Tag Archives: Federal Trade Commission

Is Computer Tech Support Really Calling to Help You?

Does the thought of losing everything on your computer leave you queasy? That’s the anxiety fraudsters attempt to exploit with tech support scams – and it’s conduct the Federal Trade Commission (FTC) and law enforcement partners are challenging through 16 civil and criminal (yes, criminal) actions announced as part of Operation Tech Trap.

Tech support scammers’ modus operandi is to run ads that resemble pop-up security alerts from Microsoft, Apple, or other companies. Consumers are warned that their computers are infected with viruses or are under hack attack. Some pop-ups even feature a countdown clock, supposedly showing the time remaining before the hard drive will be fried – unless the consumer calls a toll-free number supposedly affiliated with one of those big-name companies.

Once operators have consumers on the phone, the real theatrics begin. Operators claim to need remote access to consumers’ computers so they can run “diagnostic tests.” Those tests purport to reveal grave problems that can only be solved by one of their “certified technicians” – for a hefty fee, of course. Companies use high-pressure tactics to strong-arm consumers into paying hundreds of dollars for unnecessary repairs, anti-virus protection or software, and other products and services. (Here’s an example of a pitch in action from the FTC.)

 

In settling a case against Click4Support LLC and others, the FTC and AGs from Connecticut and Pennsylvania announced that the defendants are banned from marketing technical support services, will pay a total of more than $554,000, and will forfeit an additional $1.3 million held by the court-appointed receiver. A federal judge in Philadelphia also entered a $27 million default judgment against a related party.

But that’s not all. There have been several other similar cases brought by the FTC.

How does this boil down for you or your business?

  • Consumers get caught in tech support scammers’ web, but so do small businesses and people who work from home. The FTC has updated its advice on what you can do to protect yourself. Also, the FTC will be hosting a roundtable this summer for law enforcement agencies leading the charge against this kind of fraud and for businesses affected by tech support scams, including companies whose names have been misused by con artists. Looking for tips on spotting other B2B scams? The FTC’s new Protecting Small Businesses site is designed with you in mind.
  • People who participate in tech support scams aren’t just risking their assets and future livelihoods. They could face criminal prosecution.

If you or your business have questions or concerns regarding fraud, computer law, privacy, or cybersecurity law matters, including assistance with policies, prevention or recovery from a ransomware attack and cybersecurity insurance or insurance claims, contact attorney Jeffrey A. Franklin at Prince Law Offices.


Protecting Personal Information: A Guide for Business

The Federal Trade Commission (FTC) has published an updated version of its Protecting Personal Information: A Guide for Business.

A sound data security plan is built on 5 key principles:

  1. TAKE STOCK. Know what personal information you have in your files and on your computers.
  2. SCALE DOWN. Keep only what you need for your business.
  3. LOCK IT. Protect the information that you keep.
  4. PITCH IT. Properly dispose of what you no longer need.
  5. PLAN AHEAD. Create a plan to respond to security incidents.

Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees.

This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business.

Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this brochure will go a long way toward helping you keep data secure.


FTC Offers Advice on How to Avoid and Respond to Ransomware Attacks


Following its recent workshop on Ransomware – malicious software that denies access to computer files until the victim pays a ransom – the Federal Trade Commission (FTC) is offering tips on how consumers and businesses can protect devices and respond to ransomware.

The FTC offers How to defend against ransomware to help consumers. Businesses can find guidance in Ransomware – A closer look and the accompanying video, Defend against Ransomware.

If you or your business have questions or concerns regarding fraud, computer law, privacy, or cybersecurity law matters, including assistance with prevention or recovery from a ransomware attack and cybersecurity insurance or insurance claims, contact attorney Jeffrey A. Franklin at Prince Law Offices.

 

 


National Consumer Protection Week

Prince Law Offices, P.C. and the Federal Trade Commission (FTC) — working with more than 100 federal, state and local agencies, consumer groups, and national organizations — will spotlight efforts to protect consumers from fraud, identity theft and other consumer issues during National Consumer Protection Week (NCPW), March 6-12, 2016.

