Behind the Screens: Headlines that matter for privacy and data security
Federal US News
Three Dating Apps Removed From App Store After Potential COPPA Violations
Three dating apps—Meet24, FastMeet, and Meet4U, all operated by Wildec LLC—have been removed from Apple’s App Store and Google’s Google Play Store following FTC allegations that the apps allowed children as young as 12 to access them, in violation of the Children’s Online Privacy Protection Act (COPPA) and the FTC Act. The Wildec apps collect users’ birthdates, email addresses, photographs, and real-time location data. While the three apps claimed in their privacy policies to prohibit users under the age of 13, the apps failed to block users who indicated they were under 13 from using the apps and from being contacted by other users of the apps. The apps have been removed from the app stores until they address the alleged violations outlined by the FTC.
FTC Announces Changes to FCRA Model Forms
The FTC approved publication of a Federal Register notice announcing the rescission of several model forms and disclosures under the Fair Credit Reporting Act (FCRA). When Dodd-Frank transferred rulemaking authority under several portions of the FCRA to the Consumer Financial Protection Bureau (CFPB), the FTC retained seven rules issued under the FCRA, as amended, that continue to apply to motor vehicle dealers. The FTC has rescinded several of its Model Forms and Disclosures associated with rules and authorities transferred to the CFPB. The CFPB issued revisions to its FCRA model forms and disclosures in 2018, and the FTC’s forms are no longer necessary and may cause confusion. As detailed in the Federal Register notice, the Commission is rescinding the following appendices of 16 CFR part 698: A, D, E, F, G, and H. In addition, the FTC is re-designating Appendix B (Model Forms for Risk-Based Pricing and Credit Score Disclosure Exception Notices) as Appendix A, and Appendix C (Model Forms for Affiliate Marketing Opt-Out Notices) as Appendix B.
Senator Urges Apple to Offer DNT Option
Senator Josh Hawley sent a letter to Apple CEO Tim Cook asking his company to be an industry leader by giving customers an option to prohibit companies from tracking their data. Hawley suggested that Apple give customers the ability to prevent companies from collecting data that is not related to their online services. Companies that currently collect data could send it to other companies, possibly exposing customers to privacy violations, but Hawley argued that a fix for this problem is simple: “You need only require app developers, as a condition for appearing in the App store, to certify that their apps will not collect data beyond what is indispensable to companies' online services if a user activates the 'limit ad tracking' feature that you already provide.” Hawley's letter follows his recent introduction of a bill called the Do Not Track Act, which would allow consumers to enroll in a national registry through an internet browser setting or an app, legally blocking online companies from collecting any data on that consumer beyond what is necessary for the companies' online services. While California law requires a website to disclose whether it honors a “Do Not Track” setting, few steps have been taken to require website operators or app stores to develop technology to assist in this regard.
State US News
Nevada Passes Amendment to Privacy Law
The Nevada Assembly unanimously passed legislation amending Nevada’s existing online privacy notice statute. The legislation amends Nevada’s law in two notable ways: first, entities subject to the statute will need to establish a designated request address through which consumers can submit verified requests directing the entity not to make any “sale” of covered information collected about them; second, the legislation exempts financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and certain motor vehicle manufacturers from the online privacy notice statute. Notably, the legislation defines “sale” quite differently than the California Consumer Privacy Act does. Specifically, the Nevada legislation defines “sale” to mean “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” The legislation also excludes the following five categories of disclosure from the definition of sale: processing on behalf of the operator, providing a product or service, disclosures consistent with the reasonable expectations of the consumer, disclosures to affiliates, and disclosures as part of a transfer of assets. The legislation now heads to the governor for signature.
SF Bans Facial Recognition Technology
San Francisco’s Board of Supervisors voted to approve a ban on the use by city agencies—including the police department—of facial recognition technology. Called the Stop Secret Surveillance Ordinance, the ban is the first of its kind for a major American city. The policy is intended to be an extension of the data privacy reforms (i.e., CCPA) passed by California last year. City agencies are prohibited from using facial recognition technology, or information gleaned from external systems that use such technology. Private companies would not be impacted by this ban, but it does affect any companies selling such technology to the city government. Critics of the ordinance argue the city should instead draft regulations that acknowledge the usefulness of facial recognition technology rather than an outright ban. This particular battle with facial recognition technology in San Francisco, however, is mostly theoretical because the police department does not currently deploy this technology. It’s only used at SFO and ports, areas under federal jurisdiction and not impacted by this ordinance. Other cities and states are looking into similar bans.
