Tag Archives: FTC

FTC to Enforce Voluntary GDPR Compliance Statements

U.S. based companies that have updated their privacy policies to reflect increased consumer privacy protections intending to match the European Union’s GDPR protections may have unknowingly opened themselves up to added scrutiny from the Federal Trade Commission, according to FTC spokesperson Juliana Gruenwald Henderson.

Several organizations that collect consumer data on a large scale, including Facebook and Microsoft, have taken it upon themselves to increase personal data use transparency for their consumers through clearer privacy policies. This increase in transparency is designed, in part, to increase trust among their users, as well as potentially staying one step ahead of future U.S. regulation. That domestic regulation, however, might be coming sooner than anticipated.

The FTC’s Statement

Gruenwald Henderson explained, “If a company chooses to implement some or all of GDPR across their entire operations, and as a result makes promises to U.S. consumers about their specific practices they must live up to those commitments.” She added that this enforcement, although broad in nature, would only be applied in specific and appropriate situations, and that “the FTC could initiate an enforcement action if the company does not comply with the EU data protection promises for U.S. customers.”

The FTC’s statement shows the government takes seriously companies’ privacy promises to their consumers. “If the company claims that it is compliant with EU law, it better be right, because the FTC will be looking for companies that are non-compliant but say otherwise,” said David Vladeck, former director of the FTC’s Bureau of Competition.

Operation Main Street: The FTC’s Initiative to Battle Scams Against Small Business

Small businesses drive a significant portion of the American economy by providing jobs and services nationwide. As a vital component of domestic commerce, it is essential that there are protections in place to keep these companies safe from cyber scams. That’s where the FTC steps in, fulfilling their mission to protect consumers and small business owners.

The FTC, law enforcement, state and federal partners and the Better Business Bureau (BBB) have recently coordinated to form Operation Main Street, an education effort to help alert small businesses about scams and how to avoid them.

Example Scam Activity

In addition to cyber scams like business email compromise and other phishing attacks, according to the FTC, some scammers actually call their targets claiming to be collecting on past-due bills for a variety of services, including online directory listings, search engine optimization, and web design and/or hosting. The scammer warns the business to “pay now” or its account will be turned over to collections and red flagged, and that refusal to pay could have a negative impact on the company’s credit. In reality, the targeted small business never ordered the products or services to begin with; it’s all part of the con.

BLU Settles with FTC Over Privacy and Data Security Claims

Phone manufacturer BLU reached a settlement with the Federal Trade Commission (FTC) over allegations BLU allowed a Chinese third-party service to harvest user data without user knowledge or consent. This data harvesting was first brought to light in 2016, when security firm Kryptowire reported that BLU phones were sending information to China using software from Shanghai Adups Technology Company (ADUPS), a contracted third party of BLU.

What Data Was Harvested

According to the FTC’s press release, BLU contracted with ADUPS to issue security and operating system updates to BLU products. However, the BLU devices were also sending large amounts of data – more than BLU told its users – to ADUPS in China.

The harvested data included full text messages, location-tracking, call and text logs with corresponding phone numbers and contact lists, and a breakdown of applications installed on the BLU devices.


FTC Brings the Enforcement Hammer for EU-US Privacy Shield Misrepresentations

For the first time, the Federal Trade Commission is holding companies accountable in three enforcement actions for misleading consumers about their Privacy Shield participation.

EU-U.S. Privacy Shield

The Privacy Shield framework allows companies to transfer consumer data across the pond from EU member states to the U.S. while complying with EU data protection laws. The Privacy Shield was created to replace the U.S.-EU Safe Harbor framework, which was deemed invalid in 2015.

To participate in the framework, companies must certify with the U.S. Department of Commerce and demonstrate compliance with the Privacy Shield Principles. The Department of Commerce maintains the list of active members, while the FTC enforces compliance.

During Safe Harbor’s tenure as the preferred data transfer mechanism between the EU and U.S., the FTC brought 39 enforcement actions against companies for reasons of noncompliance. Now we see the first three enforcement actions under the newer Privacy Shield framework.

Privacy Shield Enforcement

The FTC announced that three companies violated the FTC Act by making false claims regarding their Privacy Shield certification to consumers. The companies never actually completed the certification process.

