Tag Archive | "Data security"

FTC Approves Settlement with Lenovo over Advertising Software Privacy Allegations

The Federal Trade Commission recently announced that it has approved a settlement with Lenovo regarding the company’s alleged, widely-publicized practice of pre-installing an advertising software program on some laptops that caused security vulnerabilities.

The settlement terms include prohibitions regarding the misrepresentation of any features of pre-installed software that would “inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties.” In the event that Lenovo does pre-install such software, the company is required to obtain express consent before such software is activated.

The company is also required – for 20 years – to implement a software security program for most consumer software pre-loaded on its laptops. The program is subject to third-party audits.

Between August 2014 and February 2015, Lenovo laptops allegedly came pre-loaded with software called VisualDiscovery, a program developed by a now-defunct advertising company. The FTC purportedly found that VisualDiscovery delivered pop-up ads from the ad company’s retail partners whenever a user’s cursor hovered over a similar-looking product on a website.

To deliver its ads, according to the Commission, VisualDiscovery acted as a “man-in-the-middle” between consumers’ browsers and the websites they visited, even those websites that were encrypted. Without the consumer’s knowledge or consent, according to the FTC, this “man-in-the-middle” technique allowed VisualDiscovery to access all of a consumer’s sensitive personal information transmitted over the Internet, including login credentials, Social Security numbers, medical information, and financial and payment information.

The FTC alleges that while VisualDiscovery collected and transmitted to the ad company’s servers more limited information, such as the websites the user browsed and the consumer’s IP address, the ad company had the ability to collect more information.

As alleged by the agency, to facilitate its display of pop-up ads on encrypted websites (those whose web address begins with https://), VisualDiscovery used an insecure method to replace those websites’ digital certificates with its own VisualDiscovery-signed certificates. Digital certificates are used to signal to a user’s browser that the encrypted websites visited by a consumer are authentic and not imposters. As alleged in the complaint, VisualDiscovery did not adequately verify that the websites’ digital certificates were valid before replacing them, and used the same, easy-to-crack password on all affected laptops rather than using a unique password for each laptop.

Because of these security vulnerabilities, consumers’ browsers could not warn users when they visited potentially spoofed or malicious websites with invalid digital certificates, the FTC stated. The FTC also alleged that the vulnerabilities enabled potential attackers to intercept consumers’ electronic communications with any website, including financial institutions and medical providers, by simply cracking the pre-installed password. The complaint alleges that Lenovo did not discover these security vulnerabilities because it failed to assess and address security risks created by third-party software it pre-loaded on its laptops.

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” acting FTC Chairwoman Maureen Ohlhausen said in a statement.  “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

Lenovo said in a statement that it stopped pre-installing the program on devices after questions were raised about privacy violations.  “While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” the company said.  “To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications.”

Notably, the settlement does not include a fine.

Contact the author if you are interested in learning more about the design and implementation of compliant privacy and data security protocols, or if you are the subject of a regulatory investigation or enforcement action.

Richard B. Newman is an Internet marketing compliance and regulatory defense attorney at Hinch Newman LLP focusing on advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state Attorneys General, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements. You can find him on LinkedIn at FTC Defense Lawyer.


ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35thFloor, New York, NY 10005 | (212) 756-8777.


FTC’s Data-Breach “Unfairness” Standard

The FTC has shown no signs of slowing down when it comes to data breach investigations and enforcement actions. In doing so, the Commission utilizes the concepts of “unfairness” and “deception.”

Companies that tell consumers they will safeguard their personal information are forced to live up to those representations.

To establish that a company’s practices are unfair, the FTC is required to establish that the practices cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by them, and that is not outweighed by countervailing benefits.

The FTC routinely alleges that – and investigates whether – a company’s data security measures create a vulnerability. The absence of an actual exploitation of such a vulnerability has not stopped the FTC from taking action. In other words, the FTC has alleged that the mere risk of cyber attack “causes or is likely to cause substantial consumer injury,” in violation of the FTC Act.

