On July 29, the FTC announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision to dismiss a 2013 FTC complaint against a Georgia-based medical testing laboratory (Respondent). In a 3-0 vote, the Commission determined that Respondent “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network and therefore that its data security practices were unfair under Section 5 of the [FTC] Act.” In reversing the Initial Decision, the Commission concluded that Respondent’s security practices lacked “even basic precautions” to protect consumers’ sensitive information by, among other things, failing to (i) “use an intrusion detection system or file integrity monitoring”; (ii) “monitor traffic coming across its firewalls”; (iii) provide adequate data security training to its employees, finding that “essentially no data security training” was provided; and (iv) delete “any of the consumer data it had collected.” According to the Commission, such failures led to the exposure of medical and other sensitive information for 9,300 consumers on a peer-to-peer (P2P) network to which millions of users had access. Read more…
On August 5, New York AG Schneiderman announced that an online retailer will pay $100,000 in penalties to settle allegations that its weak security practices led to a data breach that potentially exposed more than 25,000 credit card numbers and cardholder data. According to AG Schneiderman, after a third party accessed the retailer’s website on August 7, 2014, a merchant bank notified the retailer on June 5, 2015 that customers’ credit card accounts were showing fraudulent charges. The retailer subsequently hired a company to conduct a forensic investigation, during which malware was found on and subsequently removed from the retailer’s website. AG Schneiderman contends that the retailer violated various sections of the New York State General Business Law by failing to notify its customers or law enforcement of the breach and by misrepresenting the safety and security of its website, also in breach of Executive Law § 63(12). In addition to the $100,000 penalty, the settlement requires that the retailer (i) conduct thorough and efficient investigations of future data security breaches; (ii) promptly notify New York law enforcement and affected customers of data security breaches; (iii) “maintain reasonable security policies and procedures designed to protect the personal information of consumers in accordance with New York State General Business laws”; (iv) remediate security vulnerabilities on its websites; and (v) train its employees with the most current data security practices.
Department of Agriculture Requests Comments on Continuation of, and Changes to, Registration Form to Request Electronic Access Code Information
On July 22, the Federal Register published the U.S. Department of Agriculture’s (USDA) request for comments on the Office of the Chief Information Officer’s (OCIO) intent to “request approval for the continuation of and changes to the [USDA] Registration Form to Request Electronic Access Code information collection to allow USDA customers to securely and confidently share data and receive services electronically.” The USDA’s eAuthentication Service (eAuth) collects customer and employee information in order to provide “public citizens as well as federal government employees with a secure single sign-on capability for USDA applications, management of user credentials, and verification of identity, authorization and electronic signatures.” The online self-registration process and identity proofing service, which is voluntary, permits USDA customers and employees to access to USDA Web applications and services via the Internet. As it currently exists, the eAuth service allows customers to access USDA Web site portals through two Levels of Assurance (LOAs). LOA 1 provides limited access to portals and applications that have minimal security requirements. LOA 2 “enables users to conduct official electronic business transactions via the Internet, enter into a contract with the USDA, and submit forms electronically via the Internet to USDA agencies.” The OCIO is developing LOA 3, which, if authorized, would provide public citizens with accounts. LOA 3 would require the same level of self-registration and identity proofing, but would also incorporate strong multi-factor authentication credentials for access to secure, high risk, or sensitive systems. Comments on the USDA’s notice are due by September 20, 2016.
On July 12, the European Union (EU) finalized and adopted the EU-U.S. Privacy Shield for transatlantic data flows. As previously covered in InfoBytes, on October 6, 2015, the Court of Justice of the European Union declared in Shrems v. Data Protection Commissioner “invalid” a decision of the European Commission that the EU-U.S. Safe Harbor Framework provided adequate protection for personal data transferred from the EU to the U.S., thus requiring the EU and the U.S. to develop a new framework for transatlantic data transfers. The recently finalized EU-U.S. privacy shield is based on the following principles: (i) strong obligations on companies handling data, including requiring the Department of Commerce to regularly conduct updates and reviews of participating companies and tightening conditions for the onward transfers of data; (ii) clear safeguards and transparency obligations on U.S. government, assuring that “the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms”; (iii) effective protection of individual rights, including complaint-handling mechanisms and the designation of an Ombudsperson independent from U.S. intelligence services to handle redress possibility in the area of national security for EU citizens; and (iv) annual joint review mechanism to monitor the functioning of the Privacy Shield. On July 12, the Commission simultaneously released a Q&A, a Fact Sheet, the “Adequacy Decision,” which will enter into force immediately after Member States are notified, and Annexes.
On June 8, the SEC announced that a New York-based financial services firm agreed to pay a $1 million civil monetary penalty to resolve allegations that it violated the “Safeguards Rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). According to the SEC, the firm “failed to ensure the reasonable design and proper operation of its policies and procedures in safeguarding confidential customer data.” The SEC further contends that the firm failed to audit or test the authorization models that allowed employees to access the portals hosting customer data. The financial services firm settled the charges without admitting or denying the SEC’s findings. As of result of the company’s alleged failures, between 2011 and 2014, a then-current employee of the firm gained access to and copied data regarding approximately 730,000 customer accounts to his personal server. The SEC alleges that the employee’s personal server was hacked, and portions of the misappropriated data were posted to at least three Internet sites, with an offer to sell more of the stolen data in exchange for payment in digital currency. Per the employee’s separate consent order, the employee agreed to an industry and penny stock bar with the right to apply for reentry after five years. He was previously criminally convicted for his actions and received 36 months of probation and $600,000 in restitution.