June 4, 2013
Over the last few years privacy, and the lack of comprehensive protection, have made numerous headlines. From overly inquisitive mobile applications that fail to disclose how cell photo data is accessed and shared (Path) to handset manufacturers failures to properly inculcate privacy in the design and manufacturing process (HTC) to security lapses at government databases resulting in exposure of sensitive personal information (South Carolina), consumers, regulators and legislators are waking up to privacy issues.
Recent developments highlight the trend in Privacy
In the U.S. we lack a single comprehensive privacy law, although many state and federal laws address various aspects of collecting, storing and sharing personal information. In the absence of a single, over-arching, mandate, legislators and regulators are stepping into fill at perceived need.
GPS, Location & Privacy
The Geolocation Privacy and Surveillance (GPS) Act addresses use of location data by law enforcement. The bill (not yet law) requires police to obtain a warrant based on probable cause whenever it seeks “location information.” Unfortunately, the term “location information” is very broadly defined, does not distinguish requests for access based on the level of precision, time period, or whether the information is for past or future conduct.
Proposed Federal Privacy Standards
Two bills introduced this year aim to create a baseline level of privacy protection at the federal level. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced S. 799, the Commercial Privacy Bill of Rights Act of 2011, to create a regulatory framework for the comprehensive protection of personal data for individuals, enforceable by the Federal Trade Commission (FTC). Similarly, Rep. Cliff Stearns (R-FL) is promoting a Consumer Privacy Protection Act (H.R.1528), directed at consumers and focused on restricting the sale or disclosure of personal information.
FTC Protects Privacy Under Mantle of Consumer Protection
As a result of alleged data security failures that led to three data breaches at Wyndham hotels in less than two years, the Federal Trade Commission filed suit against hospitality company Wyndham Worldwide Corporation. The case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.
The FTC complaint alleges that Wyndham failed to maintain adequate and industry standard security measures by storing credit-card information in unencrypted format, allowing servers to remain unpatched, and failing to use firewalls.
The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.
Most notably, the lawsuit will test whether the Federal Trade Commission has the jurisdiction to compel companies to provide a certain level of cybersecurity in order to safeguard consumer personal information.
Privacy Remains Top Concern
Many companies across many industries, financial services, higher education and healthcare, just to name a few, are facing a wide range of security and privacy concerns, scrambling to implement A defensible security framework and demonstrate compliance. It’s alarming, considering the significant consequences associated with not complying.
Organizations can lose contracts, customers and their reputation. That could put some out of business.
Compliance Preparation & Best Practices
Large organizations can spend many months and millions of dollars on compliance. Your business need not go to such extremes. To prevent getting caught by surprise and to prepare for the compliance journey, I’ve listed below some suggested best practices.
Periodic risk assessments. Evaluate potential damage and disruption caused by unauthorized access, use, disclosure, modification, or destruction of data or systems.
Policies and procedures. Incorporate procedures for detecting, reporting, and responding to security incidents, as well as business continuity plans.
Standardize. Set standards of acceptable information security for networks, facilities, and information systems.
Train Employees. Awareness training for employees, contractors, and other users of information systems is critical. Articulate the security risks associated with activities and define users’ responsibility for complying with policies and procedures.
Test & Evaluate. Periodic assessment of the effectiveness of information security policies, procedures, practices, and controls helps determine weak spots. At a minimum they should be conducted annually, according to Ford.
Respond & Repair. Have a pre-defined process for planning, implementing, evaluating, and documenting remedial actions designed to address legal, PR, HR and related risks in the event of a breach.
THIS IS NOT LEGAL ADVICE. The procedures outlined above are merely suggestions and there is no guarantee that implementation will reduce risk or mitigate liability.
Please contact Leavens, Strand, Glover & Adler at 866-734-2568 for a free consultation to learn how LSGA can help meet your specific needs.
Tagged: applications, cell photo data, consumers, databases, Design, disclose, exposure, government, HTC, legislators, manufacturing, Mobile, personal information, Privacy, protection, regulators, security, South Carolina
The rapid growth and expansion in the mobile market presents a number of privacy and security issues for mobile software and hardware developers, platform operators, advertisers and marketers who collect, store, use and share consumer information. As awareness of privacy risks grow among consumers, legislators and regulators are increasing scrutiny of mobile privacy and privacy policies in mobile apps.
Businesses operating in the mobile industry are facing a widening array of Regulatory compliance issues. Staying abreast of legal risks and issues can be daunting. How can mobile operators and application developers spot trends and adjust strategies to start competitive? First, keep an eye on FTC activity. Second, monitor new bills coming up in Congress. Third, follow this blog, adlerlaw.wordpress.com.
