Home/ CIPP Information Privacy & Security News/ Group items tagged practices

Karl Wabst

Maine Enacts Comprehensive New Law Restricting Marketing to Minors : Privacy & Informat... - 0 views

  •  
    On September 12, 2009, Maine's Act to Prevent Predatory Marketing Practices Against Minors (the "Act") will take effect. The Act prohibits businesses from knowingly collecting or receiving a minor's health-related information or personal information for marketing purposes without first obtaining verifiable parental consent. Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor. Pursuant to the Act, the use of information in such a manner is a predatory marketing practice, which may be sanctioned as an unfair trade practice. The law also allows individuals subject to unlawful data collection or predatory marketing practices to bring a private right of action against violators. For businesses, the implications of Maine's new data collection and marketing restrictions are far-reaching. The scope of the law covers both online and off-line marketing activities, and the broad definition of personal information includes a minor's name in combination with any information concerning the minor. In light of the Act's restrictive requirements and considerable scope, businesses would be well-advised to evaluate their current marketing practices and age verification mechanisms. The text of the law is available here.
Karl Wabst

Fighting Fraud and Saving Money » Adotas - 0 views

  •  
    The largest threat to online advertising is growing as the economy declines. More individuals will turn criminal, purchasing products or generating income through fraudulent means. Billions of dollars are stolen from businesses each year, and in 2009 companies will fight fraud with fewer resources. According to CyberSource, an estimated $4 billion dollars was lost to fraud in 2008 up from $3.7 billion in 2007, and 87% of merchants must fight fraud with the same or less staff in 2009. The increase in eCommerce fraud from 2007 to 2008 (and one can expect, in 2009) follows the advertisers' shift to spend more of their budget online. Much like crime statistics, one has to wonder how much fraud is not being reported because, among many reasons, commission-driven employees are not motivated or your company lacks resources. In early 2008, I was approached by our CEO to start a new division that would address our partners' fraud concerns - both real and perceived. He said, "I'm not going to lie to you. It's a SOB job." I was sold, and the Best Practices Division began. My team establishes best practices (measurable, repeatable events, processes, and procedures) and applies them internally and externally (to our partners' online marketing practices). At its core, best practices (BPs) are a set of standards that provide transparency and clear expectations of behavior and results to everyone involved in the business process. This accountability will drive the long-term performance of the online advertising industry while maintaining profitability without additional federal regulation. The BP approach can be applied to every business model and used to fight fraud - wherever you find it. Industry norm places the onus on the advertiser to successfully qualify inbound leads as well as identify fraudulent traffic. In the past, advertisers had only two options: become an online fraud expert, or hire a vendor. Only a small percentage of companies will be successful with the
Karl Wabst

New Study Charges No Major Card Issuers Good for Consumers - 0 views

  •  
    "A new study from the Pew Charitable Trust has found that every one of the credit cards offered by the country's 12 largest credit card issuers are bad deals for consumers and have practices the Federal Reserve has defined as "unfair or deceptive." The Trusts' Health Group's Safe Credit Cards Project, titled STILL WAITING: "Unfair or Deceptive" Credit Card Practices Continue as Americans Wait for New Reforms to Take Effect also compared credit union card programs and found them sharply better. "Although credit unions control only a small portion of credit card outstandings, comparisons between credit union and bank product models illustrate options available to consumers and potential benchmarks for future regulatory rulemaking efforts," the organization said. The observed credit unions presented a distinct alternative to credit card pricing and other practices of the observed banks, the report said. "In July 2009, median advertised interest rates on cards from the 12 largest credit unions were between 9.90 and 13.75% annually, depending on a consumer's credit profile-approximately 20% lower than comparable bank rates," the report said. "Meanwhile, credit union penalties were generally less severe than those of banks." "
Karl Wabst

News Release: Facebook needs to improve privacy practices, investigation finds - July 1... - 0 views

