On November 15, 2017, the Trump administration released the Vulnerabilities Equities Policy and Process. This documents describes the process by which U.S. agencies and departments determine whether to disclose or restrict information on vulnerabilities in information systems and technologies. The Vulnerabilities Equities Process (VEP) balances whether to disclose vulnerability information to the vendor or supplier in the expectation that the vulnerability will be fixed or to temporarily restrict disclosure of the information so that it can be used for national security and/or law enforcement purposes.

The Equities Review Board (ERB), consisting of individuals from numerous agencies, functions as the forum for interagency deliberation and determination concerning the VEP. The National Security Agency will function as the VEP Executive Secretariat. The VEP Executive Secretariat will oversee communications, documentation and recordkeeping for the VEP. The VEP Executive Secretariat will also publish a report of unclassified information on an annual basis.

The VEP provides steps for submitting and reviewing identified vulnerabilities:

  • When an agency determines that a vulnerability reaches the threshold for entry into the VEP, it will notify the VEP Executive Secretariat and provide a recommendation for disclosure or restriction of the vulnerability.
  • The VEP Executive Secretariat will provide notice to all agencies of the ERB and request agencies to respond if they have a strong interest (i.e., “equity”) in the vulnerability. Any agencies with a strong interest in the vulnerability must concur or disagree with the recommendation.
  • The ERB will then reach a consensus on whether or not to disclose or restrict the vulnerability

The view the VEP Charter, click here.

To view the fact sheet, click here.

The FTC is seeking public comment on a petition by Sear’s to reopen and modify its 2009 consent order to restrict the broad definition of “tracking application”.

Background.  In 2009, the FTC issued an order settling charges that Sears Holdings Management Corporation (“Sears”) had failed to adequately disclose the scope of consumers’ personal information it collected via a downloadable software application.  While Sears represented to consumers that the software would track their “online browsing”, the FTC alleged that the software would also monitor consumers’ other online secure sessions – including sessions on third parties’ websites — and collect information transmitted in those sessions, “such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based emails.”  The software would also track some computer activities unrelated to the Internet.  The proposed settlement called for Sears to stop collecting data from consumers who downloaded the software, and to destroy all data it had previously collected.

The 2009 Sears case is significant, among other reasons, because, the FTC found a violation of Section 5 of the FTC Act notwithstanding Sears’ disclosure, because the disclosure was not sufficiently conspicuous.  Specifically, while Sears did disclose the full scope of the software’s specific functions, the details of such functions were contained on approximately the 75th line of the scroll box containing the privacy statement and user license agreement.  The FTC order stated that because such description was not displayed clearly and prominently, that Sears was being “unfair and deceptive” under Section 5 of the FTC Act.

Petition.  On October 30, 2017, Sears petitioned the FTC to reopen and modify its final order to modify the broad definition of “tracking application”.   Sears states that the current definition should be updated because of changing circumstances over the past eight years which result in the definition unnecessarily restricting Sears’s ability to compete in the mobile app marketplace. Sears states that the requested modification would enable the company to “keep step with current market practices” related to retail online tracking applications.

  • Definition. Paragraph 4 of the consent order defines “tracking application” as:  “any software program or application disseminated by or on behalf of respondent, its subsidiaries or affiliated companies, that is capable of being installed on consumers’ computers and used by or on behalf of respondent to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from, or transmitted to the computers on which it is installed.” 
  • Modification. Sears requests that the following additional language be inserted after the word “installed”: “unless the information monitored, recorded, or transmitted is limited solely to the following: (a) the configuration of the software program or application itself; (b) information regarding whether the program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.”
  • Rationale. Sears states that the proposed modification is necessary to carve out commonly accepted and expected behaviors from the scope of the Order without modifying the Order’s core manage of providing notice to consumers when software applications engaged in potentially invasive tracking.  Sears states subparts (a) and (b) would exclude “activities common to all modern software applications” while subpart (c) would exclude “information tracking that is commonly accepted by consumers and that does not present the type of risks to consumer privacy that the Order was intended to remedy.” Sears further states that the proposed modification mirrors language that the FTC has used to exclude such commonly accepted practices from more recent consent orders.

Solicitation of Public Comment.  On November 8, the FTC issued a release seeking public comment on Sear’s petition requesting that it reopen and modify the 2009 order and definition.  The FTC will decide whether to approve Sears’ petition following the expiration of the 30-day public comment period.  Public comments may be submitted under December 8, 2017.

