Consumer Protection Connection


White House Issues New Cybersecurity Executive Order

Posted in Cybersecurity

On May 11, President Trump issued Executive Order Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which centers on federal networks, critical infrastructure, and the nation’s overall cybersecurity. The order largely expands on cybersecurity recommendations developed during the Obama administration. The order calls for a review of vulnerabilities and preparedness by the Secretary of Homeland Security and the Director of the White House Office of Management and Budget (OMB), who are directed to “jointly assess each agency’s risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch.” Key provisions include:

  • Federal agency heads will now be held accountable for cybersecurity in their agencies. They are required to review their computer security measures and submit a risk management report to the Secretary of Homeland Security and the Director of OMB within 90 days.
  • The head of the Department of Homeland Security is responsible for oversight of the cybersecurity measures of companies that DHS has determined are “at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” and must report on the adequacy of the security protocols of such businesses to the President within 6 months.
  • Federal agencies are instructed to implement the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The NIST Cybersecurity Framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia, and government agencies.

Many analysts are calling the executive order a good first step but note there is considerable work still to be done, including details of how expanded cybersecurity infrastructure will be funded and how the new regime will be implemented.

The recent, destabilizing “Wanna Cry” ransomware attacks made all too apparent how important it is to have a strong cybersecurity regime in place. As predicted, the government is looking to the NIST Cybersecurity Framework as a guide for managing cybersecurity risks for government agencies and critical infrastructure businesses. Whether or not your business is part of a critical infrastructure industry, the Framework can be a useful tool in understanding and managing security risks.

Are Your Security Tools Up to Date?

Posted in Cybersecurity, Data Security, Privacy

The effects of the massive cyberattack using ransomware known as “Wanna Cry” are still being felt all over the world. Tens of thousands of organizations have been infected, including the UK’s National Health Service, which ran some services on an emergency-only basis the day the attack began in earnest. Some security experts surmise that the virus is activated using a malware worm that, once activated, travels automatically between computers. Businesses with numerous partners and suppliers that connect to their network were especially at risk. If and when Wanna Cry is contained, the attack will fade from the public’s view, but legal repercussions may follow for affected users.

Wanna Cry, also known as “Wanna Decryptor,” is a hacking tool thought to be developed by the U.S. National Security Agency (NSA). Wanna Cry exploits a vulnerability in Windows operating systems that allows the ransomware to spread automatically across multiple networks. The attack is the first instance of self-spreading ransomware that cannot be stopped once it infects a network.

Microsoft issued a patch on March 14, 2017, to fix the hole in Windows. However, many organizations failed to apply the patch and found themselves susceptible to Wanna Cry over the last couple weeks. Indeed, in some regions, a large proportion of affected users were using pirated copies of Windows. Unusually, Microsoft has even released patches for such systems.

The damage caused by the Wanna Cry attack was both predictable and possibly preventable. In April 2017, a group calling themselves the Shadow Brokers released onto the web what they claimed were NSA-developed hacking tools (report here). Many security experts predicted it was only a matter of time before the Shadow Brokers’ tools were exploited on a large scale.

There are several lessons apparent at the outset:

First, organizations and individuals should update their systems frequently. Organizations both large and small sometimes wait before applying security patches issued by major software providers. Reasons may include other priority IT initiatives, concerns about the compatibility of specialized or legacy software, a lack of understanding of the seriousness of the vulnerability that the patch is intended to address, or simply manpower limits. The Wanna Cry attack, however, illustrates the importance of implementing patches and updates promptly to avoid falling prey to an attack that takes advantage of the unpatched vulnerability. Businesses should also bear in mind that failure to keep systems updated can result not only in disruption of business, but in the potential for theft of confidential company, client, and employee information, and could lead to lawsuits or regulatory enforcement actions alleging a lack of due diligence. While no protection or patch can be foolproof, systematic application of updates is a key security imperative in an increasingly integrated world.

Backing up crucial files on a separate server is also helpful in case the main network becomes compromised.

