HFN Technology & Regulation Client Update
Dear Clients and Friends,
The beginning of 2017 has been marked by a variety of regulatory and compliance developments in technology compliance, digital advertising, big data, content, privacy and information security regulations. In this edition of the Technology & Regulation Client Update, we have concentrated on updating you regarding some of the key developments in these areas, which apply to a number of important regulatory and technological issues. Among these, you can read about the following updates and more:
Google's fight against "bad" ads, violating sites and scammers in the past year; the FTC's enforcement actions regarding data security practices in the area of the Internet of Things and extensive robocall operations; the first HIPAA enforcement action for untimely reporting of a breach and new cybersecurity guidance for medical devices; a US court ruling concerning overseas e-mail seizures; the FTC's new best practice guidelines on cross-device tracking; NIST's draft update of the Framework for Improving Critical Infrastructure Cybersecurity; FINRA's new report on blockchain and its potential implications for the securities industry; and the Chinese regulator's new requirement for the registration of app stores.
Ariel Yosefi, Partner Co-Head - Technology & Regulation Department Herzog Fox & Neeman
INDUSTRY COMPLIANCE DEVELOPMENTS
Google Took Down 1.7 Billion "Bad Ads" and Banned Approximately 200 Publishers over Misleading Content in 2016
Google has recently released a new report elaborating on how it is dealing with spam, bots and other problematic ads on its network. According to Google, the company took down more than 1.7 billion ads that violated its advertising policies in 2016, more than double the amount of bad ads it eliminated in 2015.
In 2016, Google executed two main actions to eliminate more bad ads. First, the company expanded its policies to various types and practices of misleading and predatory offers. For instance, in July, it introduced a policy banning ads for payday loans, which often result in unaffordable payments and high default rates for users (see our previous related report). In the six months since publishing this policy, the company disabled more than 5 million payday loan ads.
Second, the company improved its technology to discover and disable bad ads even faster. For instance, "trick to click" ads frequently appear as system warnings in order to mislead users into clicking on them, without realizing that they are often downloading harmful software or malware. In 2016, the company's systems detected and disabled a total of 112 million "trick to click" ads.
Google's actions against bad ads also included, inter alia, disabling ads promoting illegal activities or products. For example, the company disabled more than 68 million bad ads for healthcare violations, as well as more than 17 million bad ads for illegal gambling violations. Moreover, Google requires its advertisers to provide upfront information so that potential users can make informed decisions. Some ads try to drive clicks and views by intentionally misleading people with false information. Consequently, the company took down nearly 80 million bad ads for deceiving, misleading and shocking users.
Google also detected more "self-clicking ads" on mobile devices which could cause users, without warning, to end up in the app store downloading an app they have never heard of, and tabloid cloakers, a new type of scam ad that tries to trick the company's system by pretending to be news, taking advantage of timely topics. In 2016, Google's systems detected and disabled more than 23,000 self-clicking ads on its platforms. To fight tabloid cloakers, the company suspended more than 1,300 accounts for such activity. In addition, the company took down nearly 7 million bad ads for intentionally attempting to trick its detection systems.
Additionally, Google took action against prohibited websites which were promoted in the ads. Some examples of common policy violations which occurred on sites in 2016 are as follows:
The company took action against 8,000 sites promoting payday loans;
It took action against 47,000 sites for promoting content and products related to weight-loss scams;
It took action against more than 15,000 sites for unwanted software and disabled 900,000 ads for containing malware; and
It suspended approximately 6,000 sites and 6,000 accounts for attempting to advertise counterfeit goods.
Finally, Google has recently introduced a new AdSense misrepresentative content policy, which assists the company in taking action against website owners that misrepresent who they are, resulting in deceiving people regarding their content. In the last two months of 2016, the company reviewed 550 sites that were suspected of misrepresenting content to users, including impersonating news organizations. It took action against 340 of them for violating its policies, based on misrepresentation as well as other offenses, and nearly 200 publishers were permanently eliminated from its network.
NOTABLE LEGAL AND REGULATORY ACTIONS
FTC Charged D-Link for Inadequate Security of Its Routers and IP Cameras
The US Federal Trade Commission ("FTC") has recently filed a complaint in the Northern District of California against D-Link Corporation, claiming that inadequate security measures taken by the company left its wireless routers and Internet Protocol (IP) cameras vulnerable to hackers and compromised the privacy of thousands of consumers.
