Investigative & Security Professionals for Legislative Action

Current Legislative News

  • 20 Jul 2011 9:27 AM | Anonymous member (Administrator)

    Today, Representative Mary Bono Mack [R-CA-45], Subcommittee Chair of the House Energy and Commerce Committee, is expected to mark up her H.R. 2577, the Secure and Fortify Electronic (SAFE) Data Act, which will require companies to notify law enforcement of security data breaches without "unreasonable delay" and notify each person affected by such breaches within 48 hours. Her bill would preempt a patchwork of state data breach security laws, setting one national standard. As written, it is the best one presently being offered from the perspective of investigative and security professionals. It does not reference pretexting, as others do. ISPLA and other like-minded stakeholders are lobbying to ensure that any onerous amendments offered to this bill fail. We also note that our NCISS-PAC colleagues have recently contributed to the re-election campaign of Congresswoman Mary Bono Mack, their first and only PAC contribution since forming their PAC last year.

    As a follow-up to ISPLA's ongoing comments about the phone hacking scandal in the U.K., a further example of how that scandal has implications here in the U.S. and elsewhere is reflected in a letter written yesterday by Representative Bono to telecommunication industry groups. She posed a number of questions to which she seeks answers. She wrote:

    "We have all seen the headlines about the rapidly spreading phone hacking and police bribery scandal in the United Kingdom. According to press reports, a growing number of individuals in the United Kingdom are accused of unscrupulous and potentially illegal activities. Understanding that the events in the United Kingdom have not been connected to any activity within the United States, I nonetheless believe it’s critically important to ask American industries involved in all parts of the communications stream of commerce from device manufacturers to fixed wire and wireless providers whether they are satisfied that sufficient safeguards are in place to prevent similar privacy breaches here in the United States. As a result, I respectfully request an answer to the following questions no later than August 2, 2011.

    1. As communications through voice over internet protocol (VOIP), smartphones and other mobile devices become more integrated in our daily lives, do you expect to see a rise in phone hacking here in the United States (involving both personal conversations and voicemails) as criminals search for new ways to steal valuable information such as credit card numbers, bank account numbers and Social Security numbers?

    2. At present, what safeguards do your member companies employ to ensure that American consumers are adequately protected against the type of phone hacking scandal currently being investigated in the United Kingdom?

    3. In the wake of this scandal, do your member companies believe it is necessary to adopt new practices to ensure that consumers in the United States are better protected in the future?

    4. Do you believe existing laws and regulations adequately protect consumers in the United States from phone hacking and similar privacy breaches?

    5. Approximately how many phone hacking incidents are reported by your member companies in a year? Are the number of incidents growing or declining?

    6. As a matter of practice, are phone hacking incidents, or suspected incidents, reported to law enforcement agencies and regulatory agencies?

    7. From a technological standpoint, how difficult is it to hack into cell phones or other mobile devices?

    8. What steps can consumers take on their own to better protect their personally identifiable information when communicating through either fixed wire or wireless devices?"

    ISPLA's belief is that this issue involving the Murdoch media empire has the potential for creating regulatory and legislative ramifications having detrimental consequences for professional investigators. It will adversely affect some of the proactive work ISPLA has been undertaking these past two years in Washington.

    To support the ongoing work of Investigative & Security Professionals for Legislative Action please visit

    To donate to ISPLA-PAC, only personal check or personal credit card accounts may be used.

    Thank you.

    Bruce Hulme

    ISPLA Director of Government Affairs

    235 N. Pine Street

    Lansing, Michigan 48933

    Tel: (212) 962 4054

  • 19 Jul 2011 9:23 AM | Anonymous member (Administrator)
    The phone hacking episode rocking the Murdoch Empire and widely covered by
    the media in the UK and Europe has finally crossed the Atlantic. With the
    permission of the investigative reporting organization ProPublica, below is
    an item by Braden Goyette. There is no doubt that increased media coverage
    of this scandal will provide fodder for proposed privacy legislation,
    including anti-pretexting legislation. The FBI has opened a preliminary
    investigation here in the U.S. at the request of members of Congress. We
    can expect that there will be calls for hearings -- similar to what is
    presently taking place in Parliament. The criminal acts of a private
    investigator in Great Britain may also have been requested by Newscorp of an
    American PI regarding the deaths of 9/11 victims.

    The Phone Hacking Scandal By The Numbers

    The U.K.'s phone hacking scandal seems to keep getting bigger, with more
    revelations, resignations and arrests. Here's a quick breakdown of some
    important stats in the scandal so far. For background on how the scandal
    developed, see our reader's guide [1] and our collection of related
    MuckReads [2].

    The number of people who have been arrested [3] in the current
    investigation: 10. (It's worth noting that an arrest means something a bit
    different in the U.K. [4] than it does in the U.S.)

    The number of people who have resigned over the scandal [5]: 7, including 4
    top News International executives and 2 Scotland Yard officers.

    The estimated amount of money Rebekah Brooks reportedly received as a
    severance package [6]: 3.5 million pounds ($5.6 million)

    Number of Murdoch sons [7] who have admitted to misleading parliament: 1

    The number of people on Scotland Yard's press team [8] who used to work for
    News International: 10, out of a total 45 staffers

    Amount of email investigators suspect was deleted by a News International
    executive: according to The Guardian, about half a terabyte's worth,
    "equivalent to 500 editions of Encyclopedia Britannica [9]."

    Number of pages of information about the phone hacking scandal that were
    sitting in a Scotland Yard evidence room [10]: 11,000. The documents were
    seized from the home of the private investigator who hacked phones for NotW,
    Glenn Mulcaire, during the first phone hacking investigation.