For example, in a 2013 enforcement action the FTC alleged that malware could exploit vulnerabilities. In early 2017, the FTC took this same position with respect to a manufacturer’s alleged unreasonable security measures that could purportedly be exploited.

The latter defendant chose not to settle, arguing that the existence of a vulnerability alone is not a “substantial consumer injury.” The court agreed and dismissed the FTC’s unfairness claim with leave to amend, reasoning that the FTC had not identified an incident involving the exploitation of the alleged vulnerabilities and that the “mere possibility of injury” was insufficient under that prong of the statute.

Time will tell whether this ruling will discourage the Commission from taking action upon the existence of vulnerabilities alone. The ruling certainly suggests that, absent evidence of data misuse, the FTC will face challenges demonstrating that a heightened risk of exposure of personal data constitutes the requisite “substantial injury.”

Despite the foregoing ruling, it is wise to anticipate that the FTC will continue to aggressively investigate and enforce privacy and data security matters, and push the boundaries of “unfairness” claims. Periodic vulnerability assessments should be conducted and remediation patches implemented. Representations and disclosures should also be evaluated for accuracy by an FTC defense lawyer.


U.S. Federal Trade Commission Investigating the Equifax Data Breach

Last month, reports surfaced that Equifax, Inc., one of the nation’s leading credit reporting services, was the subject of a historic cyberattack that compromised the security of financial and other personal information of more than 143 million U.S. consumers. The data breach involved names, Social Security numbers, birth dates, addresses, driver’s license numbers and credit card numbers.

Not surprisingly, given the breadth of the breach and criticism that Equifax dragged its feet on alerting consumers, the Federal Trade Commission has now opened an investigation into the unprecedented data hack.

“The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach,” said Peter Kaplan, the FTC’s acting director of public affairs, in a statement.

Reports indicate that the breach was due to a vulnerability in open-source software that the company used to build Java web applications. The FTC will no doubt be investigating when cybersecurity professionals discovered the vulnerability, when Equifax was put on alert, whether it took proper measures to install security updates, and what representations were made to consumers.

For years, the FTC has investigated and taken action against numerous companies for violation of the FTC Act due to inadequate privacy and data security protocols. For example, in the recent case of FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), hackers accessed the personal and financial information of hundreds of thousands of consumers, resulting in millions of dollars in fraudulent credit card charges.

Consequently, the FTC filed suit against Wyndham, alleging that it made deceptive claims regarding its cybersecurity practices and that its failure to protect the privacy of customer information amounted to an unfair practice.

In support of its allegations against Wyndham, the FTC cited several facts, including that the company: stored payment card information in clear, readable text; allowed the use of easily guessed passwords for remote access; did not use firewalls; did not properly restrict third-party vendor access; failed to conduct security investigations when vulnerabilities were raised; failed to follow industry-standard incident response procedures; and failed to monitor its network for malware and other harmful software.

Most likely, the FTC will be assessing the foregoing factors during the Equifax investigation, as well as those unique to the company.

The agency’s top Democrat, Terrell McSweeny, stated that she is “very concerned” about the size of the breach, as well as Equifax’s response.

Given the FTC’s public acknowledgement of the investigation, it is probably safe to assume that Equifax will be subject to a permanent injunction and restitutionary remedies designed to compensate consumers who are harmed by the massive data breach.

The Consumer Financial Protection Bureau has also revealed that it has commenced an investigation into the Equifax incident.

Some believe that the scope of the data breach could prompt Congress to act on data privacy legislation, including a data breach notification law and minimum data security standards for credit reporting agencies.

Please contact the author if you are interested in discussing the design and implementation of preventative data security and privacy protocols, or if you are the subject of a local, state or federal regulatory investigation or enforcement action.

This article should be of interest to social media influencers and marketers. Consult with an experienced FTC compliance lawyer for assistance designing and implementing preventative compliance controls, or if you are being threatened with civil litigation or a regulatory investigation.

Follow the author on Twitter.