To view the 2009 FTC Order, click here.

To view Sears’s Petition, click here:

To view FTC’s solicitation of public comment click here.

 

If you’ve seen the news, you’re probably aware that Equifax announced last week that hackers had breached some of its website application software, potentially affecting the sensitive personal information of approximately 143,000,000 consumers.  If you believe you may be affected by the breach, or are wondering what to do about it, read below for: (A) a brief background of the breach and mitigating efforts, as well as: (B) 5 basic steps to take that may improve your chances of protecting yourself from identity theft as a result of the breach.

A. Background: Equifax Breach

The scope of data includes names, social security numbers, birth dates, addresses, and driver’s licenses.  The incident may have also compromised credit card numbers for 209,000 U.S. consumers, and other “dispute documents” that contained identifying information for 182,000 consumers.  On July 29, the company discovered the intrusion, which began in mid-May and continued through July.  More information can be found in a video statement by CEO, Rick Smith.  To support consumers, Equifax has beefed up its call centers and is directing consumers to a specific Equifax’s website, where they can type in their last name and the last 6 digits of their social security number to see if they are impacted; they also have the option to enroll in its “TrustedID Premier” service. Normally costing $19.95 a month, Equifax is offering this “comprehensive package of ID theft protection and credit monitoring at no cost.”

Criticisms.  Some debate currently exists about whether consumers should sign up for this product on the Equifax website, and various criticisms are being blasted on social media and elsewhere over the way in which Equifax is handling the breach:

  • Some have specifically criticized the nature of Equifax’s help, asserting that (a) consumers may be giving up some rights to sue the company if they signed up for its credit monitoring services, and (b) while companies do offer an opt out provision, consumers must do so in writing within 30 days of accepting the services, which the CFPB has pushed back against.
  • One Ars Technica article even criticizes the security of the Equifax website itself, which encourages you to type in your last name and the last 6 digits of your social security number to see if you’ve been impacted. According ot the article, “it runs on a stock installation WordPress … that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number.”
  • Some criticize free credit card monitoring as simply a Band-Aid, like treating the symptom instead of the underlying disease.
  • Other criticisms range from the Equifax’s delay (five weeks) before announcing to sale of shared by top executives shortly after the July 29 discovery of the breach.

Response.  Contrary to some of these assertions and several social media posts, Equifax has clarified on its website that consumers signing up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of Trusted ID Premier. Equifax also subsequently clarified in its FAQs that enrolling in the free credit file monitoring and ID theft protection associated with this cybersecurity incident does not waive any rights to take legal action.

B. Now What Do I Do?

Perhaps you are concerned that your information may have been compromised.  Perhaps you even went on the Equifax website and were told that your information “may have been impacted”. As you weigh the pros and cons of enrolling in Equifax’s TrustedID Premier product, or entering your information to see whether you may have been impacted, here are some additional steps you can take to protect yourself:

  1. Check your credit reports. Through this website, you can check your credit reports once a year – for free – from each of the 3 major credit reporting agencies, Equifax, Experian, and TransUnion. Accounts or activity that you do not recognize could indicate identity theft.
  2. Consider placing a credit freeze on your files. While it may not prevent an identity thief from making charges to existing accounts, placing a credit freeze on your file could make it harder for someone to open a new account in your name. A freeze will remain in place until you request it to be removed or temporarily lifted, which can take up to 3 business days.  Note that if you plan on opening a new account, applying for a job, renting an apartment or buying insurance in the near future, you will need to either remove the freeze or lift it temporarily for a specific time or specific party (e.g., potential landlord, employer, etc.). Check with your credit reporting company for the costs and lead times associated with temporarily lifting a freeze. If you coordinate with the party, you can find out which company they are contacting, and simply lift the freeze for that company instead of all three.
  3. Alternatively, if someone has misused your information, place a fraud alert. While a credit freeze locks down your credit, a fraud alert allows creditors to access your report as long as they take steps to verify your identify.  For instance, if you provide a phone number, the business must call you to verify you are the person making the credit requests. This may prevent someone from opening new credit accounts in your name, but won’t prevent the misuse of your existing accounts (i.e., bank, credit card, insurance statements), which you should still monitor for any indications of fraudulent transactions. You must only ask one of the three credit reporting companies to put a fraud alert on your report – they will contact the other two.  Fraud alerts are free, but require you to provide proof of your identity. They can vary from: (a) initial fraud alert (90 days, but can be renewed), (b) extended fraud alert (7 years) and (c) active duty military alert (protecting the military while deployed for one year).
  4. Monitor your existing credit card and bank accounts closely. As stated above, credit freezes and fraud alerts help prevent the opening of new accounts using your information, but they may not prevent misuse of your existing accounts. For the next couple of months, put a note in your calendar to sit down and go through each bank and credit statements to monitor for any charges you do not recognize.
  5. File your taxes early. Tax identity theft can occur when someone uses your Social Security number to get a tax refund or a job.  You may recall in 2015, when hackers obtained sensitive information and then used the data to authenticate themselves to the IRS Get Transcript application and receive tax record belong to approx. 724,000 tax filers. More recently, the IRS announced the compromise of an online tool used to fill out FAFSA student loan applications. By filing your taxes as soon as you have the tax information you need, you can help to prevent a scammer from doing so. Respond to any letters from the IRS right away.

