Tuesday, March 29, 2016

Consumer Data Security Claims Monitored

Consumer data security claims by many businesses seek to settle the fears and doubts of many consumers engaging in electronic payments. Those representations should be tempered with an accurate description of the business’s practices to keep consumer information and transaction data secure. Several agencies have each been tasked with a different scope of authority. Data security has been allocated to be under the auspices of the Dodd-Frank Act.[1] Information protection regarding consumer confidential information has been the responsibility of the Federal Trade Commission under the Gramm-Leach-Bliley Act. Deceptive business practices of covered financial institutions fall under the Consumer Financial Protection Bureau (CFPB), sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, for the purposes of enforcing federal consumer financial laws.
The veracity of business claims of protecting consumer data and payment processing is scrutinized. Failure to meet the security claims will be deemed a deceptive business practice. The CFPB has stressed the importance of attending to the integrity of digital payment system security. It has also emphasized the growing reliance and trust that consumers display in entrusting their private and financial information as they execute electronic transactions. In a recent press release, it stated: “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
While the FTC, Office of the Comptroller of Currencies (OCC) and other federal banking agencies are authorized to police the handling of data security and consumer information of financial institutions, the CFPB reviewed the claims made by Dwolla, Inc., an online payment transaction platform that provides payment processing services through the Department of the Treasury’s payment portal. In an Order issued through the administrative proceeding of the CFPB, Dwolla, Inc. was determined to have made deceptive data security representations to the public. The consent order states that Dwolla, Inc.’s communications made false statements about its data safety processes, e.g., about its use of encryption and that its practice surpassed the Payment Card Industry (PCI) standards. Conversely, the CFPB asserts that Dwolla, Inc. did not, among several issues, provide acceptable data security training to its employees, establish acceptable and appropriate data security policies and practices, conduct timely and regular risk assessments, or use encryption.
The order also outlined a list of actions required to address the findings, with a five-year horizon within which Dwolla, Inc. is ordered to comply with the stipulated items, report the actions taken to remedy the findings, record all implementations and findings, and submit monitoring compliance reports as scheduled. From this case, financial technology businesses involved in payment processing should carefully screen the representations about their practices and standards in their communications, websites, advertisements, and press releases. Failure to apply what is claimed to be in practice, and failure to exercise due diligence in safeguarding confidential financial consumer information, will be punishable even absent any consumer harm. Advertisements and marketing efforts in this competitive and growing payment processing industry should be tempered with a sober realization of what is actually implemented in the daily cycle of transactions and in the keeping of records. As a result, a fine was imposed on Dwolla, Inc. to be paid within ten days of the order, and it will be monitored for the next five years.
[1] The Dodd–Frank Wall Street Reform and Consumer Protection Act (Pub.L. 111–203, H.R. 4173; commonly referred to as Dodd-Frank) was signed into federal law July 21, 2010.

Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web."
Copyright 2016, all rights reserved Lorenzo Law Firm, P.A.

Internet Service Providers Privacy Principles from the FCC


Internet service providers (ISPs) are being pressured for enhanced privacy practices by the Federal Communications Commission (FCC). Commissioner Wheeler’s proposal issued March 11th seeks to regulate ISPs and their handling of consumer information to heighten consumer privacy protection. The FCC issued its draft Notice of Proposed Rulemaking (NPRM) focusing on ISPs and not on websites, with its comment cycle commencing after its March 31st adoption.

The FCC clarifies that the Federal Trade Commission (FTC) has authority over websites and internet applications, but the point of the rulemaking is to enhance consumer notification and the opportunity to consent, so that consumers can make informed decisions about how their information is managed and shared. The hinging aspect of the Commissioner’s proposal is the data security responsibility and data security reporting that will be newly expected of ISPs.

