The U.S. Federal Trade Commission (“FTC”) has filed a lawsuit against device manufacturer D-link for allegedly deceiving the marketplace about the security of its products and, in turn, unfairly placing customer privacy at risk.

Overview

Taiwan-based manufacturers D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”) design a variety of home network devices, such as routers, IP cameras, and baby monitors. Devices such as these are susceptible to hacking when they are connected to each other and to the internet (in what is often referred to as the “Internet of Things” or “IoT”), and weak security measures therefore pose a significant security concern. Judging from D-Link’s advertisements for its products, the company is certainly aware of these risks. D-Link boasted that its routers are safelocked from hackers thanks to “Advanced Network Security,” its baby monitors and cameras assure a “Secure Connection” to protect the livestream view of a sleeping child, and promises of an “easy” and “safe” network appear repeatedly during the set up process for a D-Link device with an online interface. As the FTC explains in its lawsuit claims like those made by D-Link are not only misleading but also dangerous.

Despite an apparent awareness of consumers’ cybersecurity concerns, the FTC alleges that D-Link neglected to build common security measures into the devices it sells. The allegations are startling: mobile app credentials were stored unsecured in plain text on consumer devices; a private company key code was accidentally made viewable online for six months; hard-coded login credentials in camera software left video feeds vulnerable to unauthorized viewers. And that’s just the beginning. More details are listed in the FTC’s complaint filed in a U.S. District Court in California on January 5, 2017.  These lapses and D-Link’s deceptive advertising prompted the FTC to charge the company with a violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45.

As of January 10th, D-link has denied the allegations outlined in the complaint and has retained the Cause of Action Institute as counsel to defend against the action.

The growing IoT problem

In recent years, the FTC has tried to keep pace with mounting concerns over the IoT industry by filing a handful of complaints focused on consumer protection.  For example, it went after the company TRENDnet after the firm’s faulty software allowed hundreds of personal security cameras to be hacked. It also filed an action against computer parts manufacturer ASUS after its cloud services were compromised and the personal information of thousands of consumers was posted online. These isolated mistakes add up; when millions of unsecured and seemingly innocuous WiFi-enabled devices join the global network, they can serve as a massive launchpad for crippling cyber attacks like the one that overwhelmed internet traffic operator Dyn and shut down several major websites in October 2016. The efforts of the FTC are aimed at mitigating such attacks and encouraging technology developers to invest effort and resources in order to secure their IoT devices before they hit the marketplace.

Search for solutions

Both the FTC and the National institute of Standards and Technology (NIST) have released reports offering guidelines and technical standards for building reliable security into the framework of new systems and devices.  As we wrote about recently, the White House has also left the incoming Trump administration an extensive report on cybersecurity recommendations. Achieving these standards will require a combination of regular agency enforcement and greater market demand for safe, secure devices. In the meantime, some digital vigilantes are working to stop cyber-attacks before they start. Netgear, for instance, has launched a “bug bounty program” offering cash rewards of $150-$15,000 for eager hackers to track and report security gaps in its devices, applications, and APIS.  Indeed, incentivizing solutions rather than quietly overlooking mistakes, and searching for loopholes in our laws, will make a substantial difference in safeguarding the IoT landscape.

It’s likely that 2017 will see still more data breaches and hacking stories, and companies should be looking closely at cybersecurity as a risk management issue, and not as an IT issue (we’ve been saying that for years ….).

One of the issues for 2017 will continue to be global changes in data protection laws, and how US companies operating in a global environment prepare for compliance with competing regulations.

To that end, we continue our ongoing series of webinars on the European Union’s General Data Protection Regulation (GDPR).

The upcoming webinar, the fifth in our GDPR Series, will explore the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we will consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.

Registration is online here.

 

 

The Obama White House has grappled with cybersecurity more than any administration in history: China’s 2009 hack of Google, the 2015 Office of Personnel Management breach, and the recent investigation of Russian cyberattacks during the 2016 election, to name just a few examples. In the midst of the president-elect’s transition efforts, President Obama’s administration has published what it considers to be a blueprint for enhancing the cybersecurity capabilities of government institutions and our digital consumer society today and for years beyond Inauguration Day.   Continue Reading #MLWashingtonCyberWatch: White House Releases Cybersecurity Report Aimed at New Administration

 

The growing scale of cybersecurity concerns is prompting action from government leadership on the federal level. Before the Thanksgiving recess, the House’s Committee on Energy and Commerce got in on the act when two of its subcommittees–the Communications and Technology Subcommittee, chaired by Rep. Greg Walden (R-OR), and the Commerce, Manufacturing, and Trade Subcommittee, chaired by Rep. Michael C. Burgess, M.D. (R-TX)–held a joint hearing to investigate and consider the role of Internet-enabled devices (collectively referred to as the “Internet of Things,” or “IoT”) in high-profile online attacks.  Continue Reading House Energy & Commerce Committee Holds Hearing on Security of the Internet of Things

Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later.  The hotel chain paid a penalty to the State of New York for its handling of that incident.  The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy

 

 

As we previewed last week, the Federal Communications Commission (FCC) has adopted new privacy rules that govern Internet service providers’ (ISPs) handling of broadband customer information.  Though the Wireline Competition Bureau stated that it expects it will be at least several days before the final Order is released to the public, the FCC released a fact sheet describing the rules as adopted.