    Number of hours the head of Scotland Yard's first phone hacking
    investigation, John Yates, spent reviewing the documents [11] before
    deciding they weren't worth looking into: 8

    Number of years before that evidence was thoroughly examined: almost 4

    Number of phone numbers [12] listed in those documents: 5,000 landlines and
    4,000 cell phones

    Number of phone hacking victims prosecutors initially identified in 2007: 8

    Estimated number of total phone hacking victims [13]: about 4,000

    The number of phone hacking victims who've been notified so far [10]: 170

    Number of detectives now working on the investigation: 45

    The number of phone hacking victims Scotland Yard is now contacting per
    week: 30

    Estimated time it will take Scotland Yard to contact all phone hacking
    victims: 2 years

    The value of private investigator Glenn Mulcaire's original year-long
    contract with NotW [14], for providing "information and research": 104,988
    pounds ($169,167 at today's exchange rate)

    The amount of money that News International has reportedly paid [15] to
    settle lawsuits from phone hacking victims [16]: at least 2 million pounds
    ($3.2 million). The documents in these cases were sealed, and some of the
    plaintiffs agreed to stay quiet.

    The amount of money that News of the World allegedly spent bribing Scotland
    Yard officers [17]: 100,000 pounds ($161,130), paid to up to five officers.

    Number of News of the World whistleblowers found dead [18]: 1. Sean Hoare,
    the first News of the World journalist who came out and said that former
    Editor Andy Coulson knew about phone hacking, was found dead in his home
    yesterday. Hoare previously had drug and alcohol problems and police said
    that while his death is so far "unexplained" it's not "suspicious."

    The number of people working at News of the World [19] when it closed: 200

    Number of people pied in the face [20] during today's parliamentary hearing:

    See anything we missed? Send your favorite stats about the phone hacking
    scandal to [21].

    Stay tuned as more developments unfold.

    Bruce Hulme
    ISPLA Director of Government Affairs

  • 23 May 2011 9:04 PM | Anonymous member (Administrator)

    S 1011, the Electronic Communications Privacy Act Amendments of 2011, which was finally introduced May 17 by Senator Patrick J. Leahy [D-VT], is a 25-page bill that ISPLA is presently reviewing. It is an extensive amendment to the ECPA, which was first introduced in 1986; that law did not address social networking sites and smartphones. The Senator, who is chairman of the Senate Judiciary Committee, stated: "Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technologies and the new threats to our security." Although this bill is directed primarily at law enforcement, ISPLA will be watching how Section 2713 – Location tracking of electronic communication devices or use of such devices to acquire geolocation information might in the future impact private sector investigations in some areas.

    Comments by Senator Leahy on the Senate floor included the recent data breaches involving Sony and Epsilon that impacted the privacy of millions of American consumers. “We are also learning that smartphones and other new mobile technologies may be using and storing our location and other sensitive information posing other new risks to privacy.  When I led the effort to write the ECPA 25 years ago, no one could have contemplated these and other emerging threats to our digital privacy. Updating this law to reflect the realities of our time is essential to ensuring that our Federal privacy laws keep pace with new technologies and the new threats to our security.”

    Under the current ECPA law, a single e-mail could be subject to as many as four different levels of privacy protections, depending upon where it is stored and when it was sent. The proposed bill gets rid of the so-called “180-day rule” and “replaces this confusing mosaic with one clear legal standard for the protection of the content of e-mails and other electronic communications.” Under the proposed bill, service providers are expressly prohibited from disclosing customer content and the government must obtain a search warrant, based on probable cause, to compel a service provider to disclose the content of a customer's electronic communications to the government.

    The bill also provides consumer privacy protections for location information that is collected, used, or stored by service providers, smartphones, or other mobile technologies. It will require that the government obtain either a search warrant, or a court order under the Foreign Intelligence Surveillance Act, in order to access or use an individual's smartphone or other electronic communications device to obtain geolocation information. Senator Leahy stated there are well-balanced exceptions to the warrant requirement if the government needs to obtain location information to address an immediate threat to safety or national security, or when there is user consent or a call for emergency services. The bill also requires that the government obtain a search warrant in order to obtain contemporaneous, real-time, location information from a provider. There is an exception to the warrant requirement for emergency calls for service.

    To address the role of new technologies in the changing mission of law enforcement, the bill also provides new tools to law enforcement to fight crime. It clarifies the authority under the ECPA for the government to temporarily delay notifying an individual of the fact that the government has accessed the contents of their electronic communications, to protect the integrity of a government investigation. The bill also gives new authority to the government to delay notification in order to protect national security.

    The ECPA Amendments Act, according to Leahy, strengthens the tools available in ECPA to protect national security and the security of computer networks. It creates a new limited exception to the nondisclosure requirements under the ECPA, so that a service provider can voluntarily disclose content to the government that is pertinent to addressing a cyberattack. To protect privacy and civil liberties, the bill also requires that, among other things, the Attorney General and the Secretary of Homeland Security submit an annual report to Congress detailing the number of accounts from which their departments received voluntary disclosures under this new cybersecurity exception.

    S 1011 defines the kinds of subscriber records that the Federal Bureau of Investigation may obtain from a provider in connection with a counterintelligence investigation. This reform will help to make the process for obtaining this information more certain and efficient for both the government and providers. “The Electronic Communication Privacy Act must carefully balance the interests and needs of consumers, law enforcement, and our Nation's thriving technology sector. The balanced reforms in this bill will help ensure that our Federal privacy laws address the many dangers to personal privacy posed by the rapid advances in electronic communications technologies,” stated Senator Leahy.

    H.R. 1841, the Data Accountability and Trust Act (DATA) of 2011, introduced May 11 by Representatives Cliff Stearns [R-FL-6] and Jim Matheson [D-UT-2], seeks to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach. This 17-page bill has been referred to the Committee on Energy and Commerce. If passed, it will seriously affect information brokers. Some investigative colleagues fear that investigators fall under this definition, even if they are not customarily viewed as being information brokers. ISPLA takes exception to that view, especially when one carefully reviews the Congressional intent and various specific provisions of the proposed bill. The following is the bill’s definition of an information broker.

    INFORMATION BROKER- The term `information broker' means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.

    LIMITATIONS- An information broker may limit the access to information required under subparagraph (B) in the following circumstances:

    (I) If access of the individual to the information is limited by law or legally recognized privilege.

    (II) If the information is used for a legitimate governmental or fraud prevention purpose that would be compromised by such access.

