Communications Litigation Today was a Warren News publication.
Greater Honeypot, Greater Target

Mobile Payment Services Introduce Security, Privacy Concerns, Say Stakeholders, Regulators

Mobile payment services have the potential to become more widespread in a few years, but industry standards may be needed to assuage consumers’ concerns about data security and other issues, said Jamie Barnett, co-chair of Venable’s telecom law practice, at a Law Seminars International event Tuesday. Barnett previously was the FCC’s Public Safety Bureau chief. A recent Federal Reserve study found that 42 percent of surveyed consumers said concerns about data security were the main reason they didn’t use mobile payment services -- the top reason given in the survey, Barnett said. Other barriers to adoption include network security, consumer privacy, liability, dispute resolution and a lack of uniform standards, he said. There’s no single legal framework that deals with mobile payment services, though 19 federal agencies have some regulatory interest in the sector (CD Sept 10 p9).

A combination of industry-created standards and consumer education would reduce consumers’ concerns about mobile payment services and could ultimately increase their use of such services, Barnett said. Those standards could deal with authentication and the security of payment transmissions and transaction records, he said. The standards could also address privacy protections related to customer information, create rules related to minors’ use of mobile payment services, institute fraud and identity theft protections, and standardize disclaimers, Barnett said.

Industry-created standards would also forestall the need for more regulation of the mobile payment sector, Barnett said. Heightened consumer concerns about the sector could invite the government to explore such regulations, he said. The Cybersecurity Framework being co-developed by the National Institute of Standards and Technology (NIST) and critical infrastructure industries has thus far been a voluntary process, though there are questions about whether incentives meant to encourage industry adoption of the framework could make them “de facto” standards, Barnett said. President Barack Obama ordered the framework’s development as part of his cybersecurity executive order (CD Feb 14 p1). Participation in such processes could be vital to keeping part of a sector off the “menu,” Barnett said.

Mobile payments also raise significant privacy concerns, said FTC attorney Katherine White, Division of Privacy and Identity Protection, and others at a separate panel Tuesday. White said when multiple companies are involved in data collection from the same set of users -- from merchants to credit card companies to payment processors -- all the companies should be aware of what the others do with the data collected, and that liability is shared. “There’s not going to be a way for people to say, ‘Hey, I'm just the payment processor, I couldn’t possibly know what my client is doing,'” she said. “Everyone needs to be aware of who’s collecting what.” White said despite the potential privacy concerns, the FTC still sees substantial benefits for consumers using mobile payments. “We just think that in the mobile payment space, there are key privacy questions you should be asking,” she said. The many forms of mobile payments available have increased the number of players who might have sensitive information, including carriers, financial institutions, app developers and merchants, she said. The FTC’s efforts in mobile privacy encourage institutions to simplify consumer’s privacy choices and give them context for how the information will be used, she said. It also wants institutions to improve the transparency surrounding their data collection and privacy protections, and to make things as simple as possible, she said.

NIST has taken pains to ensure consumer privacy, at the same time it works on data security, said Jeremy Grant, senior executive adviser for identity management. NIST has worked to support a private-public partnership to develop standards for identifying personal information online, the National Strategy for Trusted Identities in Cyberspace (NSTIC), he said. “You now have every agency basically paying the same vendor to identify the same people three or four times,” he said. “A lot of what we're doing … is working with the different agencies to be able to reuse those identity vetting services across agencies.” NIST is funding specific pilot programs in industry to develop secure, reliable methods for identifying consumers online, to minimize the sharing of unnecessary information and to reduce the need to register identifying information with multiple enterprises and government agencies, he said. Its best solution would allow users to choose how much information to reveal -- making a purchase from a government website would require customers to share payment information and perhaps identity verification, while leaving a comment on a news website could be done without even offering a name, he said -- all using the same NSTIC credential. To further those goals, NIST set up an Identity Ecosystem Steering Group to work with industry to develop the credential, he said.

Consumers must try to protect their information, and enterprises must take steps to protect their customer’s information, said Juli Greenberg, corporate counsel for the payment processing firm Heartland Payments, which supports several mobile applications. She said she checks every potential app with a “data collection checklist,” asking developers and security professionals multiple times what kind of data an app will collect and what it will do with that data. Developers should take care to inform the legal team each time an app is even updated, she said, since the smallest tweak can have important legal ramifications. Heartland has been involved in several settlements over its data security. It agreed in January 2010 to pay up to $59.22 million to Visa issuers who lost money when it was hacked in 2008, and said in 2009 it would pay $2.4 million to settle a cardholder class-action lawsuit

Privacy liabilities can arise from multiple regulatory bodies, said Heather Federman, an attorney at the Future of Privacy Forum. The FTC, FCC, Department of Commerce and California attorney general have all involved themselves in privacy regulation, she said. Those considering payment apps can’t look to one regulatory agency or law to consider their comprehensive privacy liability, she said.

Developments in GPS technology and location targeting offer impressive new opportunities and benefits for speed and personalization for consumers, but they also come with substantial concerns, said Timothy Sparapani, vice president-government relations for the Application Developers Alliance. Sparapani said improvements to apps will require more personally identifying information and more types of services. Moreover, he said, as apps get more intelligent, they also get more opaque to the average user, making it difficult for consumers to understand how their information is being used or how to change it. Sparapani said personalization could bring a new wave of apps that target consumers in personal, engaging and beneficial ways, but that same personalization could lead to increasingly massive problems for consumers if the apps are compromised. “More data means more mistakes,” he said. “The greater the honeypot, the greater the target will be.”