Tag Archives: FTC

The Regulators Are Coming! The Regulators Are Coming!

Everyone knows that the regulators have been going after businesses that don’t protect consumer information.  Some people say they are overreaching.  Others say that they are not doing enough.  Either way, the reality is that you have to deal with them.  So who are they and who do they go after?  Read on.

The FTC.  The FTC has gone after businesses using section 5 of the FTC Act – basically saying that the actions of a business represent unfair or deceptive practices.  Recently, after the FTC went after Wyndham Hotels following a series of breaches, Wyndham went to court in an effort to get the courts to agree that the FTC had no jurisdiction over cyber security.  Unfortunately for Wyndham, the courts did not agree and Wyndham settled (see article).  Suffice it to say, the FTC’s jurisdiction covers anyone who is in business, and they have levied multi-million dollar fines and consent decrees that allow them to watch over that business for 20 years.

The FCC.  The FCC is a new player in the privacy regulation business.  Their jurisdiction is limited to communications companies and broadcasters.  Recently, they have gone after a number of businesses for blocking WiFi signals in an effort to force you to buy their WiFi services at a hefty price.  Marriott, Hilton, the Baltimore Convention Center and others have felt the wrath of the FCC (see article).  This is a low risk regulator for most businesses.

The CFPB.  The CFPB is a new regulator which came out of the Dodd-Frank Act and was created in 2010.  Recently, they went after a small fin-tech company, Dwolla (see blog post), saying that it was lying about the cyber security measures it was providing to its customers.  The CFPB oversees financial institutions such as banks, insurance companies, fin-tech companies such as Dwolla, brokers, etc.  In Dwolla’s case the fine was relatively small ($100k) and the duration of the consent order was short (5 years) compared to FTC actions.  The CFPB’s reach covers anyone in the financial industry or supporting that industry, and they are just beginning to figure out their role.

HHS Office Of Civil Rights (OCR).  Health and Human Services enforces HIPAA and HITECH, specifically in the area of protecting your medical information.  They have done some enforcement actions in the past, but they have been a somewhat weak regulator in the area of privacy.  Recently, they got beat up by their Inspector General’s office, which said that they were being namby-pamby (see blog post), so it appears that they are stepping up enforcement.  Their area of jurisdiction is health information, so if you are a medical or dental practice, an insurance provider or a vendor to one of these businesses, you could come into their crosshairs.  Still, they seem to be behind the power curve.  Recently, they finally created a full time office to handle enforcement.

Earlier this month they fined North Memorial Health Care of Minnesota $1.55 million because they did not have policies in place to cover what their Business Associates (essentially, vendors and subcontractors) did with your data.  This stemmed from a vendor of theirs having a laptop – UNENCRYPTED – with the medical records of 10,000 patients on it stolen out of a car.

Also this month, HHS OCR fined the Feinstein Institute $3.9 million.  This fine also was the result of an unencrypted laptop being stolen out of an employee’s car.  This time it had 13,000 patient records on it.  They were fined for not having encryption AND not having a documented explanation of why encrypting patient data wasn’t needed.  HIPAA and HITECH don’t require encryption, but they do require a documented explanation of how you manage risk if you don’t implement reasonable controls.

These two cases date back to 2012.  I assume this means that HHS OCR is still playing catch up, and we don’t really know what this new office is going to do.

These are just a small sample of the regulators that could come after a business that does not protect non-public personal information of different varieties, depending on what industry you are in.

I am sure that there are many more to consider, but suffice it to say that almost every business could come into the crosshairs of at least one of these regulators.

Of course, this does not include state regulators, such as the New York Department of Financial Services or the California Attorney General, both of whom have been very active in the privacy arena.

So, if you collect non-public personal information, protecting that information should be a high priority for your business if you want to keep the privacy regulators at bay.

Information for this post came from Health Data Management.


FTC Settles With Asus Over Security Claims

Asus is an international manufacturer of all kinds of computer and networking equipment.

The FTC, in this case, was not upset with Asus for making hardware that was buggy and not secure, thereby exposing customers’ information, but rather for representing that its routers had numerous security features that could protect users from unauthorized access and hackers when the product was in fact buggy and not secure.

In fact, under section 5 of the FTC Act, as the Wyndham Hotel chain discovered, the FTC could probably have brought an action in either case, but it is much clearer that saying a product was secure when it was not is deceptive.

