Illinois Bars Employers from Requesting Social Media Passwords

On August 1, Illinois became the second state to amend its workplace privacy law to prohibit employers from asking employees and job applicants for their social media passwords. The change to the state’s Right to Privacy in the Workplace Act goes into effect on January 1, 2013.  Maryland was the first to pass a similar law in April.  Other states like California, Minnesota, Michigan, Massachusetts, New Jersey and New York have similar laws pending. The laws are designed to curb employers’ use of social media accounts to assess the online behavior of a potential new hire or existing employee.

Microsoft Leans Pro-Privacy With Its Do Not Track Browser Settings

Microsoft has caused quite a stir regarding an updated product that hasn’t yet shipped. The new version of its Explorer web browser will be preset to reject tracking of a person’s online movements. The company’s Chief Privacy Officer, Brendon Lynch, confirmed in a blog post that Windows 8 (containing Explorer 10 web browser) will have Do Not Track (DNT) enabled as the default setting.  DNT tells advertising and analytics companies that an individual does not want to have their information collected or used.  Naturally, if your company’s business model relies of being able to track users, having the world’s most popular web browser (ostensibly) make that choice for its users, doesn’t sit well. By default, users would be opted-out of tracking. Opponents of Microsoft’s decision include the influential World Wide Web Consortium (W3C), which had asked the company to make it an option rather than a preset. Others theorize that advertisers may simply ignore users’ preference arguing that Microsoft, not the individual consumer, chosen not be to tracked. This is topical and raises several very interesting privacy questions that may lead to legislative initiatives or legal challenges.

Google to Pay $22.5 Million Record Fine to FTC over Safari Tracking

Google agreed to pay a record $22.5 million to settle claims levied by the Federal Trade Commission (FTC) that Google violated an earlier privacy settlement it had with the agency.

Google placed advertising tracking cookies on the computers of Apple’s Safari browser who visited sites within Google’s advertising network for several months in 2011 and 2012. (Safari is the browser used in Macs, iPhones and iPads. Google’s ad network is DoubleClick.) This misled consumers who were assured that they were automatically opted out of tracking because Safari’s default setting blocks most cookies coming from third parties.

The Commission said Google’s misrepresentation to Safari users broke the terms of a 2011 FTC settlement decree relating to privacy problems with Google’s now defunct Buzz social networking tool. Google did not admit to violating the 2011 decree, but agreed to disable all the tracking cookies it said it would not place on consumers’ computers.

Jon Leibowitz, Chairman of the FTC, reaffirmed the Commission’s commitment to enforce consumer privacy rights, saying “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

California Attorney General Forms New Privacy Unit With A-Team Prosecutors

California’s top attorney, Kamala Harris, announced the launch of the Department of Justice’s Privacy Enforcement and Protection Unit, being formed to guard the privacy of Californians by prosecuting violators of state and federal laws.  The press release says “The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.”  The new department, with six veteran prosecutors, will wield broad enforcement powers over cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches. It will operate within the eCrime Unit that Harris created in 2011.

Congress Probes Leading Data Brokers on Dossiers

On Tuesday, the Congressional Privacy Caucus sent inquiry letters to nine of the largest data brokers regarding their privacy practices, including how they collect, analyze and sell consumer information.  Data brokers are organizations that compile data on consumers and sell that data to third parties for marketing and other purposes.  “By combining data from numerous offline and online sources, data brokers have developed hidden dossiers on almost every US consumer,” the letters said.  This practice is worrisome to privacy advocates and particularly the Federal Trade Commission (FTC), which has been candid in its statements and in its March report on consumer privacy, stating that the FTC intends to crack down on these unregulated data aggregators.  The settlement with Spokeo last month is reportedly the first with others to follow this year. The Privacy Caucus, co-chaired by Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas), seems to be weighing legislative action to demand oversight and industry accountability.  Companies receiving the letter were Axciom, Epsilon (Alliance Data Systems), Equifax, Experian, Harte-Hanks, Intelius, Fair Isaac, Markle and Meredith Corp.  The companies have until August 15 to respond.

Privacy Basics: Phishing. How Not To Be the Bait

Phishing is a deceptive method in which a criminal sends an email or text that mimics or claims to be from a trusted source (such as a bank, or the Internal Revenue Service, or the Better Business Bureau, or the Federal Trade Commission) in an attempt to steal personal and financial information from you – such as a social security number, credit card number, account number or password.

This scheme only works if the perpetrator convinces you to go from the email or text to a bogus website.  Below are some tips on how to spot a phishing email.  Once you spot it, delete it.

  • You’ve Got (an Unexpected) Email!  Let common sense be your guide. Legitimate companies don’t ask for personal information via email or text.
  • Act Now!  Online scammers prey on vulnerabilities. One trick is to create a sense of urgency by convincing you that something bad has happened (or will happen) and you need to act quickly or there will be dire consequences. For example, they might threaten to close your account or take other action against you if you don’t act quickly.
  • “Dear Account Holder.”  Most phishing emails have generic salutations like “Dear Account Holder” or “Our Valued Customer” or “Dear Client” or “Greetings [email protected]
  • Phishing Expeditions Request Your Personal Information.  Remember, the aim of a phishing expedition is to get you to surrender your personal information. Be especially suspicious if you are asked to update your information; that’s a very common ploy.
  • Link is Forged. Don’t be duped by a web link that appears to be legitimate just because you may recognize some part of the business name in it. That doesn’t mean it links to an official website. One trick to ferret this out is to scroll over the link and see if it matches the sender’s email address.  If not, that’s your answer.
  • “S” stands for “Secure.”  Only provide personal or financial information through a website if you have personally typed in the web address directly into the browser yourself, and the site appears to be secure.  Tip:  Websites that are safe start with “https:” – where the “s” stands for secure. If you don’t see “https:” it’s probably not a legitimate website.