  • HR software company Decusoft LLC falsely stated in its privacy policy that it “participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.”
  • Printing services company Tru Communication (aka TCPrinting.net) falsely stated in its privacy policy that it “will remain compliant and current with Privacy Shield at all times.”
  • Real estate management company Md7 LLC falsely stated in its privacy policy that it “complies with the EU-U.S. Privacy Shield Framework.”

Acting FTC Chairman Maureen K. Ohlhausen notes, “Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce. Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”

In conjunction with the settlements, the FTC prohibits the three companies from misrepresenting their participation in any privacy or data security program sponsored by a government or regulatory agency.

Key Takeaways

What can other companies learn from the mistakes in these cases?

The FTC is committed to taking enforcement action against misrepresentations about Privacy Shield participation. Given the prior settlements under the Safe Harbor framework, the FTC remains consistent in its efforts to hold companies accountable.

The FTC advises, “If you apply to participate in Privacy Shield, follow through. If you apply but then decide not to participate, don’t tout your compliance in your privacy policy or elsewhere on your website. Furthermore, if the Department of Commerce contacts your company about a deficient or incomplete application, it’s wise to heed the warning by completing the self-certification process in a timely manner or by removing any false statement regarding participation in the Privacy Shield Framework.”

FTC Continues Its ‘Stick with Security’ Series

What are the key lessons learned from the mountain of data security investigations conducted by the FTC over the years?

The Federal Trade Commission (FTC) promised to reveal those lessons and provide practical guidance through a blog series titled ‘Stick with Security.’ Reviewing the blog posts within the series will give organizations actionable guidance and advice to protect consumer data.

The Stick with Security series spans ten blog posts, with a new one released each Friday. Last month, we covered the first five posts in our article – Stick with Security: FTC Provides Guidance on Reasonable Data Security Practices.

Below we recap the latter half of the FTC’s Stick with Security posts.

Stick with Security: Segment and Monitor Your Network

The FTC’s sixth post – “Stick with Security: Segment and Monitor Your Network” – demonstrates the benefits of segmenting your network and keeping a watchful eye on data transfers. It offers practical guidance and examples on how to:

  • Segment your network; and
  • Monitor activity on your network.

Stick with Security: Secure Remote Access to Your Network

The FTC’s seventh post – “Stick with Security: Secure Remote Access to Your Network” – calls on organizations to address the risks posed by remote access to networks and systems. The FTC provides a few examples of good and bad practice, including how to:

  • Ensure endpoint security; and
  • Put sensible access limits in place.

Stick with Security: Apply Sound Security Patches

The FTC’s eighth post – “Stick with Security: Apply Sound Security Patches When Developing New Products” – emphasizes the importance and efficiency of building security into product development from the start. The post highlights several measures organizations can take to build security into their product development strategy, including:

  • Train your engineers in secure coding;
  • Follow platform guidelines for security;
  • Verify that security features work; and
  • Test for common vulnerabilities.

Stick with Security: Make Sure Service Providers Implement Reasonable Security Measures

The FTC’s ninth post – “Stick with Security: Make Sure Service Providers Implement Reasonable Security Measures” – emphasizes the importance of reasonable security practices at an organization’s service providers. The FTC offers several steps and examples for setting reasonable security expectations with your service providers, including:

  • Do your due diligence;
  • Put it in writing; and
  • Verify compliance.

Stick with Security: FTC Provides Guidance on Reasonable Data Security Practices

The Federal Trade Commission (FTC) is making good on its promise earlier this year to provide lessons and practical guidance from data security investigations. The FTC is publishing a series of blog posts under the theme “Stick with Security,” which will build on the principles in its previous Start with Security Guide for Businesses.

The Stick with Security series will highlight real-life security examples based on the FTC’s 60+ law enforcement actions, closed investigations, and FAQs. These efforts are designed to give businesses actionable advice to protect and secure consumer data.

Each Friday the FTC will publish a new post in the series on its Business Blog. We will provide a recap and link to each post here in our cyber newsletter updates.

Stick with Security: Insights into FTC Investigations

In its first post – “Stick with Security: Insights into FTC Investigations” – the FTC notes important lessons and takeaways from investigations closed with no further action. While those matters fade away without any public attention, the FTC highlights common cases and examples from them in its post.