While the FTC has authority in many respects over ensuring privacy and data integrity handling by entities, the FCC sees the FTC’s best practices as a guideline for ISPs to follow. The risk management practices imposed and expected by the FTC will now be expected of ISPs. The measures include implementing customer authentication steps, personnel training, and due diligence efforts to secure the confidentiality of customer information. In addition, ISPs will be expected to report data breaches in a timely manner: to the Commission and law enforcement within seven days and to customers who are affected within ten days. The requirement for reporting to law enforcement, however, for some peculiar reason, applies only when more than 5000 customers are affected.

The FCC intends to trifurcate the levels of sharing of customer information. The three categories, if you will, are an opt-in consent, opt-out consent, and consent that is deemed approved upon ISP service subscription. The last category, involving the inherent assumption of consent, is based on the administrative function: an ISP would be allowed to share consumer information so long as it is pertinent to the ISP’s ability to provide its service and administer the account in question. ISP functions involving account billing, usage monitoring and reporting, account reconciliation, and account collections would be considered consented to by customers without the need for their explicit consent.

The opt-out and opt-in categories address the ISPs’ permissible use of customer data as they pursue marketing activities with third-party vendors and services. Such uses would require the ISP to give customers a means to designate their opt-out option. The determination of what constitutes “other communications-related services” remains pending. Other uses of customer data and personal information by ISPs will require the ISP to obtain opt-in consent from the customer. The overall sense of the NPRM is to enhance the privacy of consumer data and improve the ISPs’ role and responsibility to secure consumer information and be accountable for breaches.



Data Security Breaches Settled and Filed

Data security breaches are becoming too common for comfort and ease as we engage as daily participants in the marketplace. Companies, governmental institutions, nonprofits, and organizations are quickly learning that cyber incidents could be a day away. If they claim that their information is secure, their claim can be checked and they can be found guilty of deception for giving customers, members, and the like a false sense of security. Inadequate measures that do not meet reasonable and industry standards may soon be of no avail, and that lackadaisical approach to IT management has recently affected schools as well as commonly shopped-at stores.

One such store, Home Depot, just entered into a settlement agreement out of the United States District Court for the Northern District of Georgia that was filed on March 7, 2016. A couple of days later, a suit was filed in the United States District Court for the Central District of Florida against the University of Central Florida (UCF). The complaint cites claims for negligence in handling confidential information, breach of implied contract to maintain the data secure, conversion, and a claim for bailment. The latter is underscored by the plaintiffs’ argument that UCF did not safeguard the personal or financial information of persons.

The store suit claimed that the store failed to maintain industry standard data security and appropriate notification practices. Count I asserted violations of consumer laws regarding all affected plaintiffs and separate statewide consumer law classes. Count II asserted violations of state data breach notification statutes on behalf of separate statewide classes. Count III asserted the occurrence of negligence. Count IV asserted the occurrence of a breach of implied contract. Counts V and VI asserted unjust enrichment and declaratory judgment. The complaint asserted that the store violated state data breach statutes by not timely informing customers and not providing them accurate notification of the breaches.

In its settlement, the store agreed to establish a reimbursement fund for cardholders and a fund for identity protection for cardholders. The store will also invest to enhance its data security practices and improve its identity protection services. The cyber intrusion into Home Depot’s system occurred when a vendor’s credentials were acquired to enter the network and extract customer purchasing card information using malware.

The UCF lawsuit claims that the school committed negligence by failing to reasonably secure the personally identifiable information (PII), to maintain the PII securely, and to provide notice of the incident in a timely manner. The suit claims that UCF took over a month to notify the affected persons and that the size of the affected class approximates 63,000. The potentially affected persons at UCF include employees, students, and alumni, and the type of information extracted may have included social security numbers and complete names. The lawsuit also asserts that UCF violated Florida’s Deceptive and Unfair Trade Practices Act, claiming that UCF’s conduct was unlawful by not seeking to protect the plaintiffs’ vested interest in the privacy, security, and integrity of their PII.


See, Home Depot Data Security Settlement, In re The Home Depot Inc., 1:14-md-02583, (NDGA).




