Tag Archives: Data Security

Stick with Security – Part 1

stick_with_security_1When it comes to data security, what’s reasonable will depend on the size and nature of your business and the kind of data you deal with. But certain principles apply across the board: Don’t collect sensitive information you don’t need. Protect the information you maintain. And train your staff to carry out your policies.

The FTC’s Start with Security initiative was built on those fundamentals. Some helpful tips follow.

DON’T COLLECT PERSONAL INFORMATION YOU DON’T NEED.

It’s a simple proposition: If you don’t ask for sensitive data in the first place, you won’t have to take steps to protect it. Of course, there will be data you must maintain, but the old habit of collecting confidential information “just because” doesn’t hold water in the cyber era. Continue reading

Leave a comment

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy

Stick with Security: FTC Providing Insights on Data Security Practices

ftc_logo_430As part of its ongoing efforts to help businesses ensure they are taking reasonable steps to protect and secure consumer data, the Federal Trade Commission (FTC) is publishing a series of blog posts using hypothetical examples based on lessons from closed investigations, FTC law enforcement actions, and questions from businesses. These new posts will build on the FTC’s Start with Security guide for businesses.

FTC Acting Chairman Maureen K. Ohlhausen pledged earlier this year to be more transparent about the lessons learned from the FTC’s closed data security investigations and to provide additional information for businesses about practices that contribute to reasonable data security, culminating in this “Stick with Security” Initiative.

In the first blog post published July 21, 2017, the FTC highlights some of the themes that have emerged from an examination of closed FTC data security investigations. For example, while news reports might call attention to a data breach, they might not focus on the fact that the company that suffered the breach had encrypted the data, which substantially reduces the risk of consumer injury (and legal liability). Another lesson gleaned is that security researchers’ valuable work can alert us to new vulnerabilities, but sometimes the risk of a vulnerability being exploited to cause consumer injury is more theoretical than likely. Another key lesson is that in almost every closed case, the entities involved used the same common-sense security fundamentals outlined in the FTC’s Start with Security guide for businesses.

If you or your business have questions or concerns regarding fraud, computer law, privacy, or cybersecurity law matters, contact attorney Jeffrey A. Franklin at Prince Law Offices.

Leave a comment

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy

FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras

Device-maker’s alleged failures to reasonably secure software created malware risks and other vulnerabilities

ftc

The Federal Trade Commission (FTC) filed a complaint today against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.

In a complaint filed in the Northern District of California, the FTC charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.

The complaint filed today is part of the FTC’s efforts to protect consumers’ privacy and security in the Internet of Things (IoT), which includes cases the agency has brought against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras.

“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:

  • “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.

The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.

These tips can help you secure your router:

  • Before you buy or replace a device, do research online. Use search engines to find reviews, but be skeptical about the source of the information. Is it from an impartial security expert, a consumer, or the company itself?
  • Download the latest security updates. To be secure and effective, update the software that comes with your device. Check the manufacturer’s website regularly for new software and updates.
  • Change your pre-set passwords. Change the device’s default password to something more complex and secure.

There are additional steps you can take to help keep your IP camera secure.

The FTC has provided guidance to IoT companies on how to preserve privacy and security in their products while still innovating and growing IoT technology.

The Commission vote authorizing the staff to file the complaint against D-Link Corporation and California-based D-Link Systems, Inc. was 2-1, with Commissioner Maureen K. Ohlhausen voting no. The complaint was filed in the U.S. District Court for the Northern District of California.

NOTE: The FTC files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. The case will be decided by a federal district court judge.

If you or your business have questions or concerns regarding fraud, computer law, privacy, or cybersecurity law matters, including assistance with policies, prevention or recovery from a ransomware attack and cybersecurity insurance or insurance claims, contact attorney Jeffrey A. Franklin at Prince Law Offices.

Leave a comment

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy

FTC takes on toothless encryption claims for dental practice software

On January 5, 2016, the Federal Trade Commission (FTC) announced a data security proposed settlement.  When a company promises to encrypt ftc_logo_430dentists’ patient data, but fails to live up to established standards, it shouldn’t come as a surprise that the FTC would bristle. A $250,000 proposed settlement with Henry Schein Practice Solutions, Inc..

Schein sells software to help dentists manage their practices. Many dentists use the company’s Dentrix G5 software to enter patient data, send appointment reminders, process payments and insurance claims, and add clinical notes. That can involve lots of sensitive stuff, including contact information, Social Security numbers, dates of birth, IDs and passwords, insurance providers, and details about diagnoses and prescriptions.

The security of patient data is of particular concern to dentists and other healthcare providers because of their obligations under HIPAA. To help them meet those requirements, HHS cites guidance from the National Institute of Standards and Technology (NIST), which recommends Advanced Encryption Standard (AES) encryption – a nationally recognized standard. HHS’ Breach Notification Rule includes a safe harbor that says dentists don’t have to notify patients about certain breaches if the information was encrypted consistent with the standard cited by NIST.

