
InfoBytes Blog

Financial Services Law Insights and Observations


  • Massachusetts High Court Holds State Credit Card Law Intended to Protect against Invasion of Privacy, ZIP Codes Protected

    Fintech

    On March 11, the Massachusetts Supreme Judicial Court held that a credit card holder may bring an action for violation of a state law prohibiting businesses from requiring personal identification information as part of a credit card transaction, even in the absence of identity fraud. Tyler v. Michaels Stores, Inc., No. SJC-11145, 2013 WL 854097 (Mass. Mar. 11, 2013). The card holder moved the Massachusetts Supreme Judicial Court to certify three questions interpreting the statute after a case she brought against the retailer in federal court was dismissed. The U.S. District Court for the District of Massachusetts had held that a retailer’s collection of ZIP codes during a credit card transaction can constitute a violation of the credit card law, but that the card holder failed to allege actual harm. The Massachusetts Supreme Judicial Court agreed that a ZIP code amounts to personal information under the statute, and found that the law is “intended primarily” to protect card holders from invasion of privacy by merchants, not against credit card identity fraud. However, the court noted that the statute did not contain an express limitation barring card holders who were not the victims of fraud. On the third question, the court held that the term “credit card transaction form” refers equally to electronic and paper transaction forms.

    Privacy/Cyber Risk & Data Security

  • FTC Issues Report on Mobile Payment Consumer Protections

    Fintech

    On March 8, the FTC released a report on mobile payments by consumers. The report, based on an FTC workshop held in April 2012, focuses on financial, security, and privacy consumer protections. The FTC encourages companies to develop clear dispute resolution policies to address customer claims of fraudulent mobile payments or unauthorized charges. The report highlights “special concerns” with mobile carrier billing, in which mobile carriers place charges on phone bills on behalf of third parties, based on the FTC’s concern that there are no federal statutory protections governing consumer disputes about fraudulent or unauthorized charges placed on mobile carrier bills. The FTC also encourages industry-wide adoption of strong security measures and suggests ways sensitive financial information can be kept secure during the mobile payment process, including end-to-end encryption. The report highlights the need for mobile payment companies to practice “privacy by design,” incorporating strong privacy practices, consumer choice, and transparency into their products from the outset. Finally, the report notes privacy issues arising from the consolidation of consumers’ personal information in the mobile payment process.

    FTC, Mobile Payment Systems, Privacy/Cyber Risk & Data Security

  • Texas Appeals Court Affirms Holding that Certain Emails Read Together Can Be Construed as One Contract

    Fintech

    On March 7, the Texas Court of Appeals for the Thirteenth District affirmed a trial court’s holding that the essential terms of an option contract for the purchase of real estate were present when three email messages exchanged by the parties were read together. Dittman v. Cerone, No. 13-11-00196-CV, 2013 WL 865423 (Tex. App. Mar. 7, 2013). The defendant sued for specific performance pursuant to the terms of the three emails, and the trial court ultimately concluded that the emails constituted a valid option contract and ordered the plaintiffs to convey the property. The Texas Court of Appeals affirmed the trial court’s holding that the option contract complied with the statute of frauds because (i) the emails, construed together, provided the essential terms of the contract, (ii) the property was sufficiently identified and confirmed by extrinsic evidence, (iii) the parties’ actions evidenced an intent to conduct certain business electronically, and (iv) the real estate broker had authority to act for the sellers.

    Electronic Signatures

  • FTC Updates Guidance for Mobile and Internet Advertising Disclosures

    Fintech

    Yesterday, the FTC released guidance for mobile and other online advertisers. The new guidance, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising,” adapts and expands prior FTC guidance to account for a decade’s worth of additional experience with online marketing practices, consumers’ increasing use of smartphones, and merchants’ increasing use of social media marketing.

    The new guidance highlights several key considerations for businesses as they develop advertisements for online and mobile media:

    • The same consumer protection laws (e.g., UDAP) that apply to commercial activities in other media apply online and in the mobile marketplace.
    • Limitations and qualifying information should be incorporated into any underlying claim, rather than provided as a separate disclosure qualifying the claim.
    • Marketing materials that may be viewed on a variety of platforms, including handheld devices, should be designed so that required disclosures are effectively delivered on all of the platforms.
    • Required disclosures must be clear and conspicuous, as determined by numerous factors.
    • If a disclosure is necessary to prevent an advertisement from being deceptive, unfair, or otherwise in violation of an FTC rule, and it is not possible to make the disclosure clearly and conspicuously, then that ad should not be disseminated.

