Welcome to the first Monday in April.
Our Privacy Monday is a report on the Federal Trade Commission’s latest privacy notice-related settlements with Fandango and Credit Karma. These settlements should be reviewed by any company with (or planning to have) mobile applications, and they reinforce our mantra: Say what you do, and do what you say. And make sure you know what that is.
Stop Phoning it In on Mobile Security: What Your Business Needs to Know About the FTC Settlements with Fandango and Credit Karma
Written by Jake Romero
If you’ve had a birthday in the past two weeks, you may have received a greeting card from an unlikely source: the National Security Agency. Following President Obama’s call for large-scale reform of the NSA, the agency has initiated a rebranding campaign in the hopes of winning back the trust and favor of the American public. White House Press Secretary Jay Carney acknowledged early Tuesday morning that birthday cards have been mailed to approximately 11 million Americans over the past few weeks, based largely on information collected from telecommunications companies and major mobile application developers. Carney also added that there are plans to expand the program. “The reality is that, as everyone knows, the NSA has the information and is therefore in a position to be of great assistance to the average American,” Carney said. With that in mind, the NSA is currently testing an expansion of the program that would offer text message or email reminders of spouse birthdays, anniversaries and major upcoming events at the school where an individual’s child is registered.
The cards are simple and casual in tone, with messages such as “We hope you’re having a great birthday here in America!” and each is signed anonymously by a member of the agency. They are also, however, a sobering reminder of the lengths to which an agency or corporate entity may need to go to repair its reputation following unwanted sharing or disclosure of personal information. A recent Harris Poll found that blame and distrust following a data breach can be widespread, but is largely focused on retailers. The poll’s findings suggest that ultimately the negative consequences of a data security incident will be felt largely by the entity with which the individual consumer has the closest relationship. There is no time like the present to ensure that your security measures for protecting the information of your customers are up to date.
A picture of the card received by one of our colleagues can be found here.
UPDATE to our story yesterday:
In what apparently is a big “oops,” two banks that took legal action against Target over its recent data breach have withdrawn their claims. The suits were withdrawn due to an erroneous allegation against Trustwave, a security vendor also named in the suit.
Green Bank of Houston filed a notice of dismissal Monday in the U.S. District Court for the Northern District of Illinois, effectively saying it will no longer pursue the claim. Trustmark National Bank of New York made a similar filing Monday.
Read more here: Computerworld
Last Monday in March (Opening Day for you baseball fans) - some privacy/security bits and bytes to close out the month.
Microsoft: “We won’t access private e-mail accounts … Promise.”
Microsoft has committed to no longer accessing the private e-mail accounts of its users after criticism that the company looked at the e-mail of a former employee during an internal investigation. The company said it will turn such matters over to law enforcement. Microsoft has “advocated that governments should rely on formal legal processes and the rule of law for surveillance activities,” so “it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations,” Microsoft’s General Counsel Brad Smith wrote in a blog post.
Read More: The Hill’s Hillicon Valley Blog
It has been difficult to keep up with all the various permutations of the Target data breach saga.
Yesterday, the finger-pointing continued in the form of the release of a Harris Poll and testimony on Capitol Hill at a U.S. Senate hearing.
Mintz Levin employment lawyer Don Schroeder was recently quoted in this Law360 Article entitled Microsoft Steps in Privacy Quagmire With Email Snooping. The article focuses on the controversial choice by Microsoft Corp. to search a blogger’s e-mail account for evidence of leaked trade secrets by its former employee. The article also explores whether or not the company will face charges and how it will fare against public opinion.
Written by Julia Siripurapu, CIPP/US
Delaware state representative Darryl Scott recently introduced the Child Online Protection Act (House Bill 261 or the “Bill”) to the state’s House of Representatives. If passed, the Bill would: (1) prohibit the online marketing and advertising of certain products and services to children under the age of 18 (“Minors”), as well as the use of a Minor’s personally identifiable information (“any information about a person that permits the physical or online identifying or contacting of a person,” such as a home or other physical address, e-mail address, telephone number, social security number (or other government issued ID), geolocation data, DNA or other genetic material) to market or advertise certain products or services to the Minor; (2) permit individuals to delete or request the deletion of content they posted online (either via a website or mobile application) as Minors, except in certain prescribed circumstances; and (3) require online operators to establish an age verification system “that can be reasonably expected to identify the age of the child who is a prospective or registered user.”