According to the FTC's complaint, although D-Link promoted the security of its routers on the company's website, it failed to take reasonable steps to address well-known and easily preventable security flaws, such as:
A software flaw known as "command injection" that could enable remote attackers to take control of consumers' routers by sending them unauthorized commands over the Internet;
"Hard-coded" login credentials integrated into D-Link camera software such as the username "guest" and the password "guest" that could allow unauthorized access to the cameras' live feed;
Leaving users' login credentials for D-Link's mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information; and
The mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months.
This complaint is part of the FTC's efforts to enforce privacy and security in the field of Internet of Things (IoT).
FTC Shut Down Two Massive Illegal Robocall Operations
The FTC has recently announced a crackdown on two massive robocall telemarketing operations, both of which have been blasting robocalls to consumers on the National Do Not Call ("DNC") Registry since at least 2012.
According to the FTC's complaint in the first of the two actions, the defendants illegally blasted millions of robocalls in 2012 and 2013 to consumers on the DNC Registry, selling home security systems or generating leads for home security installation companies. According to the complaint, the robocalling was so extensive that, during just one week in July 2012, the defendants allegedly placed more than 1.3 million illegal calls to consumers nationwide. The large majority (80%) of the numbers called were listed on the DNC Registry. Even after these defendants were caught by the Indiana Attorney General's office in 2014, resulting in a $4.375 million judgment, the FTC alleged that the defendants continued to violate the Telemarketing Sales Rule ("TSR").
According to the FTC's complaint in the second action, between at least March 2009 and May 2016, the defendants made or assisted in making billions of robocalls, many of which sold extended auto warranties, search engine optimization services, and home security systems, or generated leads for companies selling those goods and services. The majority of those calls were to numbers on the DNC Registry. In just the first three months of 2014, the FTC claimed, the defendants made more than 329 million robocalls to consumers in all 50 states, including 32 million to numbers on the DNC Registry. Additionally, in the first quarter of 2015, the FTC alleged, the defendants made 222 million calls, including 40 million to numbers on the DNC Registry.
Many of the defendants in the two cases have agreed to court orders that permanently ban them from making robocalls, making any calls to numbers listed on the DNC Registry, violating the TSR, or assisting others in doing so. The settling defendants will also pay the FTC a total of more than $500,000. Finally, the FTC clarified that if a telemarketer has not obtained the consumers' written permission, then it is illegal to make these calls.
OCR Settled First HIPAA Enforcement Action for Lack of Timely Breach Notification
The US Department of Health and Human Services, Office for Civil Rights ("OCR"), has recently announced the first Health Insurance Portability and Accountability Act (HIPAA) settlement, based on the untimely reporting of a breach of unsecured Protected Health Information ("PHI").
The settlement arose from an October 2013 breach involving the discovery that paper-based operating room schedules, which contained the PHI of 826 individuals, including names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. OCR's investigation revealed that Presence Health failed to notify, without unreasonable delay and no later than 60 days after discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR. Specifically, the investigation revealed that Presence St. Joseph Medical Center notified the affected individuals, the media, and OCR, respectively, more than 100 calendar days after discovering the breach.
The settlement required Presence Health to pay $475,000 to OCR and implement a corrective action plan that obligates Presence Health to:
Revise its policies and procedures related to complying with the HIPAA Breach Notification Rule, including policies and procedures that set forth its workforce members' roles and responsibilities with respect to:
o Receiving and addressing internal and external breach reports;
o Completing risk assessments of potential breaches of unsecured PHI; and
o Preparing required notifications to individuals, the media and OCR;
Modify its policies and procedures for sanctions against workforce members who fail to comply with the entity's HIPAA procedures;
Distribute the revised policies and procedures to all Presence Health workforce members;
Submit its security awareness training program to OCR and provide training to all workforce members;
Report any events of non-compliance with its HIPAA policies and procedures; and
Submit annual compliance reports for a period of two years.
This settlement places covered entities on notice that they must act quickly following the discovery of a breach of unsecured PHI.
Microsoft Victory in the Overseas E-mail Seizure Case is Upheld
A divided Second US Circuit Court of Appeals in New York declined to reconsider its decision forbidding the US government from forcing Microsoft and other technology companies to provide customer emails which are stored on overseas servers.
