Toying With Children’s Data: Lessons From the FTC’s First Connected Toys Settlement Action

Every year, especially around the holidays, more and more products that connect to the internet hit the market. For adults, connected home devices that act like personal domestic assistants have become increasingly popular. Children have been adding connected toys, some of which have the intelligence and programming to become a child’s best friend, to their holiday gift lists. Although the holidays have passed, connected toys are still finding their way onto lists, such as birthday lists, and, more importantly, onto the investigation lists of the Federal Trade Commission (FTC) and its Canadian counterpart. On Jan. 8, 2018, the FTC, in cooperation with the Office of the Privacy Commissioner of Canada (OPC), which issued its own report finding violations of Canadian law, settled its first-ever connected toy privacy case with Hong Kong-based VTech Electronics, Ltd. (VTech), resulting in a $650,000 penalty. The case is also notable because it illustrates the effectiveness of the U.S. SAFE WEB Act, which facilitates FTC cooperation with other nations’ data protection authorities (DPAs), and indicates that the multi-DPA task force known as the Global Privacy Enforcement Network (which includes the FTC and the OPC) can be effective in helping address international consumer privacy harms. In brief, the case arises out of a December 2015 data security breach that compromised the personal data of approximately 6 million children and 5 million adults worldwide. Both the OPC and the FTC concluded that the incident arose out of VTech’s failure to reasonably protect that data.


Recent Trends, Future Predictions, and Effective Risk Assessments

Risk assessments are a fundamental part of any organization’s risk management process. But many organizations still do not incorporate true risk assessments into their information-security planning, even though doing so makes good business sense and is required by many standards and regulatory frameworks (the HIPAA Security Rule, PCI DSS, and the New York Department of Financial Services Cybersecurity Requirements all require risk assessments, to name just a few). If you are not incorporating a true risk assessment into your security program, 2018 is a good year to start. A properly completed risk assessment will help your organization understand and mitigate its most critical risk scenarios, and will prepare it to respond favorably to regulator inquiries during an audit or after a security incident, at a time when regulatory scrutiny is likely to increase.

The IRS Succeeds in Compelling Crypto Exchange to Disclose User Information

As the price of bitcoin leaps and lurches toward new highs, it seems fitting that the legal regime surrounding it and other virtual currencies is similarly unpredictable. With bitcoin edging its way into mainstream finance, and Coinbase, one of the world’s largest exchanges of bitcoin and other cryptocurrencies, currently holding the top spot on Apple’s free apps chart, U.S. regulators have begun to grapple with how to bring cryptocurrencies and those who use them into compliance with existing and new laws. Though some agencies, like the Securities and Exchange Commission, have chosen a soft entry into regulation by first issuing proactive guidance, others, including the Internal Revenue Service (IRS), have opted to go directly to enforcement actions. A recent decision by the U.S. District Court for the Northern District of California in one such action has brought the privacy, anonymity and tax liability of cryptocurrency account holders to center stage.

Coming Full Circle: FTC Recovers BIAS Regulation Jurisdiction Following FCC Vote

In a widely publicized decision, the Federal Communications Commission (FCC) voted on Dec. 14, 2017, to repeal the tenets of the Protecting and Promoting the Open Internet Order, or the Open Internet Order, of 2015. See Protecting and Promoting the Open Internet, Report and Order on Remand, 30 FCC Rcd. 5601 (2015). While many have heard of the political debate surrounding the anticipated overturn of the Open Internet Order, commonly referred to as the net neutrality rules, businesses and data privacy experts should also pay attention to the privacy regulatory implications this move creates. Most important, the repeal returns data privacy and security regulation of broadband internet access service (BIAS) providers to the jurisdiction of the Federal Trade Commission (FTC), restoring the parity between BIAS providers and so-called edge networks (e.g., search engines and social media networks) that existed when both were subject to FTC jurisdiction.

Small Health Care Providers: Do you really know what your IT services vendor is providing to secure your systems?

A small health care provider such as a physician office or clinic often will contract with an IT services vendor to meet the overall IT needs of the business. A small health care provider may not have the resources and expertise to understand the technical support that an IT services vendor provides, and it relies upon the IT services vendor’s expertise to support, secure, and protect its IT systems and patient data. A health care provider that is a covered entity as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is required to comply with HIPAA, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), and the privacy and security regulations promulgated under them (the Privacy and Security Rules). HIPAA requires a covered entity to enter into a business associate agreement with an IT services vendor that has access to, uses, maintains, or transmits protected health information (PHI) on behalf of the health care provider. The business associate agreement sets out the regulatory minimum safeguards that the business associate must implement to protect the covered entity’s PHI. But does the health care provider understand what the IT services vendor is actually providing to secure PHI from unauthorized use and disclosure?

Blockchain – The Future of Digital Identity?

Government agencies, prominent tech companies, startups and newly created foundations are all working to develop a new paradigm for proof of identity based on blockchain technology. Known as “digital identity,” “decentralized identity,” or “self-sovereign identity,” it would allow individuals to control their own digital identities, limit access to their personal data, and provide a much-needed, secure replacement for the current username and password system for access to websites. Digital identity also holds promise for the more than one billion people worldwide who lack officially recognized proof of their existence and, as a result, are deprived of protection, access to banking, education and basic rights.
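The key-ownership model behind the identity schemes described above, shown as an added example that is not code from the original post or from any of the projects it mentions: the user keeps a key pair in a wallet, the website stores only the public key, and login is a signature over a fresh challenge rather than a password. The `did:example:` prefix, the origin string and the site name are placeholders chosen for illustration; the example does not model any particular blockchain registry, only the challenge-response step that replaces the password.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// IdentifierFor derives the user's identifier from the public key; the user
// "owns" it because only the matching private key can answer a challenge.
// The did:example: prefix is a placeholder, not a registered DID method.
func IdentifierFor(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "did:example:" + hex.EncodeToString(sum[:16])
}

// Wallet is the user's side. The private key never leaves it.
type Wallet struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewWallet() (*Wallet, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Wallet{Pub: pub, priv: priv}, nil
}

// challengeBytes binds the nonce to the relying party's origin, so a signature
// harvested by a look-alike phishing site cannot be replayed at the real one.
func challengeBytes(origin string, nonce []byte) []byte {
	msg := append([]byte(origin), 0)
	return append(msg, nonce...)
}

// Answer signs the challenge; no password or shared secret is ever sent.
func (w *Wallet) Answer(origin string, nonce []byte) []byte {
	return ed25519.Sign(w.priv, challengeBytes(origin, nonce))
}

// RelyingParty is the website. It stores only public keys and single-use
// nonces, so a breach of its database yields nothing that logs anyone in.
type RelyingParty struct {
	Origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register records the public key under its derived identifier.
func (rp *RelyingParty) Register(pub ed25519.PublicKey) string {
	id := IdentifierFor(pub)
	rp.keys[id] = pub
	return id
}

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge(id string) ([]byte, error) {
	if _, ok := rp.keys[id]; !ok {
		return nil, errors.New("unknown identifier")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[id] = nonce
	return nonce, nil
}

// Verify checks the signature over origin||nonce and consumes the nonce, so a
// captured signature cannot be replayed.
func (rp *RelyingParty) Verify(id string, sig []byte) bool {
	nonce, ok := rp.pending[id]
	if !ok {
		return false
	}
	delete(rp.pending, id)
	return ed25519.Verify(rp.keys[id], challengeBytes(rp.Origin, nonce), sig)
}

func main() {
	w, err := NewWallet()
	if err != nil {
		panic(err)
	}
	site := NewRelyingParty("https://bank.example")
	id := site.Register(w.Pub)
	nonce, _ := site.Challenge(id)
	sig := w.Answer(site.Origin, nonce)
	fmt.Println(id, "first login:", site.Verify(id, sig), "replay:", site.Verify(id, sig))
}
```

Two properties carry the security argument: the relying party holds nothing a breach could turn into a reusable credential, and the origin is part of the signed message, so a signature obtained by a phishing site for one origin is useless at another. What the blockchain adds in the schemes the post describes is a shared place to publish and rotate the public key; the login step itself is the exchange above.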

Bringing Geolocation Into Focus

With another Thanksgiving and another Black Friday having come and gone, the holiday shopping season is in full swing yet again. As brick-and-mortar retail continues to decline in favor of more convenient ecommerce options, retailers are looking for ways to enhance the in-store experience, and more and more of them are trying to drive revenue through a targeted mobile strategy. In a counterintuitive approach, given that the rise of smartphones appears to be one of the main forces driving the decline of brick-and-mortar retail, many retailers are using mobile engagement with consumers to drive sales. These strategies can offer consumers a number of benefits, including real-time reviews, recommendations and discounts, and even precise in-store maps that show where to find a product down to the aisle. However, the technology driving this mobile engagement is becoming the subject of increased scrutiny.

Moving Beyond Passwords – Does Your Face Raise Privacy Concerns?

Phishing attacks continue to be the root cause of a considerable number of data breaches. Typically, these incidents occur when employees are enticed into giving up their login credentials in response to a cleverly designed but fake email. Thus, network passwords, combined with employee susceptibility to phishing emails, remain a major security weakness for corporations.

Passwords and Employees

A recent report by Israeli security firm Secret Double Octopus (SDO) reveals that, despite policies intended to protect passwords, many employees do not take appropriate precautions. SDO reports that, based on its surveys, about 59 percent of employees rely on paper notes, documents, or electronic text documents to store work-related passwords. Even worse, 14 percent of respondents said they share work-related passwords, while 21 percent admitted to reusing their work passwords for personal online services. Five percent of employees admit they have entered their work-related passwords into fraudulent forms or web pages, with “admit” being the operative word.

From the Mouths of Babes: FTC Issues COPPA Enforcement Policy Regarding Voice Recordings

On October 23, the Federal Trade Commission (FTC) released new guidance on how the Children’s Online Privacy Protection Act (COPPA) Rule may apply to audio recordings of children’s voices collected by websites and online services. Reflecting the FTC’s recent focus on privacy and security concerns related to the Internet of Things (IoT), the nonbinding Enforcement Policy Statement acknowledges the value of certain voice-dependent technologies and outlines how the COPPA Rule should be interpreted with respect to the rapidly growing number of voice-enabled services and applications.

COPPA applies to operators of websites and online services (which may include connected home devices, wearables, toys, and mobile apps) that obtain personal information from children under the age of 13; it imposes restrictions on the collection, use, and sharing of such personal information, requiring notice and verifiable parental consent absent certain limited exceptions. The COPPA Rule covers sites and services that are directed to children as well as those that are not targeted to children but have actual knowledge that they are collecting personal information from children.

Deception and Unfair Practices Come Preinstalled

Lenovo, a manufacturer of personal computers, recently agreed, among other things, to implement a software security program in a settlement with the Federal Trade Commission (FTC) over issues with third-party software preinstalled on some laptops. The software was later found to have significant security vulnerabilities that put consumers’ personal information at risk.

The software created pop-up advertisements tailored to the consumer’s browsing. For example, if the consumer were shopping for an owl-shaped pendant, the software would generate advertisements for other owl-shaped pendants. To do this, the software acted as a “man-in-the-middle,” intercepting and inspecting the content of the websites the consumer visited before passing it on to the browser, much like a person reading your mail before delivering it, with advertisements tailored to the preferences revealed by what was read.
