April 13, 2010
Website privacy and data security violations continue to be the most critical legal concern for webmasters of software-as-a-service (SaaS) websites and ecommerce websites.
Just think about it – most marketing practices involve capturing data, including personal information about prospects, and using this data to market products or services.
How you collect, store, use, and share this information is now highly regulated, not only by the Federal Trade Commission (FTC), but also by various states. What you say in your website legal forms, website legal documents, and privacy policies is critical.
Three recent legal developments illustrate why webmasters of SaaS websites and ecommerce websites should monitor and stay current with these developments, or suffer severe consequences.
New Massachusetts Data Security Statute
Effective March 1, 2010, the Commonwealth of Massachusetts imposes new data security requirements for personal information of Massachusetts residents (201 CMR 17.00). The new requirements apply to all persons or businesses that “own, license, store or maintain personal information about Massachusetts residents.”
“Personal information” includes a Massachusetts resident’s name if linked to his/her social security number, driver’s license or state ID card number, or financial account/credit/debit card number that would allow access to the resident’s financial records.
If you’re regulated by the new statute, you’re required, among other things, to develop and maintain a data security policy and to encrypt personal information “to the extent technically feasible,” both when it is stored and when it is transmitted, regardless of whether the storage is electronic or the transmittal is by portable device (laptop or handheld device) or over public networks or the Internet.
Penalties and fines for violations are $100 per person affected with a maximum cap of $50,000.
FTC Issues Guides for Peer-to-Peer Networks
On February 22, 2010, the Federal Trade Commission (FTC) announced that it had notified almost 100 organizations – including large and small private and public companies, schools, and local governments – that their customers’ or employees’ personal information was vulnerable on peer-to-peer (P2P) networks.
The FTC was concerned that P2P networks operated by these organizations may inadvertently be providing an opening for unintentional access to personal information. According to FTC Chairman Jon Leibowitz, “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”
In addition to the notification letters, the FTC issued a guide on its ftc.gov website entitled “Peer-to-Peer File Sharing: A Guide For Business”. The guide provides data security recommendations, including identification of security risks and steps to protect personal information from unauthorized access on P2P networks.
ControlScan CEO Pays $102,000 in FTC Settlement
On February 25, 2010, the FTC announced a settlement with ControlScan.com of FTC charges that ControlScan had misled consumers about how often ControlScan monitored websites, including the steps ControlScan took to verify the websites’ privacy and security practices.
The founder and former CEO of ControlScan entered into a separate settlement requiring him to pay $102,000 in ill-gotten gains.
Privacy and security certification programs such as ControlScan are used by webmasters to provide assurance to consumers regarding how the website treats the privacy and security of personal information. The FTC alleged that ControlScan provided its certifications to websites with “little or no verification” of their privacy protections.
Most of these website documents and legal forms should be posted on the website, and therefore would be visible to any potential joint venture partner checking out your website.
This case underscores how seriously the FTC views the privacy and security of personal information stored on websites, as well as how closely the FTC is observing representations regarding privacy and security. The FTC is on the lookout not only for websites that misrepresent what they do regarding privacy and security, but also for what certification websites represent that other websites do about privacy and security.
The legal liability can be substantial.
This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.
Leading Internet, IP and software lawyer Chip Cooper has automated the process of drafting website legal forms, website legal contracts, and website documents online. Use his free online tool – Website Documents Determinator – to determine which documents your website really needs for website legal compliance. Discover how quick, easy, and cost-effective it is to draft your website legal forms at http://www.digicontracts.com/.