Equifax Hit With Indiana Lawsuit Over 2017 Breach
The state of Indiana is suing Equifax over the 2017 breach that affected nearly 148 million people, including almost 4 million Indiana residents. According to the lawsuit, Equifax failed to protect the Indiana residents whose personal information was exposed by the breach. The lawsuit accuses Equifax of delaying investment in its technology and accumulating outdated systems in order to drive revenue and profit.
Massachusetts Privacy Bill Poses Class Action Risks
Massachusetts state senators introduced a consumer data privacy bill—An Act Relative to Consumer Data Privacy (S.120)—with a private right of action carrying significant statutory damages that may be recoverable in class actions without any requirement to demonstrate actual injury to establish standing. As proposed, any “consumer who has suffered a violation of this chapter may bring a lawsuit against the business or service provider that violated this chapter.” The statute directs that “the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter,” and that any “violation of this chapter shall constitute an injury in fact to the consumer.” This would remove a hurdle that has to date been critical for consumers attempting to recover damages in data privacy class actions. S.120 also renders unenforceable “any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s right under this chapter,” including any limitation on “any right to a remedy or means of enforcement.” However, under recent Supreme Court precedent holding that state laws may not discriminate against arbitration, this provision’s application to arbitration clauses is likely preempted by the Federal Arbitration Act. Apart from arbitration clauses, other contractual provisions that limit litigation risk may be unavailable to companies defending against class actions under S.120, reducing the number of defense strategies available.
CA Class Action Alleges Damages From Hidden Cameras
Several individuals submitted a complaint against two hospitals for the alleged use of hidden cameras. According to the complaint, these hospitals installed hidden cameras on drug carts in operating rooms to catch potential thieving employees. Patients were not informed that their procedures and private communications with their doctors would be recorded, and the hospital failed to log or track which employees accessed the images.
EU to Create Biometrics Database
The European Parliament has agreed to build a single biometric database that will combine various border control, security and migration systems across the EU. The Common Identity Repository will provide law enforcement with facial recognition data and fingerprints, as well as personal information such as passport numbers and birth dates, of more than 350 million citizens. Three new systems will be created—the European Criminal Records System for Third Country Nationals, the Entry/Exit System, and the European Travel Information and Authorisation System. Eurodac (the system for identifying asylum seekers and irregular border-crossers), the Schengen Information System and the Visa Information System will be covered as well. The EU says “proper safeguards” will be in place to ensure data protection and appropriate access to information. After formal approval of these new rules by the European Council, EU Member States will have 2 years to comply.
UK Tax Agency Told to Delete Files After Breach
The UK Information Commissioner’s Office (ICO) ordered HM Revenue and Customs (HMRC) to delete the voice records of 5 million taxpayers that it collected in violation of the GDPR. The ICO accused the tax collection agency of failing to give customers sufficient information about how their biometric data would be processed, and of failing to give taxpayers an opportunity to consent to the processing of their information. The GDPR designates biometric data as “special category information,” which triggers stricter requirements than apply to other forms of data. HMRC has been given until June 5 to delete the unlawfully obtained files. An HMRC spokesman said that more than 1.5 million people have phoned the tax agency since October 2018 saying that they want to continue using the voice ID service. HMRC’s chief executive and permanent secretary said his agency will delete all records for which it has not obtained explicit consent “well before” the ICO’s deadline.
Royals Win Paparazzi Battle Using GDPR
Prince Harry won a legal dispute with Splash News, a photo agency which used a helicopter to take pictures inside his home. He based his case on the photographers having mishandled his personal data under the GDPR. According to Article 5 of the GDPR, companies are obliged to handle data “fairly and in a transparent manner,” and to use it only for “legitimate purposes.” Companies need a lawful basis to handle the data, such as the subject’s consent or some kind of contract, or they must be able to argue that the processing was in the public interest or served a legitimate purpose. It’s important to note that the dispute did not go to trial and these issues were never argued in court. Although Splash apologized in a court statement, it did not admit specific wrongdoing and could have chosen to argue that it did not breach the GDPR rather than settle.