    To meet the clear and conspicuous standard, the FTC reminds advertisers that, generally, a disclosure should be placed as close as possible to the trigger claim, and that they should take account of the devices and platforms consumers may use to view the advertisement and disclosure. The FTC offers other specific guidance, with corresponding examples, for complying with the clear and conspicuous standard in online and mobile advertisements:

    • When a space-constrained ad requires a disclosure, incorporate the disclosure into the ad whenever possible. When that is not possible, it may be acceptable to make the disclosure clearly and conspicuously on the page to which the ad links.
    • Hyperlinks used to lead to a disclosure should (i) be obvious, (ii) be labeled appropriately to convey the importance and relevance of the information they lead to, and be consistently formatted, (iii) be placed as close as possible to the relevant information they qualify, (iv) take consumers directly to the disclosure on the click-through page, and (v) be monitored for effectiveness and changed, if necessary.
    • Avoid requiring consumers to “scroll” in order to find a disclosure, or, when necessary, use text or visual cues to encourage consumers to scroll to view the disclosure.
    • Determine screen placement based on empirical research about where consumers do and do not look.
    • Recognize and respond to any technological limitations or unique characteristics of a communication method.
    • Display disclosures before consumers make a decision to buy, and consider repeating disclosures before a purchase is finalized.
    • Repeat disclosures, as needed, on lengthy websites and in connection with repeated claims.
    • For products intended or able to be purchased from “brick and mortar” stores or from online retailers other than the advertiser itself, the disclosure should be presented in the ad itself.
    • Prominently display disclosures, based on an evaluation of the size, color, and graphic treatment of the disclosure in relation to other parts of the webpage. Do not relegate disclosures to “terms of use” and similar contractual agreements.
    • Review the entire ad to assess whether the disclosure is effective in light of other elements that might distract consumers’ attention from the disclosure.
    • Use audio disclosures when making audio claims, and present them in a volume and cadence so that consumers can hear and understand them.
    • Display visual disclosures for a duration sufficient for consumers to notice, read, and understand them.
    • Use plain language and syntax so that consumers understand the disclosures.

    The updated guidance, and especially the FTC’s emphasis on the ability of marketing materials to effectively deliver disclosures across multiple platforms, should lead businesses with online marketing programs to carefully review and re-assess their marketing materials and methods of presentation.

    Fraud, FTC, Disclosures

  • Ramirez Expected to Chair FTC

    Fintech

    On February 28, the FTC announced that President Obama will designate Edith Ramirez as Chairman of the FTC, effective March 4, 2013. Ms. Ramirez became an FTC commissioner on April 5, 2010, and has focused on promoting competition and innovation in the technology and healthcare sectors, protecting vulnerable consumers from deceptive and unfair practices, and safeguarding consumer privacy. Prior to joining the FTC, Ms. Ramirez was a lawyer in private practice, and before that served as the Vice President on the Board of Commissioners for the Los Angeles Department of Water and Power.

    FTC, Privacy/Cyber Risk & Data Security

  • NIST Requests Information Regarding Cybersecurity Framework

    Fintech

    On February 26, the National Institute of Standards and Technology (NIST) issued a request for information to begin developing the “Cybersecurity Framework” required by a recent executive order directing NIST to develop a framework to reduce cyber risks to critical infrastructure. The request explains that the framework will incorporate voluntary consensus standards and industry best practices to the fullest extent possible, and should include flexible standards, guidelines, and best practices that provide (i) a consultative process to assess the cybersecurity-related risks to organizational missions and business functions, (ii) a menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats, (iii) a consultative process to identify adequate security controls, (iv) metrics to assess and monitor the effectiveness of security controls, (v) a comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provides industry leadership with the information needed to make ongoing risk-based decisions, and (vi) a menu of privacy controls. The goals of the framework development process are to (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increasing the security of critical infrastructure sectors and other interested entities, (ii) specify high-priority gaps for which new or revised standards are needed, and (iii) collaboratively develop action plans by which those gaps can be addressed. NIST asks that comments be provided by April 8, 2013.