Spear phishing is a more sophisticated form of phishing.  In the case of spear phishing, the presumed sender of the email an individual within your company and it’s generally someone with authority like a “System Specialist” or “Network Administrator.”  Spear phishers target sensitive confidential information of the company. Frequently, the email or text will request you to either log in to a bogus web page that requires the employee’s user name and password, or to click on a link (that will initiate the download of spyware or malware on your computer or the company’s network). 

  • Tip:  If you don’t recognize or have doubts about the identity of the email Sender, you should look them up on your company’s directory or contact your supervisor.


  • Once you’ve spotted a phishing message, delete it.
  • If you accidentally click on the phishing link and a program downloads on your computer or network, contact your tech support department right away.
  • Add signature blocks to your emails so that you’re easily identifiable as a company employee. Include name, title and phone number so you can be contacted directly.


Data Broker Spokeo to Pay $800,000 Under FTC Settlement

Online data broker Spokeo agreed to pay $800,000 to settle Federal Trade Commission (FTC) charges that it marketed information profiles on millions of consumers to companies that used them for employment screening, without taking necessary steps to protect consumers.  This misuse of data violated federal law, specifically the Fair Credit Reporting Act (FCRA), because Spokeo operated as a consumer reporting agency but it failed to disclose the source of its data or give consumers the chance to correct inaccurate information, among other things.  The conduct occurred between 2008 and 2010 when the company marketed the data on a subscription basis.  The settlement was announced by the FTC on June 12, 2012.

Spokeo is a data aggregator, merging personal information it collects about consumers from online and offline data sources to create detailed individual profiles of consumers.  A profile might include name, address, age range, email address, ethnicity, religion, photos, hobbies, and participation on social networking sites.  Spokeo describes itself as a “people search engine.”

This case is important because it’s the first FTC case to address the sale of Internet and social media data for employment screening.  The FTC also accused Spokeo of posting deceptive endorsements of their services on news and technology websites and blogs “portraying the endorsements as independent when in reality they were created by Spokeo’s own employees.”  These misleading endorsements violated the Federal Trade Commission Act.

Victims of Data Breach Would Take Action!

A recent Unisys Security Index survey asked 1,000 individuals in the U.S. what they would do if they learned that their personal information, stored by an organization that they were doing business with, had been accessed through a security breach.  Nearly all said they would take some form of action including:

   87% would change their passwords

   76% would stop dealing with the company by closing their account

   65% would publicly expose the data breach

   53% would take legal action

   31% would maintain their account with the company, but not engage in online transactions

   Only 3% of the respondents said they would do nothing at all!

E.U. Cookie Law: U.K.’s ICO Says “It’s Complicated”

 Starting today, U.K. websites must ask for and get the consent of their users before placing non-essential cookies on their computers.  (A “cookie” is a small text file that is served to a computer when you visit a website and can be used to recognize you when you return, or when you visit other websites.)  The so-called E.U. “Cookie Law” aims to protect website users from unwanted marketing by giving them more control over cookies.

The E.U. Commission implemented the Cookie Law on May 25, 2011, but the U.K.’s data protection authority, the Information Commissioner’s Office (ICO), gave companies one year to comply.  The deadline for compliance is technically today, May 26, 2012.  However, the ICO announced yesterday that compliance with the law is complicated and so it does not expect (or require) full compliance by today.  Instead, the ICO expects companies to have taken steps to comply, including the development of a plan to achieve compliance by a specific date.  The specific steps the ICO mentions include conducting a cookie audit to determine what types of cookies a website has and how they are used, making notices on the website about cookies more obvious to users, and determining the best method to get users’ permission.  A recent KPMG study found that 95% of companies have yet to comply with the law, so the Commission’s shift seems rooted in reality.

The guidance yesterday made an important clarification about getting users’ permission.  Contrary to its previous statement regarding consent, the ICO now says “implied consent” is a valid form of consent.  Previously, the ICO guided that once the law took effect, users would have to opt-in to all non-essential cookies, which critics pounced on as being impractical and burdensome.  In other words, before a cookie could be placed on a user’s computer, the user would have to agree.  This would have required users to, for example, click an icon, dismiss a banner, send an email or subscribe to a service.  Based on yesterday’s reversal, a company can now rely on implied consent, so long as it believes its visitors have a reasonable understanding that their actions will result in cookies being set or information being accessed on their mobile device.  This is a very significant change. 

Also in the good news column for website owners, the ICO said that failure of a company to comply with the new law will not likely result in fines — the maximum monetary penalty for non-compliance is £500,000 (which is not a small sum), but instead, the ICO would need to see a specific plan of action to bring the company into compliance. 

The law applies to all 27 Member states of the European Union.  Websites outside of the E.U. must comply with the law if they are targeting people within member states.  So, a website based in the U.S. that sells to users who residents in the U.K., for example, will also have to comply with the Cookie Law.  What this compliance looks like is certainly more reasonable today from a website owner’s perspective, than before the ICO’s announcement yesterday.


U.K.’s ICO Warns 75 Web Giants to Mind Their Cookies

75 of the U.K.’s largest online companies received letters of inquiry from the Information Commission Office (ICO) (i.e., the U.K.’s privacy watchdog) asking how those companies intend to comply with the new E.U. Cookie Directive which went into effect on May 25.  The ICO requested a response within 28 days.

Companies included on the list are: Amazon, AOL, Apple, Domino’s Pizza, eBay, Facebook, Google, Microsoft, Weightwatchers and Yahoo, among others.