The FTC released two guides on the privacy and security issues related to the Internet of Things. The first is a staff report based on discussions in an FTC-hosted workshop on the subject held on November 19, 2013. In addition to summarizing the workshop discussions, the report contains staff’s recommendations in the IoT space. This prompted an FTC Commissioner (Joshua Wright) to dissent from the decision to issue the report. In Commissioner Wright’s view, it is premature to publish staff recommendations in this area without further research, data, and analysis. The dissenting statement can be found here.
The report discusses the benefits of IoT as well as three risks:
- enabling unauthorized access and misuse of personal information;
- facilitating attacks on other systems; and
- creating risks to personal safety
The report also discusses Fair Information Practice Principles including security, data minimization, notice, and choice. Click here to read the full report.
Along with the staff report, the FTC issued a guide called “Careful Connections” that provides recommendations on building security into IoT applications. Download the guide here.
Target. Home Depot. Neiman Marcus. This isn’t a list of places to shop. These companies were hit with some of the biggest data breach incidents of 2014. And, as the recent hack on Sony Pictures Entertainment demonstrates, it’s not just the customer information that gets compromised in cyberattacks—employees can also be the victims.
In November, hackers broke into Sony’s computer systems and stole personal information of over 47,000 current and former employees, celebrities, and freelancers. The information included personal emails, budgets, salary information, human resource records, and other private (and embarrassing) documents. Some of the stolen information was leaked online, including a spreadsheet containing names, birth dates, and Social Security numbers of over 3,000 employees. Buzzfeed reports that the 40 GB data dump contains email exchanges between Sony and its employees regarding very sensitive matters, such as their medical treatments, disciplinary action, and inter-office romance.
The ease with which the hackers did their dirty work is eye-opening. The attack was carried out with widely available malware. It didn’t help that Sony’s security measures were shockingly subpar. Sony had failed to encrypt the leaked files. One of the stolen files containing login credentials to Sony computers and servers and other online accounts was quite obviously named “Passwords.”
Sony apparently made a conscious decision not to beef up its security. In 2007, Sony’s then-executive director of information security, Jason Spaltro, said in an interview that it was a “valid business decision to accept the risk” of a security breach, and that he would not invest $10 million to avoid a possible $1 million in loss. A team of just 11 employees was responsible for maintaining the security systems for Sony’s 7,000 employees. A September 2014 security audit report showed gaps in Sony’s security procedures, such as failure to monitor one firewall and more than 100 other devices.
In the aftermath of the attack, Sony is facing four lawsuits. Three of the lawsuits allege that Sony failed to take adequate precautions to guard against known weaknesses in the security of its computer systems. Another lawsuit accuses Sony of waiting too long to notify employees that their personal data had been stolen.
What should companies do to protect themselves against a data breach like Sony’s? Be sure to develop administrative, physical, and technical safeguards over personal information handled by your company. At minimum, use encryption technology. If a third party handles personal information of your employees or customers, contractually require them to exercise reasonable care and to report security breaches immediately. Another precautionary measure is to conduct periodic security audits and risk analyses of information systems.
If a data breach involves a business located in Hawaii or one that does business in Hawai‘i and maintains or possesses personal information of Hawaii residents, Hawaii law requires the business to notify persons affected by the breach. If notice is provided to 1,000 persons or more at once, the State Office of Consumer Protection and credit reporting agencies must also be notified. Companies should prepare data breach procedures in advance so that a clearly charted process for complying with applicable notification laws is available in the chaos ensuing after a data breach incident.
The Federal Trade Commission (FTC) just announced that Snapchat agreed to settle charges that it deceived consumers about how its popular mobile message app worked and what personal user data it collected. (Read the FTC’s press release here). Part of Snapchat’s appeal was a feature enabling users to control how long a message could be seen by the recipient. After the designated time limit expires, the message is destroyed, much like the mission briefings in Mission Impossible. At least that’s what Snapchat told users. According to the FTC, Snapchat misled consumers because the app didn’t exactly work the way it said it did. The FTC’s complaint against Snapchat (read it here) included these allegations:
- Recipients of a “snap” (a Snapchat message) could save the snap using tools outside of the app. Snapchat apparently stored video snaps in a location on the recipient’s mobile device outside of the app’s secure “sandbox.” This enabled recipients to find and save video snaps by connecting their mobile device to a computer and using simple file browsing tools. Another way to bypass the deletion feature was to use apps that connected to Snapchat’s API to download and save snaps.
- Snapchat told users that if a message recipient took a screenshot of the snap, the sender would be notified. In fact, the screenshot detection mechanism could be bypassed.
- Snapchat collected geolocation data of users when it said it would not.
- Snapchat told users to enter their mobile number to find friends who also use the app, implying that the user’s mobile phone number was the only information it collected. Without the user’s knowledge, Snapchat also collected the names and phone numbers of all contacts in the address book on the user’s phone.
So what’s the significance of the settlement? Here are a few quick takeaways.
- Descriptions of mobile apps in an app marketplace like iTunes App Store or Google Play are product descriptions that could be the basis for false advertising claims.
- Take into account exploits and workarounds when drafting privacy policies and product descriptions. This includes software that uses the app’s API.
- The FTC is getting more active in pursuing false advertising claims against mobile app makers. In December of last year, the FTC settled charges that the developer of the “Brightest Flashlight Free” app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. The FTC’s interest in suing companies that allow a data breach to occur is also a growing concern, especially after the New Jersey federal district court’s decision in FTC v. Wyndham Worldwide Corp., recognizing the FTC’s authority to prosecute cases where a company is alleged to have failed to maintain “reasonable and appropriate data security for consumers’ sensitive personal information.”
- Information transmitted over the Internet is rarely, if ever, gone forever. Somehow, somewhere, electronic data can be retrieved.
It’s time to round up the bills related to computer technology that the Hawai‘i legislature is considering in its 2014 regular session. Click here for a chart summarizing the proposed legislation. Here are the highlights:
Social Media and Internet Account Passwords: Several bills to prohibit improper requests for access to personal social media accounts of employees and students were introduced in the 2013 session. None of them passed. This year, HB2415 renews the effort to outlaw improper social media password requests.
Internet Sales Tax: HB1651 would require online companies with arrangements with Hawaii merchants for referral of business to collect use taxes on sales made in Hawaii. This bill would affect online retailers like Amazon, which allows local merchants to sell their products through Amazon Marketplace.
Restrictive Covenants: In an effort to encourage the development of technology business in Hawai‘i, a state with a relatively small geographic area, two bills (HB2617 and SB3126) would prohibit technology businesses from requiring employees to enter into noncompete agreements and restrictive covenants. “Technology business” is defined as “a trade or business that relies on software development, information technology, or both.”
Cybersquatting: SB2958 would put the burden on a cybersquatter to prove that it did not register a domain name in bad faith or with intent to use it in an unlawful manner, provided that the person claiming cybersquatting can demonstrate the potential of immediate and irreparable harm through misuse of the domain name.
Cybersecurity Council: SB2474 would establish the Hawai‘i cybersecurity, economic, education, and infrastructure security council.
Mobile Devices: Three bills (HB1509, HB1896, and SB2729) would make it a State offense to use a mobile electronic device while operating a motor vehicle. Certain counties already have similar laws.
3D Printing: In response to the rising availability of 3D printers, HB1802 would make it a crime to create, possess, sell, trade, or give another person a firearm made with digital manufacturing technology.
Computer crimes: A series of bills would criminalize various kinds of computer activity, including unauthorized access to a computer or network and damage to a “critical infrastructure computer” (HB1640); theft of a computer (HB1644) or of a personal electronic device for storing or retrieving personal information (HB2080); and revenge porn (SB2319).
You’ve probably heard of BYOD (Bring Your Own Device). But do you know about BYOC? It stands for Bring Your Own Cloud, and it’s more prevalent than you might think.
Cloud storage services like DropBox, Google Drive, and SkyDrive sport features that are attractive to an increasingly mobile workforce. They provide gigabytes of storage for free. Files in the cloud are accessible anywhere with an internet connection. Changes to a file in a cloud account are synced across all devices with access to the account. It’s not difficult to see why cloud services are gaining popularity among individuals and companies alike.
Therein lies the problem. Because personal cloud accounts are so handy and easy to set up, an employee can create a security risk for a company in a matter of minutes. An employee can essentially connect the organization to the cloud without the company’s knowledge via a private cloud account. This enables the transfer of confidential company data to a location outside the company’s reach.
ComRent International, LLC v. Palatini, 2013 WL 5761319 (E.D. Pa. Oct. 24, 2013), involved such a scenario. ComRent hired Clayton Taylor to serve as a vice president of product development. Taylor primarily worked on matters related to Experium, a company that he co-founded and of which he was a minority owner. Taylor set up a Google Drive account to store, access, and edit all of Experium’s intellectual property and confidential commercial information. Only Taylor knew the username and password necessary for the account. When ComRent hired an engineering firm to consult on options for the future of Experium, Taylor refused to grant the firm access to any of Experium’s intellectual property, believing that ComRent might appropriate the intellectual property for itself. As a result, ComRent terminated Taylor and filed a lawsuit seeking access to the Google Drive account containing Experium’s corporate files.
Here are some tips for avoiding problems with unauthorized use of personal cloud storage accounts by employees.
Set a Policy: Remaining silent—and therefore ambiguous—about the organization’s stance on cloud storage can lead employees to believe they may use personal cloud accounts for work purposes without letting management know. To eliminate such misconceptions, set a policy on whether or not the organization will use cloud storage. If the decision is yes, then adopt measures to ensure responsible use of cloud storage. If the decision is no, then clearly communicate to employees that storing work data in a personal cloud account is against company policy.
Maintain Control: If an organization decides to use cloud storage, it should retain control over the information necessary to access the cloud storage account (e.g., login credentials). It is advisable to create an account under the organization’s name for official work purposes instead of allowing employees to use their personal accounts.
Restrict Unauthorized Cloud Services: Consider restricting access to private cloud storage sites from any device that can also access company data, including mobile devices, through the use of blacklists, proxies, and other network security measures. This will prevent the transfer of work files to a private cloud account. Organizations with BYOD programs might find it challenging to eliminate all access to private cloud services, but it is worthwhile consulting with the IT department about the feasibility of implementing such restrictions.
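The blacklist-and-proxy approach described above also gives you a detection signal: once outbound web traffic passes through a proxy, its access log can be checked for data sent to personal cloud storage domains. The following is an added example, not code from the original post, of that check. The log line format (`timestamp client method url bytes_sent`), the sample log lines, and the domain denylist are all constructed for the example; the matcher treats any subdomain of a listed domain as a hit (so `dl.dropbox.com` matches `dropbox.com`) but not look-alike names such as `notdropbox.com`, and it skips malformed lines instead of crashing on them.

```python
"""Flag proxy log entries that send data to personal cloud-storage services.

Added example (not from the original post). The log format, the sample lines
and the denylist below are constructed for illustration; a real deployment
would take both from the organization's proxy and its cloud-storage policy.
"""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed denylist of personal cloud-storage services (illustrative only).
PERSONAL_CLOUD_DOMAINS: Set[str] = {
    "dropbox.com",
    "drive.google.com",
    "skydrive.live.com",
}


def host_matches(host: str, blocked: Set[str]) -> Optional[str]:
    """Return the denylist entry that covers `host`, or None.

    Matches the domain itself and any subdomain (so `dl.dropbox.com` is
    covered by `dropbox.com`) by walking the label suffixes of the hostname;
    look-alikes such as `notdropbox.com` do not match.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one proxy log line in the constructed format:

        <timestamp> <client_ip> <method> <url> <bytes_sent>

    Returns None for lines that do not fit, so a garbled line is skipped
    rather than aborting the whole scan.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, sent = parts
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        sent_bytes = int(sent)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "method": method,
            "host": host, "sent": sent_bytes}


def find_cloud_uploads(lines: List[str],
                       blocked: Set[str] = PERSONAL_CLOUD_DOMAINS
                       ) -> List[Tuple[str, str, str, int]]:
    """Return (client, host, matched_domain, bytes_sent) for every request
    that pushes data (POST or PUT) to a denylisted personal cloud domain."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        matched = host_matches(str(rec["host"]), blocked)
        if matched and rec["method"] in ("POST", "PUT"):
            hits.append((str(rec["client"]), str(rec["host"]),
                         matched, int(rec["sent"])))
    return hits


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2014-03-01T09:12:03 10.0.5.23 GET https://intranet.example.com/report.docx 512",
    "2014-03-01T09:14:41 10.0.5.23 POST https://dl.dropbox.com/upload?f=report.docx 2411000",
    "2014-03-01T09:15:02 10.0.5.88 GET https://www.notdropbox.com/ 900",
    "2014-03-01T09:16:30 10.0.5.88 PUT https://drive.google.com/upload/files 8800000",
    "garbled line without the expected fields",
]

if __name__ == "__main__":
    for client, host, matched, sent in find_cloud_uploads(SAMPLE_LOG):
        print(f"{client} sent {sent} bytes to {host} "
              f"(covered by policy entry {matched})")
```

Running the script over the constructed log reports the two upload requests (to `dl.dropbox.com` and `drive.google.com`) and ignores the intranet request, the look-alike domain, and the malformed line. The same `host_matches` suffix logic is what a proxy denylist needs so that a newly seen subdomain of a listed service is still covered by the policy.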
Retain Ownership: Make it clear that company information remains property of the company regardless of where it is stored. It’s also a good idea to have employees sign written non-disclosure agreements.
Stay safe in the cloud!