FTC Privacy Enforcement Actions
Earlier this year, the FTC expanded mobile privacy obligations beyond software to include hardware makers when it announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
Congressional Privacy Laws, Bills & Initiatives
Not surprisingly, federal legislators are taking up the mantle of Consumer Privacy in the area of Mobile Applications. In January 2013, U.S. Rep. Hank Johnson, introduced his mobile privacy bill, The Application Privacy, Protection and Security Act of 2013, or the “APPS Act,”. The bill focuses on transparency, user control and security, mandating that an application 1) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data, and 2) obtain the consent of the user to the terms and conditions. Significantly, the privacy notice is required to include a description of the categories of personal data that
will be collected, the categories of purposes for which the personal data will be used, and the categories of third parties with which the personal data will be shared.
The Bill also requires that application developers have a data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the rights of the user and the process by which the user may exercise such rights in addition to data security and access procedures and safeguards.
App developers unaware of the data protection requirements may face significant risks and potential harm to their reputation among users of smart devices. If you have concerns about what key data protection and privacy legal requirements apply to mobile applications and the types of processing an app may undertake contact us for a mobile app legal audit. Vague or incomplete descriptions of the ways which a mobile app handles data or a lack of meaningful consent from end users before that processing takes place can lead to significant legal risk. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment.
Learn more David M. Adler here.
Tagged: compliance, data, Mobile, Privacy, regulation, Risk, security
On February 22, 2013, the FTC announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
The FTC alleged that HTC failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk. The resulting vulnerabilities posed risks to sensitive functionality, including the possibility that malware could send text messages, record audio, and install additional malware onto a consumer’s device.
Here are four key take-aways for mobile device manufacturers and application developers from the FTC’s complaint:
- provide your engineering (programming) staff with security training
- review or test your software on mobile devices for potential security vulnerabilities
- follow well-known and commonly accepted secure coding practices
- establish a process for receiving and addressing vulnerability reports from third parties
Smartphones and tablets are powerful, popular, and continue to find their ways into our personal and business lives. New mobile apps hit the market each day. In this fast-moving era of entrepreneurship and creativity, mobile device and app developers need to keep up with evolving privacy and security. Apps and mobile devices that tap into consumer data — including contact information, photos, and location to name a few — pose a heightened risk to digital snoops, data breaches, and real-world thieves.
Please contact us if you are interested in learning how to evaluate your mobile security and privacy risk or to help develop a “Privacy By Design” approach mobile app security.
Please comment, tweet and forward!
- FTC moves against mobile device makers over security (networkworld.com)
- AT&T to usher in split-personality mobile devices (reviews.cnet.com)
Tagged: "Privacy By Design" guidelines, developers, device, Federal Trade Commission, FTC, HTC, HTC Corporation, legal risks, manufacturer, Mobile, mobile application, Mobile device, Smartphone, Tablet computer, Vulnerability (computing)
December 23, 2012
As a result of the rapid shift in marketing from unilateral one-to-many communications, to the multilateral, many-to-many or many-to-one conversations enabled by Social Media, employees and employers are struggling to manage accounts that are used for both work and personal purposes.
This new phenomenon has benefits, but it also creates a number of legal challenges. For employees, it may result in greater efficiency, more opportunities for authentic customers engagement and the ability to stay on top of the most current grands and business issues. For employers, it presents opportunity to reap substantial benefits from lower communications and customer support costs. For in-house counsel, it raises a host of legal and practical issues with few easy solutions and significant liability and regulatory risks.
First, there are hardware issues. Smartphones, tablets and other personal electronics often have social networking capabilities built in. in addition, they contain contain both personal and business data. Because these devices are always on and always connected, they are more than just personal property. They have become essential business tools. For both sides of the workplace equation, employers and employees must understand where the privacy lines fall between personal versus work-related information.
Second, there are data issues. Employers must balance their needs to monitor employee usage, employees’ privacy concerns, and the risk of liability for theft or exposure of data if a device is lost or stolen, or from lack of proper safeguards on account usage. For in-house counsel tasked with drafting policies to address these risks, , Prior to implementation of any policy, the legal team needs to educate front line employees and management on reasonable expectations of privacy and security and the harms that the organization seeks to prevent.
Lastly, recent cases such as the Cristou v. Beatport litigation, highlight the struggle to define and control the beginning and end of employee social media accounts, ownership and protection of intellectual property and the post termination risks that arise from the absence of appropriate policies.
