Category Archives: United States

Privacy row over FBI iris scan database

The FBI has collected nearly 430,000 iris scans over the past three years, an investigation by technology website The Verge has revealed.

Privacy International said it was “deeply concerning” that hundreds of thousands of iris scans were being added to a database without public debate, proper safeguards “or even awareness that such data has been taken and is being stored”.

“If our biometric data is to be collected at all, such systems should not be introduced or continued before a public debate, strong legal frameworks, and strict safeguards are in place,” the organisation told the BBC.

Link: Radio New Zealand

Privacy scrutiny for Oculus Rift

Concerns have emerged this week over the wording of the privacy policy of Oculus, Facebook’s virtual reality subsidiary and maker of the Oculus Rift headset.

First to press was ZDNet, highlighting wording that purports to disclaim responsibility for data breaches. This was followed by a letter (PDF) to the company from Senator Al Franken, demanding more detailed disclosures on what information Oculus collects from users and what it does with that data.

All in all, this is a timely reminder of the PR implications of privacy policies, especially for high profile businesses. In jurisdictions like New Zealand, it is also an open question whether disclaimers of the kind highlighted above might attract attention from regulators under unfair contract terms legislation.

Link: ZDNet  |  TechCrunch
Hat-tip: IAPP

US payments processor Dwolla fined for misrepresenting security practices

The US Consumer Financial Protection Bureau (CFPB) recently fined payments startup Dwolla US$100,000 for misrepresenting its security practices.

Dwolla advertised its service as “safe” and “secure”, and claimed its security practices exceeded industry standards and were PCI compliant. Dwolla also claimed that it encrypted all sensitive personal information.

The CFPB found that in fact Dwolla’s security practices fell well short of industry standards, for example, Dwolla:

  • failed to encrypt some types of sensitive personal information, including social security numbers
  • did not adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information
  • failed to conduct adequate, regular risk assessments to identify reasonably foreseeable internal and external risks to consumers’ personal information, or to assess the safeguards in place to control those risks
  • provided little or no data security training to employees on their responsibilities for handling and protecting the security of consumers’ personal information, and
  • released applications to the public without having tested whether they were secure.

Link: Press Release from Consumer Financial Protection Bureau  |  Full CFPB Complaint

Privacy and cybersecurity reform for US energy sector

The Federal Energy Regulatory Commission has issued a final rule creating information security standards for the US electric grid.  The US Congress is also considering legislation designed to combat perceived cybersecurity and privacy threats related to the grid.  Among other things, the legislation would establish a regulated security testing regime for products used in the grid.

Link: Hogan Lovells Chronicle of Data Protection

FTC settles claim for misrepresenting standard of software’s data security

The Federal Trade Commission (FTC) has settled a claim against Henry Schein Practice Solutions Inc (Schein), a provider of office management software for dental practices. The FTC claimed that Schein falsely advertised the level of encryption in software it provided to protect patient data.

Schein marketed a database to dental practices with claims that the software provided Advanced Encryption Standard (AES) encryption of the kind called for to protect patient data under US healthcare regulations. However, rather than encryption, the software used a less secure “data camouflage” algorithm that was more vulnerable to attack.

Under the settlement, Schein will be required to notify all customers that the software does not provide industry-standard encryption. Schein will also pay US$250,000 as disgorgement, a common provision in FTC advertising cases but the first for marketing claims specifically related to data security.

Link (FTC): FTC press release
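The practical lesson of the Schein case is that “reversible” and “encrypted” are not the same thing, and a buyer can check the difference. The following Go program is an added illustration, not code from the Schein product or the FTC filing: the page does not describe how Schein’s “data camouflage” worked, so the `Camouflage` function is a hypothetical stand-in (a fixed, repeating XOR key) chosen to show the properties any keyed obfuscation of that kind shares. Beside it, `SealAESGCM`/`OpenAESGCM` show what an AES claim should actually mean: a fresh nonce per record, so identical fields do not produce identical ciphertexts, and an authentication tag, so tampering is detected. The sample SSN and the keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Camouflage is a hypothetical stand-in for a reversible "data camouflage"
// transform: the data is XORed with a fixed, repeating key. It hides bytes
// from casual viewing but is not encryption in any cryptographic sense.
func Camouflage(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// RecoverCamouflageKey shows the failure mode: a single known
// plaintext/output pair (one record the attacker already knows) leaks the
// whole key, which then unmasks every other record in the database.
func RecoverCamouflageKey(plain, camo []byte, keyLen int) []byte {
	key := make([]byte, keyLen)
	for i := 0; i < keyLen && i < len(plain) && i < len(camo); i++ {
		key[i] = plain[i] ^ camo[i]
	}
	return key
}

// SealAESGCM encrypts with AES-GCM under a fresh random nonce.
// Output layout: nonce || ciphertext || authentication tag.
func SealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenAESGCM reverses SealAESGCM and fails closed if the ciphertext, the
// tag or the associated data was modified.
func OpenAESGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	ssn := []byte("123-45-6789")   // constructed sample patient field
	camoKey := []byte("obscure!")  // hypothetical fixed vendor key

	c1, c2 := Camouflage(ssn, camoKey), Camouflage(ssn, camoKey)
	fmt.Printf("camouflage deterministic: %v\n", bytes.Equal(c1, c2))
	fmt.Printf("key recovered from one known record: %q\n",
		RecoverCamouflageKey(ssn, c1, len(camoKey)))

	aesKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(aesKey); err != nil {
		panic(err)
	}
	aad := []byte("patient-id:42") // bound to the record, not secret
	s1, _ := SealAESGCM(aesKey, ssn, aad)
	s2, _ := SealAESGCM(aesKey, ssn, aad)
	fmt.Printf("AES-GCM ciphertexts differ: %v\n", !bytes.Equal(s1, s2))

	s1[len(s1)-1] ^= 0x01 // flip one bit of the tag
	_, err := OpenAESGCM(aesKey, s1, aad)
	fmt.Printf("tampering detected: %v\n", err != nil)
}
```

The two checks in `main` are the ones a purchaser can run against any vendor’s “encrypted” export without knowing its internals: store the same value twice and compare the stored bytes, and flip a bit in stored data and see whether the application notices. A scheme that fails the first is deterministic obfuscation; one that fails the second gives no integrity at all.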

Google Cookie Class Action Survives

The US Court of Appeals for the Third Circuit has allowed a class action to proceed against Google relating to the company’s practice of side-stepping cookie-blocking settings in the Internet Explorer and Safari browsers to track users’ internet activity without their consent. The class action brought a potpourri of claims against Google. The Court upheld the dismissal of a number of claims, but reopened the way for the plaintiffs to pursue claims of privacy violation under the California Constitution and California tort law.

The Court ruled that, if the plaintiffs’ factual pleadings are ultimately substantiated, it could be open to a reasonable jury to conclude that there was a “serious invasion of privacy”, on the basis that Google deliberately overrode the cookie-blockers in the Internet Explorer and Safari browsers while at the same time holding itself out as respecting them. As part of this finding, the Court noted that “Google’s alleged conduct was broad, touching untold millions of internet users; it was surreptitious, surfacing only because of the independent research of Mayer and the Wall Street Journal; and it was of indefinite duration …”.

Link (US Court of Appeals, Third Circuit): In re: Google Cookie Placement Consumer Privacy Litigation

Hackable hospitals

A feature by Monte Reel and Jordan Robertson for Bloomberg Business looks at the world of security vulnerabilities in medical devices. The authors look at the findings of research carried out for the Mayo Clinic on the security of devices used on its premises. The results are sobering:

“For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.

‘Every day, it was like every device on the menu got crushed,’ Rios says. ‘It was all bad. Really, really bad.’ The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.

The Mayo Clinic emerged from those sessions with a fresh set of security requirements for its medical device suppliers, requiring that each device be tested to meet standards before purchasing contracts were signed. Rios applauded the clinic, but he knew that only a few hospitals in the world had the resources and influence to pull that off, and he walked away from the job with an unshakable conviction: Sooner or later, hospitals would be hacked, and patients would be hurt. He’d gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve.”

Link: Full article on Bloomberg Business