Tuesday, March 22, 2016

Internet of Things, Risks and Security

The Internet of Things and the interconnectedness of devices have inherent drawbacks. Initially, the convenience of using interconnected devices overcomes the awareness of the lack of control over the information that is gathered about their use. The convenience and allure of the novelty of the Internet of Things catch everyone’s whim to acquire the latest. But unfortunately, there are risks that must be encountered and there are ever-present liabilities. The Internet of Things has been identified by the U.S. national intelligence community as a threat to data privacy, data reliability, and services we all rely on.[1] With the advent of digital toys for children, hackers can seek information on the adolescent users.
The news is replete with stories of security issues, data breaches, and cyber intrusions. At the cornerstone of these developments is the reality that software and security and their interplay will be woven into our lives. Yet what seems overlooked is the evident role of software keeping up with the risks. These risks go beyond identity theft, bank hacking, and cyber hacking for confidential information. There is a risk of physical threat that could affect air traffic control towers, nuclear power plants, water treatment, power grids in major cities, not to mention law enforcement communications.
The concern shared in this post has global dimensions. Potential attacks are seeking to infiltrate major industrial control systems to harness the ability to shut down business and administrative functions. Such a cyber incident, according to Lloyd’s of London, is tantamount to a blackout causing total economic disruption. A similarly described incident was reported to have occurred in the Ukraine on or about mid-December 2015, affecting its energy grid.[2] The infecting malware is suspected to have targeted Ukraine’s industrial control system. Fortunately for them, they had an alternative means of restoring service because it was not dependent on an Internet connection, and they were able to utilize the redundant means of manual power switches.
[1] James R. Clapper, Director of National Intelligence, spoke on threat assessment before the U.S. Senate Select Committee on Intelligence in February 2016.
[2] On March 1, 2016, the New York Times.  The Department of Homeland Security (DOHS) issued an alert noting the malware.



Monday, March 7, 2016

Social Media Pics May Hurt Your Employment

Social media pics are so commonly shared. Many a social media user posts pics of dinners with friends, vacation spots, golf outings, parties, gatherings, and much more. They each can tell a story, and the story is about you. When you share and what you share can have an impact on your career and your current job, and even the school you are desiring to attend. Yet, it is hard to think that this would be the case. But with employers vetting candidates, finding out about the social interests of a candidate or even an employee becomes interesting to the soon-to-be employer or the current employer. This curiosity spills into the radar of your supervisor, who is wondering what you are doing during your medical leave.
The question does percolate: how is one’s privacy respected? Another related question is whether someone relinquishes such privacy when the person posts activities and events in which he or she is participating. In Jones v. Gulf Coast Health Care, [1] the court dealt mostly with the issues germane to the Family Medical Leave Act (FMLA). What the court focused on was the balance of needing a special accommodation and where the employee’s FMLA right was infringed. While determining the plaintiff’s argument that the firing infringed on the plaintiff’s FMLA rights, the court stated, “As long as the employee has been given the requisite leave period, the statute does not forbid an employer from discharging an employee who fails to come back to work at the expiration of the leave.” In this case, the plaintiff returned one day late. The court further states, “An employee’s insistence on taking more leave than is allowed by the FMLA is not protected conduct.”[2]