For 18 years, NCPW has been a time to encourage consumers to learn about their rights, and how to make informed buying decisions and report scams, identity theft and unfair business practices. NCPW.gov offers information on a wide range of topics, including credit and debt, online safety, imposter and other scams, identity theft and more.

The site features a blog to update visitors on the latest consumer protection news, including legal actions, new resources and partner-sponsored NCPW events. People also can get free resources and promotional tools for their own consumer education activities, as well as information on filing consumer complaints.

“The FTC and our NCPW partners are on the front lines of consumer protection every day,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “We hope people will take advantage of this week to find resources that will help them fight scams and fraud in their communities all year long.”

During NCPW, partners and hundreds of community groups across the country host events to promote general consumer education or highlight a specific issue, such as a shred-a-thon to reduce the risk of identity theft.

Contact Prince Law Offices, P.C. to learn more about your rights and how to address scams, identity theft and unfair business practices.


ASUS Settles FTC Charges Routers Put Consumers’ Privacy At Risk

ASUSTeK Computer, Inc. (ASUS) has agreed to settle Federal Trade Commission charges that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. The administrative complaint also charges that the routers’ insecure “cloud” services led to the compromise of thousands of consumers’ connected storage devices, exposing their sensitive personal information on the internet. If you have an ASUS router at home, perhaps it is time for an upgrade.

The proposed consent order will require ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

For instance, according to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge.  A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic. The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.

In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices.

The Commission alleges that, in many instances, ASUS did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers.  In addition, the complaint alleges that ASUS did not notify consumers about the availability of security updates.  For example, according to the complaint, the router’s software update tool – which allowed consumers to check for new router software – often told consumers that their router was on the most current software when, in fact, newer software with critical security updates was available.

In addition to establishing a comprehensive security program, the consent order will require ASUS to notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification).  The consent order will also prohibit the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software.

This matter is part of the FTC’s ongoing effort to ensure that companies secure the software and devices that they provide to consumers.

The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 24, 2016, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically.

If you or your business have questions or concerns regarding consumer protection, fraud, computer law, privacy, or cybersecurity law matters, contact attorney Jeffrey A. Franklin at Prince Law Offices.


Identity Theft Assistance

Identity theft victims can now go online and get a free, personalized identity theft recovery plan as a result of significant enhancements to the Federal Trade Commission’s IdentityTheft.gov website.

The new one-stop website is integrated with the FTC’s consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved.

The upgraded site offers an array of easy-to-use tools that enable identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS, among others.

“Millions of Americans have been victims of identity theft, and until now, there has not been a single site where they can quickly file an official complaint and then get real, personalized help,” said FTC Chairwoman Edith Ramirez. “The FTC’s new IdentityTheft.gov website empowers consumers to fight back faster and more effectively against identity thieves.”

“Identitytheft.gov is a vital resource as identity theft has reached epidemic levels,” said Illinois Attorney General Lisa Madigan. “As most Americans know, we live in an age when it’s not a matter of if, but when you will become a victim of identity theft. The FTC’s website is a great place for consumers to go for practical and personalized help to recover from the financial mess created by identity theft.”

“Local law enforcement is often the first place identity theft victims turn for help,” said Mary Gavin, Chief of Police for Falls Church, VA, and an Executive Committee member of the International Association of Chiefs of Police. “IdentityTheft.gov will be a powerful tool to help police assist victims, and the information victims report to the FTC can help law enforcers build cases.”

In 2015, the FTC received over 490,000 consumer complaints about identity theft, representing a 47 percent increase over the prior year, and the Department of Justice estimates that 17.6 million Americans were victims of identity theft in 2014.

