Tag Archives: data collection

The Ordinance: Chicago’s Proposal to Protect Personal Data

With the passage of the General Data Protection Regulation (GDPR), many government entities here in the US have joined the bandwagon in strengthening data protection laws concerning personal information. The city of Chicago is the latest municipality to actively take on the threat of data breaches.

Chicago’s Personal Data Collection and Protection Ordinance (“the Ordinance”) was recently introduced to its city council and is designed to equip consumers with control over their information, informed consent to its disclosure, awareness of its use, and redress for its misuse.

Data Collection & Disclosure

The purpose of the Ordinance is to regulate operators that collect sensitive customer personal information through the Internet about individual consumers in the City of Chicago.

Among its major provisions, the Ordinance would require operators to:

  1. Obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information;
  2. Notify affected Chicago residents and the City of Chicago in the event of a data breach;
  3. Register with the City of Chicago if they qualify as “data brokers;”
  4. Provide specific notification to mobile device users for location services; and
  5. Obtain prior express consent to use geolocation data from mobile applications.


BLU Settles with FTC Over Privacy and Data Security Claims

Phone manufacturer BLU reached a settlement with the Federal Trade Commission (FTC) over allegations BLU allowed a Chinese third-party service to harvest user data without user knowledge or consent. This data harvesting was first brought to light in 2016, when security firm Kryptowire reported that BLU phones were sending information to China using software from Shanghai Adups Technology Company (ADUPS), a contracted third party of BLU.

What Data Was Harvested

According to the FTC’s press release, BLU contracted with ADUPS to issue security and operating system updates to BLU products. However, the BLU devices were also sending large amounts of data – more than BLU told its users – to ADUPS in China.

The harvested data included full text messages, location-tracking, call and text logs with corresponding phone numbers and contact lists, and a breakdown of applications installed on the BLU devices.

BLU’s Response

The CLOUD Act and Private Data in the U.S. and Abroad

In March 2018, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act was signed into law as part of the 2018 Omnibus Spending Bill. The CLOUD Act allows U.S. federal law enforcement to compel U.S.-based technology companies to provide requested data stored on servers regardless of whether the data are stored inside or outside the U.S.

The CLOUD Act establishes procedures for law enforcement to follow when requesting this data and is intended to provide clarity for organizations caught between conflicting domestic and foreign laws.

What is the Cloud?

Cyber Liability – A Message from the Attorneys General

Written by: Randall J. Krause, Esq., CIPP/US

At ACI’s Cyber & Data Risk Insurance conference held on March 24, 2014, representatives from five (5) state attorneys general offices (AGs)* sent a message to organizations throughout the United States. They had been asked to address the following question: “What are the top 5 messages that you want to send to companies across the country?” Their responses, along with some additional explanation, are the subject of this article.

In short, the AGs’ top 5 messages are (1) everyone is vulnerable to data breaches; (2) as a “steward” of sensitive data, you must be proactive in your efforts to protect it; (3) dispose of sensitive data properly and/or don’t collect it in the first place; (4) employee training and monitoring regarding cyber and data risks are critical; and (5) encryption is a basic “reasonable measure” to safeguard sensitive data*.

1. Don’t be fooled – Everyone is vulnerable to data breaches

As privacy professionals often say, when it comes to whether your organization will experience a data breach, “the question is not if, but when.” According to the PandaLabs 2013 Annual Report, 20% of all malware that has ever existed was created in 2013, with 31.53% of computers around the world being infected. In early 2013, the Ponemon Institute reported that, in its survey of small businesses throughout the United States, 55% of those responding reported having had a data breach (almost all involving electronic records), and 53% reported having had multiple breaches.