All businesses should have a breach response plan in place before an attack occurs, especially in the event of a ransomware attack that paralyzes internal systems and blocks access to data until a ransom is paid. Assessing an organization’s data collection and security practices, assembling a breach response team, and identifying legal obligations, law enforcement contacts, and forensics experts before an event occurs can help ensure an effective and timely response if, despite precautions, a company becomes the target of a data breach or ransomware demand. Regular training for directors, employees, and contractors is also important to raise awareness throughout the organization and mitigate risks. Automating updates and patching through your system can also help.

You don’t want to wait for the next wave of attacks to plan to protect your business, your employees, and your customers.

New Mexico Enacts Data Breach Notification Law; Tennessee Reinstates Encryption Safe Harbor

Posted in Privacy

New Mexico is the 48th state to enact a data breach law. That law, the Data Breach Notification Act (HB15), is scheduled to take effect on June 16, 2017. Alabama and South Dakota are now the only states without a data breach notification law.

The New Mexico law is like other state breach notification laws in that the notification requirement is tied to the unauthorized acquisition of unencrypted computerized data that compromises the security or confidentiality of “personally identifiable information” (PII). As is also customary, PII is defined as an individual’s first name or initial plus last name and either a social security number, driver’s license number, government-issued identification number, or account or credit card/debit number plus security code or password. Unlike many states, however, the law also includes biometric data in the definition of PII. The law also requires that owners and licensees of PII properly dispose of it and implement reasonable security procedures to protect PII, and companies must require service providers to likewise implement and maintain reasonable security procedures appropriate to the nature of the PII.

Companies that experience a reportable breach must notify all affected New Mexico residents within 45 days of discovery of the breach, unless a company determines that the breach does not give rise to a significant risk of identity theft or fraud. If more than 1,000 New Mexico residents are affected, then a company must also notify the Attorney General and the three major consumer reporting agencies within 45 days.

Tennessee recently amended its data breach notification law by reinstating an encryption safe harbor. Tennessee was the first and only state to extend data breach notification obligations to encrypted data as well as unencrypted data, so the recent amendment realigns the Tennessee law with those of other states in that regard.

To view Keller and Heckman LLP’s latest summary of all U.S. state data breach notification laws, available on our website, click here.

FTC Seeks Comments on Proposed Changes to TRUSTe’s COPPA Safe Harbor Program

Posted in Privacy

In a Federal Register notice, the FTC has asked for comments on intended changes to TRUSTe’s existing safe harbor program under the Children’s Online Privacy Protection Act (COPPA). TRUSTe proposed the changes following its settlement earlier this month with the New York Attorney General over allegations that the compliance and security company did not adequately assess whether companies certified under its safe harbor program allowed third party sites to track children.

In its submission of the proposed changes to the FTC, TRUSTe stated its changes would “address regulatory expectations related to: (1) third party tracking technologies and (2) the timing for seal removal for participants who have not completed annual review and remediation by the anniversary of the prior year certification date.” TRUSTe also said that it “is making structural changes to its Children’s Privacy Certification Standards to align them with the TRUSTe Enterprise Privacy Certification Standards since many participants in our COPPA Safe Harbor program also participate in the TRUSTe Enterprise Privacy Program.” In particular, the FTC is seeking input on whether the compliance mechanisms and the incentives for operators’ compliance with the updated safe harbor program are effective.

The comment period ends May 24, 2017.

FTC Warns Influencers to be Clear About Endorsements on Social Media

Posted in Advertising

Everyone who is anyone is on Instagram these days, apparently. But not all posts on the photo-sharing platform are purely organic; some result from material connections between influencer or celebrity posters and the brands or products they are endorsing. This connection is not always made clear to viewers, however, according to the Federal Trade Commission (FTC). This week, the FTC sent letters to 90 marketers and influencers, warning of the obligation to “clearly and conspicuously disclose their relationships … when promoting or endorsing products through social media.”

The FTC’s letters came after public interest groups filed a number of petitions concerning influencer advertising on Instagram. Instagram came under particular scrutiny because disclosures on some posts are available to viewers in the Instagram mobile app only after a viewer clicks on the post’s “more” button. The FTC advised recipients that disclosure of any material connection should be made clear above the “more” button, and suggested that disclosures made in a hashtag string at the end of a description were likely insufficient.