When a consumer initiates a response plan through IdentityTheft.gov, the site will automatically generate affidavits and pre-fill letters and forms to be sent to credit bureaus, businesses, police, debt collectors and the IRS. Should a consumer’s recovery run into issues, the site will suggest alternative approaches. Once a consumer completes their initial report on the site, they will receive follow up e-mails and can return to their personalized plan online to continue the recovery process.

IdentityTheft.gov is also available in Spanish at RobodeIdentidad.gov, and allows Spanish-speaking consumers to view the automatically generated letters and other documents in Spanish, but print them in English for sending to the relevant recipients.


FTC takes on toothless encryption claims for dental practice software

On January 5, 2016, the Federal Trade Commission (FTC) announced a proposed data security settlement. When a company promises to encrypt dentists’ patient data, but fails to live up to established standards, it shouldn’t come as a surprise that the FTC would bristle. The result is a $250,000 proposed settlement with Henry Schein Practice Solutions, Inc.

Schein sells software to help dentists manage their practices. Many dentists use the company’s Dentrix G5 software to enter patient data, send appointment reminders, process payments and insurance claims, and add clinical notes. That can involve lots of sensitive stuff, including contact information, Social Security numbers, dates of birth, IDs and passwords, insurance providers, and details about diagnoses and prescriptions.

The security of patient data is of particular concern to dentists and other healthcare providers because of their obligations under HIPAA. To help them meet those requirements, HHS cites guidance from the National Institute of Standards and Technology (NIST), which recommends Advanced Encryption Standard (AES) encryption – a nationally recognized standard. HHS’ Breach Notification Rule includes a safe harbor that says dentists don’t have to notify patients about certain breaches if the information was encrypted consistent with the standard cited by NIST.

According to the FTC, Schein was aware of the recommendation of AES, knew about the HHS safe harbor for encrypted data, and understood why encryption would be a key selling feature for dentists. So the company hit that point hard in its promotional material. For example, according to a sales brochure, “The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards.”

But there was something else the company knew. It knew that despite its “encryption” claim, Dentrix G5 didn’t use an established standard like AES encryption. Instead, it used a less secure and more vulnerable proprietary algorithm. Then in June 2013, the United States Computer Emergency Readiness Team (US-CERT) issued a Vulnerability Note and Alert publicly stating that the vendor of the less secure algorithm had agreed to rebrand its method as “Data Camouflage” so it wouldn’t be confused with encryption algorithms like AES.

But according to the FTC, despite receiving US-CERT’s Note, Schein continued to claim until January 2014 that Dentrix G5 “encrypts patient data.” The FTC says the company didn’t clearly alert dentists who bought Dentrix G5 before that date that its software used a method less complex than a standard encryption algorithm like AES. It’s likely that accurate information would have been material to dentists because had they known the truth, they may have taken additional steps to secure patient data. In addition, the company’s statements could have led dentists to mistakenly think they qualified for the HHS safe harbor in the event of a data breach.

The complaint charges that Schein falsely claimed that Dentrix G5 provides industry-standard encryption and helps dentists protect patient data, as required by HIPAA.

The remedies in the proposed settlement are worth noting. The order prohibits the company from making misleading claims about the extent to which its products use industry-standard encryption, help ensure regulatory compliance, or protect consumers’ personal information. The company also will notify customers still using Dentrix G5 that the product doesn’t provide industry-standard encryption. In addition, the company will pay $250,000 as disgorgement. That’s a fairly common provision in FTC advertising cases, but a first for marketing claims specifically related to data security. You can file a public comment about the proposed settlement by February 4, 2016.

The FTC’s Start with Security campaign uses lessons from FTC cases to help businesses avoid security pitfalls. Today the FTC debuted a short video that the company in this case would have done well to heed: Use strong encryption to store and transmit sensitive data securely.

If you or your business have questions or concerns regarding consumer protection, fraud, computer law, privacy, cybersecurity or administrative law matters, contact attorney Jeffrey A. Franklin or any of our attorneys at Prince Law Offices.
