Coming Full Circle: FTC Recovers BIAS Regulation Jurisdiction Following FCC Vote

In a widely publicized decision, the Federal Communication Commission (FCC) voted on Dec. 14, 2017, to repeal the tenets of the Protecting and Promoting the Open Internet Order, or the Open Internet Order, of 2015. See Protecting and Promoting the Open Internet, Report and Order on Remand, 30 FCC Rcd. 5601 (2015). While many have heard of the political debate surrounding the anticipated overturn of the Open Internet Order, commonly referred to as net neutrality rules, many businesses and data privacy experts should pay attention to the privacy regulatory implications this move creates. Most important, this order establishes Federal Trade Commission (FTC) jurisdiction over data privacy and security regulation for broadband internet access service (BIAS) providers, restoring parity between the treatment of BIAS providers and so-called edge networks (e.g. search engines and social media networks) that existed under FTC jurisdiction. Continue Reading

Small Health Care Providers: Do you really know what your IT services vendor is providing to secure your systems?

A small health care provider such as a physician office or clinic often will contract with an IT services vendor to meet overall IT needs to operate the business. A small health care provider may not have the resources and expertise to understand the technical support that an IT services vendor provides, and it relies upon the IT services vendor’s expertise to support, secure, and protect the IT systems and patient data. A health care provider that is a covered entity as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is required to comply with HIPAA, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), and the privacy and security regulations promulgated (the Privacy and Security Rules). HIPAA requires a covered entity to enter into a business associate agreement with an IT services vendor that has access to, uses, maintains, and transmits protected health information (PHI) on behalf of the health care provider. The business associate agreement includes the regulatory minimum requirements that the business associate must take to protect the covered entity’s PHI. But does the health care provider understand what the IT services vendor is providing to secure PHI from unauthorized use and disclosure? Continue Reading

Blockchain – The Future of Digital Identity?

Government agencies, prominent tech companies, startups and newly-created foundations are all working to develop a new paradigm for proof of identity based on blockchain technology. Known as “digital identity,” “decentralized identity,” or “self-sovereign identity,” it would allow individuals to control their own digital identities, limit access to personal data, and provide a much-needed, secure replacement to the current username and password system for access to websites. Digital identity also holds promise for the more than one billion people worldwide who lack officially recognized proof of their existence and, as a result, are deprived of protection, access to banking, education and basic rights. Read more >>

Bringing Geolocation Into Focus

With another Thanksgiving and another Black Friday having come and gone the holiday shopping season is in full swing yet again. As brick-and-mortar retail continues to experience a decline in favor of more convenient ecommerce options, retailers are increasingly looking for ways to enhance the in-store experience, with more and more looking to drive revenue through a targeted mobile strategy. In a counterintuitive approach, given that the rise of smartphones appears to be one of the main driving forces in the decline of brick-and-mortar retail, many retailers are utilizing mobile engagement with consumers to drive sales. These strategies can provide consumers with a number of benefits, including real-time reviews, recommendations and discounts, and even precise location maps to demonstrate where they can find the product they are looking for down to the aisle. However, the technology driving this mobile engagement is becoming the subject of increased scrutiny. Continue Reading

Moving Beyond Passwords – Does Your Face Raise Privacy Concerns?

Phishing attacks continue to be the root cause of a considerable number of data breaches. Typically, these incidents occur when employees are enticed into giving up their login credentials in response to a cleverly designed, yet fake email. Thus, network passwords, combined with employee susceptibility to phishing emails, remain a major security weakness for corporations.

Passwords and Employees

A recent report by Israeli security firm Secret Double Octopus (SDO), reveals that despite policies intended to protect passwords, many employees do not take appropriate precautions. SDO reports that, based on its surveys, about 59 percent of employees rely on paper notes, documents, or electronic text documents to store work-related passwords. Even worse, fourteen percent of respondents said they share work-related passwords, while 21 percent admitted to reusing their work passwords for personal online services. Five percent of employees admit they have entered their work-related passwords into fraudulent forms/web pages – “admit” being the operative word. Continue Reading

From the Mouths of Babes: FTC Issues COPPA Enforcement Policy Regarding Voice Recordings

On October 23, the Federal Trade Commission (FTC) released new guidance on how the Children’s Online Privacy Protection Act (COPPA) Rule may apply to audio recordings of children’s voices collected by websites and online services. Reflecting the FTC’s recent focus on privacy and security concerns related to the Internet of Things (IoT), the nonbinding Enforcement Policy Statement acknowledges the value of certain voice-dependent technologies and outlines how the COPPA Rule should be interpreted with respect to the rapidly growing number of voice-enabled services and applications.