    H.R. 1895, the Do Not Track Kids Act of 2011, a 32-page bill to amend the “Children’s Online Privacy Protection Act of 1998 (COPPA),” was introduced on May 13 by Representatives Edward J. Markey [D-MA-7] and Joe Barton [R-TX-6], Co-Chairman of the Bi-Partisan Congressional Privacy Caucus.

    This bill will extend, enhance and update the provisions relating to the collection, use and disclosure of children’s personal information and establishes new protections for personal information of children and teens. Currently, COPPA covers children age 12 and younger, and it requires operators of commercial websites and online services directed to children 12 and younger to abide by various privacy safeguards as they collect, use, or disclose personal information about kids.

    “Over the past several months, there has been a deluge of data leaks, breaches, and other exposures of children’s personal information,” said Rep. Markey. “When it comes to kids and their use of the Internet, it is particularly important that stringent privacy protections are applied so that children do not have their online behavior tracked or their personal information collected or disclosed.

    “Since 1998 when I was the House author of COPPA, children are more likely to be poked, liked and friended online than on the playground. Now is the time for new legislation to protect kids and prevent them from being tracked online.

    “The 'Do Not Track Kids Act of 2011' will ensure that kids are protected and that sensitive personal information isn't collected or used without express permission,” said Markey. “I have long believed that consumers – not corporations – should have control over their personal information, and this legislation will protect parents and kids from the dangers that can lurk in the online environment. The Internet is like online oxygen for many kids – they can’t live without it. We want kids to have Internet access; we also want to ensure there are appropriate safeguards. I look forward to working with Rep. Barton and my colleagues to move this much-needed legislation forward.”

    “Today, I am proud to reach across the aisle and join with Rep. Markey to officially introduce the Do Not Track Kids Act of 2011,” said Rep. Barton. “I believe that every American has the right to choose what they believe to be best for themselves and their children. But often times in our digital world that right is lost because your personal information is collected and stored without you ever knowing.

    “This bill is a first step in putting consumers back in control.  It lets you know what types of information are being collected about your kids online and how it is being used. If you don’t like what you learn – you will now have the authority to change it with just the click of a mouse.”

    “It is unacceptable for a website operator to act as a dictator with no consequences, and this bill ensures this type of behavior will not be directed toward our children,” said Rep. Barton. “I look forward to the next steps in the legislative process, and I look forward to future proposals to ensure protections of all Americans.”

    The “Do Not Track Kids Act of 2011” strengthens privacy protections for children and teens by:

    Requiring online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for collection of personal information;

    Requiring online companies to obtain parental consent for collection of children’s personal information;

    Prohibiting online companies from using personal information of children and teens for targeted marketing purposes;

    Establishing a “Digital Marketing Bill of Rights for Teens” that limits the collection of personal information of teens, including geolocation information of children and teens;

    Creating an “Eraser Button” for parents and children by requiring companies to permit users to eliminate publicly available personal information content when technologically feasible.

    “We commend Representatives Markey and Barton for listening to the concerns of families and taking action by introducing a ‘Do Not Track Kids’ privacy bill that places kids and teens front and center,” said Jim Steyer, CEO of Common Sense Media. “As it stands now, the nation’s tech privacy policies are outdated, as they do not include protections for mobile and geolocation technologies. Kids and teens are being tracked even more than adults, and marketed to without permission while companies make huge profits off the data – and that is wrong. It is promising to see leaders of both parties come together to address these issues on behalf of children and families, and we hope the bill continues to gain bipartisan support.”

    “Today’s teenagers are growing up in a ubiquitous digital media environment, where mobile devices, social networks, virtual reality, interactive games, and online video have become ingrained in their personal and social experience,” said Dr. Kathryn C. Montgomery, Ph.D., Professor, School of Communication American University. “Members of this generation are, in many ways, living their lives online. But while youth have embraced new media, they cannot be expected to understand the subtle, often covert techniques that digital marketers use to track and influence their behaviors. Many teens go online to seek help for their personal problems, to explore their own identities, to find support groups for handling emotional crises in their lives, and sometimes to talk about things they do not feel comfortable or safe discussing with their own parents. Yet, this increased reliance on the Internet subjects them to wholesale data collection and profiling.  By instituting fair information practices for teens now, we can help ensure they are treated with respect in the rapidly growing digital marketplace.”

    “Today’s youth and their parents confront a pervasive and unaccountable digital data collection system,” said Jeff Chester, Executive Director, Center for Digital Democracy. “When young people are online, including on mobile phones, playing games, or using social media, they are subject to a wide-range of stealth practices that can threaten their privacy and health. Congressmen Ed Markey and Joe Barton’s Do-Not-Track Kids bill will create much-needed safeguards for both children and adolescents. It will usher in a new Internet era for America’s youth, where their privacy is protected and marketers cannot take unfair advantage of them.”

    “In today’s world many children spend as much time on the Internet as they do on the playground,” said Jim Pierce, President, Childhelp. “The Markey-Barton Do Not Track Kids Bill is an important first step in protecting our children from predatory tracking – giving them the freedom to be children not consumers.”

    ISPLA notes through its state legislative tracking system that similar legislation was offered in California in February and recent amendments to that state’s bill have now stricken reference to children and made their proposed legislation applicable to all citizens of all ages of California. From our past dealings with the offices of both Markey and Barton, we find that they are very much in the camp of privacy advocates and that any legislation offered by them should be carefully scrutinized. Both congressmen are very influential on the House Energy and Commerce Committee, before which much privacy legislation is reviewed.

    Bruce Hulme, ISPLA Director of Government Affairs

    To support the proactive work of ISPLA from State Capitols to the Nation’s Capitol please visit

    “Doing more than just keeping the profession informed”

  • 05 May 2011 3:19 PM | Anonymous member (Administrator)

    A long-awaited bill has finally been introduced by Rep. Bobby L. Rush [D-IL-1] relating to information brokers and security breaches. The 38-page HR 1707, the "Data Accountability and Trust Act," introduced May 4, pertains to information brokers and is cosponsored by Rep. Joe Barton [R-TX-1] and Rep. Janice D. Schakowsky [D-IL-9]. All three sponsors are members of the House Committee on Energy and Commerce to which this bill has been referred.

