Federal Trade Commission

Facebook does it. Google does it. It’s everywhere in the mobile ad ecosystem. And your smartphone does it more often than you know, according to a study released on Monday by Carnegie Mellon.

Now, Federal authorities have turned their attention to cross-device and cross-service tracking of consumers over the last several days and weeks. Speaking at a Federal Communications Bar Association and American Bar Association joint event on March 25, Federal Communications Commission Enforcement Bureau Chief Travis LeBlanc expressed his privacy concerns with Triple-Play providers of Internet, video, and voice services aggregating customer data collected from across all three services. This came just a day after reports that Google would be testing a new model for television advertising in markets where it sells both Google Fiber Internet and television service. Also on March 24, the House Commerce, Manufacturing and Trade Subcommittee held a hearing on the Internet of Things that included questions about how personal information could be protected when collected and shared by connected devices.

The Federal Communications Commission’s (“FCC”) net neutrality proceeding culminated this month with the release of an Order reclassifying broadband Internet access service as a common carrier Telecommunications Service subject to regulation under Title II of the Communications Act. Previously, the FCC classified broadband service as a lightly regulated Title I Information Service, while Title II was primarily used to regulate telephone service. This decision by the FCC has two major privacy implications for broadband customers and Internet Service Providers (“ISPs”).

First, as previously reported on this blog, the FCC’s reclassification decision puts in flux which federal agency has authority to enforce ISPs’ privacy policies. Until now, the Federal Trade Commission (“FTC”) has asserted its Section 5 authority over “unfair or deceptive” practices to bring enforcement actions against companies that violate their own privacy policies or fail to adequately safeguard customer data. The FTC has brought dozens of actions over privacy policy violations, and previously declared that it has the authority to do so specifically against broadband providers that violate their published policies. In fact, though not a privacy allegation, the FTC recently used its Section 5 authority to bring an enforcement action against AT&T in its capacity as an ISP for allegedly “throttling” data throughput even when a customer signed up for an unlimited data plan.

But Section 5 of the FTC Act exempts common carriers from FTC oversight of “unfair methods of competition… and unfair or deceptive acts or practices.” With broadband service soon to be regulated as common carriage in light of the FCC’s Order, and broadband ISPs regulated as common carriers, the FTC will likely lose its enforcement authority over that service to the FCC. In the fall of 2014, FTC Commissioner Maureen Ohlhausen expressed concern over the FTC’s continued ability to protect consumers should the FCC decide to pursue reclassification, and FTC officials, including FTC Chairwoman Edith Ramirez and Consumer Protection Director Jessica Rich, recently reiterated those concerns and called on Congress to eliminate the common carrier exemption. One data security and breach notification bill currently before the House Subcommittee on Commerce, Manufacturing, and Trade would do just that in the limited context of privacy.

Second, broadband service is now subject to the privacy provisions of Title II that protect Customer Proprietary Network Information (“CPNI”) – which includes information related to the quantity, location, and amount of use of a telecommunications service. However, the FCC’s rules implementing those provisions are mostly inapplicable to broadband service as they specifically focus on protecting information related to telephone calls, such as phone numbers dialed and the duration of calls. To resolve this dilemma, the FCC’s Order applies Section 222 of the Communications Act to broadband providers, which prohibits carriers from using or disclosing individually identifiable CPNI without consent except as needed for providing service, but forbears from applying the FCC’s current implementing rules pending further proceedings to adopt new rules that apply specifically to broadband.

Today is Data Privacy Day, and as you might expect, we have a few bits and bytes for you.

Use the Opportunity

Data Privacy Day is another opportunity to push out a note to employees regarding their own privacy and security — and how that can help the company. Emails with articles and reminders are helpful. Here are some that might be interesting to your company:

Happy Data Privacy Day – Now Lock Your Cellphone

Celebrate Data Privacy Day

8 Ways to Celebrate Data Privacy Day Securely

And finally – International Privacy Day – Protect Your Digital Footprint

The concept reinforces corporate privacy programs, while encouraging employees to take steps to protect their personal data.

