Beginning in 2020, California residents will have the right to opt out of the sale of their personal information under the California Consumer Privacy Act of 2018 (CaCPA or also called CCPA). It is time to revisit your third-party service provider agreements. Companies now have two reasons to ensure that service provider agreements restrict the use or sale of personal information: to comply with CaCPA and to reduce risk of an FTC enforcement action. Continue Reading Preparing for 2020: Check In On Your Vendors
In the matter of LabMD Inc. v. Federal Trade Commission, case number 16-16270, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC, finding that the order against LabMD for lax data security measures was not enforceable.
The FTC’s original order against LabMD was due to a 2008 security incident where a LabMD employee downloaded a program which exposed customer information over the internet. Although customer harm was never shown by FTC, in 2016 the agency issued a Final Order against LabMD for unreasonable data security practices. The case was eventually brought before the Eleventh Circuit by LabMD to determine if the alleged failure to implement reasonable data security measures in 2008 was an unfair practice under Section 5(a) of the FTC Act.
U.S. Senate leaders may be close to reaching an agreement on a legislative proposal that would establish a national data breach notification and security standard (the Data Acquisition and Technology Accountability and Security Act) which would streamline nationwide reporting requirements for businesses. However, there are a plethora of reasons it may not make much progress through Congress this year. The current 49-state, soon to be 50-state, patchwork of breach notification laws that are all different in various meaningful ways makes compliance with a nationwide breach (which is what typically occurs in companies) quite tedious. This proposed federal legislation would set a national standard for securing customer data and reporting data breaches.
Similar legislation has stalled in Congress for nearly a decade, but recent events, including numerous high profile data breaches and other events where data was misused, the EU Parliament’s approval of the General Data Protection Regulation (GDPR) with an enforcement date of May 25, 2018, and California’s proposed ballot initiative on privacy (improving consumers’ rights regarding collection and usage of their data), have catalyzed Congress once more. Last week, senators introduced legislation called Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT Act). The bill requires explicit opt-in consent from users to share, use, or sell any personal information, notification any time data is collected, shared, or used, and new security and breach reporting requirements. The CONSENT Act relies on the Federal Trade Commission to enforce any violations of those new rules.
There are many obstacles to enacting federal data privacy and security legislation, including disputes over preemption of state law, reasonable security standards, penalties, and exemptions. After Republicans took control of the White House and both chambers of Congress last year, federal regulatory activity diminished, and cities and states have stepped in to fill the void. The attorneys general of 31 states are pressing lawmakers to scrap the Data Acquisition and Technology Accountability and Security Act, arguing that it waters down more stringent state laws requiring prompt notification of breaches to consumers. Since South Dakota passed a new law in March, every state but Alabama has data breach laws in effect which require companies to notify consumers when their personal information hacked. And last week Alabama’s governor signed the final state data breach law which goes into effect on May 1, 2018. The attorneys general argue that these state laws have catalyzed greater transparency about data breaches and improved steps companies can take to prevent breaches from occurring again.
In addition to state laws, some cities have taken affirmative steps regarding data security. NYC Mayor de Blasio announced the launch of a cybersecurity initiative, NYC Secure, which is supposed to defend New Yorkers from malicious cyber activity on mobile devices, public Wi-Fi networks, and beyond. The first program is a smartphone protection app which issues warnings to users when suspicious activity is detected on their mobile devices.
Stay tuned to see who wins the state versus federal power struggle over data privacy and security—exciting times are ahead!
On January 8, 2018, the FTC announced that VTech, maker of electronic toys for children, agreed to settle charges that it violated the law by collecting personal information without parental consent.
In the complaint made public along with the settlement, the FTC alleged that VTech violated COPPA by collecting personal information on children without parental consent through the Kid Connect and other applications sold with its internet-connected toys, since there wasn’t a mechanism in place to verify that the parent registering for a Kid Connect account was actually a parent. The FTC also alleged that VTech failed to provide direct notice of its information collection practices to parents and failed to take reasonable steps to protect the information it had collected, which included full names, email addresses, mailing addresses, usernames, and passwords. Finally, the FTC alleged that VTech violated the FTC Act by falsely stating that personal information submitted by users would be encrypted when in fact none of the information, except for photo and audio files, was encrypted. In November 2015, VTech learned through a journalist that hackers had accessed its computer network and stolen personal information about parents and children. Decryption keys for the photo and audio files were included in the hacked database.
Hong Kong-based company VTech Electronics Limited and its US subsidiary agreed to pay $650,000 to resolve the charges brought by the FTC. This settlement marks the FTC’s first privacy case involving internet-connected toys.
Since its passage, COPPA has been actively enforced by the FTC, with recent settlements including a mobile advertiser tracking children’s locations and app developers that allowed third-party advertisers to collect children’s information.