According to the FTC, Schein was aware of the recommendation of AES, knew about the HHS safe harbor for encrypted data, and understood why encryption would be a key selling feature for dentists. So the company hit that point hard in its promotional material. For example, according to a sales brochure, “The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards.”

But there was something else the company knew. It knew that despite its “encryption” claim, Dentrix G5 didn’t use an established standard like AES encryption. Instead, it used a less secure and more vulnerable proprietary algorithm. Then in June 2013, the United States Computer Emergency Readiness Team (US-CERT) issued a Vulnerability Note and Alert publicly stating that the vendor of the less secure algorithm had agreed to rebrand its method as “Data Camouflage” so it wouldn’t be confused with encryption algorithms like AES.

But according to the FTC, despite receiving US-CERT’s Note, Schein continued to claim until January 2014 that Dentrix G5 “encrypts patient data.” The FTC says the company didn’t clearly alert dentists who bought Dentrix G5 before that date that its software used a method less complex than a standard encryption algorithm like AES. It’s likely that accurate information would have been material to dentists because had they known the truth, they may have taken additional steps to secure patient data. In addition, the company’s statements could have led dentists to mistakenly think they qualified for the HHS safe harbor in the event of a data breach.

The complaint charges that Schein falsely claimed that Dentrix GS provides industry-standard encryption and helps dentists protect patient data, as required by HIPAA.

The remedies in the proposed settlement are worth noting. The order prohibits the company from making misleading claims about the extent to which its products use industry-standard encryption, help ensure regulatory compliance, or protect consumers’ personal information. The company also will notify customers still using Dentrix G5 that the product doesn’t provide industry-standard encryption. In addition, the company will pay $250,000 as disgorgement. That’s a fairly common provision in FTC advertising cases, but a first for marketing claims specifically related to data security. You can file a public comment about the proposed settlement by February 4, 2016.

The FTC’s Start with Security campaign uses lessons from FTC cases to help businesses avoid security pitfalls. Today the FTC debuted a short video that the company in this case would have done well to heed: Use strong encryption to store and transmit sensitive data securely.

If you or your business have questions or concerns regarding consumer protection, fraud, computer law, privacy, cybersecurity or administrative law matters, contact attorney Jeffrey A. Franklin or any of our attorneys at Prince Law Offices.

Leave a comment

Filed under Business Law, Computer Law, Consumer Advocacy

FTC’s $100 million settlement with LifeLock

Today, the Federal Trade Commission (FTC) released the following: The law may not authorize the use of light sabers, but to protect consumers and ensure that companies comply with existing orders, the FTC will use the forces within its power. It’s a lock that the agency’s $100 million settlement with LifeLock – one of the largest redress orders of its kind – makes that point as big as life.

ftc_logo_430

LifeLock’s first go-round with the FTC and 35 state AGs was in 2010. According to that complaint, LifeLock didn’t live up to identity protection claims it made in its ads. To settle that case, the company agreed to secure customers’ sensitive information and promised not to mislead consumers in the future with deceptive claims about its services.

But as the FTC alleges, LifeLock violated four key provisions of that order. First, the FTC says that from October 2012 through March 2014, LifeLock failed to set up and maintain a comprehensive information security program to protect customers’ sensitive data, including their Social Security, credit card, and bank account numbers. The safety of consumers’ confidential information should be a serious consideration for any business – but for a company already under FTC order and in the business of selling identity protection services? You get the point.

Second, the filing charges that during that period, LifeLock falsely advertised that it protected consumers’ sensitive information with the same high-level safeguards as financial institutions. What about the company’s promise it would send alerts “as soon as” it received any indication that a customer may be a victim of identity theft? According to the filing, that ad claim was false, too. Finally, the FTC says LifeLock didn’t live up to the record-keeping provisions of the 2010 settlement, an essential part of any order.

Under the terms of the proposed settlement, the $100 million LifeLock has to pay will go toward consumer refunds. To make sure consumers are protected, the settlement explains in detail how that has to happen. LifeLock must deposit $100 million into the registry of the United States District Court in Arizona. Of that total, the company may use $68 million in settling an ongoing class action lawsuit related to the conduct alleged in the FTC’s filing. But let’s be clear: That money must go directly to consumers. Not one penny can be used for administrative costs or legal fees associated with the class action. Any money not received by consumers in the class action settlement or through settlements between LifeLock and the state AGs will go to the FTC for further consumer redress.

Surprised by the number of zeros in the settlement? You shouldn’t be. There’s not much the FTC takes more seriously than effective enforcement of existing orders. Furthermore, the FTC has made it clear that it won’t tolerate deceptive advertising and unreasonable data security practices. Today’s announcement gives companies 100 million more reasons to avoid both courses of conduct.

If you or your business have questions or concerns regarding consumer protection, fraud, or administrative law matters, contact attorney Jeffrey A. Franklin or any of our attorneys at Prince Law Offices, P.C.

Leave a comment

Filed under Business Law, Computer Law, Consumer Advocacy