The social media privacy of the employee is up for grabs. By 2014, over twenty states enacted legislation regarding employers’ access to employees’ and applicants’ usernames and passwords. While they each vary over employers’ allowable treatment of employees’ social media login credentials and their access to them, many states, including Georgia, Florida, Hawaii, Massachusetts, Illinois, and even Minnesota and others, have pending legislation placing restrictions on employers’ access to employees’ login credentials. New York’s pending legislation seeks to amend the New York State Online Privacy Protection and Internet Safety Act and establishes the New York State Online Accounts and Social Media Privacy Act. It goes further than other states by prohibiting even prospective employers from accessing credentials and social media information.
In 2015, Florida’s S.B. 126, which sought to prohibit employers from requesting or requiring access to a social media account of an employee or prospective employee under certain circumstances, to prohibit retaliatory personnel action for an employee’s refusal to allow access to his or her social media account, and to authorize civil action for a violation, did not succeed beyond committee. In Florida’s 2016 legislative session, S.B. 186 prohibits employers from requesting social media account information from employees and prospective employees. However, it does permit employers to request such information for ‘business purposes.’ Other states are dancing the same “can do” and “cannot do” line without a clear definition of what can be construed as a ‘business purpose.’ This is only going to fuel more litigation, helping attorneys’ bottom line.
[1] Jones v. Gulf Coast Health Care of Delaware, LLC, (M.D. Fla. Feb. 18, 2016).
[2] Armburst v. SA-ENC Operator Holdings, LLC, No. 2-14- cv-55-Ftm-38CM, 2015 WL 3465760, at *5 (M.D. Fla. June 1, 2015).


Saturday, March 5, 2016

Faceprints Infringing Privacy

Faceprints are used by social media to identify you as a named social media participant and are useful to them for the purposes of relating you to other individuals on the social media platform. Last year we posted on the European Union’s concern with facial recognition technology being limitlessly used for the wrong reasons. The EU’s main concern was the potential vulnerability of citizens if identities were to fall into the wrong hands. Facial Recognition Technology (FRT) does step forward and can go beyond what appears to be a helpful means to enhance associations on Facebook, Shutterfly, Google, and other social media platforms.

Use of FRT is prevalent among governments, law enforcement, and commercial entities. The limitless use of FRT has made privacy cases pop up in the United States, underscoring claims of violation of privacy.[1] The biometric technology used by law enforcement is just as easily used for commercial purposes. Yet, if the government is infringing on privacy, the Fourth Amendment provides protections, which by virtue of the court decisions also apply to handheld technologies including mobiles. The extent of the protection is to where one reasonably expects privacy. The expectation of privacy is being determined when one is in public settings in a commercial area.

Commercial uses are occurring when an establishment sells the video of its daily occurrences in its establishment to a third party. That third party, by using FRT, will then identify the patrons of the establishment and collect the relational biometric data. In turn, marketing agencies can then profile your social habits, your commercial interests, political activities, recreational interests, even your favorite liquor store, drug store, adult store, the church you worship at, and where and when you bank.

On the commercial aspect of using faceprint technology, the constitutional principles are not applicable. The redress would be with the Federal Trade Commission to determine in what manner the biometric technology is used, collected, and shared. More importantly, if it is related to advertising, marketing, and activities that could be construed as deceptive and unfair business practices, the FTC is within its wheelhouse. Into the realm of privacy, how the digital data is used, collected, and shared is, however, outside the FTC’s wheelhouse.

Social media has broadened not by itself but by the sheer availability it provides for multitudes around the world to interconnect by sharing their information, putting their own lives out for the public to view and be informed about. Unbeknownst to them, the biometric technology enabling facial recognition has dramatic human rights and privacy implications. It also has security and identity protection vulnerability implications for all. Current laws are archaic, as they are silent on this facet of our digital social life and the social aspect of our personal business. One can say that “in social media we don’t mind our own business we mind the business of others.” Moreover, when it comes to state protections, only Washington, Illinois, and Texas have provisions in place that limit the use and collection of biometric information. Federal provisions that seem applicable to this malady of cyber security and potential invasion of privacy, i.e., the Wiretap Act and the Video Privacy Act, are not written to aptly address the nuanced information technology developments involving biometrics and faceprints. This technological use of faceprints and biometrics is the new frontier for surveillance, account verification, antiterrorism, law enforcement, and knowing where you have been and where you like to shop. It is also useful, as it is collectively related to your activity, to enable profiling to predict your life’s next steps.
[1] Norberg v. Shutterfly, Inc., No. 15-05351 (N.D. Ill.).