As we prepare to start a new year, the time is ripe to establish security and privacy policies governing creation, maintenance and use of employees’ social media accounts for work functions. In-house counsel must lead the charge to educate, inform and train employees about privacy, security and evidence-recovery implications associated with use of social media.
Tagged: accounts, attorney, Business, BYOD, Communications, counsel, employee, employer, in-house, infosec, Law, Lawyer, Legal, Marketing, media, Mobile, policies, policy, Privacy, regulation, security, social, Workplace
September 18, 2012
Representative Markey is no stranger to mobile privacy issues. Last year, Rep. Markey asked the FTC to investigate the practices of the Carrier IQ software company as a possible unfair or deceptive act or practice.
On September 12, 2012, Rep. Markey, co-Chair of the Bi-Partisan Congressional Privacy Caucus, released H.R. 6377, “The Mobile Device Privacy Act.” The legislation would require companies to disclose to consumers the capability to monitor telephone usage, as well as require express consent of the consumer prior to monitoring.
“Just because a mobile device is hand held doesn’t mean it should hand over personal information to third parties without permission,” said Markey in a released statement.
Tagged: Carrier, congress, data, Disclosure, house, legislation, Markey, Mobile, Mobile Device Privacy Act, monitoring, Privacy, software, telecommunications
September 7, 2012
Sept. 5 2012:
From the FTc web site:
The Federal Trade Commission has published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC’s new publication, “Marketing Your Mobile App: Get It Right from the Start,” notes that there are general guidelines that all app developers should consider. They include:
Tell the Truth About What Your App Can Do. – “Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth,” the publication advises;
Disclose Key Information Clearly and Conspicuously. – “If you need to disclose information to make what you say accurate, your disclosures have to be clear and conspicuous.”
Build Privacy Considerations in From the Start. – Incorporate privacy protections into your practices, limit the information you collect, securely store what you hold on to, and safely dispose of what you no longer need. “For any collection or sharing of information that’s not apparent, get users’ express agreement. That way your customers aren’t unwittingly disclosing information they didn’t mean to share.”
Offer Choices that are Easy to Find and Easy to Use. – “Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made.”
Honor Your Privacy Promises. – “Chances are you make assurances to users about the security standards you apply or what you do with their personal information. App developers – like all other marketers – have to live up to those promises.”
Protect Kids’ Privacy. – “If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act.”
Collect Sensitive Information Only with Consent. – Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.
Keep User Data Secure. – Statutes like the Graham-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.
Tagged: applications, apps, data, FTC, kids, Mobile, policies, Privacy, security
June 20, 2012
Mobile carriers, app developers, and other technology stakeholders will meet with the U.S. National Telecommunications and Information Agency on July 12 to discuss privacy standards for mobile use. The focus of the discussion will be the privacy practices of mobile apps and their transparency.
Applications will be the main focus on July 12 when enforcement begins. The initial series of meetings will decide on rights, obligations and enforcement of online and mobile device security under President Obama’s virtual “Privacy Bill of Rights”.
The U.S. Department of Commerce’s National Communications and Telecommunication Administration (NTIA) has made the decision that it is now time to put the president’s Privacy Bill of Rights into effect. In order to get started, they have sent an invitation to all of the “privacy stakeholders” in order to “generate robust input” in the creation of the very first transparency code of conduct for consumer data collection and use.
The White House and Congress hopes that this discussion will eventually lead to a privacy bill of rights. July’s meeting will be webcast for the public.
Tagged: bill of rights, information, law enforcement, legislation, Mobile, Obama, policy, Privacy, regulation, telecom, telecommunications
US consumers are waking up to privacy issues related to smartphone use. About two-thirds of search engine users disapprove of the collection of information on their searches for the purpose of personalizing their future search results and an equal proportion of all internet users disapprove of being tracked for the purpose of getting targeted ads.
Interestingly, the two most popular smartphone platforms treat application data gathering differently. While Apple reviews prospective applications before launching them into its iPhone app store, Google’s open-source Android platform has no such system in place. But while the Android system runs each application separately and explicitly lists the services or data each application accesses, Apple’s iPhone system treats all applications as equal and allows them to access many resources by default.
Until application developers and hardware makers start taking Privacy-By Design” seriously, users must pro-actively protect their privacy. If you have a smartphone and use it to download apps, there’s little you can do to completely lock down your personal information. But there are a number of precautions you can take to ensure minimal risk exposure.
So, here are seven basic basic smartphone privacy tips you can take to cut down on risks:
- Don’t download apps form unknown sources. If you have not heard of an app, read its user reviews. Even better, look it up online and see what has been said about it.
