Tag Archives: privacy

New FTC Website Helps Small Businesses Avoid Scams and Cyber Attacks

Attacks can be especially devastating to small businesses; FTC provides information on how businesses can protect themselvesftc

At the direction of Acting Chairman Maureen Ohlhausen, the Federal Trade Commission (FTC) has launched a new website – ftc.gov/SmallBusiness – with articles, videos, and other information aimed at helping small business owners avoid scams and protect their computers and networks from cyberattacks and other threats.

“Small businesses are critical to our economic strength, building America’s future, and helping the United States compete in today’s global marketplace,” Acting Chairman Ohlhausen said. “This innovative new website is a one-stop shop where small businesses can find information to protect themselves from scammers and hackers, as well as resources they can use if they are hit with a cyberattack.”

According to the U.S. Small Business Administration (SBA), there are more than 28 million small businesses nationwide, employing nearly 57 million people. Scammers frequently target small businesses with deceptive tactics designed to get them to pay for supplies they didn’t order, donate to fake charities or trick them into giving access to their network or downloading malware that can corrupt their business’s computers.

Cyberattacks can be particularly devastating to small businesses, and many of them lack the resources that larger companies have to devote to cybersecurity. Symantec Corp.’s 2016 Internet Security Threat Report indicates the percentage of spear-phishing attacks targeting small business rose dramatically from 18 percent to 43 percent between 2011 and 2015.

The FTC’s new web page offers specific information to help small businesses protect their networks and their customer data. This includes a new Small Business Computer Security Basics guide, which shares computer security basics to help companies protect their files and devices, train employees to think twice before sharing the business’s account information, and keep their wireless network protected, as well as how to respond to a data breach. It also has information on other cyber threats such as ransomware and phishing schemes targeting small businesses. The FTC is continuing to work with the SBA on additional ways to help small businesses.

If you or your business have questions or concerns regarding fraud, computer law, privacy, or cybersecurity law matters, including assistance with policies, prevention or recovery from a ransomware attack and cybersecurity insurance or insurance claims, contact attorney Jeffrey A. Franklin at Prince Law Offices.

Leave a comment

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy, News & Events

Protecting Personal Information: A Guide for Business

ftcThe Federal Trade Commission (FTC) has published an updated version of its Protecting Personal Information: A Guide for Business.

A sound data security plan is built on 5 key principles:

  1. TAKE STOCK. Know what personal information you have in your files and on your computers.
  2. SCALE DOWN. Keep only what you need for your business.
  3. LOCK IT. Protect the information that you keep.
  4. PITCH IT. Properly dispose of what you no longer need.
  5. PLAN AHEAD. Create a plan to respond to security incidents.

Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees.

This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business.

Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this brochure will go a long way toward helping you keep data secure.

If you or your business have questions or concerns regarding fraud, computer law, privacy, or cybersecurity law matters, including assistance with policies, prevention or recovery from a ransomware attack and cybersecurity insurance or insurance claims, contact attorney Jeffrey A. Franklin at Prince Law Offices.

1 Comment

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy

FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras

Device-maker’s alleged failures to reasonably secure software created malware risks and other vulnerabilities

ftc

The Federal Trade Commission (FTC) filed a complaint today against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.

In a complaint filed in the Northern District of California, the FTC charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.

The complaint filed today is part of the FTC’s efforts to protect consumers’ privacy and security in the Internet of Things (IoT), which includes cases the agency has brought against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras.

“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:

  • “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.

The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.

These tips can help you secure your router:

  • Before you buy or replace a device, do research online. Use search engines to find reviews, but be skeptical about the source of the information. Is it from an impartial security expert, a consumer, or the company itself?
  • Download the latest security updates. To be secure and effective, update the software that comes with your device. Check the manufacturer’s website regularly for new software and updates.
  • Change your pre-set passwords. Change the device’s default password to something more complex and secure.

There are additional steps you can take to help keep your IP camera secure.

The FTC has provided guidance to IoT companies on how to preserve privacy and security in their products while still innovating and growing IoT technology.

The Commission vote authorizing the staff to file the complaint against D-Link Corporation and California-based D-Link Systems, Inc. was 2-1, with Commissioner Maureen K. Ohlhausen voting no. The complaint was filed in the U.S. District Court for the Northern District of California.

NOTE: The FTC files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. The case will be decided by a federal district court judge.

If you or your business have questions or concerns regarding fraud, computer law, privacy, or cybersecurity law matters, including assistance with policies, prevention or recovery from a ransomware attack and cybersecurity insurance or insurance claims, contact attorney Jeffrey A. Franklin at Prince Law Offices.

