IMPACT: Measuring the Loss of Brand and Business Reputation after a Data Breach

Brand and business reputation suffer following a data breach. A recently released survey puts numbers to those losses and shows just how large the damage can be, with breaches of customer data being the most costly. The study, independently conducted by Ponemon Institute LLC and sponsored by Experian® Data Breach Resolution, is believed to be the first to compare the impact of losing confidential customer or employee information and sensitive business information with the resulting loss of brand and business reputation.

The study surveyed 843 senior-level persons with in-depth knowledge of their companies' brand and reputation management objectives. Some of the study's highlights and resulting key takeaways are:

  • With an average economic value of corporate brand or reputation at $1.5 billion (ranging from less than $1 million to greater than $10 billion), the average loss in the value of the brand ranged from $184 million to more than $330 million, depending on the type of information lost in the breach.
  • As a percentage of annual gross revenues, the economic value of corporate brand or reputation ranged from less than 10% to greater than 5 times annual gross revenue, and depending on the type of information lost in the breach, the value of brand and reputation could decline as much as 17% to 30%.
  • Reputation and brand image are inextricably linked.
  • In some cases it can take longer than a year to restore reputation and brand image.
  • Some breaches are more devastating than others, with breach of customer information being most devastating.
  • 82% of respondents stated their organizations had experienced a data breach involving sensitive or confidential customer information, with an average of 2.7 breaches in the past 2 years. 76% say the customer data breaches had a significant or moderate impact on reputation.
  • Before having a data breach, less than 50% had incident response plans in place for customer data breaches; after a breach over 75% put a plan in place.
  • What you should do: respondents strongly believed the top two steps in responding to a data breach are (i) conducting investigations and forensic evaluations and (ii) working closely with law enforcement. Following those two steps: (iii) responding immediately to the incident, (iv) protecting those affected from potential harms such as identity theft, and (v) conducting employee training and awareness programs.

As a lawyer who counsels clients in these matters, I'd also suggest now is the time to:

  • Review and update your data breach response plan.
  • If you don't have one, create one now!
  • Make sure you are in compliance with the laws enacted in 33 states with respect to protection of social security numbers.
  • Make sure you are in compliance with the laws enacted in 10 states regarding security for personal information.

The study is available at http://www.experian.com/data-breach/reputation-impact-study.html.

Will Facebook soon be privacy-friendly?

FTC Audit Agreement
According to various news reports, Facebook and the FTC are about to enter into an agreement that will subject Facebook to privacy audits for the next 20 years. The agreement will apparently require Facebook to obtain prior express consent before making public any information to which the user had granted only limited access. The agreement is a direct response to complaints over the changes Facebook made to its privacy policy in 2009, when previously private information became accessible to the public and users had to take active steps to return to their accustomed privacy settings.

Since 2009, the importance of data privacy has gained much broader recognition, and privacy advocates will likely celebrate the FTC agreement as a victory. Facebook’s reluctance, however, to show adequate consideration for the concerns raised by European data protection agencies suggests that celebrations may be premature.

Considering what made Facebook’s business model so successful, it is hardly surprising that Facebook would be reluctant to address European privacy concerns. It will likely always be a struggle to reconcile a business model built on a global platform, with 800 million users publicly sharing information, with the right to the protection of personal data granted by Article 8 of the Charter of Fundamental Rights of the European Union. Two recent press releases by a German data protection agency highlight these conflicts.

Purpose and Function of Cookies
On November 2, 2011, the Hamburg Commissioner for Data Protection and Freedom of Information released the results of an investigation into Facebook’s use of cookies. According to Facebook, these cookies serve as security mechanisms that allow passwords to be restored or prevent children from creating accounts. The investigation report (published in German) demonstrated that these goals were accomplished only to a minimal extent, only in relation to some purely optional functions, and only if the user had enabled those functions.

From these results, the agency concluded that the cookies likely served a different primary purpose for Facebook altogether: creating tracking profiles of Facebook users. Should this suspicion be confirmed, and provided that German law applies to Facebook, the company would be in violation of the German Telemedia Act (“TMG”). Despite Facebook’s assertion that it does not fall under the jurisdiction of the TMG, it has nonetheless indicated a willingness to discuss the underlying technical processes, and the Commissioner appears cautiously optimistic that a solution can be reached that complies with German data protection laws, including the TMG.

Facial Recognition
The most recent press release, again by the Hamburg Commissioner for Data Protection and Freedom of Information, was issued on November 10, 2011 and addressed Facebook’s biometric database. Facebook is using a facial recognition feature which, according to the Commissioner, requires express user consent in order to comply with German and European data protection laws. The feature, which Facebook calls “tag suggestions”, uses face-mapping technology to identify individuals in photos on the site.

To address the compliance issues raised by the agency, Facebook and the Commissioner discussed implementing a procedure through which Facebook could obtain valid, informed consent. Following the familiar pattern of past exchanges, Facebook entered negotiations on the premise that it was in full compliance with EU law, insisting that its current opt-out check box gave users easy and sufficient notice of tag suggestions and of each user's ability to disable the feature.

Not surprisingly, German authorities did not agree with Facebook’s assessment of its current compliance and expressed particular concern about those users whose biometric facial characteristics were incorporated into the database before the feature was introduced. Any opt-out solution offered by Facebook would apply only to future use of the facial recognition feature and would not address the need to obtain retrospective, explicit and informed consent, which the German authorities clearly consider a prerequisite to meeting EU privacy law standards.

While negotiations are currently at a standstill, it seems that the German authorities ought to be able to take advantage of the timing and content of Facebook’s pending FTC settlement. The proposed FTC terms mirror the Working Party’s Consent Opinion to a remarkable degree, as both focus on the data subject’s right to limit the scope of the collection and processing of personal data. If Facebook promises the FTC that it will first obtain user consent before exposing previously collected data to a broader audience than the user initially intended, the company must also acknowledge that, under EU privacy law, the same consent procedure is required for the introduction of features such as facial recognition.

Obviously, the Commissioner’s request that Facebook obtain retrospective consent is much more extensive than the purported FTC agreement. The burden of tracing all of the approximately 20 million people whose pictures were allegedly added before the feature was introduced is onerous enough to explain Facebook’s unwillingness to negotiate. One has to wonder, however, whether the current impasse is an indicator of more comprehensive developments in the relationship between Facebook and the German data protection agencies, and whether both sides are finally preparing to square off in court.