After failing to sell Dick Smith as a going concern, receivers Ferrier Hodgson are now trying to sell the company’s New Zealand and Australian assets, including customer databases. But does the Privacy Act 1993 allow it?
The US Consumer Financial Protection Bureau (CFPB) recently fined payments startup Dwolla US$100,000 for misrepresenting its security practices.
Dwolla advertised its service as “safe” and “secure”, and claimed its security practices exceeded industry standards and were PCI compliant. Dwolla also claimed that it encrypted all sensitive personal information.
The CFPB found that in fact Dwolla’s security practices fell well short of industry standards, for example, Dwolla:
- failed to encrypt some types of sensitive personal information, including social security numbers
- did not adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information
- failed to conduct adequate, regular risk assessments to identify reasonably foreseeable internal and external risks to consumers’ personal information, or to assess the safeguards in place to control those risks
- provided little or no datasecurity training to employees on their responsibilities for handling and protecting the security of consumers’ personal information, and
- released applications to the public without having tested whether they were secure.
The Federal Energy Regulatory Commission has issued a final rule creating information security standards for the US electric grid. The US Congress is also considering legislation designed to combat perceived cybersecurity and privacy threats related to the grid. Among other things, the legislation would establish a regulated security testing regime for products used in the grid.
The European Union’s new General Data Protection Regulation (GPDR) has passed its last major hurdle to adoption. On Dec. 18, 2015, the Permanent Representatives Committee of the European Council confirmed that the compromise texts on the legislative package had been agreed with the European Parliament.
The GPDR contains a number of features potentially of interest to privacy practitioners in other jurisdictions whose privacy laws may follow the direction set by the EU, including:
- codifying the ‘right to be forgotten’ confirmed by the European Court of Justice in the 2014 Costeja decision
- regulating algorithmic decision-making where it produces legal effects or significantly affects individuals, and
- introducing requirements for mandatory notification of data breaches.
Link: WSGR via Bloomberg BNA
The Federal Trade Commission (FTC) has settled a claim against Henry Schein Practice Solutions Inc (Shein), a provider of office management software for dental practices. The FTC claimed that Shein falsely advertised the level of encryption in software provided to protect patient data.
Shein marketed a database to dental practices with claims that the software was compliant with Advanced Encryption Standard (AES) encryption required to protect patient data under healthcare regulations in the US. However, rather than “encryption”, the software used a less secure algorithm of “data camouflage” which was more vulnerable to attack.
Under the settlement, Shein will be required to notify all customers that the software does not provide industry-standard encryption. Shein will also pay USD$250,000 as disgorgement – a common provision in FTC advertising cases, but the first for marketing claims specifically related to data security.
Link (FCC): FCC press release
The US Court of Appeals for the Third Circuit has allowed a class action to proceed against Google relating to the company’s practice of side-stepping “cookie-blockers” on Internet Explorer and Safari’s browsers to track users’ internet activities without their consent. The class action brought a pot pourri of claims against Google. A Court upheld the dismissal of a number of claims, but re-opened the way for the plaintiffs to pursue claims of privacy violation under the California Constitution and California tort law.
The Court ruled that, if the plaintiffs’ factual pleadings are ultimately substantiated, it could be open to a reasonable jury to conclude that there was a “serious invasion of privacy” on the basis that Google deliberately overrode the “cookie-blockers” on Internet Explorer and Safari’s browsers and, at the same time, it held itself out as respecting the “cookie-blockers”. As part of this finding, the Court noted that “Google’s alleged conduct was broad, touching untold millions of internet users; it was surreptitious, surfacing only because of the independent research of Mayer and the Wall Street Journal; and it was of indefinite duration …“.
Link (US Court of Appeals, Third Circuit): In re: Google Cookie Placement Consumer Privacy Litigation
Norton recently released its annual Cyber-security Insight Report for New Zealand. The report found that:
- the amount consumers lost to cyber-crime in the past year was NZD$256.8 million,
- 83% of the respondents are worried that they will become a victim of cyber-crime,
- only 45% of consumers “always” use a secure password,
- only 15% of consumers feel completely in control over their online security, and
- only 38% of the respondents are confident they know what to do if they become a victim of cyber-crime.
Link (Norton): Norton Cyber-security Insight Report (New Zealand)