The Court refused to grant the US Justice Department's appeal of Microsoft's July 14 victory before a three-judge panel of the same court. In July 2016, the Court sided with Microsoft when it concluded that the Stored Communications Act (SCA) does not authorize courts to issue and enforce, against US-based service providers, warrants for the seizure of customer e-mail content that is stored exclusively on overseas servers.
It remains to be seen whether the case will be appealed by the US Justice Department to the Supreme Court, which will effectively be asked to decide regarding the territorial boundaries of data and the reach of the US laws in the digital era.
STANDARDS AND BEST PRACTICE GUIDANCE
FTC Published a New Report on Cross-Device Tracking
The FTC has recently issued a report on cross-device tracking. The report describes the technology used to track consumers across multiple Internet-connected devices, the benefits and challenges of cross-device tracking, the industry efforts to address those challenges, and finally provides some recommended best practices.
The FTC's report, which is based on comments and discussions from a November 2015 Cross-Device Tracking Workshop, explains that cross-device tracking associates multiple devices with the same consumer and links a consumer's activity across their devices (e.g., smartphones, tablets, personal computers, and other connected devices).
The FTC's report concludes by describing several recommended best practices for companies engaging in cross-device tracking, as well as publishers, app developers, and website operators:
Transparency: truthfully disclosing tracking to consumers and business partners;
Choice: offering consumers choice about how their cross-device activity is tracked;
Sensitive Data: obtaining consumers' affirmative express consent before engaging in cross-device tracking on sensitive topics and before collecting and sharing precise geolocation information; and
Security: maintaining reasonable security in order to avoid future unexpected and unauthorized uses of data.
Companies can expect to see increased enforcement in this field, including by both the FTC and through self-regulatory programs. As we previously reported, enforcement of the Digital Advertising Alliance's (DAA) guidance on cross-device tracking is set to begin on 1 February 2017.
FDA Released a Final Cybersecurity Guidance for Medical Devices
The US Food and Drug Administration ("FDA") published a final guidance addressing cybersecurity vulnerabilities in medical devices, in which it outlined how manufacturers should maintain the security of internet-connected devices.
The guidance recommends, inter alia, that manufacturers and stakeholders should develop a way to monitor and detect cybersecurity vulnerabilities in their devices, and then assess the level of risk which any such vulnerability poses to patient safety. The FDA's guidance further recommends that manufacturers work with cybersecurity researchers and other stakeholders in order to receive information concerning potential vulnerabilities (known as a "coordinated vulnerability disclosure
In addition, the guidance recommends that manufacturers deploy mitigations, such as software patches, to address cybersecurity issues early, and in particular before they can be exploited and cause harm. It also requires device manufacturers or importers to report any actions regarding device corrections and removals to the FDA.
The FDA emphasized that it is important for manufacturers and stakeholders to apply the core principles of the National Institute of Standards and Technology (NIST) cybersecurity framework in order to improve their cybersecurity infrastructure.
According to the FDA, these guidelines are only the beginning of its efforts to address the security of medical devices.
The NIST Published an Update to the Cybersecurity Framework
The National Institute of Standards and Technology ("NIST") has recently released a draft update to the Framework for Improving Critical Infrastructure Cybersecurity (also known as the Cybersecurity Framework). The updated framework provides new details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. In this regard, it aims to further develop NIST's voluntary guidance to organizations on reducing cybersecurity risks. Several key changes to the Cybersecurity Framework are as follows:
Supply Chain Risk Management: the draft adds cyber supply chain risk management considerations throughout the Cybersecurity Framework, including a new section on "Buying Decisions" and a new category under the Cybersecurity Framework Core's Identify function with five subcategories;
Identity Management and Access Control: the Cybersecurity Framework Core's Protect function includes a renamed Identity Management and Access Control category involving changes to three subcategories;
Metrics and Measures: the draft includes a new section on "Measuring and Demonstrating Cybersecurity" that describes how metrics and measures can guide cybersecurity risk management and correlate with business results; and
Implementing Guidance Policy: the NIST has widened the Cybersecurity Framework's explanation of how organizations can make use of Cybersecurity Framework Tiers during the implementation phase and how to integrate Cybersecurity Framework considerations into overall risk management activities.
