Arent Fox Privacy Report: Networking App Fined $5.7 Million for COPPA Violations

Federal US News

Musical.ly Fined $5.7 Million for COPPA Violations

The video social networking app Musical.ly, now known as TikTok, agreed to pay $5.7 million to settle FTC allegations that the company collected personal information from children under 13 without parental consent in violation of the Children’s Online Privacy Protection Act (COPPA). COPPA applies to operators of websites/online services that are:

1. Directed to children or
2. General audience if the operator has actual knowledge they are collecting personal information from kids.

The FTC identified Musical.ly as an app directed to children both based on its constructive and actual knowledge. With respect to constructive knowledge, the FTC noted that Musical.ly is directed to children because (i) a significant percentage of users were under 13, (ii) many press articles between 2016 and 2018 highlighted the app’s popularity among tweens and younger kids, and (iii) the app featured folders of Disney and school-related songs. Additionally, the FTC noted that Musical.ly had actual knowledge it was collecting personal information from children because users’ profiles revealed their ages and at least since 2014, the app has received thousands of complaints from parents of kids under 13 who were registered users. Given that Musical.ly’s collection of information from children under 13 brought it within the scope of COPPA, it needed to obtain verifiable parental consent to collect personal information from children under 13. The app has since released an update which requires all users to verify their age and users under 13 are now directed to a separate, more restricted in-app experience that protects their personal information and prevents them from publishing videos. This is the largest civil penalty the FTC’s ever assessed under COPPA.

FTC Reviews CAN-SPAM Rule

The FTC completed its first review of the CAN-SPAM Rule which establishes requirements for commercial electronic messages and gives recipients the right to opt-out of receiving such messages. The FTC collected comments from the public on a number of issues including whether the Rule was still necessary, the costs of compliance and the benefits to consumers, and what changes, if any, needed to be made to account for economic and technological advances. They unanimously voted to keep the Rule as-is, without making any changes.

HHS Releases Voluntary Cybersecurity Practices

In partnership with the industry, the Department of Health and Human Services released the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication, which aims to provide voluntary cybersecurity practices to healthcare organizations. The publication, the result of a true public-private partnership, was in response to a mandate set by the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry. It includes two technical volumes geared for IT and IT security professionals. Recent cyber-attacks continue to highlight the importance of ensuring the technologies that are vital to the healthcare industry are safe and secure.

FTC Hearings on Competition and Consumer Protection in the 21st Century Focus on International Engagement

The 11th session of the FTC’s Hearings Initiative, “The FTC’s Role in a Changing World,” which takes place on March 25-26, will focus on its international role in light of globalization, technological change, and the increasing number of competition, consumer protection and privacy laws and enforcement agencies around the world. The agency seeks public comment on questions such as:

• What strategies should competition, consumer protection and privacy agencies use to achieve convergent or interoperable policies and consistent or complementary enforcement outcomes?
• How can cross-border enforcement cooperation be strengthened?

From a practical perspective, what are the consequences of having differing approaches internationally to competition, consumer protection and privacy enforcement around AI and other emerging technologies?

State US News

California to Close Breach Notification Loopholes

Attorney General Xavier Becerra announced a new bill that aims to close loopholes in California’s existing data breach notification laws by expanding the requirements for companies to notify users or customers if their passport and government ID numbers, along with biometric data (defined as “unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, or other unique physical representation or digital representation of biometric data”), have been stolen. Several other states, like Alabama, Florida and Oregon, already require data breach notifications in the event of passport number breaches, and also biometric data in the case of Iowa and Nebraska, among others. Illinois, Washington and Texas have laws that specifically cover biometric privacy.

California remains, however, one of only a handful of states that require the provision of credit monitoring or identity theft protection following covered breaches. “We have an opportunity today to make our data breach law stronger and that’s why we’re moving today to make it more difficult for hackers and cybercriminals to get your private information,” said Becerra. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”

Lawmakers Seek Input on CCPA

During the three-hour hearing at the California State Assembly in Sacramento, representatives from the California Chamber of Commerce, California Retailers Association, American Civil Liberties Union and independent academics and researchers, among others, voiced concerns about the CCPA's private right of action, the law's definitions of terms as they stand now, and the ability of companies to adequately prepare for and comply with such a sweeping law. On hand at the hearing was Supervising Deputy AG on Consumer Protection Stacey Schesser, who indicated to lawmakers that the AG will be asking for increased funding to help it enforce the CCPA. She also indicated that her office would seek to expand the private right of action—the AG cited private rights of action as “critical adjunct” to law enforcement's ability to enforce.

