Nowhere to Run, Nowhere to Hide: in the Age of Big Data Is Data Security Possible and Can the Enforcement Agencies and Private Litigation Ensure Your Online Information Remains Safe and Private? a Roundtable

• Publication year: 2015
• Author: Moderated by Niall E. Lynch

NOWHERE TO RUN, NOWHERE TO HIDE: IN THE AGE OF BIG DATA IS DATA SECURITY POSSIBLE AND CAN THE ENFORCEMENT AGENCIES AND PRIVATE LITIGATION ENSURE YOUR ONLINE INFORMATION REMAINS SAFE AND PRIVATE? A ROUNDTABLE

Moderated by Niall E. Lynch¹

We have a distinguished group of panelists to discuss the very topical issue of privacy, computer security and data breaches. It is certainly interesting and encouraging to hear Judge Kathryn Mickle Werdegar, Justice of the California Supreme Court, say that privacy law will be a major legal issue in the next decade in California and the United States.

The title of today's program is "Nowhere to Run, Nowhere to Hide: In the Age of Big Data Is Data Security Possible and Can the Enforcement Agencies and Private Litigation Ensure Your Online Information Remains Safe and Private?" Every day we open the newspaper there are stories about data breaches. We are constantly being told to change our password, which is inconvenient. Apparently the number one password used in the United States is the word "password." In this country, we obviously have a problem with privacy and keeping our data secure.

We have a great list of panelists for this discussion who come from a variety of backgrounds, all of whom have experience in the privacy area. Our illustrious panel consists of:

• Laura Berger is an attorney in the Division of Privacy and Identity Protection at the Federal Trade Commission ("FTC"). She enforces federal laws that protect consumer privacy. Recently her law-enforcement work has focused on the privacy and security standards applicable to social media and the Internet of Things. She also has worked on the agency's efforts to educate app developers about privacy including the recent guide "Marketing your Mobile App: Get It Right from the Start." In addition, she was the author of the Commission's safeguards rule. She works in the FTC regional office in San Francisco. The FTC does a substantial amount of work in this area, and has a useful website with all sorts of tools and resources. The FTC has filed cases against every single major Internet company or computer company in the last couple years.
• Adam Miller is from the California State Attorney General's office. Adam has worked for the California Attorney General's office in San Francisco since 1997. He is the inaugural supervising Deputy Attorney General for the Privacy

[Page 178]

• Enforcement and Protection Unit that was created in 2012. From 1997 until 2001, he worked in the licensing section where he prosecuted hundreds of vocational licenses for professional misconduct. From 2001 through 2012, he worked in the Antitrust Law Section where he investigated and prosecuted mergers and anti-competitive conduct involving markets such as computer software, Microsoft and hardware, flat panels, search advertising, oil and gas and film exhibition. Adam, too, comes from an enforcement agency that's been very, very active in this area and they have a host of resources on their website.
• Ara Jabagchourian is a partner at Cotchett, Pitre & McCarthy, where he has litigated and tried cases in numerous areas. A class action he tried was selected as one of the top verdicts by impact by the Daily Journal, and one of the Top 100 verdicts in the United States by the National Law Journal. He has been selected as a finalist for the Trial Lawyer of the Year of the Consumer Attorneys of California in 2011 and 2012. Ara was formerly a staff attorney with the Federal Trade Commission's Bureau of Competition in Washington, D.C. Ara has had experience in private litigation in the privacy area, and he'll talk a little bit about that.
• Jim Snell is a partner at Perkins Coie. Jim represents and counsels clients on a wide range of complex commercial matters including privacy and security, Internet and marketing and intellectual property litigation matters. Jim's extensive experience includes counseling and defense of class action and other litigation relating to privacy policies, terms of use, behavioral advertising, data collection and use, Telephone Consumer Protection Act ("TCPA"), call recording statutes, commercial e-mails, spyware and adware, data breach investigations and responses, data security, social media and computer crime statutes, including many different industries.