The FTC’s Endorsement Guides, which apply to both marketers and endorsers, stress that “when there exists a connection between the endorser and the seller of the advertised product that might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience), such connection must be fully disclosed.”

The FTC has filed complaints against a number of businesses for lack of adequate endorsement disclosures, but this is the first time warning letters have been sent to influencers directly. Both marketers and influencers need to bear in mind the importance of disclosing a material connection, and doing so in a way consumers will likely see. Marketers may wish to update their social media policies with this in mind.

TRUSTe Settles COPPA Safe Harbor Enforcement Action with NYAG

Posted in Privacy

TRUSTe has settled allegations by the New York Attorney General that it did not adequately assess whether companies certified under its Children’s Online Privacy Protection Act (COPPA) Safe Harbor seal program allowed third party sites to track children. TRUSTe agreed to pay $100,000 and will be required to adopt new procedures to make its COPPA Safe Harbor certification review process more rigorous.

TRUSTe’s Children’s Privacy Program is an authorized safe harbor scheme that requires TRUSTe to carry out at least one yearly comprehensive evaluation of its customer’s websites to ensure they remain in compliance with COPPA. Under COPPA, companies are required to obtain parental consent before permitting any tracking of children under 13. While TRUSTe carried out electronic scans of seal program participants’ websites for third party tracking technology, the NYAG alleged that TRUSTe failed to perform similar searches of those companies’ child-directed webpages. The NYAG also alleged that TRUSTe failed to provide its customers with complete results of the investigations, including information on the tracking software they uncovered in their scans.

This settlement comes two years after TRUSTe found itself in hot water with the Federal Trade Commission (FTC) over allegations that the privacy company neglected to re-certify more than 1,000 companies between 2006 and 2013 under the EU-US Safe Harbor program in place at the time.

Government Agencies to be Rated on Cybersecurity Using NIST Framework

Posted in Cybersecurity

The Trump administration has announced that it will impose new metrics on federal agencies related to cybersecurity. Agencies and departments will be required to comply with the framework developed by the National Institute of Standards and Technology (NIST) and report back to the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the White House.

Homeland security advisor Thomas Bossert stated that the President’s budget will include an increase in federal funding to combat cyber threats, and that the administration’s priorities vis-à-vis cybersecurity are to modernize and centralize the existing system. To this end, the Administration intends to partner with business, including Silicon Valley, and state and local governments, on cybersecurity.

In the federal sector, the White House’s March 2017 budget blueprint calls for $1.5 billion for DHS activities to protect federal networks and critical infrastructure from cyberattacks. Additionally, a cybersecurity executive order will reportedly be finalized in the near future.

Plans to impose the NIST cybersecurity framework on federal agencies illustrate the Framework’s increasing importance as a standard for cybersecurity, not just for government agencies, but more broadly throughout the information ecosystem. With security breaches, state-sponsored cyber-attacks, and ransomware demands increasing, the Framework offers useful guidance on processes and actions designed to enhance data security for government and industry alike.

FTC Takes on “Made in the USA” Claim for Second Time This Year

Posted in Advertising

“Made in the USA” is an attractive selling point for many consumers who want to support homegrown industry, so it is the topic of many advertising claims for a variety of products. But to establish that a product is American-made, manufacturers have to show all its key parts were made here. And if steel tags which proudly state “Made in the USA” were, in fact, manufactured overseas, that’s false advertising.

This is the situation faced by Texas-based Block Division, Inc., a manufacturer of metal pulleys. According to the FTC complaint released on March 8, 2017, Block’s advertising used images as well as explicit wording to reinforce its “Made in the USA” message. Yet, according to the FTC, the company imported integral components of its pulleys from other countries, including, ironically, the imported steel plates that were stamped with the words “Made in USA.”

Under a settlement with the FTC, Block Division is banned from advertising its products as USA-made unless the company can establish “the final assembly or processing of the product occurs in the United States, all significant processing that goes into the product occurs in the United States, and all or virtually all ingredients or components of the product are made and sourced in the United States.” The company can make “qualified” U.S. origin claims only if it clearly and conspicuously “conveys the extent to which the product contains foreign parts, ingredients, and/or processing.”

