FTC Goes After IoT Device Manufacturer for Alleged Security Vulnerabilities in Routers, IP Cameras

On January 6, the Federal Trade Commission (FTC) announced that it had filed a complaint against Taiwanese D-Link Corp. and its U.S. subsidiary, D-Link Systems Inc. (D-Link), alleging the company made deceptive claims about the security of its products and engaged in unfair practices that put U.S. consumers’ privacy at risk. The case is noteworthy for the fact that the FTC did not cite an actual breach affecting D-Link’s devices; rather, it brought the action based on alleged potential harm to consumers that could result from security vulnerabilities associated with the devices.


D-Link sells networking equipment that connects to consumers’ home networks, such as routers, internet protocol (IP) cameras, baby monitors and home security cameras. These devices allow consumers to monitor the safety of their homes, young children and even pets by giving them access to live feeds from their cameras on a mobile device or computer.

The FTC alleges that D-Link failed to protect against “widely known and reasonably foreseeable risks of unauthorized access” to the routers and cameras, thus endangering the privacy and security of their customers. These failures, the FTC asserts, could lead to the exploitation of the devices and exposure of consumer information to attackers.

Tax Season Is in Full Swing: Beware of the W-2 Spear Phishing Scam

Last year we saw an unprecedented number of companies of all sizes fall victim to a W-2 spear phishing scam. The scam usually began with a “spoofing” email that appeared to have been sent by a company’s CEO or CFO to one or more employees in the human resources or payroll department. The email typically requested that all of the company’s employees’ W-2s be sent in PDF format via return message or uploaded to a file sharing site. Unbeknownst to the human resources or payroll department employees, the email did not come from the CEO or CFO but from a criminal who had conducted some research to, at the very least, identify the names and email addresses of the CEO or CFO as well as the targeted human resources or payroll department employees. Here is an example:


From: Jim.Smith@company.com
To: Tony.Adams@company.com
Subject: Treat as Urgent
Date: March 7, 2016 10:55 AM

Hi Tony,

I need copies of all employees’ W-2 wage and tax statements for 2015 to complete a business transaction. I need them in PDF format. You can send them as an attachment.

Jim Smith


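The message above looks internal but is not, and the request itself has a recognisable shape. As an added example (not from the original post or its authors), the Python below triages inbound mail against that pattern from the defender's side: it reads the SPF and DMARC verdicts the receiving mail server stamps into the Authentication-Results header, checks for a Reply-To that diverts replies away from the claimed sender and for a display name borrowed from an executive, and looks for the W-2 / PDF / urgency wording of the request. The domain company.com, the executive list, the .example domains and all four sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own mail domain and the
# executives whose identity a W-2 request is most likely to borrow.
INTERNAL_DOMAIN = "company.com"
EXECUTIVES = {"jim.smith@company.com": "jim smith"}  # address -> display name

# Wording that characterises the request described in the post.
W2_REQUEST = re.compile(r"\bw-?2s?\b|wage and tax statement", re.I)
PDF_OR_ATTACH = re.compile(r"\bpdf\b|attachment", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|today)\b", re.I)


def auth_results(msg):
    """Return the (spf, dmarc) verdicts the receiving MTA recorded, else None."""
    header = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", header)
    dmarc = re.search(r"\bdmarc=(\w+)", header)
    return (spf.group(1).lower() if spf else None,
            dmarc.group(1).lower() if dmarc else None)


def triage(raw_message):
    """Classify one message as deliver / verify / hold / quarantine."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    display = " ".join(display.lower().split())
    from_domain = from_addr.rpartition("@")[2]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()

    # Header indicators: the message is not what its From line claims.
    header_reasons = []
    spf, dmarc = auth_results(msg)
    if from_domain == INTERNAL_DOMAIN and "pass" not in (spf, dmarc):
        header_reasons.append(f"From claims {INTERNAL_DOMAIN} but neither SPF nor DMARC passed")
    if display in EXECUTIVES.values() and from_addr not in EXECUTIVES:
        header_reasons.append(f"display name '{display}' matches an executive but {from_addr} does not")
    if reply_to and reply_to != from_addr:
        header_reasons.append(f"Reply-To diverts replies to {reply_to}")

    # Content indicators: the request itself matches the W-2 scam.
    content_reasons = []
    if W2_REQUEST.search(text):
        content_reasons.append("asks for employee W-2 data")
        if PDF_OR_ATTACH.search(text):
            content_reasons.append("wants it sent as a PDF/attachment")
        if URGENCY.search(text):
            content_reasons.append("applies urgency")

    if header_reasons and content_reasons:
        verdict = "quarantine"  # spoofed sender asking for W-2s
    elif header_reasons:
        verdict = "hold"        # spoofed sender; review before delivery
    elif content_reasons:
        verdict = "verify"      # genuine-looking sender; confirm by phone before sending W-2s
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": header_reasons + content_reasons}


# Constructed sample messages; the .example domains are reserved placeholders.
SPOOFED_W2_REQUEST = """\
From: Jim.Smith@company.com
Reply-To: jim.smith@company-mail.example
Subject: Treat as Urgent
Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=company-mail.example; dmarc=fail header.from=company.com

Hi Tony, I need copies of all employees' W-2 wage and tax statements for 2015 to
complete a business transaction. I need them in PDF format. Send them as an attachment.
"""

LOOKALIKE_SENDER = """\
From: Jim Smith <jim.smith@company-ceo.example>
Subject: W2s
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company-ceo.example; dmarc=none header.from=company-ceo.example

Tony, send me the W2s for all staff as PDF when you get a moment.
"""

GENUINE_REQUEST = """\
From: Jim Smith <Jim.Smith@company.com>
Subject: Audit support
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company.com; dmarc=pass header.from=company.com

Tony, the auditors need one W-2 for the sample employee as a PDF. Can you pull it?
"""

ROUTINE_INTERNAL = """\
From: Jim Smith <Jim.Smith@company.com>
Subject: Benefits review
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company.com; dmarc=pass header.from=company.com

Tony, can we move the benefits review to Thursday at 2pm?
"""

if __name__ == "__main__":
    for name in ("SPOOFED_W2_REQUEST", "LOOKALIKE_SENDER", "GENUINE_REQUEST", "ROUTINE_INTERNAL"):
        result = triage(globals()[name])
        print(f"{name}: {result['verdict']} {result['reasons']}")
```

The "verify" verdict is deliberate: a request that passes every header check can still be the real executive's account after a compromise, so the control the post's scenario calls for is an out-of-band confirmation with the named sender before any W-2 data leaves the payroll system. The header checks assume the inbound gateway records SPF and DMARC results in Authentication-Results (RFC 8601); a gateway that does not will leave every internal-looking sender flagged, which is the safe direction to fail.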

Massachusetts Breach Notifications Will Now Be Publicly Available Online

On Jan. 3, 2017, the Massachusetts Office of Consumer Affairs and Business Regulation announced that it will begin making its data breach notification archive publicly available online. Previously, data breach notifications filed with the Massachusetts attorney general were only available through public records requests. The change was made pursuant to the June 2016 amendment to the Public Records Law, which, among other things, authorized individual agencies to post public record information of significant interest that agencies deem appropriate.

“The Data Breach Notification Archive is a public record that the public and media have every right to view,” said Consumer Affairs Undersecretary John Chapman. “Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records Law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”

Data Breach Trends — 2016: the Year of Ransomware

Over the past year, the BakerHostetler Incident Response team has closely monitored data breach trends, and we are confident in concluding that 2016 was the year of ransomware. Nothing has had a greater impact or has been as widespread in 2016 than ransomware.

From a hospital in California to a police department in Massachusetts, ransomware has been a plague for organizations large and small. And yet, despite being around for years, 2016 was the year ransomware became an epidemic. Security firm Kaspersky Labs estimates that in the third quarter of 2016, a ransomware infection was occurring every 30 seconds, and a November 2016 study by SentinelOne found that half of all companies surveyed reported a ransomware attack in the past 12 months. With the FBI announcing that ransomware was on track to be a billion-dollar criminal enterprise, it’s no secret that money has been fueling this outbreak.

New York Department of Financial Services Issues Revised Cybersecurity Regulations

With the clock ticking down to the new year, on December 28, 2016, the New York State Department of Financial Services (NYDFS) released highly anticipated revisions to its proposed Cybersecurity Requirements for Financial Services Companies (the “Proposal”). As we previously reported, the NYDFS first announced the proposed regulations in September; at that time, they were slated to go into effect on January 1, 2017. The updated Proposal retains many core concepts from the first, establishing “certain regulatory minimum standards” relating to cybersecurity protections for the customer information and IT systems of banks, insurance companies and other NYDFS-regulated financial institutions. But multiple provisions have undergone substantial revision, ostensibly to address the many concerns and objections that NYDFS received during the 45-day comment period following its September publication of the original version.

Revisit privacy notices in the new year

Companies are required to accurately disclose their material consumer data practices in clear, conspicuous and understandable privacy notices. As 2016 came to a close, the Federal Trade Commission (FTC) reminded companies of this in an enforcement action settlement concerning a privacy notice that did not accurately describe interest-based advertising practices and related consumer choice options, which we blogged about here, and in an FTC staff report summarizing a Q4 FTC public workshop, Putting Disclosures to the Test (Disclosure Report), that examined academic and research approaches and findings on the effectiveness of disclosures and ways to evaluate disclosure effectiveness, including privacy notices. Two lessons can be learned from what the FTC had to say: (1) privacy notices are potentially deceptive if they are not complete and accurate, and (2) even a complete and accurate privacy notice is potentially deceptive if its disclosures are not made in ways that ensure that “consumers will see or hear and understand them.”

FCC Closes Year With Enforcement Advisory on Text Messages

Almost a year and a half after the Federal Communications Commission (FCC or Commission) issued an update to its rules and regulations implementing the Telephone Consumer Protection Act (TCPA) (2015 FCC TCPA Omnibus Ruling and Order),[1] which we discussed then here, the Commission, in a formal Enforcement Advisory (Advisory), has warned companies that use text messaging to communicate with or advertise to consumers, employees and others that “the FCC’s Enforcement Bureau will vigorously enforce the important consumer protections in the TCPA and our corresponding rules” and that it “is committed to protecting consumers from harassing, intrusive, illegal and unwanted robotexts to cell phones and other mobile devices.” It further warns that “[r]obotext violations are subject to enforcement by the FCC, including forfeiture penalties up to $18,936 per violation.” While the FCC is required to issue a warning citation and find subsequent violations before imposing monetary penalties, the TCPA permits consumer class actions, and no such opportunity to cure is required in those cases, which currently number in the thousands and frequently result in seven- and eight-figure resolutions. Accordingly, what the FCC says, and does not say, in this Advisory should be noted by companies that use text messaging.

Looking back at the HIPAA resolution agreements in 2016

In 2016, Health and Human Services’ (HHS) Office for Civil Rights (OCR), the enforcement arm for HIPAA, continued robust enforcement efforts. There were 12 reported resolution agreements (RA) in 2016. An RA is a settlement agreement between HHS and a covered entity (or business associate) where the entity agrees to the payment of a resolution amount. In addition to the payment amount, an RA typically also includes a corrective action plan (CAP), where OCR monitors compliance. Generally, RAs arise in the wake of a breach report submitted to OCR and a subsequent investigation.

The resolution amounts in 2016 continued a trend we have seen toward higher settlement payments, including settlements of over a million dollars and some well over that. Of the 12 RAs in 2016, seven were over $1 million, including amounts of $5.5 million, $3.9 million and $2.75 million.

FTC Settles with Ad Tech Company Over Deceptive Online Tracking Practices

On December 20, 2016, the Federal Trade Commission (FTC) announced that Turn Inc. agreed to settle charges that it misled consumers about its online tracking activities and failed to honor consumer opt-outs as described in its privacy policy.


Turn is a digital advertising company that facilitates targeted marketing by commercial brands and ad agencies through the use of various tracking mechanisms such as cookies, web beacons and device identifiers that help direct ads to consumers online and through mobile apps.

What Can Be Learned From 2016 Security Incidents?

Cue the year-end articles saying that this was the worst year to date for data breaches. Follow that with more dire predictions for 2017. Layer in one-size-fits-all recommendations to mitigate these risks. And finish with technology solutions that you must have. If you read all of this you might come away thinking that if your company is not using AI and machine learning, buying threat intelligence, building a threat-hunting team, installing a next-generation antivirus solution, deploying an endpoint product and reducing your attack surface, all of those bears people talk about outrunning may already be in your network.