The New Biometric Data Ruling You Need to Know About!

Authentication through biometrics—such as fingerprinting or iris scanning—is growing rapidly. In 2008, Illinois passed the Biometric Information Privacy Act (BIPA) and became the first state to regulate the collection and use of this kind of data.

Recently, the Illinois Supreme Court made it much easier for plaintiffs to show harm under BIPA. This means we’ll likely see a significant rise in the number of lawsuits alleging violations.

The Trouble with Biometrics

While convenient, there are several drawbacks to using this data to authenticate a user. Unlike a password or a government-issued identification number, biometrics cannot be changed if compromised. Consequently, lawmakers continue to regulate the collection, use, storage, and destruction of this sensitive data.

BIPA Basics

Generally, BIPA requires organizations to give written notice and receive consent from the individuals whose biometric data is being collected or used. Biometric identifiers include fingerprints and voiceprints as well as retina, iris, hand, and facial geometry scans.

Companies are required to publish a privacy policy describing their biometric data retention policy. BIPA also gives individuals a private right of action to sue companies and obtain damages for violations.

Technical Violations Benefit Plaintiffs

Rosenbach v. Six Flags significantly changed the litigation landscape regarding biometric data handling. According to the Illinois Supreme Court, an individual could be “aggrieved” simply by a technical violation of BIPA even without suffering an actual injury or damage.

Prior to this case, plaintiffs had to show actual harm to collect damages. In short, this decision makes it much easier for plaintiffs to successfully sue companies for BIPA violations.

Practical Advice

This recent decision highlights the importance of notice and consent procedures related to collecting biometric information. Here are some things you can do today.

  • If you collect biometric data, get familiar with BIPA requirements and other biometric privacy laws (e.g. Texas).
  • Provide adequate informed notice and receive written consent before collecting or using biometric data.
  • Review your privacy policy for notice and consent procedures designed to educate individuals about the company’s privacy practices.
  • Review vendor relationships and determine whether third parties have access to or use your biometric data. If so, make sure you disclose that in your privacy policy!
  • Train your employees to properly handle biometric data.

OCR Sets HIPAA Enforcement Record with Cottage Health Settlement

California-based Cottage Health agreed to pay $3 million and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it had unintentionally disclosed electronic patient information. This settlement, in December 2018, brought the annual total of collections from OCR enforcement actions to $28.7 million, setting a new annual record.

Two Breaches

Cottage Health, which operates four hospitals in California, notified HHS’ OCR about two breaches of unsecured electronic protected health information (ePHI), one in December 2013 and another in December 2015, affecting more than 62,500 individuals.

The first incident occurred when the security configuration settings of the health system’s Windows operating system reportedly permitted access to files containing ePHI without requiring a username and password. As a result, patient information was available to anyone on the internet with access to Cottage Health’s server.

Indiana Argues Companies are Deceptive if They Suffer a Data Breach

The Indiana Attorney General recently lodged a claim under the Indiana Deceptive Consumer Sales Act (Indiana Deception Act) that might allow data breach victims to file class action lawsuits against companies and recover $500 or more per person in damages and attorney’s fees.

If successful, this could open the floodgates of litigation against companies who suffer data breaches exposing personally identifying information.

The Indiana Deception Act

The Indiana Deception Act protects consumers from companies who commit deceptive and unconscionable sales acts. Under the Indiana Deception Act, a company “may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction.” For the first time, the Indiana Attorney General recently argued that this Act should apply to data breaches.

Google Hit with Biggest Ever GDPR Fine

France’s National Data Protection Commission (CNIL) recently announced that it has issued Google the biggest GDPR fine to date, for multiple GDPR violations. The fine? A whopping 50 million euros (about $57 million).

Two Types of GDPR Violations

First, CNIL found that Google provided information to users in a non-transparent way: “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” according to the CNIL.

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

Confirming Customer Sentiment

The CNIL’s findings echo what many users have felt when dealing with the privacy settings of large online companies such as Google and Facebook: while it may be possible to opt out of various ads personalization and data processing schemes, the process and settings are too convoluted for many users to understand.

Oklahoma Government Suffers Massive Data Leak

Another massive data leak has been discovered.

