The Federal Communications Commission (FCC) has obtained a US$595,000 settlement from Cox Communications (the third largest cable company in the United States) for a privacy breach.
In August 2014, a hacker gained access to Cox systems containing customers’ personal information, by pretending to be from Cox’s IT department and convincing a Cox customer service representative and a Cox contractor to enter their account details into a “phishing” website controlled by the hacker. The Cox system in question did not have technical safeguards, such as multi-factor authentication, to prevent the compromised credentials from being used to access the personal information.
Cox will also be required to improve its privacy and data security practices by:
- designating a senior corporate manager who is a certified privacy professional,
- conducting privacy risk assessments,
- implementing a written information security program,
- maintaining reasonable oversight of third-party vendors,
- implementing a data breach response plan, and
- providing privacy and security awareness training to employees and third-party vendors.
Link (FCC): FCC consent order
The EFF has released the results of research on poorly secured automated licence plate recognition (ALPR) systems. The research identified more than a hundred ALPR cameras left accessible to anyone with a web browser. The EFF release also looks at the response of five agencies operating the ALPR cameras on being warned of the vulnerabilities.
Link (EFF): License Plate Readers Exposed! How Public Safety Agencies Responded to Major Vulnerabilities in Vehicle Surveillance Tech
An update of EU regulatory developments since the European Court of Justice ruled the US/EU Safe Harbour Agreement invalid:
The Unabhängiges Landeszentrum für Datenschutz (ULD), a German data protection agency, has issued a position paper stating that “organisations, which use Standard Contractual Clauses to transfer personal data to the US, now need to consider terminating the underlying standard contract with the data importer in the US or suspending data transfers. In consistent application of the requirements explicated by the CJEU in its judgment, a data transfer on the basis of Standard Contractual Clauses to the US is no longer permitted”.
This was closely followed by a public statement from the Article 29 Working Group, which is currently analysing the impact of the European Court of Justice judgment on other transfer tools (such as Standard Contractual Clauses). The ULD noted that in the interim “data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used”, although “this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals”.
Links: Article 29 Working Group Statement and ULD Position Paper
California has passed a privacy law regulating the use of voice recognition in TVs. The law prohibits the operation of a voice recognition feature unless the user is prominently informed during the initial setup or installation of a connected TV. Further, any recordings of conversations collected through the operation of a voice recognition feature cannot be sold or used for any advertising purpose.
Link (Legislation): AB No.1116
The new Trans-Pacific Partnership was signed last week, and includes a chapter on electronic commerce. The full details of the agreement are not yet available, but New Zealand’s Ministry of Foreign Affairs and Trade (MFAT) has released a summary.
The chapter on electronic commerce promises to be of particular interest to privacy and data protection practitioners. In its summary of chapter 14, MFAT states:
“TPP Parties commit to ensuring free flow of the global information and data that drives the Internet and the digital economy, subject to legitimate public policy objectives such as personal information protection. The 12 Parties also agree not to require that TPP companies build data centres to store data as a condition for operating in a TPP market, and, in addition, that source code of software is not required to be transferred or accessed.”
Link: TPP Ministerial Summary (MFAT)
In Australia, Kmart has engaged IT forensic investigators after personal details of its online customers were hacked. Kmart says no customer credit card details have been compromised. However, customers’ names, email addresses, home addresses, telephone numbers, and product purchase details were accessed in an “external privacy breach” early last month. Kmart has also contacted the Australian Privacy Commissioner and the Federal Police to help with the investigation.
In the US, Experian, one of the largest data brokers and credit agencies in the world, has also been hacked. Information from the hack includes names, addresses, and social security, driver’s license and passport numbers. The licence and passport numbers were in an encrypted field, but Experian says that encryption may also have been compromised.
Link: Kmart (Sydney Morning Herald) and Experian (The Guardian)
California today passed the Electronic Communications Privacy Act, which prohibits law enforcement or other regulators from forcing businesses to hand over metadata or digital communications without a warrant. It also requires a warrant to track or search devices like mobile phones. The Act is being hailed as the most comprehensive law of its kind in any U.S. state.