    Some of the pertinent areas of the bill about which ISPLA has concerns are contained in portions of the language which follows:

    (b) Special Requirements for Information Brokers-

    (1) SUBMISSION OF POLICIES TO THE FTC- The regulations promulgated under subsection (a) shall require each information broker to submit its security policies to the Commission in conjunction with a notification of a breach of security under section 3 or upon request of the Commission.

    (2) POST-BREACH AUDIT- For any information broker required to provide notification under section 3, the Commission may conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker's security practices during the preceding 5 years).



    (i) IN GENERAL- Each information broker shall establish reasonable procedures to assure the maximum possible accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles, or maintains that specifically identifies an individual, other than information which merely identifies an individual's name or address.

    (ii) LIMITED EXCEPTION FOR FRAUD DATABASES- The requirement in clause (i) shall not prevent the collection or maintenance of information that may be inaccurate with respect to a particular individual when that information is being collected or maintained solely--

    (I) for the purpose of indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual; and

    (II) to help identify, or authenticate the identity of, an individual, or to protect against or investigate fraud or other unlawful conduct.


    (i) ACCESS- Each information broker shall--

    (I) provide to each individual whose personal information it maintains, at the individual's request at least 1 time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review any personal information regarding such individual maintained by the information broker and any other information maintained by the information broker that specifically identifies such individual, other than information which merely identifies an individual's name or address; and

    (II) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under subclause (I), and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes under clause (iii).

    (ii) DISPUTED INFORMATION- Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, shall--

    (I) correct any inaccuracy; or

    (II)(aa) in the case of information that is public record information, inform the individual of the source of the information, and, if reasonably available, where a request for correction may be directed and, if the individual provides proof that the public record has been corrected or that the information broker was reporting the information incorrectly, correct the inaccuracy in the information broker's records; or

    (bb) in the case of information that is non-public information, note the information that is disputed, including the individual's statement disputing such information, and take reasonable steps to independently verify such information under the procedures outlined in subparagraph (A) if such information can be independently verified.

    (iii) ALTERNATIVE PROCEDURE FOR CERTAIN MARKETING INFORMATION- In accordance with regulations issued under clause (v), an information broker that maintains any information described in clause (i) which is used, shared, or sold by such information broker for marketing purposes, may, in lieu of complying with the access and dispute requirements set forth in clauses (i) and (ii), provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual's information for marketing purposes.

    (iv) LIMITATIONS- An information broker may limit the access to information required under clause (i)(I) and is not required to provide notice to individuals as required under clause (i)(II) in the following circumstances:

    (I) If access of the individual to the information is limited by law or legally recognized privilege.

    (II) If the information is used for a legitimate governmental or fraud prevention purpose that would be compromised by such access.

    (III) If the information consists of a published media record, unless that record has been included in a report about an individual shared with a third party.

    (v) RULEMAKING- Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to carry out this paragraph and to facilitate the purposes of this Act. In addition, the Commission shall issue regulations, as necessary, under section 553 of title 5, United States Code, on the scope of the application of the limitations in clause (iv), including any additional circumstances in which an information broker may limit access to information under such clause that the Commission determines to be appropriate.

    (C) FCRA REGULATED PERSONS- Any information broker who is engaged in activities subject to the Fair Credit Reporting Act and who is in compliance with sections 609, 610, and 611 of such Act (15 U.S.C. 1681g; 1681h; 1681i) with respect to information subject to such Act, shall be deemed to be in compliance with this paragraph with respect to such information.

    (4) REQUIREMENT OF AUDIT LOG OF ACCESSED AND TRANSMITTED INFORMATION- Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require information brokers to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data containing personal information collected, assembled, or maintained by such information broker.


    (A) PROHIBITION ON OBTAINING PERSONAL INFORMATION BY FALSE PRETENSES- It shall be unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by--

    (i) making a false, fictitious, or fraudulent statement or representation to any person; or

    (ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.

    (B) PROHIBITION ON SOLICITATION TO OBTAIN PERSONAL INFORMATION UNDER FALSE PRETENSES- It shall be unlawful for an information broker to request a person to obtain personal information or any other information relating to any other person, if the information broker knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subparagraph (A).

    (c) Exemption for Certain Service Providers- Nothing in this section shall apply to a service provider for any electronic communication by a third party that is transmitted, routed, or stored in intermediate or transient storage by such service provider.

    In this Act, the following definitions apply:

    (1) BREACH OF SECURITY- The term `breach of security' means unauthorized access to or acquisition of data in electronic form containing personal information.

    (2) COMMISSION- The term `Commission' means the Federal Trade Commission.

    (3) DATA IN ELECTRONIC FORM- The term `data in electronic form' means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

    (4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

    (5) IDENTITY THEFT- The term `identity theft' means the unauthorized use of another person's personal information for the purpose of engaging in commercial transactions under the name of such other person.

    (6) INFORMATION BROKER- The term `information broker'--

    (A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and

    (B) does not include a commercial entity to the extent that such entity processes information collected by and received from a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to (1) provide benefits for its employees or (2) directly transact business with its customers.


    (A) DEFINITION- The term `personal information' means an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

    (i) Social Security number.

    (ii) Driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.

    (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.

    (B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule promulgated under section 553 of title 5, United States Code, modify the definition of `personal information' under subparagraph (A)--

    (i) for the purpose of section 2 to the extent that such modification will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act; or

    (ii) for the purpose of section 3, to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.

    (8) PUBLIC RECORD INFORMATION- The term `public record information' means information about an individual which has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.

    (9) NON-PUBLIC INFORMATION- The term `non-public information' means information about an individual that is of a private nature and neither available to the general public nor obtained from a public record.

    (10) SERVICE PROVIDER- The term `service provider' means an entity that provides to a user transmission, routing, intermediate and transient storage, or connections to its system or network, for electronic communications, between or among points specified by such user of material of the user's choosing, without modification to the content of the material as sent or received. Any such entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage or connections.