The Federal Trade Commission Issues IoT (Internet of Things) Report

Following up on its November 2013 workshop on the Internet of Things, the Federal Trade Commission (“FTC”) has released a staff report on privacy and security in the context of the Internet of Things (“IoT”), “Internet of Things: Privacy & Security in a Connected World” along with a document that summarizes the best practices for businesses contained in the Report.  The primary focus of the Report is the application of four of the Fair Information Practice Principles (“FIPPs”) to the IoT – data security, data minimization, notice, and choice.

The report begins by defining IoT for the FTC’s purposes as “‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet,” but limits this to devices that are sold to or used by consumers, rather than businesses, in line with the FTC’s consumer protection mandate. Before discussing the best practices, the FTC goes on to delineate several benefits and risks of the IoT. Among the benefits are (1) improvements to health care, such as insulin pumps and blood-pressure cuffs that give people the tools to monitor their own vital signs from home and avoid trips to the doctor; (2) more efficient energy use at home, through smart meters and home automation systems; and (3) safer roadways, as connected cars can notify drivers of dangerous road conditions and offer real-time diagnostics of a vehicle.

The risks highlighted by the Report include, among others, (1) unauthorized access and misuse of personal information; (2) unexpected uses of personal information; (3) collection of unexpected types of information; (4) security vulnerabilities in IoT devices that could facilitate attacks on other systems; and (5) risks to physical safety, such as may arise from hacking an insulin pump.

In light of these risks, the FTC staff suggests a number of best practices based on four FIPPs. At the workshop from which this report was generated, all participants agreed on the importance of applying the data security principle.  However, participants disagreed concerning the suitability of applying the data minimization, notice, and choice principles to the IoT, arguing that minimization might limit potential opportunities for IoT devices, and notice and choice might not be practical depending on the device’s interface – for example, some do not have screens.  The FTC recognized these concerns but still proposed best practices based on these principles.

Recommendations

Data Security Best Practices:

  • Security by design.  This includes building in security from the outset and constantly reconsidering security at every stage of development. It also includes testing products thoroughly and conducting risk assessments throughout a product’s development.
  • Personnel practices.  Responsibility for product security should rest at an appropriate level within the organization.  This could be a Chief Privacy Officer, but the higher up the responsible party, the better off a product and company will be.
  • Oversee third party providers.  Companies should provide sufficient oversight of their service providers and require reasonable security by contract.
  • Defense-in-depth.  Security measures should be considered at each level at which data is collected, stored, and transmitted, including a customer’s home Wi-Fi network over which the data collected will travel.  Sensitive data should be encrypted.
  • Reasonable access control.  Strong authentication and identity validation techniques will help to protect against unauthorized access to devices and customer data.

Data Minimization Best Practices:

  • Carefully consider data collected.  Companies should be fully cognizant of why each category of data is collected and how long that data should be stored.
  • Only collect necessary data.  Avoid collecting data that is not needed to serve the purpose for which a customer purchases the device. Establish a reasonable retention limit on data the device does collect.
  • Deidentify data where possible.  If deidentified data would be sufficient, companies should only maintain such data in a deidentified form and work to prevent reidentification.

Notice and Choice Best Practices:  The FTC initially notes that the context in which data is collected may mean that notice and choice are not necessary, for example when information is collected to support the specific purpose for which the device was purchased.

When notice or choice is necessary, the FTC offers several suggestions for how a company might give or obtain it, including (1) offer choice at point of sale; (2) direct customers to online tutorials; (3) print QR codes on the device that take customers to a website for notice and choice; (4) provide choices during initial set-up; (5) provide icons to convey important privacy-relevant information, such as a flashing light that appears when a device connects to the Internet; (6) provide notice through emails or texts when requested by consumers; and (7) make use of a user experience approach, such as personalizing privacy preferences based on the choices a customer already made on another device.

Legislation.  The FTC staff recommends against IoT-specific legislation in the Report, citing the infancy of the industry and the potential for federal legislation to stifle innovation.  Instead, the FTC recommends technology-neutral privacy and data security legislation.  Without saying it explicitly, this appears to be a recommendation for something akin to the Consumer Privacy Bill of Rights recently proposed by the President, along with giving the FTC authority to enforce certain privacy protections, including notice and choice, even in the absence of a showing of deceptive or unfair acts or practices.

