FDA Flunks Data Security Exam

Last week, the HHS Office of Inspector General released a damning report on FDA’s data security:  “The objective of this review was to determine whether the FDA’s network and external Web applications were vulnerable to compromise through cyber attacks.”  In short, they were vulnerable:

Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues:

Web page input validation was inadequate, external systems did not enforce account lockout procedures, security assessments were not… More

The FTC Wants to Regulate the Internet of Things, Including Your Car

The FTC recently filed a comment on the National Highway Traffic Safety Administration’s advance notice of proposed rulemaking related to vehicle-to-vehicle communications.  The comment left no doubt that the FTC wants to regulate the Internet and everything connected to it.

Nonetheless, the FTC’s specific comments about vehicle security were noteworthy:

First, participants expressed concern about the ability of connected car technology to track consumers’ precise geolocation over time. Such information may divulge personal details about an individual.  Did Consumer A visit an AIDS clinic last Tuesday? What place of worship does he attend? Was he at a psychiatrist’s office… More

FCC Enters the Data Security Enforcement Field with $10 Million Fine on Telecoms

In a first for the FCC, it announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:

The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is… More

COPPA Compliance is Important for General Audience Websites, Too

Yelp’s $450,000 settlement with the FTC in September should serve as an important reminder for all owners and operators of websites or mobile apps – even if your site is not for kids, you need to know and abide by what the Children’s Online Privacy Protection Act (COPPA), and the related COPPA Rule, require.

Yelp allows registered users to write reviews of local businesses. A user can access Yelp through desktop and mobile websites, as well as apps on both iOS and Android. Once registered, a user can upload a profile picture and post photos to go along with reviews… More

Lessons from the iCloud Celebrity Hack

The highly publicized hacking of the iCloud accounts of dozens of celebrities was disclosed over Labor Day weekend and has raised larger, more serious concerns regarding the security of personal and corporate data held in the cloud.

Several explanations for how the hack was achieved have been offered, with some initially pointing the finger at potential flaws in Apple’s security system. In a press release on Tuesday, Apple denied that the hacking stemmed from “any breach in any of Apple’s systems,” and pointed to “a very targeted attack on user names, passwords and security questions,… More

Don’t Put Off That New HIPAA Business Associate Agreement: September 23, 2014 Deadline Looms

It’s been a while, but we have another HIPAA deadline just around the corner: September 23, 2014.

September 23, 2014 is the date by which all HIPAA business associate agreements need to be in compliance with the current HIPAA regulations (often called the Omnibus Rule). The current rules went into effect on March 26, 2013, but certain then-existing HIPAA BAAs were grandfathered and did not have to be updated immediately. The grandfathering ends and up-to-date BAAs must be in place starting September 23, 2014.

Specifically, compliance was required 180 days following the HIPAA Omnibus Rule’s effective date (3/26/13); that initial deadline was… More

New COPPA Safe Harbor Added By iKeepSafe

Last week, the FTC announced approval of a new Safe Harbor Program under the Children’s Online Privacy Protection Act (COPPA), called iKeepSafe. The program was created by the Internet Keep Safe Coalition, a nonprofit organization that describes its goal as the “creation of positive resources for parents, educators and policymakers who teach youths how to use new media devices and platforms in safe and healthy ways.”

The COPPA Rule affords some flexibility in compliance through use of a safe harbor provision, 16 C.F.R. § 312.10. The provision allows that operators – that is, persons who operate… More

App Developers Should Note Revisions to COPPA FAQs

The FTC’s July 10, 2014 complaint filed against Amazon has left app developers with concerns about how to make apps that target kids and still comply with the law. The complaint, brought under Section 5(a) of the FTC Act, alleged that Amazon failed to obtain parents’ or account holders’ informed consent to in-app charges incurred by children. While the complaint was not brought under the Children’s Online Privacy Protection Act (COPPA), the increased scrutiny on child-targeted apps should have all app developers making sure they understand what COPPA requires when it comes to getting parental consent.

Generally, COPPA… More

In Riley v. California, Supreme Court Rules Police Must Obtain Warrant before Searching Cell Phones

In a unanimous decision issued today, the Supreme Court ruled that police cannot search the cell phones of arrested individuals without a warrant. In reaching its decision, the Court recognized that there is an immense amount of personal information on smart phones and held that access to that information would constitute a significant invasion of individual privacy. With the relatively recent invention of cell phones and the sudden pervasiveness of smart phones in the United States, the Court was forced to grapple with the application of century-old legal principles to the practical realities of modern-day technology. As… More