  •  
    In order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care, the Privacy Commissioner of Canada said today in announcing the results of an investigation into the popular social networking site's privacy policies and practices. "It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," says Privacy Commissioner Jennifer Stoddart. The investigation, prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic, identified several areas where Facebook needs to better address privacy issues and bring its practices in line with Canadian privacy law. An overarching concern was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the "account settings" page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook's servers. The Privacy Commissioner's report recommends more transparency, to ensure that the social networking site's nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.
Karl Wabst

CANADIAN INSTITUTE OF CHARTERED ACCOUNTANTS | Generally Accepted Privacy Principles see... - 0 views

  •  
    "In light of a spike in identity theft and the frequency with which personal information is stored on portable devices, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have expanded Generally Accepted Privacy Principles (GAPP) to include protocols for securing and disposing of personal information. "Safeguarding personal information is one of the most challenging responsibilities facing an organization, whether such information pertains to employees or customers," said Everett C. Johnson, CPA, chair of AICPA/CICA Privacy Task Force and a past international president of ISACA, a global information technology association. "We've updated the criteria of our privacy principles to minimize the risks to personal information." GAPP offers guidance and best practices on securing portable devices, breach management and ensuring continued effectiveness of privacy controls. The guidance additionally covers disposal and destruction of personal information. The principles are designed for chief privacy officers, executive management, compliance officers, legal counsel, CPAs and CAs offering technology advisory services. "Portable tools such as laptops and memory sticks provide convenience to employees but appropriate measures must be put in place to secure them and the data they contain," said Donald Sheehy, CA.CISA, CIPP/C, associate partner with Deloitte (Canada) and a member of the AICPA/CICA Privacy Task Force. "We must stay abreast of technological advances to assure that proper measures are put into place to defend against any new threats." Created by the AICPA/CICA Privacy Task Force, GAPP is designed to help an organization's management team assess an existing privacy program or address privacy obligations and risks. The principles provide a framework for CPAs and CAs to offer privacy services to their clients and employers, such as advisory services, privacy risk assessments and attestation or
Karl Wabst

Workshop to explore social-media privacy -- Federal Computer Week - 0 views

  •  
    The Homeland Security Department's privacy office will hold a conference to explore the use of social media as it affects security and privacy. The "Government 2.0: Privacy and Best Practices" conference will be held June 22 to June 23 in Washington and is open to the public. The workshop is meant to help agencies use Web 2.0 technologies in ways to protect privacy and security, and to explore the best practices for implementing President Barack Obama's memo on open government that was released in January, according to a notice published in the federal register April 17. Panelists will discuss topics such as transparency and participation in government, privacy and legal concerns brought by the government's use of social media, and how the government can best use the technologies while protecting privacy rights during the conference, DHS officials said. DHS is asking for comments by June 1 on topics such as:
    * How the government is using social media.
    * The risks, benefits and operational concerns that come from government use of the technologies.
    * Privacy, security and legal issues raised by the government's use of social media.
    * Recommendations on best practices for government use of the technologies.
Karl Wabst

FTC Staff Revises Online Behavioral Advertising Principles - 0 views

  •  
    Federal Trade Commission staff today issued a report describing its ongoing examination of online behavioral advertising and setting forth revisions to proposed principles to govern self-regulatory efforts in this area. The key issue concerns how online advertisers can best protect consumers' privacy while collecting information about their online activities. Over the last decade, the FTC has periodically examined the consumer privacy issues raised by online behavioral advertising - which is the practice of tracking an individual's online activities in order to deliver advertising tailored to his or her interests. The FTC examined this practice most recently at its November 2007 "Behavioral Advertising" Town Hall. The following month, in response to public discussion about the need to address privacy concerns in this area, FTC staff issued a set of proposed principles to encourage and guide industry self-regulation for public comment. Today's report, titled "Self-Regulatory Principles for Online Behavioral Advertising," summarizes and responds to the main issues raised by more than 60 comments received. It also sets forth revised principles. The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and personalization that many consumers appear to value. It also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected - including sensitive information regarding health, finances, or children - could fall into the wrong hands or be used for unanticipated purposes. Consistent with the FTC's overall approach to consumer privacy, the report seeks to balance the potential benefits of behavioral advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace. The report points ou
Karl Wabst