EU Releases E-Commerce Proposal
The EU published a new e-commerce proposal that aims to strengthen consumer confidence in online transactions, keep internet access open, and shield traders from attempts to restrict data flows or seize their data and source code. Businesses and consumers rely on a patchwork of bilateral or regional rules and the EU Commission believes a global framework is needed. Meanwhile, the US is pushing for rapid reform of the WTO. President Trump has threatened to withdraw from it, blocked the appointment of trade judges and adopted tough tactics in trade disputes. An EU Commission source said there was a very strong incentive to try to agree new WTO rules.
ICO Blogs on Human Involvement in AI Systems
The UK Information Commissioner’s Office (ICO) began a series of blogs as part of its ongoing work on developing a framework for auditing AI. In the first post of the series, the ICO explored how organizations can ensure “meaningful” human involvement so that AI decisions are not mistakenly classified as solely automated. AI systems often process personal data to either support or make a decision. The GDPR establishes stricter conditions for AI systems that make solely automated decisions (without human input) with legal or similarly significant effects for individuals. AI systems that only support human decision-making are not subject to these conditions; however, the human input must be meaningful. The main takeaway is that human reviewers must actively check a system’s recommendation, consider all available input data, weigh up and interpret the recommendation, consider any additional factors, and use their authority and competence to challenge the recommendation if necessary.
Singapore Updates Data Breach Notification Guidelines
Singapore has issued new guidelines to help companies manage data breaches more effectively, which are expected to be included in the upcoming amendment of Singapore’s data protection act. Under the guidelines, companies are now expected to take no more than 30 days to complete an investigation into a suspected data security breach and to notify the authorities of the incident within 72 hours after completing their assessment. Companies are also expected to notify authorities if a breach affects more than 500 individuals or where “significant harm or impact” to the individuals is likely to occur as a result of the breach. Data intermediaries should also report potential data breaches to their parent organization within 24 hours of first identifying a suspected incident. The Personal Data Protection Commission (PDPC) also unveiled new guidelines for “active enforcement,” which detail its approach to applying its regulatory powers when dealing with data breaches, including an “expedited decision process” to more quickly conclude investigations of “clear-cut data breaches” (i.e., incidents that are similar to previous cases and where the company provided an upfront admission of liability for the breach).
Other Global News
WhatsApp Says Hackers Used Security Flaw to Spy
After a security flaw allowed hackers to remotely snoop on users, WhatsApp has urged its 1.5 billion users to update their software. The company believes the attackers, likely affiliated with a sophisticated private security company that works with governments, targeted a “select number of users” after exploiting a vulnerability that allowed them to install spyware by calling victims' accounts, even if the victims did not answer the calls. WhatsApp said it has fixed the flaw. Ireland's data protection authority, WhatsApp's lead privacy regulator in Europe, is looking into the breach to determine whether and to what extent any WhatsApp EU user data has been affected, which would trigger the company's obligations under the GDPR.
Panama’s New Privacy Law
In October of 2018, Panama’s National Assembly approved data privacy legislation. The bill was signed into law by the President. The law establishes that in order for the processing of personal data to be lawful, it must be carried out with the prior, informed and unequivocal consent of the data subject, and establishes a number of data subject rights. Among others, it provides for the right to access personal data, the right to request the rectification or cancellation of personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate, false or impertinent, the right to refuse to provide personal data, the right to revoke consent and the right to data portability. The law creates a Personal Data Protection Council which has the power to develop internal regulations, recommend public policies on data protection and evaluate cases and provide recommendations. Finally, the law also establishes the duty to compensate for pecuniary and/or moral damages caused by the improper treatment of personal data, with sanctions ranging from PAB 1,000-10,000 (approx. $1,000 – 10,000) depending on the seriousness of the violation.