Leave a comment

Filed under Business Law, Communications Law, Computer Law, Consumer Advocacy

ASUS Settles FTC Charges Routers Put Consumers’ Privacy At Risk

ftc_logo_430ASUSTeK Computer, Inc. (ASUS)  has agreed to settle Federal Trade Commission charges that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. The administrative complaint also charges that the routers’ insecure “cloud” services led to the compromise of thousands of consumers’ connected storage devices, exposing their sensitive personal information on the internet.  If you have a ASUS router at home, perhaps it is time for an upgrade.

The proposed consent order will require ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

For instance, according to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge.  A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic. The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that  hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.

In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices.

The Commission alleges that, in many instances, ASUS did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers.  In addition, the complaint alleges that ASUS did not notify consumers about the availability of security updates.  For example, according to the complaint, the router’s software update tool – which allowed consumers to check for new router software – often told consumers that their router was on the most current software when, in fact, newer software with critical security updates was available.

In addition to establishing a comprehensive security program, the consent order will require ASUS to notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification).  The consent order will also prohibit the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software.

This matter is part of the FTC’s ongoing effort to ensure that companies secure the software and devices that they provide to consumers.

The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 24, 2016, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically.

If you or your business have questions or concerns regarding consumer protection, fraud, computer law, privacy, or cybersecurity law matters, contact attorney Jeffrey A. Franklin at Prince Law Offices.

Leave a comment

Filed under Business Law, Computer Law, Consumer Advocacy

Identity Theft Assistance

Identity theft victims can now go online and get a free, personalized identity theft recovery plan as a result of significant enhancements to the Federal Trade Commission’s IdentityTheft.gov website.3 - homepage

The new one-stop website is integrated with the FTC’s consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved.
The upgraded site offers an array of easy-to-use tools, that enables identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS among others.

“Millions of Americans have been victims of identity theft, and until now, there has not been a single site where they can quickly file an official complaint and then get real, personalized help,” said FTC Chairwoman Edith Ramirez. “The FTC’s new IdentityTheft.gov website empowers consumers to fight back faster and more effectively against identity thieves.”

“Identitytheft.gov is a vital resource as identity theft has reached epidemic levels,” said Illinois Attorney General Lisa Madigan. “As most Americans know, we live in an age when it’s not a matter of if, but when you will become a victim of identity theft. The FTC’s website is a great place for consumers to go for practical and personalized help to recover from the financial mess created by identity theft.”

“Local law enforcement is often the first place identity theft victims turn for help,” said Mary Gavin, Chief of Police for Falls Church, VA, and an Executive Committee member of the International Association of Chiefs of Police. “IdentityTheft.gov will be a powerful tool to help police assist victims, and the information victims report to the FTC can help law enforcers build cases.”

In 2015, the FTC received over 490,000 consumer complaints about identity theft, representing a 47 percent increase over the prior year, and the Department of Justice estimates that 17.6 million Americans were victims of identity theft in 2014.

When a consumer initiates a response plan through IdentityTheft.gov, the site will automatically generate affidavits and pre-fill letters and forms to be sent to credit bureaus, businesses, police, debt collectors and the IRS. Should a consumer’s recovery run into issues, the site will suggest alternative approaches. Once a consumer completes their initial report on the site, they will receive follow up e-mails and can return to their personalized plan online to continue the recovery process.

IdentityTheft.gov is also available in Spanish at RobodeIdentidad.gov, and allows Spanish-speaking consumers to view the automatically generated letters and other documents in Spanish, but print them in English for sending to the relevant recipients.

If you or your business have questions or concerns regarding consumer protection, fraud, computer law, privacy, or cybersecurity law matters, contact attorney Jeffrey A. Franklin at Prince Law Offices.

 

1 Comment

Filed under Business Law, Computer Law, Consumer Advocacy

IT’S DATA PRIVACY DAY

HappyDPD

Today, January 28th, is Data Privacy Day!  The purpose of Data Privacy Day is to raise awareness about and promote best practices for data privacy and protection.

Today marks the ninth Data Privacy Day (DPD), an international effort held annually on January 28 to create awareness about the importance of privacy and protecting personal information. DPD, led by the National Cyber Security Alliance (NCSA) in North America, is the signature event of NCSA’s year-round privacy awareness campaign and is centered on the theme of “Respecting Privacy, Safeguarding Data and Enabling Trust.”

To coincide with DPD, NCSA and TRUSTe released the U.S. Consumer Privacy Index 2016, which reveals the extent of current consumer privacy concerns. According to the research, consumer privacy concern levels are rising quickly: 68 percent of consumers listed not knowing how their personal information is collected online as a top concern, compared with only 57 percent who ranked losing personal income at the top. Additionally, 45 percent of respondents are more worried about their online privacy than they were just one year ago; and 37 percent of respondents listed companies collecting and sharing their personal information with other companies as a top cause of concern.