The Federal Trade Commission (FTC) and U.S. Department of Education (ED) increasingly are responding to concerns about educational technology and its ability to capture and manipulate massive quantities of private student and parent data. “EdTech,” as it is called, broadly refers to online curriculum and instructional materials accessed by school and personal devices. EdTech has the capacity to use student performance data to improve vendors’ learning programs and enhance educational outcomes. But it also has the ability to use that data for commercial uses that would otherwise be forbidden under privacy laws.
In a recent workshop held on December 1, 2017 by the FTC and ED, the agencies examined issues surrounding student privacy and EdTech. In particular, they looked at the intersection of the Children’s Online Privacy Protection Act (COPPA), overseen by the FTC, and the Family Educational Rights and Privacy Act (FERPA) regulated by ED. The workshop examined critical questions such as whether EdTech providers sufficiently understood FERPA and COPPA requirements, whether it is appropriate for school officials to provide consent under COPPA using in loco parentis concepts, what limits apply to personal information collected by EdTech vendors, and how schools can maintain “direct control” over EdTech providers when they rely on the School Official exception to FERPA’s consent requirements. Click here for more information about the workshop.
FERPA and COPPA have not been amended and updated in several years, during which the use of EdTech has exploded. Parents and privacy advocates increasingly are expressing concerns that the statutes are antiquated and inadequate to the task at hand. In response, many states have passed privacy legislation, and the EdTech industry has attempted to self-regulate through voluntary commitments such as the Student Privacy Pledge. But a robust and balanced federal regulatory scheme is the best approach for industry, schools, and students, providing a uniform system across the country and strong assurances that student data privacy and protection will be a reality.
On September 15, 2017, the Trump White House released a Press Release regarding the EU-U.S. Privacy Shield—reiterating that they “firmly believe that the upcoming review [of the EU-U.S. Privacy Shield] will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic.”
The first alliance of its kind, the E.U.-U.S. Privacy Shield provides a framework for the exchange of consumer personal data between the United States and countries in the European Union. Established in 2016, one of the purposes was to enable U.S. companies to more efficiently receive data from countries in the EU while staying compliant with privacy laws that protect EU citizens. The agreement also allows companies to store EU citizens’ personal data on U.S. servers.
The “upcoming review” referenced in the White House Press Release refers to the first annual review of the Privacy Shield since its adoption, with both EU and U.S. officials stating their support for the alliance in a joint statement released September 21, 2017. According to this statement, over 2,400 organizations have jointed the Privacy Shield since the program’s inception a year ago. The U.S. and EU both declared a “share[d] . . . interest in the Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”
But what good is an agreement without any bite for potential violators? The Federal Trade Commission (FTC) recently signaled that it fully intended to keep companies accountable for potential violations of the EU-U.S. Privacy Shield.
According to an FTC Press Release dated September 8, 2017, three U.S. Companies agreed to settle FTC charges that they “misled consumers about their participation” in the EU-U.S. Privacy Shield. The FTC alleged that these companies violated the FTC Act by “falsely claiming that they were certified to participate in the EU-U.S. Privacy Shield” when they had all “failed to complete the certification process for the Privacy Shield.” Acting FTC Chairman Maureen K. Ohlhausen warned companies that these “actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce.” Notably, these enforcement actions are the first cases the FTC has brought to enforce the Privacy Shield.
Moving forward, companies should carefully assess whether they have completed the steps and certification necessary to make certain representations about participation in the EU-U.S. Privacy Shield—as both the FTC and the current White House administration fully intend on continuing to “demonstrate the strength of the American promise” to pull their weight in the alliance.
Building on the FTC’s “Start with Security” guide for businesses, the agency launched the “Stick with Security” blog on July 21, 2017. The blog provides additional guidance on each of the 10 fundamental principles of data security through hypotheticals based on FTC decisions, questions submitted, and FTC enforcement actions. Each week, the FTC publishes a post dedicated to one of the 10 data security principles.
The 10 fundamental “Start with Security” principles include:
- Start with security. The first principle urges companies to factor data security into all aspects of the business and to make conscious decisions about how, when, and whether to collect, retain and use personally identifiable information.
- Control access to data sensibly. The second principle recommends restricting access to personal data to employees who have a legitimate need to access the data. This recommendation includes restricting administrative access to the company’s systems to employees tasked with making system changes.
- Require secure passwords and authentication. According to the third principle, companies should require “complex and unique” passwords, store passwords securely, and test for common vulnerabilities to protect against unauthorized access to data.
- Store sensitive personal information securely and protect it during transmission. The fourth principle advises companies to encrypt data while in transit and when at rest throughout the data’s entire lifecycle. Companies should use industry-tested methods of securing data and ensure that the measures are implemented and configured appropriately.