These rules are the culmination of a process that began in 2015 with the reclassification of Broadband Internet Access Service (BIAS) as a common carrier telecommunications service regulated under Title II of the Communications Act.  As a consequence of reclassification, the obligations established under the privacy framework adopted by the Federal Trade Commission (FTC) no longer applied to ISPs due to the common carrier exception in Section 5 of the FTC Act.  Accordingly, the FCC determined that the privacy protections governing telephone customer proprietary network information (CPNI) set forth in Section 222 of the Communications Act would now apply to ISPs’ provision of BIAS.

On April 1, 2016, the Commission released a Notice of Proposed Rulemaking setting forth proposed privacy and data security rules that would govern ISPs’ provision of BIAS.  The rules originally proposed by the FCC would have subjected ISPs to significantly greater constraints on their ability to use customer data for advertising, marketing, and offering customized services and features than the FTC’s privacy framework, which continues to apply to websites, apps, and all other entities in the Internet ecosystem other than ISPs.  For example, while the FTC framework applies differing choice mechanisms (i.e., opt-in, opt-out, or implied consent) depending on the sensitivity of the data being collected and the context of its use, the FCC initially proposed to apply a default opt-in regime to virtually all data – rejecting any distinctions based on data sensitivity.

In response to comments from the FTC and others in the proceeding, the final rules adopted by the FCC align more closely with the FTC framework, though some important differences remain.  Continue reading for key elements of the proposed rules. Continue Reading What You Need to Know about the New Broadband Privacy Regulations

BREAKING NEWS –

The FCC has voted 3-2 along party lines to require internet service providers (ISPs) to get a customer’s explicit consent before they can use or share what is termed “sensitive” personal information.  That definition raises some eyebrows: according to the FCC’s rules, “sensitive” information includes browsing history, mobile location data, TV viewing history, call and text message records, and information about what mobile apps subscribers use.

The regulation was billed by the FCC as based on transparency, consumer choice and data security.

We will have a full analysis of the new regulations tomorrow.

 

You may not realize how much personal information your insurance company has about you. Scarier still is that much of this data is sensitive and valuable to hackers – such as your Social Security number, financial information, medical history, even itemized schedules of your most expensive personal property.  As data breaches affecting insurers have piled up in the past couple of years (Anthem, Premera Blue Cross and Blue Shield, Excellus Health Plan, UCLA Health System just to name a few), so too have calls for stronger data security protections applicable to insurance data.  In response, the CyberSecurity Task Force of the National Association of Insurance Commissioners (“NAIC”), the standard-setting organization in the U.S. insurance industry created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories (“Task Force”) is racing to finish its Insurance Data Security Model Law (“Model Law” or “Law”) by the end of this year so that states can begin the adoption process as early as 2017.  Continue Reading Insurance Regulators Fine Tuning Cybersecurity Guidance

 

It’s time for a compliance check on those website or mobile app privacy policies, before the California Attorney General comes knocking.

Attorney General Kamala D. Harris has announced the release of a new tool for consumers to report websites, mobile applications, and other online services that may be in violation of the California Online Privacy Protection Act (CalOPPA).  The form is available at https://oag.ca.gov/reportprivacy.  As a reminder, a website owner or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies that do not meet the requirements of the statute.

As we have previously written on this blog, the potential cost for not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.

“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”

Mobile app creators should be aware that the Attorney General’s office will not only be relying on consumers to identify non-compliant apps.  The Office is also partnering with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will identify mobile apps that may be in violation of CalOPPA by looking for discrepancies between disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but doesn’t disclose that in its privacy policies).

If you have any questions regarding CalOPPA compliance, please do not hesitate to contact the team at Mintz Levin.

 

 

For the next few months, the Mintz Levin Privacy Webinar Series is focusing on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation.   The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

Next week, we’ll present a webinar focusing on the data security and accountability requirements of the GDPR, including reviews and documentation of internal policies and procedures and data impact assessments.   We will also take a look at the onerous breach notification requirements and recommend actions that companies can take in advance to mitigate the need for breach notification.

Make sure to join us for this important webinar!

Registration link is here.