An Alabama man has been sentenced to spend six months in prison for illegally accessing the personal information of over fifty women. For over two years, Kevin Maldonado engaged in a hacking technique called “phishing,” creating fake email accounts impersonating email providers and requesting numerous women to change their email passwords. He was then able to obtain passwords and access private information, including personal photographs. Maldonado then stored the stolen information on his personal computer. Maldonado pleaded guilty in February 2017 to computer intrusion, and was sentenced to six months in prison and three years of supervised release.

Although extensive, Maldonado’s phishing technique is a common strategy employed by hackers to gain personal information. Phishing scams are fraudulent email messages that appear to come from legitimate sources. In 2016, according to the FBI’s Internet Crime Complaint Center, there were more than 19,000 victims of phishing and related scams. Email users can guard against these scams by verifying information sent in emails, such as the name of the company, the sender and the URLs of links embedded in the email message. Personal firewalls and security software can provide even more protection if needed.

To view information from the SEC on protection from phishing scams, click here.

To view the U.S. Attorney’s press release click here.

Today, on June 1, 2017, China’s new cybersecurity law, entitled the “Network Security Law”, goes into effect.  The law was passed in November 2016.  It now becomes legally mandatory for “network operators” and “providers of network products and services” to: (a) follow certain personal information protection obligations, including notice and consent requirements; (b) for network operators to implement certain cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and (c) for providers of networks.

The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Companies will now be required to introduce data protection measures, and sensitive data (e.g., information on Chinese citizens or relating to national security) must be stored on domestic servers.  Users now have the right to ask service providers to delete their information if such information is abused.  In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges is that the government has been unclear on what would be considered “important or sensitive data”, and which products may fall under the “national security” definition.

Penalties vary, but can include (1) a warning, injunction order to correct the violation, confiscation of proceeds and/or a fine (typically ranging up to 1 million Chinese yuan (~$147,000)); (2) personal fines for directly responsible persons up to 100,000 Chinese yuan (~$14,700); and (3) under some circumstances, suspensions or shutdowns of offending websites and businesses and revocations of operating permits and business licenses. Such sanctions would take into account the degree of harm and the amount of illegal gains. (Fines could include up to five times the amount of those ill-gotten gains.)

While draft implementing regulations and a draft technical guidance document have been circulated by the Cyber Administration (China’s internet regulator), the final versions of these documents are still forthcoming. These documents are expected to clarify obligations regarding restrictions on cross-border transfers of “personal information” and “important information”, including a notice and consent obligation. They may also include procedures and standards for “security assessments”, which are necessary to continue cross-border transfers of personal information and “important information”. Under the draft regulation, “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018. It is expected that the final draft will contain a similar grace period.

Although large multinational corporations are typically accustomed to adapting to new laws and regulations in various countries and are already accustomed to tight internet and content controls in China, there remains concern about the potential cost impacts as well as the enforcement risk of the ambiguous language. It is also unclear whether the new law may alienate small or medium-sized businesses otherwise looking to enter the Chinese market. While Beijing is touting the law as a welcome milestone in data privacy, companies both large and small are concerned that the law is both vague and exceptionally broad, thus potentially putting companies at undue risk of regulatory enforcement unrelated to cybersecurity.

For an official press release from the state-run website, China Daily, on May 31, 2017, click here.

Target Corporation has reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the investigation into the retailer’s 2013 data breach, officials announced on May 23, 2017. The 2013 data breach incident triggered various state consumer protection and data breach laws when hackers accessed consumer data for over 110 million Target customers. In response, state attorneys general from across the country joined in an investigation led by Connecticut and Illinois. The investigation has culminated in the largest multistate data breach settlement to date.

In November 2013, hackers breached Target’s gateway server using stolen credentials from a third-party vendor. The hackers were able to access a customer service database, install malware on the system, and capture consumer data. Customer payment card accounts for more than 41 million and contact information for more than 60 million, including full names, telephone numbers, email and mailing addresses, payment card numbers and verification codes, and encrypted debit PINs, were compromised in the breach.

Notably, Target has agreed to much more than the monetary payments to the states. Through Target’s compliance with the settlement agreement, various state attorneys general project Target will set industry standards for secure credit card processing and customer data maintenance. According to the settlement terms, Target must adhere to several requirements, including: (1) developing, implementing, and maintaining a comprehensive information security program within 180 days designed to protect customer personal information; (2) employing an executive or officer responsible for implementing and maintaining the information security program; (3) developing and implementing policies and procedures for auditing vendor compliance with its information security program; (4) maintaining encryption protocols and policies; (5) complying with the Payment Card Industry Data Security Standard (“PCI DSS”) with respect to its payment card system; (6) segmenting its payment card system from its larger computer network; (7) deploying and maintaining controls to detect and prevent the execution of unauthorized applications within its point-of-sale terminals and servers; and (8) adopting improved, industry-accepted payment card security technologies, such as chip and PIN technology.

