Tag: FTC

FTC Extends Deadline for Comments on COPPA Rule until December 11

By Rafael Moscatel, CIPM, CRM, IGP on December 9, 2019

The Federal Trade Commission is extending the deadline to submit comments on the agency’s review of the Children’s Online Privacy Protection Act Rule (COPPA Rule) until December 11, 2019.

The federal government’s Regulations.gov portal is temporarily inaccessible. The FTC is giving commenters additional time to submit comments, as well as an alternative mechanism to file them. Those unable to submit comments via Regulations.gov can submit them via email with the subject line “COPPA comment” to secretary@ftc.gov. All comments, whether filed through Regulations.gov or sent by email, must be submitted by11:59 p.m. ET on December 11, 2019.

The Commission voted 5-0 to extend the comment deadline until December 11, 2019.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Posted in: COPPA, FTC

Ethics Information Security Privacy

FTC Issues Opinion and Order Against Cambridge Analytica For Deceiving Consumers About the Collection of Facebook Data, Compliance with EU-U.S. Privacy Shield

By Rafael Moscatel, CIPM, CRM, IGP on December 6, 2019

The Federal Trade Commission issued an Opinion finding that the data analytics and consulting company Cambridge Analytica, LLC engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The Opinion also found that Cambridge Analytica engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework.

In an administrative complaint filed in July, FTC staff alleged that Cambridge Analytica and its then-CEO Alexander Nix and app developer Aleksandr Kogan deceived consumers. Nix and Kogan agreed to settle the FTC’s allegations. Cambridge Analytica, which filed for bankruptcy in 2018, did not respond to the complaint filed by FTC staff, or a motion submitted for summary judgment of the allegations.

The FTC staff’s administrative complaint alleged that Kogan worked with Nix and Cambridge Analytica to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The complaint alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.

The complaint also alleged that Cambridge Analytica claimed it participated in the EU-U.S. Privacy Shield—which allows companies to transfer consumer data legally from European Union countries to the United States—after allowing its certification to lapse. In addition, the complaint alleged the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

In its Opinion, the Commission found that Cambridge Analytica violated the FTC Act through the deceptive conduct alleged in the complaint. The Final Order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations. In addition, the company is required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information. It also must delete the personal information that it collected through the GSRApp.

The Commission voted 5-0 to issue the Opinion and Final Order.

Posted in: 2016 Election, Cambridge Analytica, Facebook, FTC, Privacy Shield

Information Security Privacy

FTC Announces Settlements with Four Companies Related to Allegations they Deceived Consumers over Participation in the EU-U.S. Privacy Shield

By Rafael Moscatel, CIPM, CRM, IGP on December 3, 2019December 3, 2019

The Federal Trade Commission has reached settlements with four companies that allegedly misrepresented their participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States. The FTC also alleged that two of the companies failed to comply with Privacy Shield requirements.

In separate actions, the FTC settled Privacy Shield cases against:

Click Labs, Inc., a website and mobile app services provider;
Incentive Services, Inc., a developer of service award and incentive programs for employers;
Global Data Vault, LLC, a provider of data storage and recovery services; and
TDARX, Inc., an IT services provider.

In addition to allegations that each company falsely claimed to participate in the EU-U.S. Privacy Shield framework, the FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework, which establishes a process for companies to transfer consumer data in compliance with Swiss law.

In its cases against Global Data and TDARX, the FTC further alleged that the companies continued to claim participation in EU-U.S. Privacy Shield after allowing their certifications to lapse, and that those companies failed to comply with the framework. The companies allegedly failed to verify annually that statements about their Privacy Shield practices were accurate, and failed to affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.

“The Privacy Shield Framework is critical to facilitating transatlantic commerce and assuring our European partners of our commitment to data protection,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Enforcement of the Privacy Shield framework is a priority of the FTC, and we will hold companies accountable where, as here, they fail to keep their Privacy Shield promises.”

The Department of Commerce administers both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, while the FTC enforces the promises companies make when joining the programs. With today’s announcement, the FTC has now brought a total of 21 enforcement actions related to the EU-U.S. Privacy Shield framework since it was established in 2016.

Under the settlements, all four companies are prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework, as well as any other privacy or data security program sponsored by any government, or any self-regulatory or standard-setting organization. As part of their settlements, Global Data Vault and TDARX also are required to continue to apply the Privacy Shield protections to personal information they collected while participating in the program, or return or delete the information.

The Commission voted 5-0 to issue the proposed administrative complaints and to accept the consent agreements with the four companies. The FTC will publish a description of the consent agreement packages in the Federal Register soon. The agreements will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent orders final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

Posted in: Click Labs, FTC, Global Data Vault, Incentive Services, Privacy Shield, TDARX

Data Governance Information Security Information Technology Privacy

FTC Slaps InfoTrax and its CEO with Severe Cybersecurity Order

By Rafael Moscatel, CIPM, CRM, IGP on November 18, 2019November 18, 2019

Utah Company Settles FTC Allegations it Failed to Safeguard Consumer Data

As a result, hacker gained access to personal information of a million consumers, agency says

via FTC Press Release

A Utah-based technology company has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers.

InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training, and data security, as well as operating its clients’ website portals.

In its complaint, the FTC alleges that InfoTrax and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. This includes failing to:

inventory and delete personal information it no longer needed;
conduct code review of its software and testing of its network;
detect malicious file uploads;
adequately segment its network; and
implement cybersecurity safeguards to detect unusual activity on its network.

In addition, the FTC alleged that InfoTrax stored consumers’ personal information—such as Social Security numbers, payment card information, bank account information, and user names and passwords—in clear, readable text on its network.

“Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers.”

As a result of the company’s security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. In March 2016, the intruder accessed about one million consumers’ sensitive personal information, according to the complaint.

InfoTrax did not detect these intrusions until March 2016, when it was alerted that its servers had reached maximum capacity. This alert was due to a data archive file created by the hacker who had infiltrated its network. InfoTrax’s security failures not only affected its network but also the websites of its clients, the FTC alleges.

The personal information that the intruder obtained can be used to commit identity theft and fraud. The FTC alleges that InfoTrax’s failure to provide reasonable security for personal data in its care violated the FTC’s prohibition against unfair practices.

As part of the proposed settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.

In addition, the proposed settlement requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.

The Commission vote to issue the administrative complaint and to accept the proposed consent agreement with InfoTrax and Rawlins was 5-0. Commissioner Christine S. Wilson released a concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.