In the meantime, the FTC notes that it will continue to provide privacy and data security oversight of IoT as it has in other areas of privacy.  Specifically, the FTC would continue to enforce the FTC Act, the Children’s Online Privacy Protection Act, and other relevant statutes.  Other initiatives would include developing education materials, advocating on behalf of consumer privacy, and participating in multi-stakeholder groups to develop IoT guidelines for industry.


Written by Cynthia Larose, CIPP and Ari Moskowitz, CIPP

This has been a big week for cybersecurity announcements from Washington. In what the White House has called a series of “SOTU Spoilers,” President Obama announced his intention to follow through on some of the recommendations in his administration’s Big Data report — the culmination of the White House’s 90-day “Big Data” review in 2014. Specifically, the President proposed following through on the report’s recommendations that the following legislation be passed: a consumer privacy bill of rights, a national data breach notification law, and a law to promote student privacy.

Three privacy/security stories that you should know as you start your week:


President Obama to Offer Cybersecurity/Privacy Previews to State of the Union Proposals

In a series of speeches this week, President Obama will preview important issues to appear in his January 20th State of the Union address. A White House official said in a statement to reporters over the weekend that the president would “lay out a series of legislative proposals and executive actions that will be in his State of the Union that will tackle identity theft and privacy issues, cybersecurity, and access to the Internet.” The President will reportedly speak at an event at the Federal Trade Commission today and outline a plan to tackle identity theft and improve consumer and student privacy. Tuesday, the President will discuss cybersecurity at the National Cybersecurity and Communications Integration Center. We will keep readers updated on what the White House is calling “SOTU Spoilers.”

Read more here: CNBC, CNET, New York Times

ICYMI: The January 2015 Edition of the Mintz Matrix Is Out — and State Changes are in the Works

On Friday, we released the updated version of the Mintz Matrix of state data breach notification laws. In case you missed it, you can get the updated chart here.

Now that the state legislatures are getting into session, we are expecting more action amending and tightening up state laws. For example, legislators in Washington state have already filed an amendment to that state’s data breach notification law.

At the end of 2014, several proposals were introduced, and we will be following where these bills head in the 2015 session. New York’s proposal (Bill A10190) imposes requirements on entities conducting business in New York that own or license computerized data including private information; those requirements are nearly identical to those under Massachusetts 201 CMR 17. Most importantly (as you will recall), the Massachusetts regulations require that entities develop, implement and maintain a comprehensive written information security program. A proposed New Jersey amendment would expand the definition of “personal information” to include a combination of user name or email address with any password or security question and answer that would permit access to the online account. Attorneys general in Indiana and Oregon closed out the year with calls for more robust data breach protection legislation in their states. Stay tuned.

Tax Time is a Good Time For a “Security Check”

Businesses and their employees are all dealing with receipt of documents, filings, etc. during this taxing time of year. Tax season is also a prime time for personal information scams and can expose lax internal controls. Here are a few things to remember as you begin preparing for tax season:

Secure your data – Do you prepare your business’ taxes on a company computer? If so, you likely have some very sensitive financial information on your hard drive. Make sure your files are secured with password-protected directories and accounts, and that your entire system is protected from outside threats. Also, if you plan to use a wireless network to electronically file your taxes, be sure to use a secure Internet connection and never use public wireless hotspots. Do NOT send personal information to employees or service providers via email. Make sure that you only use secure transmission methods for sending W2 and other forms that contain Social Security numbers or other sensitive information. If a tax preparer asks you to send documents via unencrypted email — find another tax preparer.

Back up financial data – When was the last time you backed up your company data? If you don’t already follow a backup schedule, tax season can be a great reminder that you need to regularly back up your data. Regularly backing up your data not only protects you at tax time in the event your data is compromised, it can also help protect you against future events such as a natural disaster. Remember that whether you back up to the cloud or a separate physical device/location, electronic data needs to be kept in a secure environment.

Keep your security software updated – You don’t have the time or resources to keep track of each and every new scam, phishing attack, or threat that comes around – that’s what your security software is supposed to do. But just as you can’t file your taxes without the most accurate tax information, your security software can’t do its job if it’s not up-to-date. The threat landscape changes daily, so keeping your security software up-to-date helps ensure that it will be able to address the most current threats to your information. After all, your ability to run an effective business depends on making sure your confidential data is safe and secure from outside threats.