Acting FTC Chairman Maureen Ohlhausen commented, “Consumers have the right to know that they can trust companies to be truthful when it comes to ‘Made in USA’ claims. This is an important issue for American business and their customers, and the FTC will remain vigilant in this area.”

Two FTC documents, Complying with the Made in USA Standard and Enforcement Policy Statement on U.S. Origin Claims, outline fundamental requirements to comply with FTC enforcement guidelines and to substantiate “Made in the USA” claims:

  • All significant parts and processing that go into the product are of U.S. origin (the “virtually all” standard);
  • Competent and reliable evidence exists to back up the claim that the product in question is made in the U.S.

The Block Division settlement and the iSpring Water Systems settlement last month are the latest in a line of complaints the FTC has brought in recent years against companies that deceptively use “Made in the USA” advertising. These cases indicate the ongoing seriousness with which the Commission will treat such claims in future.

Comments on the proposed settlement will be accepted online until April 7, 2017.

FCC Takes Initial Step to Give Privacy, Security Authority Back to FTC

Posted in Privacy

On March 1, the Federal Communications Commission (FCC) granted a temporary stay of one of the broadband privacy rules adopted in October of last year. That rule, which pertains to data security, would otherwise take effect on March 2. Newly installed FCC Chairman Ajit Pai and Federal Trade Commission (FTC) Acting Chair Maureen Ohlhausen issued a joint statement in support of the stay, which will allow the FCC to consider petitions for reconsideration of the October 2016 Report and Order before the data security and other new requirements for broadband internet service providers (ISPs) take effect. The Chairmen expressed their goal of “harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy.”

The FCC’s 2016 Report and Order established a comprehensive set of rules for protecting the confidentiality and security of information that ISPs acquire from their customers. Pai was one of two FCC Commissioners who issued a strong dissent. The recent stay, approved by the FCC in a 2-to-1 vote along party lines, follows Pai’s statement on February 24, 2017 that he would seek to reconsider elements of the Obama-era FCC’s privacy rules that were inconsistent with the FTC’s rules.

The moves by the FCC presage the likely withdrawal of the prescriptive broadband privacy rules, which rely on a determination by the FCC that ISPs are common carriers under its jurisdiction. This would return ISPs’ treatment of consumer privacy to the FTC, which has more experience enforcing privacy and data security laws in a technology-neutral manner.

Sealed: Three IT Companies Settle FTC Deceptive APEC Privacy Claims

Posted in Advertising, Privacy

If a business advertises it is a member of a privacy program, even a voluntary one, it had better be, according to the Federal Trade Commission (FTC). In separate but related complaints, the FTC alleged that three businesses – software provider Sentinel Labs Inc., private messaging app developer SpyChatter Inc., and cybersecurity software company Vir2us Inc. – represented that they were members of the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) when they were not.

The CBPR is a voluntary, cross-border privacy regime designed “to protect data that flows between the regions.” Its system is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access, correction, and accountability.

Although membership is voluntary, false representations about participation are enforceable. Furthermore, participation isn’t simply a matter of saying you support the principles; participants must undergo a review by an APEC-recognized accountability agent, which certifies companies that meet CBPR standards. Despite assertions in their online privacy policies that they were CBPR members, Sentinel, SpyChatter, and Vir2us Inc. had never been certified by an APEC agent.

FTC Acting Chair Maureen Ohlhausen commented that “Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable U.S. companies to compete around the world. Companies, however, must live up to the promises they make to protect consumer data.” Ohlhausen’s comments indicate the seriousness with which the FTC continues to approach deceptive advertising related to privacy.

Under their settlement with the FTC, the three companies are barred from making any misleading assertions about their “participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.”

Public comments may be submitted electronically on the Sentinel Labs, Inc., SpyChatter, Inc., and Vir2us, Inc. agreements through March 24, 2017.

It is important to note that there are a growing number of privacy “seal” programs, and some organizations offer a variety of such programs. Whether ads involve compliance with the EU-U.S. Privacy Shield, APEC, or programs under the Health Information Portability and Accountability Act (HIPAA) or Children’s Online Privacy Protection Act (COPPA), to minimize risk, businesses need to ensure that claims accurately reflect the specific program they joined. And, of course, they should only advertise participation while their membership or seal status is current and their policies and practices remain in compliance.