Target has one year to obtain a third-party security assessment and report and provide the report to the Connecticut Attorney General’s Office.

A copy of the full settlement is available here.

On April 4, 2017, President Trump signed legislation repealing the Federal Communications Commission’s (FCC) privacy protections adopted in October 2016. The regulations, set to go into effect later this year, would have required internet service providers (ISPs) to adopt stricter consumer privacy protections than websites like Google and Facebook. Among other things, the regulations would have required ISPs to obtain consent before sharing sensitive customer proprietary information, take reasonable measures to secure customer proprietary information, provide notification to customers, the FCC and law enforcement in the event of data breaches, and not condition provision of service on the surrender of privacy rights.

The regulations were opposed by many ISPs who felt that they would be at a disadvantage to companies like Amazon, Google and Facebook, who are regulated by the Federal Trade Commission (FTC). Because these companies offer internet services, and do not provide internet connection, they are subject to the less restrictive FTC regulations. While many ISPs have promised not to sell proprietary customer information, these promises are voluntary. President Trump’s repeal leaves the states as the only real possible enforcer of ISP privacy regulations.


Today, acting FTC Chairman Maureen K. Ohlhausen and FCC Chairman Ajit Pai issued a joint statement on the FCC’s issuance of a temporary stay of a data security regulation for broadband providers scheduled to take effect on March 2.  In their statement, they advocate for a “comprehensive and consistent framework”, so that Americans do not have to “figure out if their information is protected differently depending on which part of the Internet holds it.”

The Chairmen stated that for this reason, they disagreed with the FCC’s 2015 unilateral decision to strip the FTC of its authority over broadband providers’ privacy and data security practices, and believed that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, thus subjecting “all actors in the online space” to the same rules.

Until then, the joint statement provides, the two chairmen “will work together on harmonizing the FCC’s privacy rules for broadband provider with the FTC’s standards for other companies in the digital economy.”  The statement provides that the FCC order was inconsistent with the FTC’s privacy framework. The stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rules.

In response to concerns that the temporary delay of a rule not yet in effect will leave consumers unprotected, the Chairmen agree that it is vital to fill the consumer protection gap, but that “how that gap is filled matters” – it does not serve consumers’ interests to create two separate and distinct frameworks – one for Internet service providers and another for all other online companies.

Going forward, the statement says, the FTC and the FCC will work together to establish a uniform and technology-neutral privacy framework for the online world.

To view the joint FTC and FCC statement, click here.

To view the FCC Order staying the regulation, click here.

Today, Vizio, Inc., agreed to pay $2.2 million to settle charges by the FTC and the New Jersey Attorney General that it installed software on its smart TVs to collect viewing data on 11 million consumer televisions without the consumers’ knowledge or consent. The $2.2 million payment includes a $1.5 million payment to the FTC, and a $1 million payment to the New Jersey Division of Consumer Affairs, although $300,000 will be suspended and vacated after 5 years upon compliance with the order. In a concurring statement, Commissioner Ohlhausen supported the order, but questioned the FTC’s allegation that individualized television viewing activity falls within the definition of sensitive information.

The 2014 complaint alleged that Vizio and an affiliate company manufacture smart TVs that capture second-by-second information about video displayed on the smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices. In addition, Vizio facilitated the integration of specific demographic information (e.g., sex, age, income, marital status, household size, educational level, home ownership, household value, etc.) into the viewing data. Vizio then sold the information to third parties, who used it for various purposes, including targeted advertising to consumers across devices.

According to the complaint, Vizio touted its “Smart Interactivity” features that “enables program offers and suggestions”, but failed to inform consumers that the settings also enabled the collection of consumers’ viewing data. The complaint alleges that Vizio’s data tracking – which occurred without viewers’ informed consent – was unfair and deceptive. The complaint charges that the defendants participated in deceptive and unfair acts in violation of Section 5 of the FTC Act, and brings similar charges under the New Jersey Consumer Fraud Act, in connection with the unfair collection and sharing of consumers’ viewing data and deception concerning their “Smart Interactivity” features.

