aggravated identity theft. 72 The Court rejected the government’s argument that it merely needed to show an offender knew he used an identity other than his own. The decision in Flores-Figueroa v. United States clarifies how the Identity Theft Penalty Enforcement Act73 should be interpreted. The statute imposes a mandatory consecutive two-year prison term upon those convicted of certain crimes if, during the crime, the offender “knowingly transfers possesses, or uses, without lawful authority, a means of identification of another person.” The law applies to such predicate crimes as theft of government property, fraud and activities related to passports, visas and immigration.

The defendant in the case, Ignacio Flores-Figueroa, is a Mexican citizen who worked illegally at an Illinois steel plant. To gain employment, Flores-Figueroa first used a false name and Social Security number, one that did not belong to another person. He later wanted to use his real name and gave his employer counterfeit Social Security and alien registration cards bearing numbers assigned to real people. Customs officials discovered the discrepancy and charged Flores-Figueroa with entering the United States without inspection, 8 U.S.C. § 1325(a), and misusing immigration documents, 18 U.S.C. § 1546(a), in addition to aggravated identity theft.

In his majority opinion, Justice Stephen G. Breyer wrote that the case should be decided by applying “ordinary English grammar” to the text of the law, which applies “knowingly” to all of the elements of the crime that follow.74 Interpreting the statute that way avoids subjecting offenders to additional penalties for liability that turns on chance. Justice Samuel A. Alito Jr., in his concurring opinion, considered a defendant who chooses a Social Security number at random. “If it turns out that the number belongs to a real person,” Alito wrote, “two years will be added to the defendant’s sentence, but if the defendant is lucky and the number does not belong to another person, the statute is not violated.”75


1. Effect of Decision
The ruling in Flores-Figueroa will probably be most consequential in guiding the government’s strategy in combating illegal immigration rather than prosecutions of traditional identity theft cases. Breyer noted that proving intent is generally not difficult in such classic identity theft cases as using a person’s identification information to gain access to a bank account or “dumpster diving” to find discarded credit card and bank statements.76 Now faced with a diminished threat of a mandatory and consecutive two-year prison term, the government loses the possibility of securing an aggravated felony conviction that often leads to quicker deportations. This could result in fewer mass criminal prosecutions against illegal workers following workplace enforcement actions.77

The Obama administration previously announced plans to target employers who knowingly hire workers who are in the country illegally rather than arrest the workers for eventual deportation.78 In a sign of furthering this strategy, U.S. Immigration and Customs Enforcement (ICE) announced on July 1 that it issued notices of inspection to 652 businesses nationwide.79 ICE issued 503 similar notices during the entire previous fiscal year. The notices alert business owners that ICE will be inspecting their hiring records to determine whether or not they are complying with employment eligibility and verification laws and regulations.


2. Proposed Legislation

The Employment Eligibility Verification and Anti-Identity Theft Act would require an employer to take certain measures after receiving official notice that an employee’s name and social security number does not match Social Security Administration records.80 The bill, introduced by Rep. Elton Gallegly (R-Calif.), proposes that once an employer receives official notice about such a discrepancy, the employer has to verify employment eligibility within three business days through a system established by the Secretary of Homeland Security.

The ultimate responsibility to verify proper documentation would fall on the worker, but the proposal requires an employer to terminate an employee once a final notice of non-verification is received. An employer could be found to violate the Immigration and Nationality Act, 8 U.S.C. § 1324a(a)(1)(A), for not dismissing the worker. The bill is co-sponsored by nineteen Republicans.
E. Social Security Numbers Can Be Guessed
Researchers at Carnegie Mellon University concluded that it is relatively easy to figure out the precise nine digits of a person’s Social Security number. Many numbers can be accurately predicted by knowing a person’s birth data, the researchers found in the study published in the Proceedings of the National Academy of Sciences.81

Alessandro Acquisti and Ralph Gross relied on publicly available information for their study, principally what is known as the “Death Master File.” The file lists the SSNs, dates of birth and death, and the states of application for all individuals whose deaths have been reported to the Social Security Administration (SSA). Acquisti and Gross also used data from social networking sites, where users often list their place of birth and birth date in their profile.

Those born after 1988 – when the government altered its practice and began issuing numbers at birth – are the most susceptible to having their numbers discovered because of the method used to assign SSNs, according to the study. Among people born from 1989 to 2003, the researchers identified the first five SSN digits for 44 percent of individuals on a single attempt. They got all nine digits correct for 8.5 percent of those people in fewer than 1,000 attempts.

Acquisti and Gross set out to exploit what is known about how SSNs are assigned. The first three SSN digits are called its “area number” and are assigned based on the zip code of the mailing address provided on the application form. The next two digits are its “group number,” which transitions slowly and often remains constant in a given region over a number of years. As a result, applicants in the same state born on consecutive days are likely to have the same first four or five digits. The last four digits are its “serial number” and are assigned sequentially.

The study found that the SSN assignment scheme discriminates against younger individuals born in less populous states by exposing them to a higher risk of identity theft. For example, the study accurately predicted the first five digits of two percent of California records with 1980 birthdays, and 90 percent of Vermont records with 1995 birthdays.


1. Changes to SSNs
The identity theft risks SSNs now pose could not have been foreseen when the system was devised in the 1930s, but measures to further protect the numbers are in the works. For reasons unrelated to the report, the SSA is in the process of developing a system to randomly assign the numbers that it expects to be in place in 2010.82 Earlier this year, Sen. Dianne Feinstein (D-Calif.) and Rep. Rodney Frelinghuysen (R-N.J.) introduced legislation that would prohibit the display, sale, or purchase of Social Security numbers without consent, and would bar businesses from requiring people to provide their number.83



Download 445.44 Kb.

Share with your friends:
1   2   3   4   5   6   7   8   9   10




The database is protected by copyright ©ininet.org 2024
send message

    Main page