Transitional Period for NYDFS’ Cybersecurity Regulation Ends

The two-year transitional period of the NY State Department of Financial Services’ Cybersecurity Regulation—touted as the most stringent cybersecurity regulation in the world—has ended and as of March 1 the last rolling requirement regarding third-party management is in effect. This provision requires the adoption of processes that address the identification and risk assessment of third parties and the minimum cybersecurity practices they must meet. Such policies and procedures shall address to the extent applicable:

1. The identification and risk assessment of third parties;
2. Minimum cybersecurity practices required to be met by such third parties in order for them to do business with the company;
3. Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third parties; and
4. Periodic assessment of such third parties based on the risk they present and the continued adequacy of their cybersecurity practices.

These are important requirements to note even for companies not under NYDFS supervision because increased vendor and third-party service provider oversight requirements will likely be required by emerging regulations.

Lawmakers Propose Florida Biometric Privacy Law

Two senators have proposed legislation to require private companies using consumers’ biometric data (defined as “retina or iris scan, fingerprint, voice print, or scan of hand or face geometry”) to obtain informed consent and apply protections to it in storage. The Florida Biometric Information Privacy Act would require written notice of biometric data collection, use, and storage practices, considering the data as confidential and sensitive information for the application of industry standards, and making businesses liable for the unauthorized distribution of biometric data. It would also include a private right of action from $1,000 to $5,000 (same as Illinois’ BIPA and the proposed NY law).

NYDFS Cybersecurity Regulation’s Third-Party Requirements Are Live

After a two year transitional period, Section 500.11 of the New York State Department of Financial Services’ Cybersecurity Regulation, which addresses third-party security, is in force as of March 1, 2019.

The Regulation, which seeks to address the growing cyber threat to information and financial systems, became effective on March 1, 2017. It applies to financial services companies—such as commercial banks, credit unions, health insurers, investment companies, mortgage brokers, and offices of foreign banks—that are required to obtain licensure or similar authorization from the New York State Department of Financial Services (covered entities). While the Regulation aims to enforce the cybersecurity practices by which many financial companies in New York already abide, for example the PCI DSS standards, the biggest adjustment is the fact that regulators at the Department of Financial Services are able to enforce compliance and penalize noncompliance.

Read the full article here.

EU News

UK Employers Liable for Rogue Employee Data Leaks

The Court of Appeal of England and Wales issued a decision in WM Morrison Supermarkets PCL v Var‎ious Claimants, upholding the decision of the High Court that, while Morrisons itself is not at fault in relation to its handling ‎of personal data, it is vicariously liable for the criminal actions of one of its employees. Morrisons’ senior IT internal auditor had a longstanding grudge against the company. When Morrisons’ external auditor requested a copy of payroll data relating to around 100,000 employees, the employee took a copy of the data and posted it on a file sharing website. When that failed to attract ‎attention, he anonymously sent a CD containing the data and a link to the file-sharing site to three newspapers.

The newspapers reported the leak to Morrisons which promptly had the file sharing site taken down and informed the police. ‎The court found that there was a sufficient ‎connection between the position in which the employee was employed and his wrongful conduct to make it right that Morrisons ‎be held liable—Morrisons had put him into the position of handling and disclosing the payroll data. The court found no exception to the principle that the employee’s motive to harm the company was irrelevant. Morrisons is liable for damages to its current ‎and former employees whose personal and confidential information were unlawfully disclosed on the internet by the criminal ‎act of another employee, in breach of the DPA.

DPAs Flooded with Complaints

A major takeaway from the IAPP Data Protection Intensive – Paris Session (The Regulators’ View) was that the GDPR has created massive shifts in how data protection authorities (DPAs) in the EU budget, staff, prioritize and operate. In addition to meetings in Brussels and collaborations with the European Data Protection Board (EDPB), DPAs have been inundated with complaints and breach notifications. For example, Michael Kaiser, data protection officer at the German Hesse Data Protection Authority said complaints are up 1,200 percent since the GDPR went into effect and that “everyone seems to think that under the GDPR, data processing is no longer lawful.” According to Cathal Ryan, assistant commissioner at the Data Protection Commission in Ireland, companies need to look a little more closely at whether a breach is a reportable one under the letter of the law.

Online Ad Group Bidding Practice Conflicts with GDPR

Privacy advocates released a document from the Interactive Advertising Bureau (IAB) that expresses concerns the GDPR would prohibit the digital ad industry’s practice of disseminating personal information about consumers to dozens of other companies in order to solicit ad bids from them (i.e., real-time-bidding). The advocates believe admits that a key part of the IAB’s business practices would breach the GDPR. In one of the documents, the IAB says the GDPR's consent requirements, which require users to know the identities of their data processors before their data is processed, are “incompatible” with the online real-time bidding ecosystem. Lobbying groups representing the ad tech industry have expressed concerns that the GDPR would disable the way online advertising works, but privacy advocates say the industry can change to comply with the GDPR without going extinct. The files were released as part of the activists' ongoing complaint made to the UK’s ICO and the Irish DPC against the IAB and Google LLC.