    Although HR 1707 would preempt state information security laws, there are still avenues for State attorneys general to direct their activity, such as consumer protection laws. ISPLA will be working to ensure that the activities of investigators do not fall under the definition of an information broker under the provision in this proposed legislation. ISPLA is carefully reviewing all aspects of this bill and will keep you apprised of further developments and our ongoing lobbying work in Washington, DC.

    Bruce Hulme
    ISPLA Director of Government Affairs
    To join us and support our proactive efforts please visit
    We do much more than just keeping the profession informed!

  • 04 May 2011 4:45 PM | Anonymous member (Administrator)


    A Pennsylvania federal lawsuit filed May 2 and reported in today’s Washington Post claims that Aaron’s Inc., a large furniture rental chain store based out of Atlanta, Georgia, placed spyware on computers they rented to track their customers’ keystrokes, take screenshots and even transmit webcam images of users at their homes. The case was brought by a young couple, Brian and Crystal Byrd. The lawsuit is reminiscent of the Lower Merion School District matter which last year brought about the introduction of anti-surreptitious video surveillance legislation by then Pennsylvania Senator Arlen Specter which ISPLA in Washington worked hard to successfully defeat.

    Privacy experts contend that Aaron’s has the right to equip its computers with such software to shut off the devices remotely if customers stop paying their bills.  However, customers must be notified of such monitoring. “If I’m renting a computer ... then I have a right to know what the limitations are and I have a right to know if they’re going to be collecting data from my computer,” said Annie Anton, a professor and computer privacy expert with North Carolina State University.

    But the couple who sued Aaron’s said they had no knowledge that the computer they rented came equipped with a device that could spy on them. They did not learn of it until December 22, 2010, when an Aaron’s manager came to their home to repossess the computer because he mistakenly believed the Byrds had not paid off their “rent-to-own” agreement. After they produced a paid receipt, the manager showed them a picture of them using the computer that had been taken by the computer’s webcam.

    Aaron’s claims it hasn’t authorized any of its corporate stores to install the software described in the lawsuit. Police were contacted by the customer who ascertained the image had been taken by software of Designerware LLC and installed on all Aaron’s rental computers. Designerware is a codefendant in this matter. The Byrds leased their computer from an independently owned and operated franchisee. Aaron’s believes that none of its more than 1,140 company-operated stores had used Designerware’s product or had done any business with it.

    It remains to be seen if the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act were violated. If either law was broken then Aaron’s went too far.

    Former FTC Commissioner, Peter Swire, an Ohio State professor, is quoted in an AP item that using a software "kill switch" is legal because companies can protect themselves from fraud and other crimes. "But this action sounds like it's stretching the self-defense exception pretty far," he said, because the software "was gathering lots of data that isn't needed for self-protection." He is also quoted as indicating the Computer Fraud and Abuse Act "prohibits unauthorized access to my computer over the Internet. The renter here didn't authorize this kind of access."

    Fred Cate, an information law professor at Indiana University, agrees that consent is required but said the real question might be: "Whose consent?" Courts have allowed employers to record employee phone calls because the employers own the phones. Similar questions arise as digital technology becomes more omnipresent, Cate said. "We always talk about deterrence value. Well it doesn't make sense to put (the software) on there without telling people what it can do," according to Cate. "That's why we all put alarm signs in front of our houses, even if we don't have alarms."

    According to the lawsuit, components were soldered into the computer's motherboard or otherwise physically attached to the PC's electronics. It can only be uninstalled and deactivated using a wand.  John Robinson, the plaintiffs’ attorney, indicated the computer is currently held as police evidence. His clients want the federal court to declare their case a class action and are seeking unspecified damages and attorneys' fees. They contend the privacy act allows for a penalty of $10,000 or $100 per day per violation, plus punitive damages and other costs.

    PRNewswire released an Aaron's, Inc. item that the lawsuit regarding a violation of privacy relating to a computer rented from an Aaron's franchise store is without merit against Aaron's, Inc.

    “The Company believes that none of its over 1,140 Company-operated stores have used the product developed or provided by PC Rental Agent or Designerware LLC, the two vendors named in the lawsuit, and neither vendor is approved or has done any business with Aaron's, Inc.

    “Aaron's, Inc. respects its customers' privacy and has not authorized any of its corporate stores to install software that can activate a customer's webcam, capture screenshots, or track keystrokes. The named plaintiffs leased the computer at issue from an independently owned and operated franchisee. Aaron's, Inc. intends to vigorously defend itself against these allegations.”

    Aaron's, Inc. has company-operated and franchised stores in 48 states and Canada. It also manufactures furniture and bedding at 12 facilities in seven states. Information related above is a compilation of reports from the Washington Post, Associated Press, PRNewswire, the American Bar Association, and ISPLA privacy reference material.

    ISPLA expects that this revelation, along with recent coverage of Internet tracking by Google, and several Congressional hearings scheduled for next week, will keep our profession busy during the 112th Congress.

    Bruce Hulme

    ISPLA Director of Government Affairs


  • 25 Apr 2011 12:53 PM | Anonymous member (Administrator)

    ISPLA Hits the Hill, Harnesses Support, Pursues PAC Activity, and Supports INTELLENET Conference

    It was a busy week for executive committee members of ISPLA who walked the halls of Congress, promoted ISPLA-PAC activities at a fundraiser, and joined other members who were attending the 28th Intellenet Annual Conference. 

    Our thanks to Nicole Bocra, who not only hosted a successful PAC fundraiser at Morton’s Steakhouse in Washington, DC, but also assisted in organizing one of the most successful Intellenet conferences, which was held in Crystal City, Virginia, this past week. Nicole also gave an expert presentation on the use of “Social Media” in conducting investigations. Chairman Peter Psarouthakis presented a well-received talk on Ethics, and Bruce Hulme filled in for the luncheon speaker who had to cancel at the last minute.