- When possible, opt out of information sharing capabilities.
- Get acquainted with your phone’s GPS features. Most smartphones allow one to adjust which applications have access to GPS. Turn this feature off for all but the most essential of apps.
- On Android: Before you download an app, check its user permissions. This should give you a breakdown of what information the app will access. Ask yourself if a simple game apps really needs to access the contact list?
- For Android: If you’ve opted to “root” (obtain privileged access) your device, be wary of granting apps root access. Doing so grants them complete control over your phone.
- For iPhone: If you have “jailbroken” (circumvented the proprietary programming restrixtions) your phone, be sure to change its root password. You can find guides online, or else get a trusted technician to do so for you.
- If you are no longer using an app, uninstall it.
While there is no easy way to figure out which apps are the riskiest, paid apps tend to pass less data on than free ones. Remember, “free” content is usually monetized in other ways, most often by selling user data.
Tagged: android, application accesses, Mobile, prospective applications, search engine users, technology
Free content is not without a cost.
As our lives have become more digitally enmeshed with content, immersive entertainment and devices, the economic bargain that makes it possible has gone largely unnoticed. Simply put, the collection, analysis and sharing of personal data is driving the digital economy. Mobile applications (Apps), digital content and entertainment – from TV shows to games – are available for “free” but subsidized by income from online ads that are customized using data about customers. Vendors, advertisers and platforms compete for “eyeballs” based, in part, on the quality of the information they possess about users to whom the ads are targeted.
Across this interconnected landscape of users, content providers and devices, the issue of online privacy has become a major talking point for app developers, marketers, consumers and legislators. Recently, a wide range of stakeholders, from large institutions to smaller developers, have been accused of mishandling personal data. As the volume of public debate has increased, legislators have introduced a raft privacy initiatives. The Obama administration has called for a Privacy Bill of Rights, an industry consortium of leading web sites and search engines has proposed its own privacy best practices and the Electronic Frontier Foundation has published a consumer-oriented Mobile User Privacy Bill of Rights.
Part 1 of this article looks at several recent and high-profile revelations about how personal information is collected and used, often without the user’s knowledge and consent. Part 2 discusses the legal risks faced by vendors that don’t take adequate precautions to protect consumer privacy and Part 3 concludes with strategies and tactics that help leverage the power of personalization while avoiding the pitfalls of privacy and data security.
1. The current state of information gathering
The scope of personal information gathered is unprecedented and largely unknown. For years, “free” web-based content has been available because of the implicit compromise between content providers and content consumers. Advances in technology have made it easier to track a user’s web browsing habits, mobile browsing habits, and even real-time geospatial location (check in apps and GPS). In the last few months, we have learned that some apps not only gather this mostly non-personally-identifiable data, but also upload a user’s address book contacts and even photos.
On Wednesday Feb. 2012, software Developer Arun Thampi “outed” Path, the purveyor of a self-titled journaling app, for sending users’ address book contents to the company. Path lets users share what they’re doing with a select group of friends and gives users the option to find friends on the app through contacts or other social networks. Thampi disclosed the clandestine data transfer in a blog post after discovering that his phone’s entire address book, including full names and e-mail addresses, was being sent to Path without his explicit consent. According to Path, this data was necessary to in order to quickly notify users when people they know join Path.
Not too long ago, Google earned itself a similar PR (and legal) black eye when it launched its social network, Google Buzz, in 2010 through its Gmail web-based email product. At launch, users were not informed that the identity of individuals they emailed most frequently would be made public by default. Google Buzz automatically disclosed the email addresses of a user’s contacts by default. Google settled with the FTC over allegations that Google used deceptive practices and violated its own privacy policies.
On Feb 17 2012, WSJ reported that Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked. The companies used special computer code that tricks Apple’s Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default.
A major topic for discussion just this week is the “Target Snafu.” As originally reported in the New York Times, Target used customer data and predictive analytics to determine that one of their customers was pregnant, and even her specific trimester. The girl’s father learned of the pregnancy when the retailer emailed her promotional material and coupons.
It used to take days or even weeks to gather, synthesize and extrapolate data about a customer’s buying habits and receptiveness to particular products or services. Now it takes milliseconds. A targeted ad can be sourced and served in the time it takes to hit “refresh” on a web browser. Companies are using massive amounts of data to predict what their customers are going to want next. More importantly, gathering that data is getting easier, cheaper and more ubiquitous as the source of that data moves from the desktop to mobile devices.
Tagged: Advertising, big data, content, Marketing, Mobile, online behavioral advertising, Privacy, security