We encourage you to use available tools and take actionable steps to manage your privacy, like limiting access on social media, keeping apps, software and devices up to date and understanding the value of your personal information.

Businesses, take this opportunity to remind your company’s employees to comply with your data privacy and protection policies and practices, and to integrate data protection into their daily work habits.  Data Privacy Day is also a good time to assess (or reassess) your company’s exposure to data breaches.

Personally-identifiable information, or “PII”, is the information a company collects, stores and handles about its customers, employees, and business partners, usually in electronic formats.  The most common types of PII breaches typically involve the loss or theft of PII by an employee or third party, the access or duplication of PII by an unauthorized party, the use of PII by an unauthorized person, and the unauthorized use of PII by an authorized party.

We can help you or your business assess your exposure to data breaches, as well as the associated cost and potential for sanctions and the standard of care for cybersecurity best practices.

If you or your business have questions or concerns regarding consumer protection, fraud, computer law, privacy, or cybersecurity law matters, contact attorney Jeffrey A. Franklin at Prince Law Offices.

Leave a comment

Filed under Business Law, Computer Law, Consumer Advocacy, News & Events

FTC takes on toothless encryption claims for dental practice software

On January 5, 2016, the Federal Trade Commission (FTC) announced a data security proposed settlement.  When a company promises to encrypt ftc_logo_430dentists’ patient data, but fails to live up to established standards, it shouldn’t come as a surprise that the FTC would bristle. A $250,000 proposed settlement with Henry Schein Practice Solutions, Inc..

Schein sells software to help dentists manage their practices. Many dentists use the company’s Dentrix G5 software to enter patient data, send appointment reminders, process payments and insurance claims, and add clinical notes. That can involve lots of sensitive stuff, including contact information, Social Security numbers, dates of birth, IDs and passwords, insurance providers, and details about diagnoses and prescriptions.

The security of patient data is of particular concern to dentists and other healthcare providers because of their obligations under HIPAA. To help them meet those requirements, HHS cites guidance from the National Institute of Standards and Technology (NIST), which recommends Advanced Encryption Standard (AES) encryption – a nationally recognized standard. HHS’ Breach Notification Rule includes a safe harbor that says dentists don’t have to notify patients about certain breaches if the information was encrypted consistent with the standard cited by NIST.

According to the FTC, Schein was aware of the recommendation of AES, knew about the HHS safe harbor for encrypted data, and understood why encryption would be a key selling feature for dentists. So the company hit that point hard in its promotional material. For example, according to a sales brochure, “The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards.”

But there was something else the company knew. It knew that despite its “encryption” claim, Dentrix G5 didn’t use an established standard like AES encryption. Instead, it used a less secure and more vulnerable proprietary algorithm. Then in June 2013, the United States Computer Emergency Readiness Team (US-CERT) issued a Vulnerability Note and Alert publicly stating that the vendor of the less secure algorithm had agreed to rebrand its method as “Data Camouflage” so it wouldn’t be confused with encryption algorithms like AES.

But according to the FTC, despite receiving US-CERT’s Note, Schein continued to claim until January 2014 that Dentrix G5 “encrypts patient data.” The FTC says the company didn’t clearly alert dentists who bought Dentrix G5 before that date that its software used a method less complex than a standard encryption algorithm like AES. It’s likely that accurate information would have been material to dentists because had they known the truth, they may have taken additional steps to secure patient data. In addition, the company’s statements could have led dentists to mistakenly think they qualified for the HHS safe harbor in the event of a data breach.

The complaint charges that Schein falsely claimed that Dentrix GS provides industry-standard encryption and helps dentists protect patient data, as required by HIPAA.

The remedies in the proposed settlement are worth noting. The order prohibits the company from making misleading claims about the extent to which its products use industry-standard encryption, help ensure regulatory compliance, or protect consumers’ personal information. The company also will notify customers still using Dentrix G5 that the product doesn’t provide industry-standard encryption. In addition, the company will pay $250,000 as disgorgement. That’s a fairly common provision in FTC advertising cases, but a first for marketing claims specifically related to data security. You can file a public comment about the proposed settlement by February 4, 2016.

The FTC’s Start with Security campaign uses lessons from FTC cases to help businesses avoid security pitfalls. Today the FTC debuted a short video that the company in this case would have done well to heed: Use strong encryption to store and transmit sensitive data securely.

If you or your business have questions or concerns regarding consumer protection, fraud, computer law, privacy, cybersecurity or administrative law matters, contact attorney Jeffrey A. Franklin or any of our attorneys at Prince Law Offices.

Leave a comment

Filed under Business Law, Computer Law, Consumer Advocacy