Remind employees of phishing threats — Use this time of year as an opportunity to remind employees to protect themselves from tax-related phishing scams. The IRS will never ask for personal information via email. Ever. Some of these reminders from the IRS may be useful to send to your employees as a reminder to protect themselves — and as a result, protect your business.

Have a safe and secure week!

Questions of Authority – Who Will Be the Federal Regulatory Cop on the Privacy Beat? FTC? FCC? Privacy, Data Security Jurisdiction Questions to the Forefront in 2015

Written by Christopher Harvie

As privacy and data security gain more visibility among policy-makers, questions of federal agency authority and jurisdiction are also gaining a higher profile.

Since 2002, the Federal Trade Commission (FTC) has brought 50 enforcement actions under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices,” against companies alleged to have put consumers’ personal data at unreasonable risk. Earlier this year, in response to a court challenge brought by Wyndham Hotels, a Federal court in New Jersey upheld the FTC’s authority under Section 5 to bring enforcement actions to remedy unreasonable data security practices that lead to data breaches that cause consumer harm. The court ruled that Congress need not explicitly grant the FTC authority to bring Section 5 actions against companies that cause consumer harm through inadequate data security practices, and that the FTC does not need to adopt prior data security regulations detailing permissible and impermissible data security practices. Instead, the court determined that the FTC complaint against Wyndham adequately pleaded “substantial injury to consumers” caused by data breaches linked to Wyndham’s “failure to implement reasonable and appropriate security measures” – including the failure to require use of complex passwords, erect adequate firewalls to prevent access by 3rd parties and insecure devices to enterprise servers, utilize up-to-date operating systems that could receive security patches and upgrades, or adequately inventory its computers in order to readily locate compromised devices. Issued in response to a Wyndham motion to dismiss for lack of jurisdiction, the court’s decision does not constitute a ruling on the merits of the FTC complaint. The jurisdictional issue is the subject of an interlocutory appeal to the 3rd Circuit, which remains pending while the parties engage in court-ordered mediation. Read our posts here and here for more information on the Wyndham case.

Sometimes the day just gets away from you…

Here are three privacy & security things you should know for your week:

1. FTC Cites TRUSTe With Misrepresenting Practices – Fines $200,000

Apparently TRUSTe hasn’t been quite so … The fine is part of an agreed settlement with the FTC, under which the Commission has charged the “certification” company with misrepresenting practices to consumers and — contrary to its stated policies — failing to conduct annual re-certifications of companies around 1,000 times between 2006 and 2013. “TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge,” Edith Ramirez, the F.T.C.’s chairwoman, said in a statement. “Self-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the F.T.C. will not hesitate to take action.”

FTC Press Release

PCWorld – TRUSTe Deceived Consumers About Recertification Program, FTC Says

Washington Post – Latest FTC enforcement action shows why it’s so hard to figure out who to trust online

UPDATE (11/19): TRUSTe’s Statement regarding the FTC action.

Corrective action taken by Verizon Communications to fix security issues with its FiOS and DSL routers resulted in the FTC closing its investigation to determine whether Verizon’s distribution of the routers was an unfair or deceptive practice.

According to the FTC, Verizon regularly shipped routers to consumers with the default security set to the outdated WEP standard, which has been known for a decade to have weaknesses that leave users of the routers vulnerable to hackers.

After the FTC initiated its investigation, Verizon took steps to mitigate the risks to its customers.  It changed the default security setting on the routers going out to customers from the obsolete WEP standard to the current WPA2 standard, it initiated an outreach campaign to its customers to encourage them to update the security settings on their routers, and it offered customers with older routers incompatible with the WPA2 standard the opportunity to upgrade to a newer, WPA2-compatible device.

The FTC emphasized that closing the investigation did not mean that Verizon had not violated the FTC Act. It cautioned that

what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them. As most all consumer devices on the market today are compatible with WPA2, it would likely be unreasonable for Internet Service Providers (“ISPs”) or router manufacturers to continue to default consumer routers to WEP encryption. We hope and expect that all companies that provide consumers with these products will ensure reasonable and appropriate default security settings.

A copy of the FTC’s closing letter is available here.