With another Thanksgiving and another Black Friday having come and gone, the holiday shopping season is in full swing yet again. As brick-and-mortar retail continues to experience a decline in favor of more convenient ecommerce options, retailers are increasingly looking for ways to enhance the in-store experience, with more and more looking to drive revenue through a targeted mobile strategy. In a counterintuitive approach, given that the rise of smartphones appears to be one of the main driving forces in the decline of brick-and-mortar retail, many retailers are utilizing mobile engagement with consumers to drive sales. These strategies can provide consumers with a number of benefits, including real-time reviews, recommendations and discounts, and even precise location maps showing where they can find the product they are looking for, down to the aisle. However, the technology driving this mobile engagement is becoming the subject of increased scrutiny.
Phishing attacks continue to be the root cause of a considerable number of data breaches. Typically, these incidents occur when employees are enticed into giving up their login credentials in response to a cleverly designed, yet fake email. Thus, network passwords, combined with employee susceptibility to phishing emails, remain a major security weakness for corporations.
Passwords and Employees
A recent report by Israeli security firm Secret Double Octopus (SDO) reveals that despite policies intended to protect passwords, many employees do not take appropriate precautions. SDO reports that, based on its surveys, about 59 percent of employees rely on paper notes, documents, or electronic text documents to store work-related passwords. Even worse, 14 percent of respondents said they share work-related passwords, while 21 percent admitted to reusing their work passwords for personal online services. Five percent of employees admit they have entered their work-related passwords into fraudulent forms/web pages – “admit” being the operative word.
On October 23, the Federal Trade Commission (FTC) released new guidance on how the Children’s Online Privacy Protection Act (COPPA) Rule may apply to audio recordings of children’s voices collected by websites and online services. Reflecting the FTC’s recent focus on privacy and security concerns related to the Internet of Things (IoT), the nonbinding Enforcement Policy Statement acknowledges the value of certain voice-dependent technologies and outlines how the COPPA Rule should be interpreted with respect to the rapidly growing number of voice-enabled services and applications.
COPPA applies to operators of websites and online services (which may include connected home devices, wearables, toys, and mobile apps) that obtain personal information from children under the age of 13; it imposes restrictions on the collection, use, and sharing of such personal information, requiring notice and parental consent absent certain limited exceptions. The COPPA Rule covers sites and services that are directed to children as well as those that are not targeted to children, but have actual knowledge that they are collecting personal information from children.
Lenovo, a manufacturer of personal computers, recently agreed, among other things, to implement a software security program in a settlement with the Federal Trade Commission (FTC) over issues with third-party software preinstalled on some laptops. The software was later found to have significant security vulnerabilities that put consumers’ personal information at risk.
The software created pop-up advertisements tailored to the consumer’s browsing. For example, if the consumer were shopping for an owl-shaped pendant, the software would generate advertisements for other owl-shaped pendants. The software acted as a “man-in-the-middle”, reviewing website information before passing it on to the browser – much like a person reading mail before delivering it with advertisements tailored to preferences indicated in the mail.
Advertisers’ and brands’ use of social media influencers has continued to grow in importance as brands seek to reach new consumers while marketing to a widespread demographic. Traditionally, influencers are known as people who leverage their social media presence to endorse or promote a brand or product for some form of compensation. As influencers have gained prominence on social media platforms, the Federal Trade Commission (FTC) has paid increasing attention to influencers’ disclosures of a relationship to those brands.
The FTC’s Testimonial and Endorsement Guides require that endorsers disclose any material connection to the brand, unless the connection is otherwise obvious to the consumer. The FTC has previously warned social media influencers against endorsing a brand or product without disclosing a material connection, such as payment, employment or receipt of anything of value including free product and sweepstakes entries, and has brought previous enforcement actions against marketers whose social influencers have failed to disclose their connections to the brand. However, despite persistent warnings and enforcement actions, social media influencers have continued to endorse products without clearly disclosing a material connection, therefore prompting the FTC to take action.