As part of the settlement, Vizio stipulated to a federal court order that:

  • requires Vizio to prominently disclose and obtain affirmative express consent for its data collection and sharing practices;
  • prohibits misrepresentations about the privacy, security, or confidentiality of consumer information they collect;
  • requires Vizio to delete data collected before March 1, 2016; and
  • requires Vizio to implement (and review biennially) a comprehensive data privacy program.

In a concurring statement, Commissioner Ohlhausen supported Count II of the complaint, alleging that Vizio deceptively omitted information about its data collection and sharing program. However, she expressed concern about the implications of Count I, which alleged that granular (household or individual) television viewing activity is sensitive information, and that sharing this viewing information without consent causes or is likely to cause a “substantial injury” under Section 5 of the FTC Act. Although Commissioner Ohlhausen acknowledged that there may be good policy reasons to consider such information, she states that the statute does not allow the FTC to find a practice unfair based primarily on public policy, and that this case demonstrates “the need for the FTC to examine more rigorously what constitutes ‘substantial injury’” in the context of information about consumers. Ohlhausen indicated that she will launch an effort in the coming weeks to examine this issue further.

To view the stipulated order, click here.

To view Commissioner Ohlhausen’s concurring statement click here.

 

In a recent opinion, the Second Circuit ruled against the United States government and in favor of protecting data stored overseas. In Microsoft v. United States, the Second Circuit held that the Stored Communications Act (SCA) does not authorize courts to issue warrants against internet service providers (ISPs) for the seizure of customer email content stored exclusively on foreign servers. The case began in December 2013 when the government obtained a warrant to gain access to a Microsoft customer’s account on a server in Dublin, Ireland. Microsoft argued that the United States lacked the authority to obtain the data due to its location in an overseas server. The United States countered, arguing that the SCA warrant required Microsoft to turn over the data because, although the data was stored in an overseas server, Microsoft had access to it in the United States. Ultimately, the Second Circuit decided in favor of Microsoft. The Court held that the data was located in Ireland and the SCA was not meant to be applied extraterritorially.

On January 24, 2017, the Second Circuit denied rehearing the case. Although the decision was reached in a tie (4-4 vote), the rehearing request was denied due to a rule requiring a majority vote for granting of petitions. The decision garnered four dissents, with each dissenter essentially arguing that the issue rested on the location of the disclosure of the information, which would take place in the United States, and not the location of the information itself.

Microsoft v. United States raises important data privacy questions that will likely reappear in future cases. Asking courts to apply dated technology statutes and answer the complicated question of where virtual data is physically located leaves no straightforward answer. The United States government might get another shot to revisit this question in the near future, but it will have to be through the Supreme Court.

On November 11, 2016, Facebook announced that it would no longer allow advertisers to exclude specific racial and ethnic groups when placing ads related to housing, credit or employment, according to a statement by Erin Egan, Facebook’s vice-president of U.S. public policy, to USA TODAY. According to the news article, Facebook will also require advertisers to affirm that they will not place discriminatory ads on Facebook, and plans to offer educational materials to help advertisers understand their obligations.


Courts and litigants find themselves standing on the precipice of Spokeo v. Robins, a monumental Supreme Court decision that could have potentially wide-ranging implications for data breach cases. Given the Court’s holding in Spokeo that a plaintiff must allege and prove more than just “a bare procedural violation” to satisfy the “concrete injury” component of standing’s injury-in-fact requirement, it may prove difficult for data-breach plaintiffs to survive challenges to their allegations of standing. For example, even if a consumer’s data has been stolen, a third party (such as a bank) may ultimately pay for any out-of-pocket losses (for instance, in the case of stolen credit card numbers). Thus, in the absence of any actual monetary losses, which is often the case, plaintiffs are forced to rely on allegations of an increased likelihood of fraud or identity theft. But as the initial influx of post-Spokeo cases makes clear, plaintiffs must establish that their risk of future harm is more than speculative, a leap which some courts have been reluctant to take.

On October 27, 2016, the FCC released rules to “empower consumers to decide how data are used and shared by broadband providers.” In the order, the FCC defines information protected under Section 222 for telecommunications carriers as “customer proprietary information (customer PI)”, to include the following: (1) individually identifiable Customer Proprietary Network Information (CPNI), (2) personally identifiable information (PII) and (3) content of communications. The FCC also adopts and explains its multi-part approach to determining whether data has been properly de-identified and is therefore not subject to the customer choice regime adopted by the FCC for customer PI. Many of the rules are modeled after FTC best practices and the White House Administration’s Consumer Privacy Bill of Rights.