Written by: Stephanie D. Willis
As the world recovers from the excitement leading up to Tuesday’s Apple Live Event announcement of the new iPhone 6 and Apple Watch, mobile app developers are champing at the bit to create software that leverages the new operating system and Apple’s widely anticipated “HealthKit,” a purportedly secure platform that allows mHealth apps to share users’ health and fitness data with the new Health app and with each other. By some reports, more than 300 new apps have appeared per day in recent years. But the mobile app market is supersaturated, and the quantity of available apps says nothing about how many are well built and secure enough for use at an organization with a high privacy and security risk profile. The draft Technical Considerations for Vetting 3rd Party Mobile Applications (draft NIST Special Publication 800-163, the “Vetting Report”), issued by the National Institute of Standards and Technology (NIST) in August 2014, is an essential document for any organization that wants to weed out the mobile apps that would create unnecessary IT risk.
Back to school, back to traffic jams … back to Privacy Mondays! Our look at bits and bytes and goofs and gaffes in data privacy and security.
Home Depot Breach Update
It has been nearly a week, and The Home Depot has still not confirmed that it is the latest victim of point-of-sale hackers in what is potentially a massive data breach. The company has confirmed that it is in contact with the U.S. Secret Service about an investigation into a potential breach, and Chief Executive Officer Frank Blake told investors at the annual Goldman Sachs Retailing Conference last Thursday that Home Depot and the investigators were working around the clock to determine whether a breach occurred. He has yet to confirm that one did.
The delay has already prompted at least one purported class action lawsuit in the U.S. District Court for the Northern District of Georgia, Atlanta Division. The suit, filed last Thursday, alleges that Home Depot failed to meet its legal obligation to protect the putative plaintiffs’ credit card and personal information and failed to warn them in a timely manner that their information had been stolen or compromised. The complaint alleges that in “late April or early May 2014, computer hackers gained access to Home Depot’s POS data network and stole the personal financial information of hundreds of thousands, if not millions, of Home Depot’s customers.” None of these facts has been confirmed by the retailer; so far they have appeared only on the security blog Krebs on Security, attributed to unnamed banking sources.
Written by Jake Romero
When one thinks of the use of technology in school, often the first image that comes to mind is of students sending ill-advised Snapchats and making in-app purchases that line the pockets of the Kardashian family, rather than paying attention in geometry. As a tool for teachers, however, online educational tech products can be a valuable resource to deliver materials to students in dynamic fashion and collect detailed information regarding learning habits. As a result, there has been a substantial increase in classroom technology products that operate online and collect and process student data, including many products that may not be subject to the provisions of the Family Educational Rights and Privacy Act (FERPA) because they are being used at the direction of a faculty member, rather than under a contract with the school. Now, California is aiming to close this regulatory gap and rein in the use of student data for commercial gain.
Senate Bill 1177, referred to as the Student Online Personal Information Protection Act (SOPIPA), has been passed by the California legislature and is expected to be signed into law. SOPIPA applies to operators of online services (including websites and mobile applications) with actual knowledge that the online service is used for K-12 school purposes, where the service was designed and marketed for K-12 school purposes. SOPIPA imposes restrictions with respect to the collection, use, storage and destruction of student personal information. As defined in the bill, student “personal information” includes any information or materials created by the student (or his or her parent or guardian) while using the service, as well as information gathered by the online service that is related to the student. If signed into law, SOPIPA will require the following:
- Use Restrictions. Education service providers who are subject to SOPIPA will not be permitted to use, share, disclose or compile personal information about K-12 students other than for the K-12 school purpose for which it was collected and for maintaining the service. SOPIPA also explicitly bars use, sharing, disclosure or compilation of student information for commercial purposes, such as advertising or profiling.
- Marketing Restrictions. Education service providers will be prohibited from marketing or advertising products and services to the students on the online service, or allowing any third party to do so.
- Protection of Student Data. Education service providers will also be required to take all reasonable steps to protect student data at rest and in motion in a manner that meets commercial best-practice standards. For clarity, SOPIPA provides that an operator is deemed to have complied with this requirement if (i) its encryption of data at rest is consistent with NIST Special Publication 800-111 and (ii) its data in motion is encrypted in compliance with NIST Special Publication 800-52, 800-77 or 800-113, or in another manner validated under the Federal Information Processing Standards.
- Third Party Subcontractors and Advertisers. If a secondary online service is accessible through the operator’s educational service, then the educational service operator is required to put the third party on notice that the online service is used, designed and marketed for K-12 school purposes. If that notice is not provided to the secondary service provider, then under SOPIPA the educational service provider will be liable for the secondary service’s compliance with SOPIPA, unless the secondary service had actual knowledge that the primary service is being used and was designed for K-12 purposes.
- Deletion of Student Data. Education service providers will be required to delete K-12 student data at the point where (i) the data is no longer being used for the educational purposes for which it was collected (whether before or after the student’s graduation or transfer to a different educational institution) or (ii) at the student’s request.
If SOPIPA is enacted, we can expect to see the biggest hit in the areas of targeted advertising and educational services analytics, particularly to the degree that those services rely on building a profile of the individual student. With SOPIPA heading to the Governor’s desk, online service providers (who should already be in the process of preparing for new restrictions on marketing toward children and requirements to delete children’s data that go into effect on January 1, 2015) should begin thinking about what kind of changes they may need to make to stay compliant.
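To make the “data in motion” prong concrete: SP 800-52 is NIST’s guidance on configuring TLS. The following Python is an added illustration, not code from the bill, this blog or NIST. It builds a client TLS context that refuses anything below TLS 1.2 and restricts the TLS 1.2 cipher list to forward-secret AEAD suites, and it audits an offered suite list against a list of algorithm markers that SP 800-52 rev. 1 excludes (NULL, export, RC4, DES/3DES, MD5 MACs, anonymous key exchange). The marker list, the function names and the constructed LEGACY_OFFER sample are my own assumptions for illustration, not the publication’s suite table, and passing this audit is a configuration check, not a compliance determination.

```python
import ssl

# Algorithm markers that disqualify a cipher suite under SP 800-52 rev. 1:
# NULL/export/RC4/DES(3DES) ciphers, MD5 MACs and anonymous (ADH/AECDH)
# key exchange. Assumption for illustration; it is not NIST's suite table.
DISALLOWED_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def is_approved_suite(name):
    """True when an OpenSSL-style suite name carries no disallowed algorithm."""
    upper = name.upper()
    return not any(marker in upper for marker in DISALLOWED_MARKERS)


def audit_suites(names):
    """Return the suites from an offered list that the policy rejects, in order."""
    return [n for n in names if not is_approved_suite(n)]


def hardened_client_context():
    """Client context: TLS 1.2 or later only, forward-secret AEAD suites for
    TLS 1.2, peer certificate and hostname verification left at the secure
    defaults that PROTOCOL_TLS_CLIENT sets."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.3 suites are fixed by the library; this string governs TLS 1.2.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx):
    """Summarise what a context can negotiate and which suites fail the policy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "suites": names,
        "rejected": audit_suites(names),
    }


# Constructed sample of what a legacy back-office or POS stack might still
# offer; not a capture from any real system.
LEGACY_OFFER = [
    "RC4-SHA",
    "DES-CBC3-SHA",
    "AES128-SHA",
    "NULL-MD5",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "EXP-RC4-MD5",
]

if __name__ == "__main__":
    print("legacy offer rejected:", audit_suites(LEGACY_OFFER))
    report = audit_context(hardened_client_context())
    print("hardened minimum:", report["min_version"], "rejected:", report["rejected"])
```

The legacy list fails on four of six suites, while the hardened context yields an empty rejection list with a TLS 1.2 floor. In practice the same audit should be run against what the server actually offers (for example, the suite list a scanner reports), since the client-side policy only controls one end of the connection.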
In the past few years the National Labor Relations Board (“NLRB”) has taken an increased interest in whether workplace policies prohibiting employees from discussing the terms and conditions of their employment on social media such as Facebook and Twitter violate the National Labor Relations Act (“NLRA”) by interfering with workers’ rights to engage in concerted activity. Federal law prohibits an employer from interfering with employees who come together to discuss work-related issues for the purpose of collective bargaining or other mutual aid or protection, and the NLRB has (correctly) noted that social media has become one of the primary avenues through which employees engage in such activity. A spate of recent decisions makes clear that the NLRB has intensified (and will likely continue to intensify) its scrutiny of employer social media policies and this scrutiny extends no less to non-unionized employers.
Our colleagues at the Mintz Levin Employment Matters blog have written a thorough analysis of the latest, and you will want to read it and take another hard look at your company’s social media policies.
It appears that the data breach victim of the week (perhaps of the year) is The Home Depot. Brian Krebs has reported that it appears that two large dumps of purloined credit card numbers have made an appearance on the black market and that those numbers may have originated at Home Depot locations. Krebs’ reporting is here.
This latest incident raises yet another round of concerns about the malware known as “Backoff” and the potential widespread effect on retailers. We posted a Backoff update last week. According to the New York Times, when one adds the compromised records in Target, PF Chang’s, Neiman Marcus, Sally Beauty, Michaels, UPS and others, the number of affected customers amounts to more than one-third of the U.S. population.
Roundup of some latest reporting on the Home Depot breach:
Home Depot Breach Could Be as Big as Target’s – Computerworld
What it Means for Home Depot if Breach is as Big as Target’s – Forbes
Home Depot Tries to Reassure Customers – Wall Street Journal
The Home Depot story is rapidly evolving and we will update as further information is available.
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) The UK’s Information Commissioner’s Office (ICO) is accepting comments from the public on a proposed UK privacy seal program. The deadline for comments is October 3, 2014.
The ICO intends to endorse at least one privacy seal program in 2015. Privacy seal programs are voluntary privacy frameworks (such as TRUSTe, BBBOnLine and WebTrust) that are run by third party organizations. The ICO is seeking UK-specific programs and has articulated various requirements for such programs. The draft criteria and consultation document are available on the ICO website.
The National Institute of Standards and Technology (NIST), which published the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”) in February 2014, has published a Request for Information in the Federal Register seeking comments on industry experience with the Framework to date. Comments are solicited in three areas: current awareness of the existence and content of the Framework, industry experience in using the Framework to evaluate and improve cybersecurity, and where future revisions of the Framework should be focused. The list is not exclusive, and comments on other Framework-related matters are welcome as well. Comments are due by October 10, 2014 and may be submitted to firstname.lastname@example.org. Comments will be made publicly available at http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm, so no confidential information should be submitted.
Written by Cynthia Larose
Some weeks ago, we wrote a piece, “What You Need to Know About Backoff Malware: The New Threat Targeting Retailers.” It has apparently gotten worse. Any business that uses point-of-sale (POS) terminals to swipe credit cards needs to pay attention to this threat and assess its exposure. Hospitals, physicians’ offices, veterinary clinics, colleges and universities, municipalities — everyone — not just retailers. Read on.
Since our piece was published, the Backoff malware or one of its multiple variants has been implicated in compromises at more than 1,000 U.S. businesses, including two of the most recent, Supervalu and United Parcel Service. The fear is that it is so widespread that the Department of Homeland Security and the U.S. Secret Service have warned retailers, regardless of size, to check their POS systems for it.
Written by Julia Siripurapu, CIPP/US
According to recent media reports, Google is allegedly designing a Google account for children under 13 which would permit children in this age group to officially create their own Gmail account and to access a kid-friendly version of YouTube. Google currently prohibits children 12 and under from creating a Google account by implementing an age-neutral verification mechanism in the account creation process and using cookies to ensure that children cannot bypass the age screen on a subsequent try. As reported by the Wall Street Journal, “now Google is trying to establish a new system that lets parents set up accounts for their kids, control how they use Google services and what information is collected about their offspring… Google wants to make the process easier and compliant with the rules.”
The reported initiative, which has not yet been confirmed by Google, is certainly very interesting and would clearly require the tech giant to comply with the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (as amended, the “COPPA Rule”). It will be especially interesting to see how Google handles the advertising component of the service, which is a major piece of its business. In order to comply with COPPA, Google would have to engineer and design the new service around the requirements of the COPPA Rule. PC Magazine reported in its story that “as part of the move, Google will also introduce a dashboard where parents can oversee their kids’ activities.” This seems like a step in the right direction for Google, but it will be a long journey! As we all know, the COPPA Rule goes far beyond giving parents the right and ability to monitor their children’s online activities and includes, among other requirements, complex parental notice and verifiable consent requirements. The Mintz Levin Guide to COPPA is available here.
As the first of the major online platforms to offer accounts specifically to children under 13, Google would certainly be in the spotlight, and the new service would be closely monitored by the privacy community and the FTC. In fact, privacy advocacy groups, like the Center for Digital Democracy (CDD), have already voiced concern, as reported by the Wall Street Journal, that “Unless Google does this right it will threaten the privacy of millions of children and deny parents the ability to make meaningful decisions about who can collect information on their kids.” CDD’s executive director, Jeff Chester, informed the Wall Street Journal that the CDD shared its concerns with the Federal Trade Commission on Monday and that the organization is in the process of creating an action plan for monitoring how Google rolls out the service to children. The Wall Street Journal also reported that the FTC declined to comment on the matter, “saying the agency does not comment on specific companies’ plans.”
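The age-neutral screen described above is worth seeing in code, because the two details that make it work are easy to get wrong. The following Python is an added illustration, not Google’s implementation or anything from the reports quoted here: the screen asks for a full birth date rather than a yes/no question that reveals the threshold, computes the age without the off-by-one on birthdays not yet reached this year, and once a visitor has been screened out sets a persistent flag (a cookie in a real deployment, a plain dict here) that blocks retries with a different birth date. The cookie name and function names are my own assumptions.

```python
from datetime import date

COPPA_AGE = 13  # COPPA covers children under 13

# Cookie name is an assumption for illustration; any opaque name works.
SCREENED_OUT_COOKIE = "age_screen_failed"


def age_on(birth, today):
    """Whole years from birth to today; a birthday later this year has not happened yet."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def screen(cookies, birth, today=None):
    """Age-neutral screen. Returns (allowed, cookies_to_set).

    The form collects a full birth date instead of asking "Are you 13 or
    older?", so the page never tells the visitor what answer would get them
    through. Once a visitor has been screened out, the flag cookie blocks any
    later attempt with a different birth date, so a child cannot simply go
    back and try again.
    """
    today = today or date.today()
    if cookies.get(SCREENED_OUT_COOKIE) == "1":
        return False, {}  # an earlier failure sticks; no second try
    if birth > today:
        return False, {}  # malformed input: not admitted, but not a screen-out either
    if age_on(birth, today) < COPPA_AGE:
        return False, {SCREENED_OUT_COOKIE: "1"}
    return True, {}


if __name__ == "__main__":
    today = date(2014, 9, 8)  # constructed date for a deterministic run
    print(screen({}, date(2001, 9, 9), today))   # one day short of 13: blocked, flag set
    print(screen({}, date(2001, 9, 8), today))   # exactly 13 today: admitted
    print(screen({SCREENED_OUT_COOKIE: "1"}, date(1990, 1, 1), today))  # retry: still blocked
```

Two caveats a reviewer would raise: the flag is only as persistent as the cookie, so a cleared browser or a different device gets a fresh attempt, and the screen governs account creation, not the notice, verifiable parental consent and data-handling obligations that apply once a child is actually admitted.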
Technology, retail, medical, financial services, education … and more: organizations in every sector experience data losses on a daily basis through employee negligence, poor controls, insider attacks, advanced persistent threats from malevolent outsiders, or computer viruses.
Join Mintz Levin Privacy team members and other privacy and security experts in San Francisco on September 30 for a roundtable discussion of best practices for assessing the risk and preparing to respond to data breaches.
Register here by September 25.