Start with Security – and Stick with It

The FTC’s second post – “Start with Security – and Stick with It” – outlines five key security practices that apply to businesses of all sizes and industries. The blog post offers examples of each security practice:

  • Don’t collect personal information you don’t need
  • Hold onto information only as long as you have a legitimate business need
  • Don’t use personal information when it’s not necessary
  • Train your staff on your security standards
  • When feasible, offer consumers more secure choices

Stick with Security: Control Access to Data Sensibly

The third post in the Stick with Security Series – “Stick with Security: Control Access to Data Sensibly” – details security measures for businesses to consider when limiting unauthorized access to consumer and other sensitive data. The post emphasizes two key principles for access control, along with related examples:

  • Restrict access to sensitive data
  • Limit administrative access

Stick with Security: Require Secure Passwords and Authentication

The fourth blog post – “Stick with Security: Require Secure Passwords and Authentication” – aims to give businesses practical examples of effective authentication procedures to safeguard their networks. Examples are provided relating to the recommended security measures:

  • Require long, complex, and unique passwords
  • Store passwords securely
  • Guard against brute force attacks
  • Protect sensitive accounts with more than just a password
  • Protect against authentication bypass

Stick with Security: Store Sensitive Personal Information Securely

The fifth post – “Stick with Security: Store Sensitive Personal Information Securely and Protect it During Transmission” – describes examples of reasonable protections businesses can take to secure sensitive data:

  • Keep sensitive information secure throughout its lifecycle
  • Use industry-tested and accepted methods
  • Ensure proper configuration

Disney Gets Caught in COPPA Lawsuit

The Walt Disney Company ended up on the wrong end of a lawsuit over violations of the Children’s Online Privacy Protection Act (COPPA). The class action suit alleges violations related to embedded software collecting children’s personal information from Disney’s apps.

COPPA Background

COPPA rules are administered and enforced by the Federal Trade Commission. They require operators of commercial websites and online services directed at children under the age of 13 to comply with certain privacy standards. For example, COPPA rules require applicable organizations to post privacy policies, notify parents about their information practices, and obtain parental consent before collecting, using, or disclosing children’s personal information.

Disney Lawsuit

Ad tech companies provide the software development kits that Disney uses to track behavior across various apps and devices. This class action complaint makes several allegations and claims about Disney’s potential violations:

  • Tracking children’s online behavior to facilitate behavioral advertising or marketing analysis
  • Creating online profiles for child users with data elements like location, browsing history, and app usage
  • Failing to obtain verifiable parental consent, and never providing a mechanism for consent to be given

Disney released a statement, “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.”

Disney has been involved in alleged COPPA violations in the past, when a subsidiary company was given a $3 million penalty in 2011 for collecting and disclosing children’s personal information without parental consent.

Safe Harbor Update

The FTC made news in regards to COPPA by approving TRUSTe’s modifications to its safe harbor program. Organizations in an approved safe harbor program – like TRUSTe’s – are subject to program-regulated guidelines rather than COPPA’s formal FTC investigation and enforcement process.

Organizations covered under TRUSTe’s safe harbor program should review the approved updates.

Increasing Regulatory Requirements for IoT

The COPPA update is part of a larger regulatory wave to address the expanding privacy and security issues surrounding the Internet of Things (IoT).

While the FTC update focuses on ‘smart toys,’ the overall trend will require all organizations to analyze the privacy and security implications stemming from the emerging ‘smart’ business models.

The security industry expects to see much more action in the near future (including legislation making its way through Congress) related to shifting regulation and new vulnerabilities for the Internet of Things.

FTC Updates COPPA Compliance Guidance

Anyone subject to COPPA regulations knows the FTC takes children’s privacy seriously.

With more products being marketed towards minors (e.g., internet-connected toys), the Federal Trade Commission revisited compliance requirements under the Children’s Online Privacy Protection Act (COPPA).

The FTC released an update to the ‘Six-Step Compliance Plan for Your Business’ to simplify COPPA compliance for organizations. Several new focus areas are noted in the guidance including:

  • New business models. As technologies evolve, organizations are changing the way they collect data. Evolving data collection activities are addressed in the new update. For example, the update added regulations for voice-activated devices that collect personal information.
  • New products covered by COPPA. COPPA no longer applies strictly to websites and mobile apps. The law now covers a growing list of connected devices that make up the Internet of Things. This includes web-connected toys and other products intended for children that collect personal information, such as voice recordings or geolocation data.
  • New methods for getting parental consent. The revised Compliance Plan discusses two newly-approved methods for getting parental consent: asking knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID.