Asia News

China Regulators’ Reveal 2019 Enforcement Agenda

China has indicated its determination to protect personal data under its current legal framework:

1. Four Chinese ministries—the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation—released a joint announcement that intends to curb certain privacy practices, such as bundled consent, throughout 2019 and promote a certification scheme;
2. China’s National Information Security Standardization Technical Committee released the revised proposals to recommend a national standard Personal Information Security Specification (ref. GB/T 35273–2017) for public consultation; and
3. China’s Cybersecurity Review Technology and Certification Center announced that the personal data protection compliance program of a few companies, including Alipay and Tencent Cloud, have passed certification based on the national standard.

These coordinated efforts showcase Chinese authorities’ determination to strengthen personal data protection through both positive and negative incentives.

Thailand Passes Privacy Law

The Thailand Personal Data Protection Act (PDPA) was passed after numerous attempts over nearly two decades. While the Thai Constitution upholds the right to privacy, Thailand did not have a consolidated law broadly governing data protection before. Previously, there were only sector-specific laws. The PDPA will become the first consolidated law generally governing data protection in Thailand. Businesses should be aware of its:

1. Extraterritorial applicability;
2. Data subject notification requirements;
3. Consent requirements;
4. Consent of minors;
5. Restrictions and exemptions for the collection, use, disclosure, and cross-border transfer of personal data;
6. Explicit consent requirements for sensitive data and exemptions related thereto;
7. Data subjects’ rights;
8. Security measures;
9. Data breach and notification;
10. Records of processing activities;
11. Representatives of controllers or processors who are not established in Thailand;
12. Data protection officers (DPO);
13. Exemptions from cross-border transfer requirements for transfers within the same business group;
14. Prescribed criminal and administrative penalties; and
15. Actual and punitive damages for civil liability.

Other Global News

Brand Creative Used to Spread Malware

The brand creative of big brands that consumers trust is being used to spread malware. Namely, bad actors are using legitimate advertisements created by brands and inserting malicious code to run exploits. Users then click on these advertisements thinking they are clicking on the real advertisement and are taken to a phony site or their computers are infected with malware. When an ad network’s or exchange’s quality assurance process isn’t robust enough, the fake ad can slip through. The problem grows during periods of higher traffic, like holidays. The consumer has no idea that the brand isn’t directly responsible, and the question of responsibility is a tricky one because there are so many different points at which the quality control process can break down and malicious code can be injected.

Twitter Keeps Old Messages After Deletion

Security researcher Karan Saini revealed to TechCrunch that Twitter is keeping copies of direct messages sent through the social network even years after users delete them. Twitter’s privacy policy claims that it is possible for users to restore their accounts for 30 days after deactivation, in case the move to cancel was a mistake. After the 30-day period, Twitter’s privacy policy claims it deletes the data associated with the account, including the direct messages. TechCrunch’s own tests confirmed that it is possible to recover DMs from years ago, including those that were made by suspended and deleted accounts.

Formjacking On the Rise

Every month, thousands of retail websites are targeted by cyber criminals, who insert a small piece of malicious code that allows them to snatch customers’ credit card information, in a hacking technique that is called formjacking. Small and medium-sized businesses are the biggest targets of formjacking, which affects an average of 4,800 websites per month, but high profile brands have also recently fallen victim to these attacks. Most consumers have no way of knowing if they are visiting an infected online retailer.

OneTrust Launches Vendorpedia

The GDPR and other privacy laws hold data controllers liable for personal data breaches caused by their processors (vendors). As a result, companies need to be acutely aware of their vendor privacy policies, practices, certifications, and data processing activities. To help with this process, OneTrust recently announced a new vendor risk management module integrated into its privacy management and marketing compliance platform. Vendorpedia is a network of third-party vendors that provides details on security and privacy status, recent incidents, sub-processors and more.

Experts Suspect Spy Scheme in Equifax Breach

The September 2017 Equifax data breach, in which the sensitive personal information of more than 140 million people was stolen, alarmed markets and consumers, but the data has since disappeared. CNBC talked to data “hunters” who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, and senior intelligence officials who played a part in the investigation and consultants who helped support it. The data has never appeared on any of the hundreds of underground websites selling stolen information, and they have not seen the data used in any of the ways they would expect, such as impersonating victims or accessing other websites. The consensus among these experts is that the data was stolen by a foreign government that is using the information to for spying purposes. Alternatively, the data may be used years from now—after the one year of monitoring that is often offered for a breach such as Equifax’s has ended.