Ontario Court Releases Two Decisions for Privacy Class Action Certification Motions
In Tocco v. Bell Mobility Inc., the Ontario Superior Court of Justice certified the class action in which it is alleged that the defendant breached privacy rights by using the personal information of data service customers for a marketing initiative without obtaining their consent. The plaintiff alleges, among other things, that due to the sensitivity of the information collected—i.e., credit scores—the defendant was required to obtain express consent to enroll customers in an advertising program, and that the defendant’s opt-out options did not allow customers to withdraw consent for profiling purposes. In Kaplan v. Casino Rama, the Court dismissed the certification motion for the proposed class action brought by individuals whose personal information was stolen in a cyber-attack and subsequently posted online, because it was unable to certify any common issues among the plaintiffs. The Court noted that following the cyber-attack, the defendant contacted all appropriate authorities, took steps to close down the websites that contained the stolen information, notified all affected customers, employees and suppliers, and offered free credit monitoring to many of them. Two and a half years later, there was no evidence that anyone had experienced fraud or identity theft as a result of the cyber-attack and no evidence that anyone had sustained any compensable financial or psychological loss.
New Wave of Workforce Data Analytics
A new wave of workforce data analytics is raising tough questions in Switzerland. According to a study out of the University of St Gallen, of the 160 companies surveyed, 61% are using datafication-based human resources systems in retention and transition, 38% for workplace design, 37% in performance management, 21% in recruiting and hiring and 18% in compliance. While not a direct comparison, these rates are much lower than the estimated 80% of companies in the US that, according to a survey, are monitoring employees’ use of e-mail, Internet or phone, up from 35% in 1997. That’s partially because Switzerland’s labor and data protection laws are more restrictive. Most of the actual monitoring in Swiss workplaces is happening in the area of compliance. Only a few companies are experimenting with sophisticated techniques such as sentiment analysis, which uses data mining and machine learning to comb through text to determine a person’s emotional state or level of satisfaction. A 2018 survey found that 88% of workers in Switzerland are open to the collection of data on them and their work if it improves their performance or wellbeing or provides other personal benefits. The global average stood at 89%. Since there are so many legal grey areas, the question of where employers should draw the line is increasingly about ethics and acceptance by employees and the public.
Australia Releases Quarterly Breach Report
The latest quarterly data breach report from the Office of the Australian Information Commissioner (OAIC) has revealed that over 10 million individuals had their information compromised in a single incident. While the report did not detail the origin of the breach that affected over 10 million individuals, it did show that the largest number of individuals affected by a single finance-related breach was fewer than 500,000, and that the health sector's three most damaging breaches affected fewer than 5,000 individuals each. In total, the OAIC received 215 data breach notifications. Of these, 61% were attributed to malicious or criminal attacks, while human error accounted for 75 data breaches, and 9 were labelled as system faults. Australia’s Notifiable Data Breach (NDB) scheme came into effect in February of 2018, requiring agencies and organizations in Australia covered by the Privacy Act 1988 to notify individuals—whenever their personal information is involved in a data breach that is likely to result in “serious harm”—as soon as practicable after becoming aware of a breach. The OAIC said this is the last time the office will report on the NDB Scheme quarterly, with the commissioner moving to releasing information every 6 months instead.
Ransomware Attacks Surge in 2019
Insurer Beazley Group says its clients have reported twice the number of ransomware cyberattacks in the first quarter of 2019 as they did last year, with hackers targeting bigger companies and demanding bigger ransoms than ever before. Beazley, which insures, among others, law firms, hospitals, and oil and gas companies, said its Breach Response team has tallied a 105% increase in ransomware attacks among its clients year over year. Many of the attacks are coordinated and rely on sophisticated types of ransomware like Ryuk and BitPaymer, and the demanded ransoms are on average nearly double what they were last year.
Report Finds Social Attacks on the Rise
The 2019 Verizon Data Breach Investigations Report analyzed 41,686 security incidents, of which 2,013 were confirmed data breaches, drawn from 73 data sources. Small businesses continued to make up a large percentage of victims, although the percentage fell from 58% in 2017 to 43% in 2018. One notable new trend was the rise in social attacks, with C-suite executives nine times more likely to be the target of social breaches than in years past. Two findings regarding threat types differed from previous years: physical actions as a means of breach dropped from 11% last year to only 4%, while social attacks jumped from 17% of breaches to 33%. Phishing topped the list of social attack varieties, followed by pretexting.