COPPA applies to operators of websites and online services (which may include connected home devices, wearables, toys, and mobile apps) that obtain personal information from children under the age of 13; it imposes restrictions on the collection, use, and sharing of such personal information, requiring notice and parental consent absent certain limited exceptions. The COPPA Rule covers sites and services that are directed to children as well as those that are not targeted to children, but have actual knowledge that they are collecting personal information from children. Continue Reading

Deception and Unfair Practices Come Preinstalled

Lenovo, a manufacturer of personal computers, recently agreed, among other things, to implement a software security program in a settlement with the Federal Trade Commission (FTC) over issues with third-party software preinstalled on some laptops. The software was later found to have significant security vulnerabilities that put consumers’ personal information at risk.

The software created pop-up advertisements tailored to the consumer’s browsing. For example, if the consumer were shopping for an owl-shaped pendant, the software would generate advertisements for other owl-shaped pendants. The software acted as a “man-in-the-middle”, reviewing website information before passing it on to the browser – much like a person reading mail before delivering it with advertisements tailored to preferences indicated in the mail. Continue Reading

FTC Takes Action Against Individual Social Media Influencers

Advertisers’ and brands’ use of social media influencers has continued to grow in importance as brands seek to reach new consumers while marketing to a widespread demographic. Traditionally, influencers are known as people who leverage their social media presence to endorse or promote a brand or product for some form of compensation. As influencers have gained prominence on social media platforms, the Federal Trade Commission (FTC) has paid increasing attention to influencers’ disclosures of a relationship to those brands.

The FTC’s Testimonial and Endorsement Guides require that endorsers disclose any material connection to the brand, unless the connection is otherwise obvious to the consumer. The FTC has previously warned social media influencers against endorsing a brand or product without disclosing a material connection, such as payment, employment or receipt of anything of value including free product and sweepstakes entries, and has brought previous enforcement actions against marketers whose social influencers have failed to disclose their connections to the brand. However, despite persistent warnings and enforcement actions, social media influencers have continued to endorse products without clearly disclosing a material connection, therefore prompting the FTC to take action. Continue Reading

European Court Provides Further Clarity on Employee Monitoring

The September 5, 2017, decision of the Grand Chamber of the European Court of Human Rights (ECHR) in Bărbulescu v Romania (Bărbulescu) has interrupted a recent trend toward limiting privacy in the European workplace. The Bărbulescu decision held that a Romanian employee’s legally protected right to privacy was violated when his employer monitored personal messages he sent from a company account.

This case stemmed from a Romanian company’s dismissal of Mr. Bărbulescu, a sales engineer, for using his company Yahoo Messenger account (the Account) for personal purposes. The engineer set up the Account at his company’s request to respond to customer inquiries and allegedly signed a company notice acknowledging that he was to use it only for work-related communications, but actually used it, in part, for personal communications with his fiancée and brother. The company later informed Mr. Bărbulescu that his communications were being monitored, and it believed that he was using the Account in part for personal purposes. The engineer responded to his employer in writing, stating he used the Account only for work-related purposes. Following this written representation, the company presented Mr. Bărbulescu with a 45-page transcript of his personal conversations and terminated him for breaching company policies. Continue Reading

Privacy Shield Update: Ahead of First Joint Review, Europeans Remain Skeptical as FTC Announces Enforcement Actions

On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of uncertainty surrounding the Framework’s future as EU officials and privacy advocates have questioned its efficacy and validity in the run-up to the first annual joint review set to begin next week.

FTC Enforcement Actions

According to the FTC’s complaints, the three companies claimed on their websites to have self-certified to the EU-U.S. Privacy Shield Framework – and in one instance, also the Swiss-U.S. Privacy Shield Framework – whereas allegedly they had not completed the certification process.

The Commission’s allegations in these cases did not concern substantive violations of the Privacy Shield Principles; rather, they focused on misrepresentations regarding certification status. This should come as no surprise: in an April 13 blog post, the FTC issued a direct warning that it “will pursue enforcement if companies mislead consumers about their participation in Privacy Shield.”

These enforcement actions are likely to be a topic of conversation during the upcoming first annual joint review of the Privacy Shield Framework, which is scheduled to begin next week and will involve representatives from the U.S. Department of Commerce, the European Commission, the Article 29 Working Party and the FTC. Continue Reading