In addition, the NIST has recently published a Guide for Cybersecurity Event Recovery. This guide is intended to assist organizations in concentrating on recovery planning alongside their existing plans for cybersecurity incident response and business continuity or disaster recovery. The guide also provides detailed guidance concerning how organizations can improve their plans, processes, and procedures in alignment with the Framework's Recover function.
The deadline for sending comments on the draft Framework for Improving Critical Infrastructure Cybersecurity (version 1.1) is 10 April 2017. NIST notes that it intends to issue a final version by the autumn of 2017, following a review of the comments received and convening another public workshop on the Cybersecurity Framework.
Version 1.1 of the NIST Cybersecurity Framework is intended to be voluntary. Nevertheless, given the widespread adoption of version 1.0 of this Cybersecurity Framework as a standard for organizations to estimate their cybersecurity postures and evaluate and improve their cybersecurity practices, organizations should seriously consider adopting version 1.1 as soon as it is finalized.
The Council of Europe Adopted New Guidelines on Big Data
The Committee of the Council of Europe's Data Protection Convention, also known as "Convention 108", has recently adopted new guidelines regarding big data, aiming to help policy makers and organizations processing personal data to place people at the center of the digital economy.
The nature of big data might render the application of traditional principles of personal data protection, such as purpose limitation or data minimization, very challenging. The guidelines set out, in some detail, a set of recommendations such as:
Any Big Data processing of personal data should comply with the requirement of free, specific, informed and unambiguous consent, and the principles of purpose limitation, fairness and transparency;
Data processors should provide an easy and user-friendly technical way for individuals to withdraw their consent;
Data controllers and processors should assess the likely impact on human rights of big data processing, for instance, by establishing ethical committees. In this regard, they should carry out risk assessments, and develop solutions by-design and by-default to mitigate the risks; and
The technical anonymization of data could be combined with legal or contractual obligations to prevent possible re-identification of the persons concerned.
The guidelines emphasize the importance of providing guidance on what has become in recent years an exponential source of knowledge, and an exponential source of processing of personal data.
REGULATORY AND LEGISLATIVE DEVELOPMENTS
FINRA Seeks Comments on a New Report on the Potential Implications of Blockchain
The US Financial Industry Regulatory Authority ("FINRA") has recently published a report which outlines the use and implications of Distributed Ledger Technology ("DLT"), better known as "blockchain", in the securities industry. The report also seeks comments as part of an effort to obtain feedback on any challenges associated with the use and implementation of DLT.
According to FINRA, there are a few regulatory issues which the financial service institutions should consider while exploring DLT, including, inter alia, customer data privacy, record keeping, know your customer, and anti-money laundering. More specifically, FINRA recommends that companies participating in a DLT network should assess and update their procedures and security measures in order to ensure compliance with customer data privacy rules. FINRA also cautions companies to consider the impact of instituting and controlling customer funds or holding private keys to customers' crypto securities, which could affect their compliance with regulations pertaining to the custody and security of customers' funds and securities. Additionally, broker-dealers should consider whether the use of a DLT network would satisfy recordkeeping requirements under the relevant regulations. Finally, the report also discusses several factors to consider in analyzing whether a DLT network will satisfy know your customer and anti-money laundering obligations.
Although the report does not provide specific guidance for a number of questions, it does represent a practical checklist of issues that will need to be addressed by regulated securities companies which will be considering the implementation of DLT networks more widely.
FINRA is encouraging all interested parties to provide comments on all aspects of its report by 31 March 2017.
The Chinese Regulator Requires Local App Stores to Register with the Authorities
The Cyberspace Administration of China has recently announced, in a notice published on its website, that it would be requiring mobile app stores to register with its offices in a concerted attempt to suppress fraudulent applications.
The new rules appear to be designed to protect users from apps which intentionally steal from or defraud consumers, as well as to restrict apps that offer stolen content, such as movies, TV shows, books, etc. According to these new rules, app store owners will be required to register with the authorities if they are, inter alia, setting up a storefront, making changes, or shutting down.
It should be noted that last month, Apple removed the English and Chinese-language versions of the New York Times app from its Chinese app store, after the Chinese authorities had informed Apple they were in breach of unspecified local regulations.
The new rules went into effect on 16 January 2017, following other regulations released in June 2016, titled Provisions on the Administration of Mobile Internet Application Information Services, which were intended to restrict apps that endanger national security, disrupt social order, or engage in other illegal activities.