    ISPLA board member Jim Olsen, of Texas, Psarouthakis of Michigan, and ISPLA Director of Government Affairs, Hulme, of New York, attended the April 13, 2011 hearing on “The Role of Social Security Numbers in Identity Theft” held before the House Committee on Ways and Means Subcommittee on Social Security chaired by Rep. Sam Johnson [R-TX-3]. Hulme had previously testified before this same subcommittee on SSN-use issues associated with ID Theft. Testifying witnesses appeared on behalf of the Office of Administration and the Inspector General of the Social Security Administration, and the Division of Privacy and Identity Protection of the Federal Trade Commission.

    Chairman Johnson and Rep. Lloyd Doggett [D-TX-25] then introduced HR 1509, the “Medicare Identity Theft Prevention Act of 2011” to amend Title II of the Social Security Act to prohibit the inclusion of Social Security account numbers on Medicare cards. As we expected, this legislation does not affect our profession. However, should ensuing legislation in this subcommittee be directed towards any restrictions that might affect the use of credit headers, we were assured that ISPLA would be provided an opportunity to give input.

    While “hitting Capitol Hill” we also met with staff of Senators John McCain [R-AZ] and John Kerry [D-MA] regarding their Kerry-McCain Bill, S 799, the “Commercial Privacy Bill of Rights Act of 2011.” This bill would apply to any firm that “collects, uses, transfers, or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period.” Such information includes names or addresses or social security, credit card, or phone numbers or biometric data. The 44-page bill would require the notification of consumers in clear language whenever their data is being collected, and ensure that their information is safe from hackers.

    Recently, millions of consumers were exposed to the risk of email swindles after a massive security breach by Epsilon, an online marketing firm that handles email marketing lists for hundreds of clients. Companies, including non-profits, that collect information about consumers over the Internet or otherwise, including search engines, telephone companies, and cable companies, will fall under the provisions of this proposed bill. The bill states "The ease of gathering and compiling personal information on the Internet and off, both overtly and surreptitiously, is becoming increasingly efficient and effortless."

    Should this bill be enacted, it would require companies to inform consumers of the reason that data is being collected, with whom it will be shared, and how it will be safeguarded. The companies would also have to allow consumers to opt out of some data collection, and the consumers must agree, or opt in, to the collection of sensitive data such as medical conditions.

    Rep. Cliff Stearns [R-FL-6] has also introduced legislation on the same topic, but not as a companion bill to the above.

    ISPLA also met with staff of Representatives Hansen Clarke [D-MI-13] and Pete Sessions [R-TX-32].  They were each recipients of ISPLA-PAC donations in the 111th Congressional race this past fall. No other political action committee representing our profession made any donations during the 111th Congress according to FEC filings.  ISPLA’s present proactive legislative agenda included meetings with representatives of the Federal Law Enforcement Officers Association and the Society of Former Special Agents of the Federal Bureau of Investigation regarding several matters of mutual concern.

    In 2010, ISPLA partnered with INTELLENET Ltd, an international organization of investigative and security professionals, to handle lobbying and PAC activity. It was fitting that ISPLA’s executive committee hold its third board meeting in Crystal City, Virginia, in conjunction with Intellenet’s annual conference. We also met with Kevin Whaley, LLC, producer for the ISPLA Insurance Plan, which is available only to members of ISPLA. Twenty percent of the attendees at the Intellenet conference are members of ISPLA. Many have enrolled in ISPLA’s member insurance program at an average annual cost of $600.  Go to to complete the application and submit online. All are invited to become part of a forward-thinking and proactive movement to protect your profession.


    Investigative & Security Professionals for Legislative Action

    Singularly focused on the legislative needs of the Investigative and Security professions

    Real Investigators – Real Professionals – Real Representation

  • 31 Mar 2011 7:17 PM | Anonymous member (Administrator)

    FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network

    Google Agrees to Implement Comprehensive Privacy Program to Protect Consumer Data

    March 31, 2011 - Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.

    “When companies make privacy pledges, they need to honor them,” said Jon Leibowitz, Chairman of the FTC. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.”

    According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged.

    On the day Buzz was launched, Gmail users got a message announcing the new service and were given two options: “Sweet! Check out Buzz,” and “Nah, go to my inbox.” However, the FTC complaint alleged that some Gmail users who clicked on “Nah...” were nonetheless enrolled in certain features of the Google Buzz social network. For those Gmail users who clicked on “Sweet!,” the FTC alleges that they were not adequately informed that the identity of individuals they emailed most frequently would be made public by default. Google also offered a “Turn Off Buzz” option that did not fully remove the user from the social network.

    In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints.

    When Google launched Buzz, its privacy policy stated that “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” The FTC complaint charges that Google violated its privacy policies by using information provided for Gmail for another purpose - social networking - without obtaining consumers’ permission in advance.

    The agency also alleges that by offering options like “Nah, go to my inbox,” and “Turn Off Buzz,” Google misrepresented that consumers who clicked on these options would not be enrolled in Buzz. In fact, they were enrolled in certain features of Buzz.

    The complaint further alleges that a screen that asked consumers enrolling in Buzz, “How do you want to appear to others?” indicated that consumers could exercise control over what personal information would be made public. The FTC charged that Google failed to disclose adequately that consumers’ frequent email contacts would become public by default.

    Finally, the agency alleges that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor privacy framework. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The complaint alleges that Google’s assertion that it adhered to the Safe Harbor principles was false because the company failed to give consumers notice and choice before using their information for a purpose different from that for which it was collected.

    The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-EU Safe Harbor or other privacy, security, or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties if Google changes its products or services in a way that results in information sharing that is contrary to any privacy promises made when the user’s information was collected. The settlement further requires Google to establish and maintain a comprehensive privacy program, and it requires that for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices.

    Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched.

    The Commission vote to issue the administrative complaint and accept the consent agreement package containing the proposed consent order for public comment was 5-0. Commissioner Rosch concurs with accepting, subject to final approval, the consent order for the purpose of public comment. The reasons for his concurrence are described in a separate Statement.