- Segment your network and monitor who’s trying to get in and out. The fifth principle speaks to the design of a company’s network; it should be segmented and include intrusion detection and prevention tools.
- Secure remote access to your network. The sixth principle considers a company to be responsible not only for the security of its internal network, but also for examining the security of employees’ computers and systems of others to whom the company grants remote access to its systems. In addition, companies should limit remote access to only the areas that are necessary to achieve the purpose.
- Apply sound security practices when developing new products. The seventh principle urges companies to use engineers trained in secure coding practices and to follow explicit platform guidelines designed to make new products more secure. This principle also indicates that companies are expected to ensure that their privacy and security features function properly and meet advertising claims.
- Make sure your service providers implement reasonable security measures. The eighth principle advises companies to choose providers with appropriate security measures and standards and to require providers to meet expectations by expressly including those obligations in provider contracts. Also companies should preserve contractually the right to verify that the provider is meeting expectations on data security matters.
- Put procedures in place to keep your security current and address vulnerabilities that may arise. The ninth principle instructs companies to implement and maintain up-to-date security patches, heed warnings regarding known vulnerabilities, and establish a process for receiving and responding to security alerts.
- Secure paper, physical media, and devices. The tenth principle applies similar security lessons to non-electronic data, such as data on paper and other physical media. This principle recommends storing paper containing sensitive data in a secure area, using PINs and encryption to secure data housed on other physical media, establishing security policies for employees when traveling with media that contains sensitive data, and disposing of sensitive data on paper and other physical media securely.
Since July 21st, the FTC has published seven helpful posts. Up next, the FTC will discuss the eighth principle: Make sure your service providers implement reasonable security measures.
In another twist in the LabMD case, LabMD has succeeded in obtaining a delay on the FTC’s enforcement action during its appeal. Of course, the substantive issues remain to be determined.
In 2013, the Federal Trade Commission (FTC) issued an administrative complaint against LabMD for alleged “unfair” data security practices culminating in an Opinion and Final Order (Order) against the company for violating Section 5 of the Federal Trade Commission Act (Section 5). After exhausting administrative law procedures, LabMD filed an appeal with the U.S. Court of Appeals for the Eleventh Circuit to prevent the FTC from enforcing the Order until the court reviewed several unresolved legal questions, including whether or not the FTC can enforce data security standards in the absence of identifiable harm.
The Court’s Analysis
In determining whether or not to grant the Stay, the court weighed the following four considerations:
- Did LabMD make a strong showing it would succeed on the merits;
- Would LabMD be irreparably injured without the stay;
- Does issuing the stay substantially injure a third party; and
- What is in the public’s best interest?
Success on the Merits
To succeed on the merits, LabMD must show that the FTC misinterpreted Section 5 as it was applied in the Order. Section 5 grants the FTC authority over “unfair or deceptive acts.” (15 U.S. C § 45 (a)). “Unfair” is defined as something that has caused “or is likely to cause substantial injury to consumers.” (15 U.S.C. § 45 (n)). Federal agencies are charged with reasonably interpreting their own statutes. In its discussion, the court said that LabMD presented “a strong showing that the FTC’s factual findings and legal interpretations may not be reasonable.” In other words, there is enough ambiguity in the FTC’s analysis that the Order should not be enforced, yet. The court says, “[i]t is not clear that the FTC reasonably interpreted ‘likely to cause’ …we do not read the word ‘likely’ to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.”(emphasis added).
The second point of analysis examines to what extent LabMD would be harmed if the Order is enforced. Here the court highlights the fact that LabMD (which was founded in 1996) is no longer in operation, with no employees, no revenue, and is relying on pro bono legal representation. Simply put, the court determined that LabMD is not well positioned to assume the costs required to comply with the Order.
Third Party Injury & Public’s Interest
The third and fourth points consider if third parties would be harmed by delaying the Order. Here the court notes that the “FTC’s ruling did not point to any tangible harm to any consumer, because there is no evidence that any consumer suffered a harm.” The court continues, “there is no evidence that any consumer ever suffered any tangible harm…we find it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious purposes before this appeal terminates”. This analysis led the court to determine there is no risk of immediate harm to consumers or the public if the Order is delayed.
What’s Next for the FTC and LabMD?
This Stay comes after a handful of attempts to clarify the FTC’s policies and procedures in this case, including a letter from Sen. Jeff Flake and Sen. Mike Lee sent to Chairwoman Ramirez challenging the FTC’s analysis. In particular, the letter addresses whether the “FTC’s cybersecurity regime complies with the protections of due process under the constitution.” The letter directly addresses the FTC’s analysis that LabMD’s vagueness challenge was inapplicable because there are no fundamental rights implicated in the case. The letter asks “[a]re laws unconstitutionally vague only if they implicate fundamental rights?”