Wal-Mart Plans to Market System for Digital Health Records - NYTimes.com - 0 views

  •  
    Wal-Mart Stores is striding into the market for electronic health records, seeking to bring the technology into the mainstream for physicians in small offices, where most of America's doctors practice medicine. Wal-Mart's move comes as the Obama administration is trying to jump-start the adoption of digital medical records with $19 billion of incentives in the economic stimulus package. The company plans to team its Sam's Club division with Dell for computers and eClinicalWorks, a fast-growing private company, for software. Wal-Mart says its package deal of hardware, software, installation, maintenance and training will make the technology more accessible and affordable, undercutting rival health information technology suppliers by as much as half. "We're a high-volume, low-cost company," said Marcus Osborne, senior director for health care business development at Wal-Mart. "And I would argue that mentality is sorely lacking in the health care industry." The Sam's Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates. Wal-Mart says it had explored the opportunity in health information technology long before the presidential election. About 200,000 health care providers, mostly doctors, are among Sam Club's 47 million members. And the company's research showed the technology was becoming less costly and interest was rising among small physician practices, according to Todd Matherly, vice president for health and wellness at Sam's Club. The financial incentives in the administration plan - more than $40,000 per physician over a few years, to install and use electronic health records - could accelerate adoption. When used properly, most health experts agree, digital records can curb costs and i
Karl Wabst

Online Advertising Heavyweights Agree To Good Practice Principles | WebProNews - 0 views

  •  
    Google, Microsoft, Yahoo support self-regulation in the UK AOL, Google, Microsoft, NebuAd, Phorm, and Yahoo promise to behave. All of these companies - along with a few others - have volunteered to honor the Internet Advertising Bureau's just-announced set of Good Practice Principles. So on to the guts of the agreement. First, companies are supposed to tell users whenever they're collecting data for the sake of behavioral advertising. They're also expected to make sure users understand what the procedure entails. Then comes the key part: users should get the chance to opt out of the collection process. Ad companies are probably hoping that users will either be too lazy to take action or will actually prefer better-targeted ads. If so, the companies will continue to make money and improve their public image. But since privacy advocates may still complain that data collection isn't an opt-in matter, the issue isn't likely to go away. Mark Howe, the country sales director of Google UK, sidestepped the mess, simply stating, "Google believes in two core principles of transparency and choice when it comes to user privacy. That is why we are supportive of these new, self-regulatory principles for online advertising which will enable consumers to increase their understanding of their web surfing options." IAB described the Principles as "the UK's first self-regulatory guidelines to set good practice for companies that collect and use data for online behavioural advertising purposes." The Principles have been approved by the Information Commissioner's Office, which reports directly to Parliament.
Karl Wabst

Advertiser tracking of Web surfing brings suits - 0 views

  •  
    Big Brother may be at it again. Behavioral advertising - the tracking of consumer's Internet surfing activity to create tailored ads - has triggered an intense legal controversy that has law firms scrambling to stay on top of a burgeoning practice. Attorneys say that behavioral advertising is raising privacy, litigation and regulation fears among consumer advocates, the electronic commerce and advertising industries and legislators. Law firms are busy helping companies come up with a transparent way of letting consumers know that their online activities are being tracked and possibly shared. "Lawmakers and companies are having a tough time keeping up with this new frontier of Internet privacy issues, and there is growing consumer unrest about behavioral advertising, leading in some cases to consumer rebellion," said Lisa Sotto, a partner and head of the privacy and security data group in the New York office of Richmond, Va.-based Hunton & Williams. "Consumers find this type of tracking intrusive, and businesses are starting to take the consumer reaction seriously," she said. The buzz over behavioral advertising has been building since congressional hearings that were held last year, during which Congress called on Internet service providers (ISPs) to testify about a highly controversial advertising practice known as "deep-packet inspection." The practice gives companies the ability to track every Web site consumers visit and provides a detailed look at everything they're doing, such as where they're going on vacation, who is going, how much they spent on the trip and what credit card was used. But then came the first class action targeting behavioral advertising, filed against Foster City, Calif.-based NebuAd Inc., an online advertising company accused of spying on consumers from several states and allegedly violating their privacy and computer security rights. The lawsuit specifically alleges that NebuAd engaged in deep-packet inspection. Valentine v. Ne
Karl Wabst