    NIST, Privacy/Cyber Risk & Data Security

  • FTC Announces First Settlement of Privacy-By-Design Case against Device Manufacturer

    Fintech

    On February 22, the FTC announced that a mobile device manufacturer agreed to settle charges that it failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. The settlement is the first of its kind obtained by the FTC. The FTC’s complaint alleged that the manufacturer failed to (i) provide its engineering staff with adequate security training, (ii) review or test the software on its mobile devices for potential security vulnerabilities, (iii) follow well-known and commonly accepted secure coding practices, and (iv) establish a process for receiving and addressing vulnerability reports from third parties. The complaint further described several resulting vulnerabilities that allegedly compromised sensitive device functionality and could have permitted malicious applications to send text messages, record audio, and install additional malware onto a consumer’s device. Such malware, according to the FTC, could be used to record and transmit information entered into or stored on the device. The settlement requires the device manufacturer to establish a comprehensive security program and deploy security patches to consumers’ devices. The manufacturer also is prohibited from making any false or misleading statements about the security and privacy of consumers’ data on its devices.

    Mobile Commerce, Privacy/Cyber Risk & Data Security

  • Electronic Transactions Association Releases Resources for Mobile Payment Solutions

    Fintech

    On February 19, the Electronic Transactions Association’s (ETA) Mobile Payments Committee released three resources to help firms navigate emerging issues in the mobile payments market. The Committee is an industry-wide task force of representatives from credit card networks, processors, mobile network operators, developers, financial institutions, and device manufacturers. The first resource, “Best Practices and Guidelines for Mobile Payment Solutions,” addresses security, privacy, and competition issues relevant to merchants, consumers, federal and state legislators, federal regulators, merchant acquirers, credit card issuers, and infrastructure providers. In the second, a white paper entitled “Beyond the Hype: Mobile Payments for Merchants,” the Committee provides a comprehensive overview of the current state of mobile payments, as well as an analysis of the risks and costs for merchants to consider before deploying mobile payment solutions. Finally, the Committee issued a “Mobile Payments Glossary of Terms.”

    Mobile Payment Systems, Privacy/Cyber Risk & Data Security

  • PCI Security Standards Council Offers Guidance for Protecting Payment Card Data

    Fintech

    On February 14, the PCI Security Standards Council, the open global forum responsible for setting payment security standards, issued guidelines for merchants on the factors and risks they must address to protect card data when using mobile devices. The guidance addresses the three main risks associated with mobile payment transactions: account data entering the device, account data residing in the device, and account data leaving the device. The guidance also (i) provides recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance, and (ii) provides recommendations regarding the different components of the payment acceptance solution, including the hardware, the software, the use of the payment acceptance solution, and the relationship with the customer. The PCI Security Standards Council also recently released guidance for securing payment card data in cloud environments, and guidance regarding security for payment transactions conducted over the Internet.

    Credit Cards, Mobile Payment Systems, Privacy/Cyber Risk & Data Security

  • FTC Obtains Settlement from Cord Blood Bank in Data Theft Action

    Fintech

    On February 5, a federal district court in California approved a settlement recently obtained by the FTC, which (i) requires a California-based firm that operates a cord blood bank to establish a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years, and (ii) prohibits the company from misrepresenting its privacy and security practices. The FTC alleged that the firm violated the FTC Act by failing to use reasonable and appropriate procedures for handling customers’ personal information, despite its privacy policy claims to the contrary. Further, the FTC charged that the firm created unnecessary risks to personal information by transporting portable data storage devices containing personal information in a way that made the information vulnerable to theft, and by failing to prevent, detect, and investigate unauthorized access to its computer networks. According to the FTC, this resulted in a December 2010 breach in which certain portable devices were stolen from an employee’s personal vehicle and the names, gender, Social Security numbers, dates and times of birth, drivers’ license numbers, credit and debit card numbers, and other personal information of nearly 300,000 customers were compromised. The FTC also alleged that certain of the portable devices could have permitted an intruder to access the firm’s network, which contained sensitive personal health information.

    FTC, Privacy/Cyber Risk & Data Security