Mintz Levin is presenting a roundtable discussion tomorrow titled: NIST Framework: How to Best Mitigate Cyber Risk for Your Organization
With the threats facing even the largest companies highlighted by recent disclosures by Target, Neiman Marcus, and others that the security of millions of customer credit and debit cards has been compromised, companies of all types are taking a closer look at what they can do to mitigate their risks and protect their customers and suppliers. In addition, agencies including the SEC, FTC, Defense Department, and GSA are paying increased attention to companies’ cyber vulnerabilities.
In this informative discussion, we’ll look at the Cybersecurity Framework’s recommendations and how you can use them to assess and improve your organization’s security practices. Our speakers have been actively involved in the development of the NIST framework and private sector cybersecurity policy. You won’t want to miss their insights into the framework’s key elements and the most effective approaches for developing a program that best suits your individual organization’s risks and circumstances.
To join us, register here.
Welcome to March Madness — although if your brackets look anything like mine do this morning, it is not particularly “welcome.” Let’s just say that there is no danger of my winning Warren Buffett’s $1 billion.
Privacy and cybersecurity continue to be hot topics and the breaches roll on. Here are some privacy and security bits and bytes for this Monday morning.
Wall Street Journal Article Jeopardizes Security of Grid?
Last week, the Wall Street Journal published an article detailing how the U.S. “could suffer a coast-to-coast blackout” if someone took out just nine specific substations. The article doesn’t name the nine substations, and most of the latter half of the article is actually devoted to a rehashing of the Pacific Gas & Electric Metcalf substation attack from last year. But it was certainly enough to raise the hackles of regulators and utility executives.
Acting FERC Chairman Cheryl A. LaFleur said: [The] publication by The Wall Street Journal of sensitive information about the grid undermines the careful work done by professionals who dedicate their careers to providing the American people with a reliable and secure grid. The Wall Street Journal has appropriately declined to identify by name particularly critical substations throughout the country. Nonetheless, the publication of other sensitive information is highly irresponsible. While there may be value in a general discussion of the steps we take to keep the grid safe, the publication of sensitive material about the grid crosses the line from transparency to irresponsibility, and gives those who would do us harm a roadmap to achieve malicious designs. The American people deserve better.
Intelligent Utility article
NERC Critical Asset Report
University of Maryland Reports Second Data Breach in Four Weeks
University of Maryland Chief Information Officer Ann Wylie must feel like a woman under siege. Last Thursday, she reported to administrators and department chairs that the university network had been hacked — again — and personal information had been stolen — again. Wylie says that this latest incident is not related to the February data breach we wrote about here.
For more reading about data breaches in higher education (one of the very hottest of hot spots), see this article from The Chronicle of Higher Education.
California Department of Motor Vehicles Investigating Potential “Large Scale Breach”
Security blogger Brian Krebs — who broke the Target breach story — is out in front of another potential large breach. The California DMV confirmed over the weekend that it is investigating a potential security breach, but that it had no immediate evidence that its computer system had been hacked. The important part of this statement is that Krebs is reporting that the breach is likely to have been at the DMV’s credit card processor, which would make this a much bigger story.
Stay tuned. Read more:
Krebs on Security
Written by Julia Siripurapu, CIPP/US
Just two months after Apple’s settlement with the FTC over lax parental controls over children’s in-app purchases (see our prior blog post), Google takes the spotlight with claims of unauthorized children’s in-app purchases in the Google Play Store! This time, it’s not an FTC action, but a class action. The suit was filed on March 7 in the U.S. District Court for the Northern District of California. The suit was brought by a New York mother (“Plaintiff”) on behalf of herself and other parents whose minor children downloaded free or relatively inexpensive child-directed games from the Google Play store and then incurred charges for purchasing items that cost money within the app without parental consent or authorization. For example, the Plaintiff’s five-year-old son spent over $65 on virtual Crystals while playing the game “Marvel Run Jump Smash!” on an Android device.
According to the complaint, the apps directed to children that are offered for sale in the Google Play store are “designed to induce purchases of what Google refers to as ‘In-App Purchases’ or ‘In-App Content,’ i.e. virtual supplies, ammunition, fruits and vegetables, cash, and other fake ‘currency,’ etc. within the game in order to play the game as it was designed to be played (‘Game Currency’)”. As noted in the complaint, while Google required users to enter a password to authenticate their account before purchasing and downloading an app or Game Currency, once the account was authenticated the user, including a child, could purchase “several hundreds of dollars” in Game Currency during a 30-minute window without having to re-enter a password. This billing practice allowed Google to automatically charge the account holder’s credit or debit card or PayPal account without notifying the account holder or obtaining further consent from the account holder.