Niall E. Lynch, a partner in Latham & Watkins's Antitrust and Competition Practice Group, moderated this discussion. This discussion builds upon the recent panel discussion at the Antitrust Section's 2014 Golden State Institute in San Francisco. Mr. Lynch moderated the combined panel discussion and was joined by Messrs. Berger, Miller, Jabagchourian, and Snell.

Moderator: Let me begin with Ms. Berger. What has been happening at FTC in terms of enforcement in the area of data security, privacy and data breaches?

Ms. Berger: Well, I want to say how much I appreciate the chance to be here and just, of course, say that while I'm going to be speaking as a staff person and not on behalf of the Commission or any particular commissioner, I'm excited to talk to all of you about what the Commission has been up to lately in the area of privacy and data security.

With an audience like this — and I'm always excited to talk to an audience that is not primarily focused in their professional careers on the issues that I am immersed in — so I'd love to see if folks are willing at this late hour do a show of hands. How many of you have a professional focus on privacy or data security?

[No hands raised]

[Page 179]

That's amazing. A show of fatigue or actual audience makeup.

So let me just say cover a few basics. As many of you may know from your other work, our primary authority is Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices.² And we use this tool a lot in the private and data security context. As Niall pointed out, we've been extremely active. Privacy and data security are for everybody. They are relevant even to companies that you represent that may not be technology companies or may not be on the cutting edge of developing technologies.

So, we've continued to focus on enforcing the deceptive or unfair standard, but we've started to apply that concept to lots of new technology. If time permits, I'll talk about a few of these cases.

With deception, we're looking at the truthfulness of what you say to consumers about your privacy or data security practices, which may entail evaluating whether your privacy settings live up to what they are supposed to do or may entail looking at a document like a privacy policy. Adam will tell you that you absolutely have to have a privacy policy here in California if you collect personally identifiable information.

But even if you think: "You know what? We don't have to have a privacy policy and we don't make any promises about privacy," chances are, you still say something to consumers about privacy. We look at a website and we look at the signs that companies post in their storefronts and we look at settings and at other communications with consumers. And we may think your statements give consumers reasonable expectations about privacy, even if those statements don't take the form of a privacy policy.

We have been applying these principles regarding deception or unfair conduct to some key areas, which I'll highlight for you. So, this is what we've been up to lately.

One of those areas, of course, is Big Data. And there some of you may know, we issued a report on the activities of data brokers in May. I won't have time to get into the details of that report, but it recommended, among other things, that Congress consider legislation in this area so that consumers can be more aware of data brokers' activities and possibly exercise some control over those activities.

But that's also been an area—Big Data has also been a key area for us in law enforcement. And these cases will highlight another law that we enforce, the Fair Credit Reporting Act ("FRCA").³ There are cases where, depending on what a data broker is doing, if they are doing something that bears on your eligibility for employment or a credit decision or other FCRA-protected activity, they are going to be subject to the requirements of that law.

Moderator: Can you define "data broker"?

Ms. Berger: A data broker for easy reference is a company that's in the business of collecting or compiling information about consumers. And if you are engaged in FCRA-covered activities, you're going to be subject to the specific requirements of that law.

[Page 180]

Recently, we have alleged that a couple of companies that tell merchants whether or not to cash a consumer's check, based on their past financial transactions, failed to live up to their obligation under the FCRA to make sure the information they are using is accurate.

By comparison, you might not need accurate information to make a decision about marketing. But if you're making a decision that is covered by the FCRA, you need to take steps to maintain the accuracy of the information you are using. So, we alleged that, in the check cashing context, these companies were not living up to their accuracy obligations. We also had four recent cases in the employment context, where we alleged that data brokers who sold information to employers, to help them make hiring decisions, weren't living up to their obligations to make sure that the information they provided was accurate and to make sure that the people that they provided it to had the right kind purpose, known as a "permissible purpose," to acquire it.

Moderator: So they passed on false information, and someone didn't get a job as a result?

Ms. Berger: That's exactly the type of the things that can happen. So the FCRA requires companies that are engaged in the business of providing information that is used or expected to be used for certain purposes — like employment screening or making decisions about credit or insurance — to need to have procedures to maintain its accuracy and to fulfill other obligations...