Contact Information for the Three Credit Reporting Companies:

  1. TransUnion — 1-800-680-7289
  2. Experian — 1-888-397-3742
  3. Equifax — 1-888-766-0008

On August 7 2017, the U.S. Securities and Exchange Commission (SEC), through its Office of Compliance Inspections and Examinations (OCIE), published a Risk Alert summarizing observations on how broker dealers, investment advisers, and investment companies have addressed cybersecurity issues. The OCIE examined 75 financial firms registered with the SEC. The examinations focused on the firms’ written policies regarding cybersecurity. The OCIE observed increased cybersecurity preparedness since a similar 2014 observational initiative was conducted but also noticed areas of compliance and oversight that could be improved.

In particular, the OCIE observed that almost all firms that were examined maintain cyber-security related written procedures regarding protection of customer and shareholder records and information. Additionally, the examinations confirmed many of the firms are conducting cybersecurity risk assessments, penetration tests and vulnerability scans, and maintaining clearly defined cybersecurity organizational charts for workforces. However, the OCIE also observed that, in some cases, firms are administering vague or unclear cybersecurity policies, are not adequately following cybersecurity policies, or are not conducting adequate system maintenance to address system vulnerabilities. The Risk Alert concluded that, despite some improvements, cybersecurity remains one of the top compliance risks for financial firms. The OCIE noted that it will continue to monitor financial firms’ compliance in this area.

To view the Risk Alert, click here.

 

 

An Alabama man has been sentenced to spend six months in prison for illegally accessing the personal information of over fifty women. For over two years, Kevin Maldonado engaged in a hacking technique called “phishing,” creating fake email accounts impersonating email providers and requesting numerous women to change their email passwords. He was then able to obtain passwords and access private information, including personal photographs. Maldonado then stored the stolen information on his personal computer. Maldonado pleaded guilty in February 2017 to computer intrusion, and was sentenced to six months in prison and three years of supervised release.

Although extensive, Maldonado’s phishing technique is a common strategy employed by hackers to gain personal information. Phishing scams are fraudulent email messages that appear to come from legitimate sources. In 2016, according to the FBI’s Internet Crime Complaint Center, there were more than 19,000 victims of phishing and related scams. Email users can guard against these scams by verifying information sent in emails, like the name of the company, sender and url links embedded in the email message. Personal firewalls and security software can provide even more protection if needed.

To view information from the SEC on protection from phishing scams, click here.

To view the U.S. Attorney’s press release click here.

Today, on June 1, 2017, China’s new cybersecurity law, entitled the “Network Security Law”, goes into effect.  The law was passed in November 2016.  It now becomes legally mandatory for “network operators” and “providers of network products and services” to: (a) follow certain personal information protection obligations, including notice and consent requirements; (b) for network operators to implement certain cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and (c) for providers of networks.

The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Companies will now be required to introduce data protection measures, and sensitive data (e.g., information on Chinese citizens or relating to national security) must be stored on domestic servers.  Users now have the right to ask service providers to delete their information if such information is abused.  In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges is that the government has been unclear on what would be considered “important or sensitive data”, and which products may fall under the “national security” definition.