    The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 2, 2011, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted using the following web link:
    and following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law. A consent agreement is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

  • 18 Mar 2011 9:34 AM | Anonymous member (Administrator)

    “In the past year, The Wall Street Journal's ‘What They Know’ series has revealed that popular websites install thousands of tracking technologies on people's computers without their knowledge, feeding an industry that gathers and sells information on their finances, political leanings and religious interests, among other things.” – March 16, 2011 WSJ

    On March 16, 2011, the Senate Committee on Commerce, Science, and Transportation heard testimony from its chairman Sen. Jay Rockefeller [D-WV] and witnesses from the Federal Trade Commission, Department of Commerce, Microsoft, GroupM Interaction, an independent researcher, Intuit, and the ACLU.  


    Testimony is available online at the Commerce Committee’s website. The ACLU paper “The State of Online Consumer Privacy” is an excellent reference source for privacy issues material, especially the links identified in its footnotes. Over the years a number of ISPLA members, as well as I, have relied on much of the same material when meeting with legislators, privacy advocates, and business leaders or preparing testimony on issues affecting investigative and security professionals.


    The subject of consumer privacy relative to the Internet is one being closely monitored by ISPLA. However, this issue does not warrant excessive involvement of lobbying resources by our members at the present time. But the issue does bear watching. The major players from all perspectives have far greater resources than our profession. What we must make certain is that the recommendations evolving from hearings such as this, as well as other pending legislation in the House and Senate, do not expand beyond Internet tracking. ISPLA has previously reported on separate legislation offered by Rep. Bobby Rush [D-IL-1], Rep. Cliff Stearns [R-FL-6], Sen. John McCain [R-AZ] and Sen. John Kerry [D-MA], as well as proposed “Do Not Track” regulations by the FTC. Most of the Senate Commerce Committee excerpts below were prepared by the Democrat members of the committee.

    Key Quotations from the Hearing:

    “Now, I appreciate that we live in a world in which online technology is rapidly evolving. I know some online companies have taken steps to address consumer privacy. And, I appreciate the need to proceed carefully when providing consumer protections that may disrupt the functionality of the Internet. But Congress can no longer sit on the sidelines. There is an online privacy war going on, and without help, consumers will lose. We must act to give Americans the basic online privacy protections they deserve.” - Chairman John D. (Jay) Rockefeller IV

    “In light of the concerns expressed about online tracking, the [Preliminary FTC] Staff Report recommended a Do Not Track mechanism. A robust, effective Do Not Track system would ensure that consumers can opt out once, rather than having to exercise choices on a company-by-company or transaction-by-transaction basis. Such a universal mechanism could be accomplished through legislation or potentially through robust, enforceable self-regulation.” -  Jon D. Leibowitz, Chairman, Federal Trade Commission

    “Having carefully reviewed all stakeholder comments to the Green Paper, the Department has concluded that the U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules for the road for businesses and consumers, while preserving the innovation and free flow of information that are hallmarks of the Internet.” - Lawrence E. Strickling, Assistant Secretary of Commerce for Communications and Information, National Telecommunications and Information Administration, U.S. Department of Commerce 

    “In the digital era, privacy is no longer about being ‘let alone.’ Privacy is about knowing what data is being collected and what is happening to it, having choices about how it is collected and used, and being confident that it is secure.” - Erich D. Andersen, Vice President and Deputy General Counsel, Microsoft Corporation 

    “We want to build consumer trust in the online experience, and therefore we believe that consumers should be able to choose whether and how their data is collected or used for online behavioral advertising. Our clients also want to provide these choices to maintain the confidence of their customers. Global companies work hard every day to protect their brands, and they recognize that their customers may have different preferences about online advertising.”  - John Montgomery, Chief Operating Officer, GroupM Interaction

    “Consumers need more transparency into who is tracking them online, what data is being collected, and how this data is being used, shared or sold. Today’s technical defenses to online tracking are not able to stop the leading tracking technologies, and consumers often do not have meaningful ways to control them. To be effective, privacy protections for consumers online will likely require both a technical and policy component, working in tandem, and I believe these discussions here today are a great step in making that union a reality.”  - Ashkan Soltani, Researcher and Consultant 

    “As we enter this important discussion, it is necessary to further emphasize the importance of both respect for the consumer participation and control of information and the value and benefit of continued innovation, in particular where the future of economic growth is going - data driven innovation. The key to our success and to ensuring balance among these interests is earning the customers trust.” - Barbara Lawler, Chief Privacy Officer, Intuit, Inc.

    “If this collection of data is allowed to continue unchecked, then capitalism will build what the government never could - a complete surveillance state online. Without government intervention, we may soon find the internet has been transformed from a library and playground to a fishbowl, and that we have unwittingly ceded core values of privacy and autonomy.” -  Chris Calabrese, Legislative Counsel, American Civil Liberties


    The Fair Information Practice Principles (FIPPs), written over thirty years ago, have in the view of the ACLU become the basis for comprehensive privacy laws in most of the industrialized world as well as sector-specific privacy laws in the United States. In 2008 the Privacy Office of the Department of Homeland Security formally adopted them in its analysis of DHS programs. And in a recent report, the Department of Commerce recommended that the FIPPs as described by DHS be adopted as the basis for internet regulation. The FIPPs stand for eight relatively straightforward ideas:

    • Transparency: Individuals should have clear notice about the data collection practices involving them.
    • Individual Participation: Individuals should have the right to consent to the use of their information.
    • Purpose Specification: Data collectors should describe why they need particular information.
    • Data Minimization: Information should only be collected if it’s needed.
    • Use Limitation: Information collected for one purpose shouldn’t be used for another.
    • Data Quality and Integrity: Information should be accurate.
    • Security: Information should be kept secure.
    • Accountability and Auditing: Data collectors should know who has accessed information and how it is used.

    While some adjustments will have to be made to conform to new technologies, international internet data collection practices, as well as the data collection practices of other sectors of the US economy, are already governed by the FIPPs. To imply, as some have done, that application of these regulations in this case would cause serious harm to the internet and e-commerce seems overstated at best. These protections must be embodied in law, not just in industry practice, according to the ACLU.


    The ACLU's written testimony indicates that the rapid adoption of new technology has not eliminated Americans’ expectations of privacy. It references a 2009 study by Joseph Turow et al., which indicates that 69% of Internet users want the legal right to know everything that a Web site knows about them and 92% want the right to require websites to delete information about them.