Altering the Corporate Culture to Up Standards » Adotas - 0 views

  •  
    The dark figure of fraud drove the development of best practices at Memolink. I harnessed the fear of the unknown and used basic change management to gather support internally. I knew the approach would indefinitely change how we did business and alter our company's culture. Like many dot coms, my company has an entrepreneurial spirit, and like not-so-many dot coms, we have been in business for 15 years. The culture is well established and the work we do is exciting and fun. Would a company with an innovative and "don't-box-me-in" mentality openly receive a new set of standards and expectations? The implementation of the Best Practice approach required two important change management tactics: consistent messaging and constant and varied communication. It was not enough to tell associates that the proposed transition, which included separating processes that traditionally had been managed by a sales team, would benefit the company in the long term. The main component of the message had to be the "What's in it for me?" value proposition. At the time, the sales associates had nothing to gain, and, in fact, they would lose commission. For example, when my department rolled out the Best Practice approach to partner vetting, fewer partners would meet the standard and be accepted, which meant incremental commission loss for the sales team. Money matters create major stress and tension, so it was important that this conflict be addressed early in the implementation process. Management responded by restructuring commissions so that employee motivations were aligned with business goals. This move also made the adoption period for other processes and procedures shorter and less chaotic. In essence, align the money motivators and people will buy in more quickly. Associates were not reeling about their payment structure, but were they and other stakeholders, who were originally unaffected by the commission structure, truly behind the idea? In order to gain the
Karl Wabst

Patients' files poised at trash bin - The Boston Globe - 0 views

  •  
    Hundreds of medical records kept by a longtime Acton family doctor who abruptly closed his practice last year are about to be destroyed, leaving patients without crucial information and exposing a gap in state law about who owns abandoned medical records. On April 8, a Lynn storage company is scheduled to discard the records and auction the equipment left by Dr. Ronald T. Moody, who was evicted from his office last September as state regulators pursued him, saying he was practicing without a license. Many of Moody's former patients have no idea that their records are slated for destruction: None has been notified, nor does the law require such notice. "We throw people's lives away on a daily basis, and, believe me, we go out of our way to try and find someone" to salvage belongings, said Jim Appleyard, owner of the storage company that was hired by Moody's former landlord to clean out the office and store the items for six months, as required by law. But the idea of dumping hundreds of patients' files without them knowing about it bothered Appleyard. Unable to find Moody, he contacted the state Board of Registration in Medicine and pleaded to take the dozens of boxes of records. The board regulates doctors and administers rules governing medical records of physicians in private and group practices.
Karl Wabst