Penalties vary, but can include (1) a warning, injunction order to correct the violation, confiscation of proceeds and/or a fine (typically ranging up to $1 million Chinese yuan (~$147,000); (2) personal fines for directly responsible persons up to $100,000 Chinese yuan (~$14,700); and (3) under some circumstances, suspensions or shutdowns of offending websites and businesses and revocations of operating permits and business licenses. Such sanctions would take into account the degree of harm and the amount of illegal gains. (Fines could include up to five times the amount of those ill-gotten gains).

While draft implementing regulations and a draft technical guidance document have been circulated by the Cyber Administration (China’s internet regulator) the final versions of these documents are still forthcoming.  These documents are expected to clarify obligations regarding restrictions on cross-border transfers of “personal information” and “important information”, including a notice and consent obligation. They may also include procedures and standards for “security assessments”, which are necessary to continue cross-border transfers of personal information and “important information”.  Under the draft regulation, “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018.  It is expected that the final draft will contain a similar grace period.

Although large multinational corporations are typically accustomed to adapting to new laws and regulations in various countries and are already accustomed to tight internet and content controls in China, there remains concern about the potential cost impacts as well as the enforcement risk of the ambiguous language.  It is also unclear on whether the new law may alienate small or medium sized businesses otherwise looking to enter the Chinese market.  While Beijing is touting the law as a welcome milestone in data privacy, companies both large and small are concerned that the law is both vague and exceptionally broad, thus potentially putting companies at undue risk of regulatory enforcement unrelated to cybersecurity.

For an official press release from the state run website, China Daily, on May 31, 2017, click here.

Target Corporation has reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the investigation into the retailer’s 2013 data breach, officials announced on May 23, 2017. The 2013 data breach incident triggered various state consumer protection and data breach laws when hackers accessed consumer data for over 110 million Target customers. In response, state attorneys general from across the country joined in an investigation led by Connecticut and Illinois. The investigation has culminated in the largest multistate data breach settlement to date.

In November 2013, hackers breached Target’s gateway server using stolen credentials from a third-party vendor. The hackers were able to access a customer service database, install malware on the system, and capture consumer data. Customer payment card accounts for more than 41 million and contact information for more than 60 million, including full names, telephone numbers, email and mailing addresses, payment card numbers and verification codes, and encrypted debit PINs, were compromised in the breach.

Notably, Target has agreed to much more than the monetary payments to the states. Through Target’s compliance with the settlement agreement, various state attorneys general project Target will set industry standards for secure credit card processing and customer data maintenance. According to the settlement terms, Target must adhere to several requirements, including: (1) developing, implementing, and maintaining a comprehensive information security program within 180 days designed to protect customer personal information; (2) employing an executive or officer responsible for implementing and maintaining the information security program; (3) developing and implementing policies and procedures for auditing vendor compliance with its information security program; (4) maintaining encryption protocols and policies; (5) complying with the Payment Card Industry Data Security Standard (“PCI DSS”) with respect to its payment card system; (6) segmenting its payment card system from its larger computer network; (7) deploying and maintaining controls to detect and prevent the execution of unauthorized applications within its point-of-sale terminals and servers; and (8) adopting improved, industry-accepted payment card security technologies, such as chip and PIN technology.

Target has one year to obtain a third-party security assessment and report and provide the report to the Connecticut Attorney General’s Office.

A copy of the full settlement is available here.

On April 4, 2017, President Trump signed legislation repealing the Federal Communications Commission’s (FCC) privacy protections adopted in October 2016. The regulations, set to go into effect later this year, would have required internet service providers (ISPs) to adopt stricter consumer privacy protections than websites like Google and Facebook. Among other things, the regulations would have required ISPs to obtain consent before sharing sensitive customer proprietary information, take reasonable measures to secure customer proprietary information, provide notification to customers, the FCC and law enforcement in the event of data breaches, and not condition provision of service on the surrender of privacy rights.

The regulations were opposed by many ISPs who felt that they would be at a disadvantage to companies like Amazon, Google and Facebook, who are regulated by the Federal Trade Commission (FTC). Because these companies offer internet services, and do not provide internet connection, they are subject to the less restrictive FTC regulations. While many ISPs have promised not to sell proprietary customer information, these promises are voluntary. President Trump’s repeal leaves the states as the only real possible enforcer of ISP privacy regulations.

