IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More


By Jennifer Thompson



Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of, companies subject to COPPA.  While the FTC has pursued companies for alleged violations of all facets of its COPPA Six Step Compliance Plan, most recently the FTC has focused on the obligation to promptly and securely delete all data collected if it is no longer needed.  Taken as a whole, recent FTC activity may indicate a desire on the part of the FTC to expand its regulatory reach.

First, as documented in “IoT Device Companies: Add COPPA to Your ‘To Do’ Lists,” the FTC issued guidance in June 2017 that “Internet of Things” (“IoT”) companies selling devices used by children are subject to COPPA, and may face increased scrutiny from the FTC with respect to their data collection practices. While COPPA was originally written to apply to online service providers and websites, this guidance made it clear that COPPA’s reach extends to device companies. In general, this action focused on step 1 of the Compliance Plan (general applicability of COPPA), while also providing some guidance on how companies could comply with step 4 of the Compliance Plan (obtaining verifiable parental consent).

Then, in January 2018, the FTC entered its first-ever settlement with an internet-connected device company resulting from alleged violations of COPPA and the FTC Act. As discussed in “IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement,” the FTC alleged violations by the device company of almost all the steps in the Compliance Plan, including failure to appropriately post privacy policies (step 2), failure to appropriately notify parents of the intended data collection activities prior to data collection (step 3), failure to verify parental consent (step 4) and failure to implement adequate security measures to protect the data collected (step 6). The significance of the settlement was that it solidified the earlier guidance that COPPA operates to govern device companies, in addition to websites and online application providers.

In April 2018, the FTC further expanded its regulatory reach by sending warning letters alleging potential COPPA violations to two device/application companies located outside the United States. Both companies collected precise geolocation data on children in connection with devices worn by the children. The warning letters clarified that, although located outside the United States, the FTC deemed the companies subject to COPPA, as: a) their services were directed at children in the United States; and b) the companies knowingly collected data from children in the United States. Interestingly, one of the targeted companies, Tinitell, Inc., was not even selling its devices at the time of the letter’s issuance. Nonetheless, the FTC warned that since the Tinitell website indicated that the devices would work through September 2018: a) COPPA would continue to apply beyond the sale of the devices; and b) the company is obligated to continue to take reasonable measures to secure the data it had collected and would continue to collect.

Most recently, the FTC again took to its blog to remind companies that COPPA obligations pursuant to step 6 (implement reasonable procedures to protect the security of kids’ personal information) may extend even beyond the termination of the company’s relationship with the child. Although “reasonable security measures” is a broad concept, the FTC focused on the duty to delete data that is no longer required.

Section 312.10 of COPPA states that companies may keep personal information obtained from children under the age of 13 “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” Once that purpose has been fulfilled, the information must be deleted using reasonable measures that protect against unauthorized access to, or use of, the information in connection with its deletion.

On May 31, 2018, the FTC published a blog post entitled “Under COPPA, data deletion isn’t just a good idea. It’s the law.” which reminds website and online service providers subject to COPPA (and, by extension, any device companies that market internet-connected devices to children) that there are situations in which COPPA will require subject companies to delete the personal information they have collected from children, even if the parent does not specifically request the deletion. This guidance establishes an affirmative duty on the company collecting the information to self-police and to securely discard the information as soon as it no longer needs it, even if the customer has not made such a request.

The blog further suggests that all companies review their data retention policies to ensure that the stated policies adequately address the following list of questions:

  • What types of personal information are you collecting from children?
  • What is your stated purpose for collecting the information?
  • How long do you need to hold on to the information to fulfill the purpose for which it was initially collected? For example, do you still need information you collected a year ago?
  • Does the purpose for using the information end with an account deletion, subscription cancellation, or account inactivity?
  • When it’s time to delete information, are you doing it securely?
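The five questions above map directly onto a purpose-bound retention rule set: each record carries the purpose it was collected for, each purpose has a maximum retention window, and some purposes end early on account closure or inactivity. The following is an added example, not code from the post or from any company it discusses; the purposes, retention windows, inactivity limit and record fields are assumptions chosen for illustration, and the sample records are constructed.

```python
"""Purpose-bound retention enforcement for children's records (added example).

Assumptions for illustration only: the purposes, retention windows and
field names below are invented, not taken from any regulation or company.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed retention rules keyed by the stated purpose for collection.
# 'max_age' is the longest the data may be kept after collection;
# 'ends_on_close' says whether the purpose ends when the account is closed.
RETENTION_RULES = {
    "account_registration": {"max_age": timedelta(days=365), "ends_on_close": True},
    "chat_recording":       {"max_age": timedelta(days=30),  "ends_on_close": True},
    "support_ticket":       {"max_age": timedelta(days=90),  "ends_on_close": False},
}
# Assumption: a dormant account means the purpose for holding the data has ended.
INACTIVITY_LIMIT = timedelta(days=365)


@dataclass
class ChildRecord:
    record_id: str
    purpose: str
    collected_at: datetime
    last_activity: datetime
    account_closed: bool = False
    data: Optional[bytes] = None  # the personal information itself


def deletion_reason(rec: ChildRecord, now: datetime) -> Optional[str]:
    """Return why the record is past its purpose, or None if it may still be kept."""
    rule = RETENTION_RULES.get(rec.purpose)
    if rule is None:
        # No stated purpose means no basis for retention: fail closed and delete.
        return "no stated purpose"
    if rec.account_closed and rule["ends_on_close"]:
        return "account closed"
    if now - rec.last_activity > INACTIVITY_LIMIT:
        return "account inactive"
    if now - rec.collected_at > rule["max_age"]:
        return "retention period elapsed"
    return None


def secure_delete(rec: ChildRecord) -> None:
    """Zero the in-memory copy before dropping the reference.

    A real deployment must also delete from every store holding the data
    (primary database, backups, logs, vendor copies) and keep an audit entry
    that contains no personal information.
    """
    if rec.data is not None:
        rec.data = bytes(len(rec.data))  # overwrite with zeros first
    rec.data = None


def enforce_retention(records: List[ChildRecord], now: datetime) -> List[Tuple[str, str, str]]:
    """Delete records whose purpose has ended; return audit entries (id, purpose, reason)."""
    audit = []
    for rec in records:
        reason = deletion_reason(rec, now)
        if reason:
            secure_delete(rec)
            audit.append((rec.record_id, rec.purpose, reason))
    return audit


def demo() -> Tuple[List[ChildRecord], List[Tuple[str, str, str]]]:
    """Run the check over constructed sample records as of a fixed date."""
    utc = timezone.utc
    now = datetime(2018, 6, 1, tzinfo=utc)
    records = [
        # Active, recent registration: kept.
        ChildRecord("r1", "account_registration", datetime(2018, 3, 1, tzinfo=utc),
                    datetime(2018, 5, 20, tzinfo=utc), data=b"child name"),
        # Chat recording older than its 30-day window: deleted.
        ChildRecord("r2", "chat_recording", datetime(2018, 4, 1, tzinfo=utc),
                    datetime(2018, 5, 30, tzinfo=utc), data=b"audio bytes"),
        # Registration data on a closed account: deleted.
        ChildRecord("r3", "account_registration", datetime(2017, 1, 15, tzinfo=utc),
                    datetime(2018, 5, 1, tzinfo=utc), account_closed=True, data=b"dob"),
        # Support ticket on a closed account: purpose does not end on close, still within 90 days.
        ChildRecord("r4", "support_ticket", datetime(2018, 5, 1, tzinfo=utc),
                    datetime(2018, 5, 1, tzinfo=utc), account_closed=True, data=b"ticket"),
        # Open account with no activity for over a year: deleted.
        ChildRecord("r5", "account_registration", datetime(2016, 12, 1, tzinfo=utc),
                    datetime(2017, 3, 1, tzinfo=utc), data=b"address"),
    ]
    audit = enforce_retention(records, now)
    return records, audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The design point is that the deletion decision is driven by the purpose recorded at collection time, not by whether a parent has asked; an account closing, going dormant, or simply ageing past the window each ends the purpose on its own, which is the affirmative duty the post describes.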

It will be interesting to see if the FTC continues to focus on COPPA in its enforcement actions. All told, the FTC has brought around thirty actions pursuant to COPPA. But recent activity, like the warning letters to international companies and the recent guidance on data deletion, indicates that the FTC may be expanding the arena for COPPA applicability.

OTHER THOUGHT LEADERSHIP POSTS:

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017. First, following up on the more...

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here. Over the past 15 years, the Federal Trade...

Is Your Bug Bounty Program Uber Risky?


By Jennifer Thompson



In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States Uber drivers had been hacked.  Uber, like many companies, leveraged a vulnerability disclosure or “bug bounty” program that invited hackers to test Uber’s systems for certain vulnerabilities, and offered financial rewards for qualifying vulnerabilities.  In fact, Uber has paid out over $1,000,000 pursuant to its program, which is administered through HackerOne, a third-party vendor.  Uber initially identified the breach as an authorized vulnerability disclosure, paid the hackers $100,000, and the hackers deleted the records.  Yet, Uber has faced lawsuits, governmental inquiry and much public criticism in connection with this payment.

What did Uber do wrong and how can organizations ensure that their programs are not subject to the same risks?  To answer this question, one must first understand why and how companies create bug bounty programs.

Why Institute a Bug Bounty Program?

Many companies feel it is far better to pay money upfront to identify vulnerabilities before those vulnerabilities turn into public relations and regulatory nightmares that not only drain manpower and financial resources, but also may result in litigation and increased governmental oversight.  In addition, advance knowledge of a vulnerability allows a company to develop the right solution for the problem, rather than reacting hastily in the pressure-filled post-breach environment.  A properly structured bug bounty program also can be a great way to test the viability of a new concept, product or platform.  It should be noted that the payments made pursuant to bug bounty programs are rewards and NOT ransoms.  The difference is the collaboration and structure of permission-based interactions.

Hackers may be motivated for a number of reasons, including financial gain, intellectual challenge and the personal prestige to be gained from discoveries. Most of all, by participating in a sanctioned bug bounty program, hackers are able to do what they love without fear of legal repercussion. The Computer Fraud and Abuse Act prohibits the unauthorized entry into a “protected computer” for purposes of obtaining information from it. Put simply, any individual who hacks a system could be criminally prosecuted. However, when a company sanctions and even invites the activity, as is the case with a bug bounty program, a hacker can be reasonably certain that he or she will not be prosecuted, provided that he or she complies with the program’s requirements.

Having made the decision to launch a bug bounty program, a company must then decide whether to create an ad hoc program, or to engage a third-party service provider to run the program.  Going it alone requires a dedicated team of employees that not only understand the bug bounty program and the technology or functionality being tested, but also are qualified to evaluate any discovered vulnerabilities and issue resulting compensation. Alternatively, outsourcing can provide some comfort, not to mention the expertise of a vendor who can scale the program as needed.  Essentially, the vendor acts as an intermediary to help the client formulate goals for its use of the program, communicate with hackers, evaluate the identified vulnerabilities and administer payment of the bounties.  Bug bounty vendors offer a measure of safety to all parties, not just in terms of bug bounty program reliability, but also in ensuring increased accuracy and quality of the hackers.

Components of a Bug Bounty Program

In June 2017, the Department of Justice’s Criminal Division Cybersecurity Unit (the “CU”) provided written guidance for companies seeking to implement a vulnerability disclosure program.  Presented as more of a list of considerations, as opposed to a list of requirements, the CU specifically recognizes that each company’s program must be driven by its unique business purposes and needs.  Nevertheless, the CU suggests that a good program will be:

  • Appropriately designed with a clear scope – The CU suggested that when developing the program, a company must designate both the components and/or data and the types of vulnerabilities or methods of attack it wants hackers to test.  The CU does include factors to consider when the company’s program targets protections of sensitive information, which include detailing restrictions on and handling requirements for sensitive data (such as prohibitions on saving, storing or transferring such sensitive data) and detailing what methods hackers can use to find vulnerabilities.  Lastly, the company should consider whether any of the vulnerabilities it is testing impact interests of third party business vendors or partners; if so, the company should obtain authorization from such third parties to proceed with the program.
  • Properly administered – Once a company has clearly outlined the scope of the program, it must include guidance as to how the program works. Companies should include clearly stated points of contact, preferably nonpersonal email accounts that are regularly monitored. A company will want to be able to reproduce or corroborate any identified vulnerability, and the CU suggests that while a company is free to set the rules as to documentation format, it should be mindful that if hackers are prevented from saving certain data, it may have to be willing to accept written descriptions. Timing should also be addressed – some companies require a prompt disclosure, while some have a long-term deadline and others create short-term challenges which offer higher payouts for more bugs identified in a defined time period. Lastly, the company should determine its overall budget for the program and advertise the levels of bounties offered and the attendant requirements to attain each level of reward.
  • Accompanied by a stated vulnerability disclosure policy – The policy should clearly state the scope and administrative requirements of the bug bounty program.  The critical component here is having the policy publicized and accessible to potential participants.  In addition, the company should state the consequences for hackers that operate outside the parameters of the program.  While laws are a bit vague on this point, companies often promise not to prosecute if hackers fully comply with all elements of the program.  Lastly, the policy should provide a company contact to whom hackers can direct questions and receive guidance on program rules.

Conclusion

Once a bug bounty program is created and publicized, a company must hold itself to as strict a compliance standard as it applies to its hacker participants.  What challenged Uber was that it paid a drastically larger amount (ten times the highest advertised reward amount pursuant to the program) for just one breach, thereby circumventing its own publicized and authorized program.  Not only did the amount exceed the limits of its stated program, but Uber negotiated with the hacker, which appeared as extortion-like behavior.  In addition, officials at Uber were aware that this situation unfolded differently than the typical bug bounty interaction.  Rather than notify Uber of the potential vulnerability, the hacker downloaded the sensitive information, then contacted Uber to request payment.  At that point, Uber should have notified law enforcement.  Not only did Uber fail to contact authorities, it waited more than a year to notify the public or authorities about the breach.

Whether a company runs its own program or enlists the aid of a service such as HackerOne, it would be well-advised to ensure compliance with the terms of the program. Furthermore, it must make certain that all relevant business and legal leaders at the organization are aware of the identified vulnerability, particularly if it is a significant one or involves sensitive information. Only by involving all stakeholders in the discussion can the organization ensure that its program does not run afoul of relevant legal and other guidelines and requirements.


IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement


By Jennifer Thompson



In “IoT Device Companies: Add COPPA to Your ‘To Do’ Lists,” I summarized the Federal Trade Commission (FTC)’s June 2017 guidance that IoT companies selling devices used by children will be subject to the Children’s Online Privacy Protection Act (COPPA) and may face increased scrutiny from the FTC with respect to their data collection practices. That warning became a harsh reality for VTech Electronics Limited (VTech), which recently entered into a settlement with the FTC to, among other things, pay $650,000 for alleged violations of COPPA and the FTC Act.

The Department of Justice, on behalf of the FTC, filed a complaint against VTech alleging that the Kid Connect application embedded in a variety of online platforms and portable devices distributed by VTech collected personal information from hundreds of thousands of children without providing the requisite direct notice of VTech’s information practices to parents, and without obtaining verifiable consent from parents to the collection of the information, both as required by COPPA. In addition, the FTC stated that VTech’s data security measures to protect the information it had collected were neither reasonable nor appropriate to satisfy the requirements of COPPA. The complaint further alleged deceptive practices by VTech in connection with statements in its privacy policy relating to whether VTech encrypted collected data.

COPPA

COPPA requires that any company which collects personal information online from children under the age of 13 must: 1) have a privacy policy which clearly and completely discloses to parents what information is collected, how the collected information will be used and what the parent’s rights are with respect to modifying or deleting the information; 2) obtain verifiable consent from the parent to the collection and intended use; and 3) take reasonable measures to protect the security and confidentiality of the obtained information. VTech required parents to provide personal information, including the parent’s name and email address, as well as the child’s name, gender and date of birth, when signing up for platforms or devices leveraging the Kid Connect application. However, the FTC found various violations of COPPA in VTech’s practices. Alleged violations of COPPA are detailed below, along with key takeaways for IoT companies.

Violation: Although VTech had a privacy policy in place, it was posted only on certain registration pages, which violated COPPA’s requirement to provide a direct notice of its policies to parents.  The FTC asserted that VTech failed to provide the required direct and clear link to its information practices, because the link to the VTech privacy policy was not posted in each place where children’s information was collected and on the landing screen of the application.

Lesson: Post frequent and prominent links to the company’s privacy policy in each and every location where the information is collected, as well as on the home/landing page for each service. Note that information may be collected during initial sign up or subscription, at log in and/or account set up screens, and during play or use on platforms or devices.

Violation:  The FTC alleged that VTech failed to provide complete notice of its information collection and intended use practices.  COPPA requires organizations, among other things, to post their physical and email address, a full description of the information collected from children, as well as information about the parents’ rights to modify, review and delete their children’s information.   VTech failed to provide a complete description of collection practices and intended uses.

Lesson:  Ensure that privacy policies provide a complete and accurate description of how data is collected and used.  In the VTech case, multiple platforms and devices connecting to the application collected different data elements and provided different functionality.  For example, some devices permitted chatting with authorized contacts and briefly stored recordings of such chats and messages, whereas other platforms simply stored names, addresses and gender.  It is critical that the privacy policy completely explains each and every use.

Violation:  In its complaint, the FTC noted that VTech also failed to have a mechanism in place to verify that the registrant was a parent and not a child, thereby failing to obtain verifiable consent from the parents prior to collecting the information.

Lesson: IoT companies must use available technology to be reasonably certain that the person providing the consent is, in fact, a parent. There are a variety of FTC-approved methodologies, including knowledge-based questions and facial recognition technologies. Note that consent should be obtained again if an organization institutes any material change to previously consented-to collection or use practices.

Violation: VTech allegedly failed to implement adequate security measures to protect stored and transmitted information as required by COPPA. The FTC noted weaknesses in VTech’s overall security program, which included inadequate training of employees as to information security requirements, and lack of penetration testing. Specifically, the FTC identified VTech’s failure to institute an intrusion prevention or detection system, so that VTech would be apprised of any unauthorized attempted or actual breaches of its network. In fact, VTech only learned of the intrusion and access to consumer information in November 2015, from a journalist. VTech also failed to monitor for or to identify the extraction of the children’s information across the VTech network boundaries. Finally, VTech stored certain information in a manner that linked that information to a parent’s name and physical address, and failed to encrypt certain pieces of information, both of which could identify a child to a hacker.

Lesson:  Information and data security is a constantly evolving obligation, and it is critical that each company collecting information online stay up to date on current technologies.   The FTC noted that there were available intrusion measures which VTech could have implemented.  In addition, companies should regularly test the effectiveness of their current administrative practices and procedures and ensure that proper training is in place for new and current employees.

FTC Act

In addition to the alleged violations of COPPA, the FTC accused VTech of engaging in deceptive practices in violation of the FTC Act, by implying in its privacy policy that the personal information submitted by the parents would be encrypted.  VTech’s privacy policy stated that, “in most cases” the data provided would be encrypted.  In practice, however, VTech did not encrypt the collected information.

Conclusion

The action brought against VTech is the first such action before the FTC with respect to Internet-connected toys, and may signal a shift in focus by the FTC toward greater scrutiny for IoT device companies marketing to children. Acting FTC Chairman Maureen K. Ohlhausen noted that, “As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.” In addition to paying the $650,000 penalty, VTech must create and implement a comprehensive data security program (to be independently audited for 20 years), provide compliance reporting to the FTC and is enjoined from further violations of COPPA or misstatements of its privacy policies in the future. Now more than ever, it is critical that IoT device companies review their posted policies and practices with respect to all personal information collected from or about children under the age of 13 to ensure that: 1) such policies are clear and complete; 2) parents receive direct and full access to the entirety of the policies; 3) verifiable consent is obtained from the parents; and 4) the companies’ information security measures and policies are adequate to guard against and promptly identify any breaches with respect to collected information.


Pros and Cons of Hiring a Security Rating Agency

By Jennifer Thompson


One can hardly check out any news outlet today without reading or hearing about a security breach. Experts frequently advocate performing internal assessments to identify security weaknesses. Commentators tout the importance of assessing the security of the entities with which you do business. Investors, partners and markets shy away from companies that are not proactive enough with respect to security. Given the multitude of variables involved and security measures available, how can a company convey the effectiveness of its own security program in a meaningful manner? Further, given how fact- and business-specific security is, how can one company compare its own security measures to those taken by another company? Many companies turn to independent ratings agencies for an objective evaluation and a systematized rating.

Security rating agencies are becoming instrumental in helping companies evaluate security risks and potential transactions. Investors in start-ups use such ratings to evaluate risks and identify the future investment needs of the entity. Security ratings are a critical part of due diligence review in mergers, acquisitions and joint ventures. Procurement departments routinely require vendors to obtain ratings before entering into agreements. Some companies may even ask a rating agency to evaluate their own operations to identify weak points and opportunities for improvement.

To produce a rating, the agencies gather public and private data points, feed them into the agency’s proprietary algorithm and generate a “score.” Scores can be used to measure one entity’s security efforts against others. Of course, a rating is only as reliable as the entity providing it, so is it worth spending money on these services? Similarly, once a score is obtained, can it harm your business? Will others deem your score too low? Will the publication of your score actually hamper your prospects or operations? Or worse, will having a low score published ultimately make you a more attractive target to would-be hackers?

Fortunately, some forty-odd companies and the US Chamber of Commerce identified the need to propose a standardized methodology for the security rating agencies. In June 2017, these companies and the US Chamber of Commerce issued the Principles for Fair and Accurate Security Ratings (the “Principles”).

The Principles seek to establish guidelines for fair and accurate reporting of security ratings and promote standards for the appropriate use and disclosure of the scores.  The Principles suggest that all security rating agencies should:

  • provide transparency of the methodologies and data used to create the rating;
  • provide a mechanism by which entities that are rated can dispute, correct and/or appeal any rating published by the ratings agencies;
  • provide advance notice of any changes to ratings methodologies so that rated companies are clear on how the procedural changes may affect their scores;
  • remain independent of the entities they rate; and
  • maintain confidentiality of all sensitive information (including information shared during disputes, non-public ratings and other private information).

Hopefully, the Principles will result in greater consistency among rating agencies, increased reliability in the scores and more efficiency in the ratings process itself. Ideally, all of these Principles will lead to candid discussions among business partners as to how entities can improve their security and, more importantly, suffer fewer breaches.

Of course, every company must assess whether to have itself rated and how to utilize and share any scores it obtains from the various rating agencies.  But assuming the agency retained to provide the security rating is in compliance with the Principles, at least buyers of these services can be reasonably certain they are receiving a truly objective measure with full opportunity to appeal or clarify any questions with respect to the score.

So, if your entity uses a security rating agency, make sure it is one that is operating in compliance with the Principles for Fair and Accurate Security Ratings espoused by the Chamber of Commerce.


IoT Device Companies: Add COPPA to Your “To Do” Lists

By Jennifer Thompson


Last week, the Federal Trade Commission (FTC) updated its guidance on the Children’s Online Privacy Protection Act (COPPA).  COPPA and the FTC’s related COPPA Rules establish guidelines to protect children under the age of 13 as they access the internet.  The recent updates issued by the FTC make it apparent that companies, when expanding their business offerings and product portfolios, must also ensure they are adequately protecting children in their potential use of these products and offerings.  Specifically, the FTC identified: 1) new business models that could cause a company to become subject to COPPA; 2) new products that are covered by COPPA; and 3) new methods for obtaining parental consent under COPPA.

New Business Models

In a June 21, 2017 business blog posting on the FTC website entitled “FTC Updates COPPA Compliance Plan for Business,” the FTC noted that companies are using a variety of new business methodologies to collect personal information. In particular, the FTC mentioned voice-activated devices that collect personal information. Although the FTC did not revise the COPPA rules to include specific language on emerging data collection business models, businesses adopting new methods of collecting personal data would be wise to comply with COPPA, as the FTC guidance suggests that these emerging data collection methodologies could affect the company’s obligations under COPPA.

New Products Covered by COPPA

Companies that are developing a variety of “Internet of Things” devices, as well as other devices utilizing geolocation and/or voice recognition technologies, may need to ensure that their products comply with COPPA, and not only if the device is specifically marketed to children. The actual language of COPPA states that it applies to any “website or online service” that collects personal information from children under 13. The FTC’s Six Step Compliance Plan (the “Compliance Plan”) for businesses offers a listing of what constitutes a “website or online service,” which makes it clear that COPPA applies to more than just websites and apps. In fact, in the most recent update to the Compliance Plan, the FTC added “connected toys or other Internet of Things devices” to the list of items covered by COPPA. This new language includes not only toys, but also devices using voice recognition, geolocation services and other personal information. It is interesting to note the breadth of the language. “Other Internet of Things devices” could indicate that the FTC may bring IoT devices beyond toys or those marketed directly to children under the provisions of COPPA if it is likely they could collect personal information from children under 13.

New Methods for Obtaining Parental Consent

Of course, understanding whether your company or client is subject to COPPA is just one part of the equation.  Companies subject to COPPA must obtain parental consent prior to collecting the personal information of children under 13.  The analysis set forth by the FTC in its COPPA Rule for obtaining parental consent is that the methodology must be “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”  In its recent guidance, the FTC expanded acceptable methods for obtaining such consent by listing two new methodologies:  Knowledge-Based Authentication (KBA) and facial recognition technology.

KBA will be acceptable if the user answers “a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer.”  The FTC, in its approval of this methodology, noted that KBA is widely used with great success in the financial services industry to appropriately authenticate the identity of the user and can therefore be used under COPPA to establish parental consent, provided that: 1) the questions are dynamic, multiple choice questions with sufficient variety and quantity that the probability is low that a child could guess the answers; and 2) the difficulty of the questions is such that a child could not appropriately answer the questions.

The FTC also will accept the use of facial recognition technology as a means of establishing parental consent if the company follows a two-step process to verify the identity of the person providing the consent. The two-step process uses the facial recognition technology to establish the legitimacy of a photo ID of the parent (such as a driver’s license or passport), and then compares that authenticated photo ID to another picture submitted by the parent giving the consent (presumably taken with the device being used to access the COPPA-covered website or online service). In approving the facial recognition technology, the FTC noted that the technology must be capable of authenticating the initial ID (by analyzing fonts, holograms, etc. on the ID) and then analyzing the second image to ensure it is a picture of the actual person providing the consent (and not a picture of another photo of the parent), so that the parent is, in fact, the person completing the consent process. If the technology does not verify a match, the enrollment is rejected. After the technology verifies that the two faces match, live persons at the company also review the two photos to ensure they match, and then the identification information should be deleted promptly (within five (5) minutes).

Conclusion

When counseling clients on new business ventures, attorneys must keep in mind the reach of COPPA, as well as other more obvious regulations.  The FTC noted that recent developments in the marketplace necessitated changes to COPPA to specifically identify new business practices and products that are subject to COPPA, as well as new ways for companies to establish the requisite parental consent.  In addition, aspects of the FTC’s guidance suggest it will adopt an expansive view of what methods, products and practices are covered under COPPA, so companies developing new IoT devices would be wise to anticipate that COPPA may apply to them.


Before You Hit “Send”: Ensuring Your Attorney-Client Emails Comply with the new ABA Guidance

By Jennifer Thompson


Today’s attorneys rely heavily on technology to communicate with clients, especially email.  At the same time, given the sensitive nature of many attorney-client communications and the potential windfall to anyone who wrongfully intercepts these email communications, such communications can also be extremely attractive to would-be hackers.  This situation prompted the American Bar Association (ABA) to issue new guidance on a lawyer’s ethical obligations with respect to the email transmission of client-related information.

The ABA issued Formal Opinion 477, entitled “Securing Communication of Protected Client Information,” on May 12, 2017. The opinion notes that the attorney’s ethical duties of competency and confidentiality come together when using electronic communications. The ABA’s ethical competency rules require an attorney to keep abreast of all changes in his or her practice area, including the most up-to-date electronic communication methods and related security measures. At the same time, the attorney is obligated by the confidentiality rules to use reasonable methods to prevent inadvertent or unauthorized disclosures of client information.

So what qualifies as “reasonable” measures to prevent inadvertent disclosures of client information in today’s technology-based world? Not surprisingly, there is no hard and fast rule. Rather, the ABA points to a variety of factors the attorney must weigh, such as how sensitive the information in the communication is to the client’s business; the cost and availability of additional safeguards the attorney could implement to protect the communication (including how likely it is the information would be disclosed absent such safeguards); and how the use of any such safeguards might adversely affect the attorney’s ability to adequately serve his or her client.

Accordingly, there are three important steps all attorneys should take when undertaking a new matter or onboarding a new client:

  1. Thorough Internal Assessments:  Attorneys must look at their own practices to understand what protections their firm currently uses to safeguard and store electronic transmissions.  In order to adequately assess security, the firm should:
  • catalog all devices being used by both attorneys and non-lawyers (including any personal devices used by staff for business purposes);
  • understand the access and security measures being used to control the devices;
  • evaluate who has access to protected client information and assess whether that access is appropriate;
  • survey firewalls, anti-spam software and encryption tools (and the corresponding protection of the associated encryption keys); and
  • perform due diligence on third party services such as applications, cloud servers and/or cloud sharing services and anti-virus protections (although the primary focus of the ABA opinion deals with email, any vulnerability in the firm’s system could compromise the security of the email transmissions).

Depending on the nature of the attorney’s practice, it may be reasonable to engage a specialist or a team of security professionals to ensure the firm and its systems are adequately protected.

  2. Open and Honest Discussion with Clients:  Attorneys must communicate with clients about the information to be shared and the client’s planned or desired communication methodologies.  It is only with a firm understanding of how sensitive the information pertaining to a particular matter is to the client’s business that the attorney and the client together can best determine how the information should be transmitted.
  3. Develop, Then Implement, a Plan:  Once it is understood what security measures are available at the firm and what the appropriate level of security is given the level of sensitivity of the communication, managing attorneys have a duty to create, implement and oversee a policy for all client communications.  This plan may include a variety of measures, including:
  • instituting protocols for communications via remote connectivity and remote devices;
  • clearly and conspicuously labeling the information and communications as confidential and subject to attorney-client privilege (which puts unintended recipients on notice as to the protected nature of the communications);
  • implementing multi-factor authentication, creating criteria around password strength and requiring regular password changes;
  • regularly training attorneys and staff in how to appropriately protect all communications;
  • updating and patching all software and systems; and
  • periodically reassessing and testing the effectiveness of technological security measures in use.

These steps may happen multiple times throughout a particular transaction or representation of the client and should be a dynamic and evolving process of fine-tuning the protections and adjusting the plan depending on the information involved.  But, if the attorney takes the critical first step of consciously and affirmatively understanding the security measures currently in place and otherwise available, and then maintains an open and ongoing dialog with the client as to the client’s information and communication preferences, the appropriate policies and practices will naturally follow.