Legal Technology - Web Behavioral Advertising Goes to Court - 0 views

  •  
    Big Brother may be at it again. Behavioral advertising -- the tracking of consumer's Internet surfing activity to create tailored ads -- has triggered an intense legal controversy that has law firms scrambling to stay on top of a burgeoning practice. Attorneys say that behavioral advertising is raising privacy, litigation and regulation fears among consumer advocates, the electronic commerce and advertising industries and legislators. Law firms are busy helping companies come up with a transparent way of letting consumers know that their online activities are being tracked and possibly shared. "Lawmakers and companies are having a tough time keeping up with this new frontier of Internet privacy issues, and there is growing consumer unrest about behavioral advertising, leading in some cases to consumer rebellion," said Lisa Sotto, a partner and head of the privacy and security data group in the New York office of Richmond, Va.-based Hunton & Williams. "Consumers find this type of tracking intrusive, and businesses are starting to take the consumer reaction seriously," she said. The buzz over behavioral advertising has been building since congressional hearings that were held last year, during which Congress called on Internet service providers (ISPs) to testify about a highly controversial advertising practice known as "deep-packet inspection." The practice gives companies the ability to track every Web site consumers visit and provides a detailed look at everything they're doing, such as where they're going on vacation, who is going, how much they spent on the trip and what credit card was used. But then came the first class action targeting behavioral advertising, filed against Foster City, Calif.-based NebuAd Inc., an online advertising company accused of spying on consumers from several states and allegedly violating their privacy and computer security rights. The lawsuit specifically alleges that NebuAd engaged in deep-packet inspection. Valentine v. Ne
Karl Wabst

IAPP - International Association of Privacy Professionals - Carr gets to heart of it - 0 views

  •  
    Heartland Payment Systems CEO discusses breach, previews speech Not a week had passed after the announcement of what some have described as the largest data breach ever, when the CEO of Heartland Payment Systems, Robert Carr, began calling for better industry cooperation and new efforts directed at preventing future breaches. Recently, Carr announced that trials will begin late this summer on an end-to-end encryption system Heartland is developing with technology partners. It is expected to be the first system of its kind in the U.S. The company is also pushing for an end-to-end encryption standard. At the upcoming Practical Privacy Series in Silicon Valley, Carr will discuss the Heartland breach and the role industry, including privacy professionals, must play to prevent future breaches. Here's a preview: IAPP: Many companies have experienced breaches. What made yours different? Ours was different because we are a processor and had passed six years of PCI audits with no problems found. Yet, within days of the most recent audit, the damage had begun. IAPP: Did you have a chief privacy officer or a privacy professional on staff before your breach? Do you now? Ironically, when we learned of the Hannaford's breach, we hired a Chief Security Officer who started just three weeks before the breach began. IAPP: In the era of mandatory breach reporting, what is the trajectory of consumer reaction? As a processor it is difficult to really know this. Our customers are merchants who accept card payments. IAPP: Do you think consumers will become numb to breach notices? I believe that many are numb to so many intrusion notices. IAPP: Are breach notices good public policy? Do the notices provide an incentive for companies to change or improve practices? I don't think so. Nobody wants to get breached and the damage caused by a breach is sufficient reason for most of us to do everything we can to prevent them. IAPP: What has Heartland done differentl
Karl Wabst

MediaPost Publications FTC: BT Privacy Strategies 'Not Working' 06/23/2009 - 0 views

  •  
    A recent talk by some Federal Trade Commission officials confirms that the agency is taking a hard look at online advertising practices. Speaking at an American Bar Association conference, new consumer protection chief David Vladeck had harsh words for the behavioral targeting industry's current privacy practices. The "current approach is not working," he said, according to the law firm Arnold & Porter, which blogged about the speech. Vladeck reportedly said many companies' current practice of notifying users about online ad targeting and allowing them to opt out is inadequate, largely because people don't understand the policies. He's not the first to make this observation. Advocates and policymakers have said for years that privacy policies are incomprehensible even to sophisticated users. A recent study by UC Berkeley School also shows that the policies are filled with enough loopholes as to be meaningless. Meanwhile, consumer protection deputy Eileen Harrington, who also talked at the same event, reportedly called deep packet inspection the most dangerous form of data collection, according to a blog post by the law firm Perkins Coie.
Karl Wabst

PCI Compliance Guide, PCI Data Security Standards, Manage a Data Breach, Protection Com... - 0 views