Vintage toned Wall Street at sunset, NYC.

Today, acting FTC Chairman Maureen K. Ohlhausen and FCC Chairman Ajit Pai issued a joint statement on the FCC’s issuance of a temporary stay of a data security regulation for broadband providers scheduled to take effect on March 2.  In their statement, they advocate for a “comprehensive and consistent framework”, so that Americans do not have to “figure out if their information is protected differently depending on which part of the Internet holds it.”

The Chairmen stated that for this reason, they disagreed with the FCC’s 2015 unilateral decision to strip the FTC of its authority over broadband provider’s privacy and data security practices, and believed that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, thus subjecting “all actors in the online space” to the same rules.

Until then, the joint statement provides, the two chairmen “will work together on harmonizing the FCC’s privacy rules for broadband provider with the FTC’s standards for other companies in the digital economy.”  The statement provides that the FCC order was inconsistent with the FTC’s privacy framework. The stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rules.

In response to concerns that the temporary delay of a rule not yet in effect will leave consumers unprotected, the Chairmen agree that it is vital to fill the consumer protection gap, but that “how that gap is filled matters” – it does not serve consumer’s interests to create two separate and distinct frameworks – one for Internet service providers and another for all other online companies.

Going forward, the statement says, the FTC and the FCC will work together to establish a uniform and technology-neutral privacy framework for the online world.

To view the joint FTC and FCC statement, click here.

To view the FCC Order staying the regulation, click here.

Today, Vizio, Inc., agreed to pay $2.2 million to settle charges by the FTC and the New Jersey Attorney General that it installed software on its Smart TGVS to collect viewing data on 11 million consumer televisions without the consumers’ knowledge or consent. The $2.2 million payment includes a $1.5 million payment to the FTC, and a $1 million payment to the New Jersey Division of Consumer Affairs, although $300,000 will be suspended and vacated after 5 years upon compliance with the order.   In a concurring statement, Commission Ohlhausen supported the order, but questioned the FTC’s allegation that individualized television viewing activity falls within the definition of sensitive information.

The 2014 complaint alleged that Vizio and an affiliate company manufactures smart TVs that capture second-by-second information about video displayed on the Smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices.  In addition, Vizio facilitated the integration of specific demographic information (e.g., sex, age, income, marital status, household size, educational level, home ownership, household value, etc.) to the viewing data.  Vizio then sold the information to third parties, who used it for various purposes, including targeted advertising to consumers across devices.

According to the complaint, Vizio touted its “Smart Interactivity” features that “enables program offers and suggestions”, but failed to inform consumers that the settings also enabled the collection of consumer’s viewing data. The complaint alleges that Vizio’s data tracking, – which occurred without viewer’s informed consent – was unfair and deceptive. The Complaint charges that the Defendants participated in deceptive and unfair acts in violation of Section 5 of the FTC act, and similar charges under the New Jersey Consumer Fraud Act, in connection with the unfair collection and sharing of consumers’ Viewing Data and deception concerning their “Smart Interactivity” features.

As part of the settlement, Vizio stipulated to a federal court order that:

  • Requires Vizio to prominently disclose and obtain affirmative express consent of its data collection and sharing practices;
  • prohibits misrepresentations about the privacy, security, or confidentiality of consumer information they collect;
  • requires Vizio to delete data collected before March 1, 2016; and
  • requires Vizio to implement (and review biennially) a comprehensive data privacy program.

In a concurring statement, Commissioner Ohlhausen supported Count II of the complaint, alleging that Vizio deceptively omitted information about its data collection and sharing program.  However, she expressed concern about the implications of Count I, which alleged that granular (household or individual) television viewing activity is sensitive information, and that sharing this viewing information without consent causes or is likely to cause  a “substantial injury” under Section 5 of the FTC Act.  Although Commissioner Ohlhausen acknowledged that there may be good policy reasons to consider such information, she states that the statute does not allow the FTC to find a practice unfair based primarily on public policy, and that this case demonstrates “the need for the FTC to examine more rigorously what constitutes ‘substantial injury” in the context of information about consumers. Ohlhausen indicated that she will launch an effort in the coming weeks to examine this issue further.

To view the stipulated order, click here.

To view Commissioner Ohlhausen’s concurring statement click here.