This case then begs the question: has data security regulation hit the proverbial ‘tipping point’? Is momentum slowly crawling away from big agency regulation and inching towards streamlined industry standards? Maybe. The Stay is certainly a win for LabMD, but it does not mean it is a loss for the FTC. The case is far from over. There are several substantive claims that must be addressed on appeal.
The Federal Trade Commission (FTC) is conducting a three-part fall conference workshop on select technology issues. The first conference was held on September 7th about ransomware. The second conference was held on October 13th about Drones and the last conference will be December 13th about Smart TVs. This is the first post in a two part series that will highlight key themes from the FTC conference and provide tips to help your business before, during, and after an attack.
Ransomware: What is it?
Ransomware is malware that infiltrates a device or potentially an entire information technology network and uses tools to encrypt or “lock” the data located on a device or network such that the organization cannot access its own data unless it pays what is in effect, a monetary ransom (typically paid in untraceable electronic currency called Bitcoins), to the attacker for a “key” to unlock and retrieve the data. Alternatively, some attackers may threaten to either delete the organization’s data or expose the organization’s data to the public if a ransom is not paid in the specified timeframe. Ransomware attacks are unfortunately becoming a common commodity service due to low barriers to entry.
Known sometimes as “ransomware-as-a-service,” the crime is attracting the participation of lower-end criminals as a distribution channel (an “affiliate”) for the “kingpin” or “boss.” The players are typically organized in a tiered hierarchy of 10-15 affiliates per boss. Such a structure makes it difficult to identify and catch the person in charge. According to panelists speaking at the FTC conference, ransomware attacks quadrupled last year, averaging 4,000 ransomware attacks per day, with an average victim payout of $300 last year (though they’ve heard of some demands as high as $30,000), and trending towards an average payout of $700 this year. They estimate that a boss can earn on average $90,000 annually, while affiliates earn on average, $7,200 annually.
“It’s Only Going to Get Worse”
According to Check Point Software, the total number of ransomware attacks increased by 13% in September 2016. Similarly, data breach insurer Beazley recently reported that it is projecting a fourfold increase in ransomware attacks in 2016. The increased number of attacks is in part because these attackers are continuously refining the ransomware business model. While the majority of ransomware attacks (greater than 90%) still occur via phishing emails targeted to users and requiring the user to take an action for the infection to take hold (such as clicking a link or downloading a document), attacks are now being delivered via a variety of other mechanisms such as malvertising, exploit kits, and other programs able to scan Internet of Things (IoT) devices like smart watches, cars, thermostats, and other home and business devices looking for “back door” entrances and other vulnerabilities to exploit. Ransomware can also potentially infiltrate a network via a Trojan horse, by hiding behind other general malware and viruses.
Most recently, ransomware has joined forces with another form of malware, distributed denial of service attacks (DDoS). DDoS attacks, more thoroughly explained here, prevent users from accessing legitimate websites. Cyber criminals have recently begun to combine DDoS attacks with ransomware by demanding payment in the form of bitcoins in order to restore access to websites. So long as victims keep paying the ransom (which they likely will do, given the low ransom value and high data value), ransomware attacks will remain an attractive, profitable business model with low operational risk to the boss and affiliates.
Before You’re Hit: “Practice Good Cyber Hygiene”
Experts emphasize the practice of good cyber hygiene as a preventive strategy to not falling victim to a ransomware attack – be vigilant, be informed (educate all the users of your network), and take preventive measures.
- Educate, educate, educate – your network is only as strong as its weakest link. Break the user mentality that “all links are meant to be clicked.” Teach your employees to recognize the good URLs vs. bad URLs. Train them not to click on bad or questionable links. Use VPN when on public WiFi. Don’t download free apps or any apps onto any device with access to your company’s network without prior approval from your organization’s IT team. Understand your network, what you have and the scope of your organization’s potential exposure (who is accessing what, where it is being accessed, etc.).
- Backup your critical data – understand your business and determine what data is critical to be backed up. Ensure that you back up your data on a routine schedule and the backup is separated from the main network. Do not make it easy for the criminals to access your backup. Do not use drop box as your backup.
- Isolate, segment and contain – segment the network so that any devices that really do not need to connect with other devices are not connected. Segmentation can help contain the spread of the malware to your other systems. As soon as a device is infected, isolate it as soon as possible to prevent the spread of the ransomware. Employers’ IT departments as well as service providers can use the latest commercially available applications to detect potential malware and strip them out before it reaches the employees/end users. Promptly install all patches to plug any holes identified in any network devices and applications.
Click here to continue onto Part 2 which identifies what you should do during and after an attack.