The FTC offers an additional FAQ resource for organizations that have further questions regarding COPPA compliance.

The FBI also released a related article on privacy risks associated with Internet-connected children’s toys.

FTC Website Dedicated to Help Small Businesses Against Cyber Threats

Small businesses can feel the pain of a cyber-attack more than most enterprises. With scarce resources to allocate beyond business operations, small businesses are a prime target for cyber criminals.

There’s a false statistic circulating that 60% of small businesses fail within six months of a cyber-attack. While the number may be exaggerated, small businesses do have a hard time responding appropriately.

It’s not surprising that a cyber-attack, with all the costs and time involved, can derail a small business. Luckily, the FTC has recently provided some recourse for the little guys.

FTC Website

Recognizing these struggles, the FTC launched a website dedicated to helping small businesses avoid scams and protect their computers and networks from cyber-attacks.

The FTC markets their new site as, “a one-stop shop where small businesses can find information to protect themselves from scammers and hackers.”

They cite several ways small businesses are specifically targeted by cyber criminals:

  • Social engineering tactics charging the business for supplies they didn’t order
  • Soliciting donations for fake charities
  • Phishing small businesses into giving access and control to computers and networks

The resources on the FTC site include:

  • Small Business Computer Security Basics Guide
  • Information on responding to a data breach
  • Guidance on threats like ransomware and phishing

Key Takeaways

There’s been a push lately to educate small and medium-sized businesses on cyber risks and threats. We’ve seen guidance trickle down from regulators (see our article PCI Guide for Small and Medium-Sized Businesses), and this website from the FTC provides yet another resource for businesses to leverage.

One benefit of guidance materials like these from the FTC: in the event of an incident, an organization can probably gain some points with the regulators by showing its due diligence through use of the regulatory cyber tools and resources provided.

We also strongly encourage small businesses to take advantage of the cyber risk management resources in their cyber insurance policies. We provide policyholders with easy tools to leverage:

  • Phishing training courses
  • Sample security policies and procedures
  • Cyber security fitness check
  • Incident Response Plan templates and guidance

Reach out to cyberteam@eplaceinc.com for any help accessing these resources, or to schedule a meeting with our Virtual-CISOs to discuss any of your cyber initiatives.

FTC Settlement Showcases a Repeat Offender

When the cop gives you a ticket for speeding, don’t pull away from the side of the road and continue blazing down the highway. Upromise did just that, and the FTC caught up with them once again.

The Federal Trade Commission (FTC) settled with Upromise for $500,000 over violating a previous FTC settlement and consent order.

Who is Upromise?

Upromise is a membership reward service offering a loyalty program to families saving for college. The service offers credits for college savings accounts when members purchase from the company’s affiliates and partners.

Background

In 2012, the FTC and Upromise reached a prior settlement. The FTC alleged Upromise’s TurboSaver toolbar collected users’ information without disclosing the extent of the collection. The user information was then transmitted insecurely over the Internet. This happened while the company’s privacy notice stated that the toolbar would rarely collect personal data and that security controls were in place to protect such data.

The 2012 settlement included a few action items for Upromise:

  1. Clearly disclose the toolbar’s data collection practices
  2. Obtain consent from users before collecting data
  3. Obtain a third-party assessment regarding the toolbar

New Violations

Unfortunately, Upromise never made good on those promises.

After the 2012 debacle with the FTC, Upromise started promoting a new toolbar for consumers called RewardU. Now the FTC is alleging Upromise is making the same mistakes with its RewardU toolbar.

According to the FTC, the company failed to clearly and prominently disclose the collection and use of consumer data by the RewardU toolbar. The disclosures were hidden where a consumer would need to click a link, scroll through two full screens of text, and find the company’s statement in the second paragraph of a footnote.

Additionally, Upromise failed to obtain the required third-party assessments of the RewardU toolbar. The company instead submitted various assessments of operations not covered by the 2012 FTC Order.

Settlement

All of this led the FTC and Upromise to settle once again… this time for a $500,000 penalty.

Upromise must also permanently expire any RewardU-related cookies and inform users who downloaded the toolbar how they can uninstall it and delete associated cookies.

Key Takeaways

This settlement shows the FTC is still committed to data privacy and security issues. This case is unique in that Upromise is a repeat customer. The FTC isn’t afraid to revisit prior settlements and hold companies to their promises in the resolution agreements.