  •  
    Beyond PCI: Other Regulations to Look For in 2009 Just a few days ago, the Federal Reserve, the Office of Thrift Supervision and the National Credit Union Administration announced the enactment of comprehensive new rules regarding card practices. These rules, which will not take effect until July 1, 2010, impose restrictions on a number of controversial issuer practices, including interest rate increases, late fees and double-cycle billing. Many industry observers predict that the rules will result in less credit being made available, and on stricter terms, than has been the case over the last several years. These rules may not be the end of the matter. Rep. Carolyn Maloney (D-NY), who in 2008 introduced the Credit Cardholders' Bill of Rights Act of 2008 (which sought to regulate many of the same practices as the then-proposed Fed rules), stated that she was disappointed in the delayed effectiveness of the Fed rules and promised to revive the Credit Cardholders' Bill of Rights in 2009 to, as she put it, "bridge the gap" between now and the effective date of the Fed rules.
Karl Wabst

Ten Best Practices to Prevent Data and Privacy Breaches | PCWorld Business Center - 0 views

  •  
    The Web safety and online identity protection experts at SafetyWeb.com and myID.com helped put together a list of ten different data and privacy breach scenarios, along with suggestions and best practices to avoid them.
Karl Wabst

FTC Privacy Initiatives - Section 5 FTC Act Unfairness & Deception - 0 views

  •  
    Enforcing Privacy Promises: Section 5 of the FTC Act A key part of the Commission's privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers' personal information. To respond to consumers' concerns about privacy, many Web sites post privacy policies that describe how consumers' personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information. The Commission has also used its unfairness authority to challenge information practices that cause substantial consumer injury.
Karl Wabst

Picking an anti-fraud team » Adotas - 0 views

  •  
    Online fraud is a $4 billion dollar a year industry. It grows as the unemployment rate increases and the jobless attempt to earn a living through whatever means necessary. Meanwhile, the Internet's footprint on the global economy and culture becomes larger every day. The expansion of fraud and the identification of this risk will create more jobs in the fields of compliance, risk management, and best practices. Who will fill these positions? For many companies looking to take action, the initial move will be to consolidate roles. Individuals in areas such as sales and marketing will absorb fraud identification, reporting, and prevention responsibilities. This will prove to be ineffective for the following reasons: 1. The sales and marketing staffs are not trained to identify fraud and they cannot keep up with the ever-changing tactics. 2. Associates are conflicted when faced with a fraud incident. They are not motivated to report fraud and their compensation structure dissuades them from reporting incidents. 3. Business goals are not aligned appropriately, which naturally moved fraud last on the priority list for the associates assigned the additional responsibilities. 4. While the internal attempt is made, no time is spent on partner due diligence and monitoring. Organizations will benefit in the long term by hiring dedicated staff. This tactic is one component of my company's Best Practice approach to doing business. My dedicated team helped realign business goals and create a culture that now embraces a higher set of standards and expectations. Staffing and training were the largest challenges I have faced in the last year. The positions were new, the skill set was specific, and as a result we received a dichotomous set of resumes. Applicants with online marketing experience had little to no experience with fraud, or they came from companies where more unscrupulous methods were used, and I was not confident those habits would be easily kicked. The app
Karl Wabst

FTC hires privacy advocate to monitor ad data practices :: BtoB Magazine - 0 views

  •  
    The Federal Trade Commission, continuing its focus on behavioral advertising practices and online consumer privacy, has hired Harvard researcher Christopher Soghoian as a technical consultant. Soghoian, currently with Harvard's Berkman Center for Internet & Society and a noted researcher and blogger on online privacy, will work with the FTC's Bureau of Consumer Protection, Division of Privacy and Identity Protection. He has been particularly critical about the length of time major Internet service providers and companies keep and use customer data. Last month, several marketing and advertising industry associations, including the Direct Marketing Association and the American Association of Advertising Agencies, issued self-regulatory principles to govern the online practices of their members, in an attempt to stave off federal regulation of behaviorally targeted advertising.