According to the FTC,

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

The press release goes on to talk about some of the vulnerabilities and the fact that Asus did not address them in a timely or effective manner and did not notify consumers of the vulnerabilities.

Hopefully, this will act as a warning to manufacturers of Internet of Things devices that they better maintain reasonable security or the FTC will explain to them that they should.

In the agreement, Asus agreed to create a security program, to have that program watched by the FTC for the next TWENTY years, to notify consumers of security flaws and of workarounds for those flaws until they are patched, and to let the FTC audit them every two years during that period.

For those in the IoT space, doing what is in this agreement without being told will likely keep them out of the crosshairs of the FTC.  The FTC is not expecting IoT devices to be bug free, but they are expecting manufacturers to be responsible.

Manufacturers should consider themselves warned.


The FTC press release on the Asus settlement can be found here.


Wyndham Hotels Settles Breach Investigation With FTC

The Wyndham Worldwide hotel chain, which has been fighting with the FTC for years after the hotel chain suffered three security breaches in two years exposing credit card data, settled with the FTC this week.

The hotel chain went as far as to attempt to get the courts to say that the FTC did not have the authority to regulate corporate cyber hygiene.  The court of appeals, in a decision this past summer, disagreed with Wyndham and said that this was within the FTC’s purview.

The FTC had filed suit against Wyndham in the Third Circuit, so to say that this issue was a bit adversarial would be polite.

Apparently Wyndham realized that they were not going to win this battle and settled with the FTC.  They declared victory by saying that they did not have to admit they were guilty or pay a fine.  Note that the FTC usually does not require either of these as a condition to settling.

What Wyndham did agree to is:

  • The FTC will monitor their behavior, cyber security wise, for the next TWENTY years.
  • The company will obtain annual security audits of its information security program that conform to the PCI standards – something that they should have been doing anyway.
  • The audit will certify that Wyndham is treating franchisee networks as untrusted (the fact that they were trusting the franchisee networks apparently facilitated the previous breaches).
  • The audit will also report on whether the hotel chain is compliant with a formal risk assessment process.
  • If the hotel chain has another breach of more than 10,000 cards, they will obtain an assessment of the breach and hand that assessment over to the FTC.
  • The order says that if Wyndham gets the necessary compliance certifications, they will be in compliance with this agreement.

The order needs to be approved by the judge overseeing this case, which we assume will not be a problem.

It seems to me that this is only a Pyrrhic victory for Wyndham.  While they may declare victory in the press, the FTC got exactly what they wanted and in fact, what they have usually obtained in a much less adversarial manner.  In the meantime, the FTC will be watching over Wyndham’s information security program for the next 20 years and Wyndham probably spent tens of millions on legal costs, which they get to eat.

I do suspect that this may be the last time a company who has been breached attempts to fight the FTC in this manner.

While the FTC recently suffered a setback in their case against LabMD, that case was different because there was no showing of harm.  In the Wyndham case, 600,000+ credit cards were compromised at a cost of over $10 million.


Information for this post came from the FTC.


Verizon Has A New Friend – The U.S. Senate

Well, maybe not a friend that you want to have, but they will likely get to visit the nation’s Capitol.

Verizon has gotten way more press than it would like by inserting super-cookies into its customers’ web traffic to allow folks like the marketing giant Turn to build dossiers on Verizon customers and then sell that information to advertisers, in a thousandth of a second, to the highest bidder.

Senators Bill Nelson of Florida, Richard Blumenthal of Connecticut and Edward Markey of Massachusetts have asked the FTC to investigate whether Verizon’s use of super-cookies violates FTC privacy rules.  These senators wrote Verizon a short note last week asking them a few questions, which Verizon said it would respond to.

The Senators want to know if legislation is required (I assume to regulate or outlaw this activity).

Advertisers are probably really, really mad at Verizon right now.

If Verizon had just done what AT&T did last year when they got caught doing this, the ad industry would not be getting all this unwanted attention.

When AT&T got caught doing this last year, they said it was just an experiment (yeah, right!), my bad, and we will stop doing this now.

Verizon, on the other hand, said that no one would ever use its super-cookies to track what users were doing.  Even though Turn, who was doing that exact thing, was a vendor to Verizon (must have been a different department).

Turn said that just because people were deleting their cookies didn’t mean that they did not want to be tracked.

If Verizon had just been a little smarter and taken the AT&T route and said sorry, this would all have gone away.

And six months later they could have re-contextualized the program and started it back up.

From my point of view, I am glad they were not being very smart.

Mitch