The September 5, 2017, decision of the Grand Chamber of the European Court of Human Rights (ECHR) in Bărbulescu v Romania (Bărbulescu) has interrupted a recent trend toward limiting privacy in the European workplace. The Bărbulescu decision held that a Romanian employee’s legally protected right to privacy was violated when his employer monitored personal messages he sent from a company account.
This case stemmed from a Romanian company’s dismissal of Mr. Bărbulescu, a sales engineer, for using his company Yahoo Messenger account (the Account) for personal purposes. The engineer set up the Account at his company’s request to respond to customer inquiries and allegedly signed a company notice acknowledging that he was to use it only for work-related communications, but actually used it, in part, for personal communications with his fiancée and brother. The company later informed Mr. Bărbulescu that his communications were being monitored, and it believed that he was using the Account in part for personal purposes. The engineer responded to his employer in writing, stating he used the Account only for work-related purposes. Following this written representation, the company presented Mr. Bărbulescu with a 45-page transcript of his personal conversations and terminated him for breaching company policies.
On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of uncertainty surrounding the Framework’s future as EU officials and privacy advocates have questioned its efficacy and validity in the run-up to the first annual joint review set to begin next week.
FTC Enforcement Actions
According to the FTC’s complaints, the three companies claimed on their websites to have self-certified to the EU-U.S. Privacy Shield Framework – and in one instance, also the Swiss-U.S. Privacy Shield Framework – whereas allegedly they had not completed the certification process.
The Commission’s allegations in these cases did not concern substantive violations of the Privacy Shield Principles; rather, they focused on misrepresentations regarding certification status. This should come as no surprise: in an April 13 blog post, the FTC issued a direct warning that it “will pursue enforcement if companies mislead consumers about their participation in Privacy Shield.”
These enforcement actions are likely to be a topic of conversation during the upcoming first annual joint review of the Privacy Shield Framework, which is scheduled to begin next week and will involve representatives from the U.S. Department of Commerce, the European Commission, the Article 29 Working Party and the FTC.
Two digital advertising companies, Adbrain and Exponential Interactive, were cited in recent decisions by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for not complying with the online advertising industry’s requirements for interest-based advertising (IBA), the practice of tracking users across time and services to build interest profiles on them in order to serve more relevant ads.
The latest in a series of enforcement actions by the OIBAAP for noncompliance with the Digital Advertising Alliance (DAA) Self-Regulatory Principles (Principles), these two cases provide important takeaways for digital advertisers.
Uber, the ride-hailing giant, agreed this week to implement a comprehensive privacy program and to undergo 20 years of privacy and data security audits in order to settle allegations by the Federal Trade Commission (FTC) that Uber did not keep its promises to protect customer data. The FTC had alleged two separate failures by Uber: first, misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second, misrepresenting that it deployed reasonable measures to secure personal information it stored on a third-party cloud provider’s servers. This week’s settlement made clear the FTC’s view that being an early-phase company is no excuse for weak data protection measures or misleading statements regarding consumer data privacy.
The settlement resolved an investigation that began in November 2014, after a series of media reports alleging improper access and use of customer personal information by Uber employees caused an outcry among consumers. One article reported that an Uber executive (now former) had suggested that the company hire “opposition researchers” to look into the “personal lives” of journalists who had raised questions regarding Uber’s business practices. A second article described an internal tracking tool, known as “God View,” that displayed the personal information of riders using Uber’s services.
On Aug. 17, 2017, Delaware revamped its existing data breach notification statute. In doing so, Delaware became the second state (joining Connecticut) to mandate offering individuals affected by a breach of security involving Social Security numbers at least one year of complimentary credit monitoring services. The new law takes effect on April 14, 2018, and includes some minor reworking of definitions to make the entire statute more cohesive, as well as several major new components.
First, the new law expands the definition of “personal information” to include a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual: (1) Social Security number; (2) driver’s license number or state or federal identification card number; (3) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) passport number; (5) a username or email address, in combination with a password or a security question and an answer that would permit access to an online account; (6) medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or DNA profile; (7) health insurance policy number, subscriber identification number or any other unique identifier used by a health insurer to identify the person; (8) unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and (9) an individual taxpayer identification number.