    Consumers also oppose Internet tracking, according to a 2010 study by Lymari Morales, which indicates that 67% reject the idea that advertisers should be able to match ads based on specific websites consumers visit, and 61% believe these practices were not justified even if they kept costs down and allowed consumers to visit websites for free. Thus Americans, although making great use of the Internet, are still very concerned about their privacy and troubled by the practice of behavioral targeting. They expect their online activities will remain private, hence the ongoing efforts by Congress and regulators to propose solutions to protect consumers’ Internet privacy.


    In closing, the recent Wall Street Journal article states:


    “The administration's plan to push for legislation reflects a shifting attitude by the government, which for more than a decade favored a hands-off approach to the Internet. Officials have said the increasing intrusiveness of online tracking has forced them to reassess that approach.”


    ISPLA’s mission is to help contain such government regulatory efforts to just Internet activities and make certain such legislation does not expand to data collected or disseminated by investigators.


    Bruce Hulme

    ISPLA Director of Government Affairs

    Investigative & Security Professionals for Legislative Action


    "Real Investigators, Real Professionals, Real Representation"

  • 16 Mar 2011 2:08 PM | Anonymous member (Administrator)
    California “Personal Identification Information” to include ZIP codes

    The effects of last month’s California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc. are bringing forth unexpected litigation.

    In California, stores are prohibited from soliciting from their customers ZIP code information and storing such information in connection with credit card transactions which occur within their establishments. This ruling may expand the general definition of “personal identification information” or what is now commonly referred to as “PII” by including consumers’ ZIP codes in the classification. California’s Song-Beverly Credit Card Act prohibits retailers in that state from these business practices.

    In a privacy alert from Ropes & Gray furnished to ISPLA, they note that the effect of this ruling “is compounded by the fact that in 2008, this practice was considered exempt from the Act by California’s 4th District Court of Appeals holding in Party City Corp. v. Superior Court which held that ZIP codes were too general to be covered by the Act because they pertain to a group of individuals, unlike an address or telephone number that is specific in nature regarding an individual.” The firm indicates it is not clear as to those states having similar statutes upon which the Act was based, namely New York, Massachusetts, Rhode Island, Delaware, Maryland and Nevada. However, these states do not expressly prohibit acquiring ZIP codes.

    In California alone, since the February 10 decision, lawsuits have been filed against Bed Bath & Beyond, Cost Plus Inc., Crate & Barrel, Macy’s, Old Navy LLC, Target, Victoria’s Secret and Wal-Mart. Violations of the Act call for a maximum fine of $250 for the first violation and $1,000 for each subsequent one. Thus, large retailers may have considerable financial exposure.

    This report should not be construed as legal advice. Privacy is not really dead and there are many out there who are not going to get over it. Remember - it was the violation of a California security data breach law in 2004 which created havoc with the major information data providers resulting in redacted SSNs and numerous unsuccessful ensuing attempts by Congress to deny private investigators access to “credit headers” and other personal identification information.

    Bruce Hulme
    Director of Government Affairs
    Investigative & Security Professionals for Legislative Action – Real Investigators, Real Professionals, Real Representation!

  • 28 Oct 2010 7:36 PM | Anonymous member (Administrator)

    ISPLA Endorses Hansen Clarke for Congress

    Michigan State Senator Hansen Clarke has received the endorsement of Investigative & Security Professionals for Legislative Action. In August he defeated seven-term incumbent Congresswoman Carolyn Cheeks Kilpatrick in the Democratic primary for the 13th Congressional District in Michigan. The district covers about half of Detroit, the Grosse Pointe communities, Harper Woods and the Downriver cities of Ecorse, Lincoln Park, River Rouge and Wyandotte.

    Clarke, a resident of Detroit, has been a Michigan state senator since 2002. He served as a state representative prior to his time in the Michigan Senate. ISPLA chairman Peter Psarouthakis, of EWI Associates, Inc., this week presented Senator Clarke with a donation from our federal nonpartisan ISPLAPAC. Peter, and ISPLA secretary Al Cavasin, owner of Great Northern Sentry Co., in Jackson, Michigan, have observed the excellent work of the Senator in Michigan over the years. They feel that he knows the problems facing the investigative and security professions and that his legislative experience in Michigan will serve us well in Washington.

    ISPLA discussed with the senator how we might serve as a resource regarding investigative and security matters in the private sector including: privacy issues, Social Security Number limitations, indigent defense, identity theft, infrastructure security, and public record access. Although still a young and fast-growing professional association, ISPLA’s organizers have a wealth of knowledge and experience having testified on GLBA implementation, ID theft, and indigent defense issues before the House Finance, Ways and Means, and Judiciary Committees. We advised Senator Clarke that ISPLA is experienced in working with committee staff and regulatory agencies and providing testimony and public comment. We assured him that if ISPLA can ever lend him support on any public safety issues, he should feel free to call upon us. Michigan State Senator Clarke, who we hope will soon become Congressman Clarke, holds a BFA degree from Cornell University and a JD degree from Georgetown University Law Center.

    ISPLA administers a nonpartisan federal political action committee and disburses ALL of its funds in each two-year Congressional cycle. All PAC monies of ISPLA have now been disbursed to worthy Congressional candidates. It is fulfilling a need at the federal level that has not been addressed by any national association until now.  It has created a mechanism for investigative and security professionals having mutual interests to participate in lobbying and financially support qualified political candidates for office.  The leadership of ISPLA is deeply committed to providing legislative expertise and financial resources to accomplish this important mission. 

    You are invited to help us protect your interests in Washington by contributing to ISPLAPAC. Please visit Join us in our efforts now! In accordance with Federal Election Law, financial PAC contributions by investigative and security professionals may be paid online with a personal credit card or by personal check payable to ISPLAPAC and mailed to the address below. Feel free to forward this message to your colleagues and ask them to protect their interests and join ISPLA too. Annual dues are $99 and the annual membership runs for one year from the date of joining. Thank you.

    Bruce Hulme

    ISPLA Director of Government Affairs

    235 N. Pine Street

    Lansing, Michigan 48933   