This latest leak involves an open Oklahoma Department of Securities storage server exposing millions of records, including confidential files linked to FBI investigations, 17 years of email archives and thousands of Social Security numbers.

The breach was discovered by a researcher from cybersecurity specialist UpGuard, while scanning the web with Shodan, a search engine that lets the user find specific types of devices (webcams, routers, servers, etc.) connected to the internet using a variety of filters.

The data was exposed through an unsecured rsync service, a utility for synchronizing files across computer systems. The server’s IP address was registered to the Oklahoma Office of Management and Enterprise Services, and anyone who connected to it could download the publicly accessible files stored on the server.

GDPR Complaints Filed Against Netflix & Amazon

Video streaming leaders including Netflix, Amazon, and Apple have been accused of breaking the EU’s data regulations.

General Data Protection Regulation (GDPR) rules mandate EU individuals have the right to access a copy of the personal data companies collect about them through the regulation’s right of access. However, Max Schrems’ privacy group NOYB (None Of Your Business) has said it found that most of the big streaming companies have not fully complied and has filed formal complaints – which, if upheld, could result in substantial fines for the streaming giants.

Lack of Compliance

After GDPR went into effect in May 2018, many of the biggest names in tech including Amazon, Apple, Google and Spotify began allowing customers to download a copy of their data. NOYB, however, has said it found many of these streaming industry leaders did not do enough to comply with the new law.

Australian Parliament Hacked!

Australia’s parliament had to reset and change its computer network passwords after an unknown hacker tried to infiltrate and bypass its systems, according to a Reuters report.

As stated in the report, both Tony Smith, the speaker of the lower House of Representatives, and Scott Ryan, president of the upper house Senate, said there’s no evidence that any data had been accessed or stolen.

No Stolen Data

“We have no evidence that this is an attempt to influence the outcome of parliamentary processes or to disrupt or influence electoral or political processes,” Smith and Ryan responded in a joint statement.

“Accurate attribution of a cyber incident takes time and investigations are being undertaken in conjunction with the relevant security agencies.”

Canada’s New Consent Guidelines are Effective Now!

Consent is an important element in privacy law.

Last year, Canadian officials jointly issued guidelines on how to obtain meaningful consent under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which generally requires that you obtain meaningful consent for the collection, use and disclosure of personal information.

The guidelines outline seven principles for obtaining meaningful consent.

  1. Emphasize key elements

Organizations must allow individuals to quickly and easily review key elements affecting their privacy decisions early in the process. Key elements include what information is being collected, why it is being collected and who it is shared with.

Massachusetts Adds New Requirements to Breach Notification Law

Massachusetts Governor Charlie Baker recently signed a new law that amends the state’s data breach notification law.

“The improvements made to Massachusetts laws in this legislation are necessary to protect consumers from the consequences of data breaches that could expose personal information and to give consumers more control over their data and how it is used,” Governor Baker tweeted.

Key new provisions include:

Popular Online Game ‘Town of Salem’ Suffers Data Breach Exposing 7.6 Million Players

A data breach at BlankMediaGames (BMG) has affected more than 7.6 million players of Town of Salem, a browser-based online role-playing game.

The Discovery

The incident was disclosed on December 28 to cybersecurity company DeHashed, which received an anonymous email containing evidence of server and database access.

DeHashed says affected data includes usernames, emails, passwords, IP addresses, game and forum activity, and payment information. Some users who paid for features also had billing data compromised.

The Breach

The attackers used a Local File Inclusion/Remote File Inclusion (LFI/RFI) attack that injects malicious code into a web server running PHP, DeHashed said.

The attackers then gained unauthorized access to the complete gamer database which contained 7,633,234 unique email addresses (most were Gmail, Hotmail, and email accounts).

BMG’s Response

A BlankMediaGames developer named Achilles responded on the Town of Salem forums that no credit-card numbers were stolen. Further, Achilles wrote, all passwords were hashed and not stored in plain text.

“The only important data compromised would be your Username/hashed password, IP and email,” Achilles wrote. “Everything else is just game related data.”

Moving Forward

Data is becoming a much larger issue for game developers; just last month, Bethesda Game Studios came under fire for a bug that leaked player information from support tickets.

If you’ve played Town of Salem, you should change your password immediately.