The US Consumer Financial Protection Bureau (CFPB) recently fined payments startup Dwolla US$100,000 for misrepresenting its security practices.
Dwolla advertised its service as “safe” and “secure”, and claimed its security practices exceeded industry standards and were PCI compliant. Dwolla also claimed that it encrypted all sensitive personal information.
The CFPB found that in fact Dwolla’s security practices fell well short of industry standards, for example, Dwolla:
- failed to encrypt some types of sensitive personal information, including social security numbers
- did not adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information
- failed to conduct adequate, regular risk assessments to identify reasonably foreseeable internal and external risks to consumers’ personal information, or to assess the safeguards in place to control those risks
- provided little or no data-security training to employees on their responsibilities for handling and protecting the security of consumers’ personal information, and
- released applications to the public without having tested whether they were secure.
Link: Press Release from Consumer Financial Protection Bureau | Full CFPB Complaint
The Federal Trade Commission (FTC) has settled a claim against Henry Schein Practice Solutions Inc (Schein), a provider of office management software for dental practices. The FTC claimed that Schein falsely advertised the level of encryption in software provided to protect patient data.
Schein marketed a database to dental practices with claims that the software was compliant with Advanced Encryption Standard (AES) encryption required to protect patient data under healthcare regulations in the US. However, rather than AES encryption, the software used a less secure “data camouflage” scheme that was more vulnerable to attack.
Under the settlement, Schein will be required to notify all customers that the software does not provide industry-standard encryption. Schein will also pay US$250,000 as disgorgement – a common provision in FTC advertising cases, but the first for marketing claims specifically related to data security.
Link (FTC): FTC press release
The Federal Communications Commission (FCC) has obtained a US$595,000 settlement from Cox Communications (the third largest cable company in the United States) for a privacy breach.
In August 2014, a hacker gained access to Cox systems containing customers’ personal information, by pretending to be from Cox’s IT department and convincing a Cox customer service representative and a Cox contractor to enter their account details into a “phishing” website controlled by the hacker. The Cox system in question did not have technical safeguards, such as multi-factor authentication, to prevent the compromised credentials from being used to access the personal information.
Cox will also be required to improve its privacy and data security practices by:
- designating a senior corporate manager who is a certified privacy professional,
- conducting privacy risk assessments,
- implementing a written information security program,
- maintaining reasonable oversight of third party vendors,
- implementing a data breach response plan, and
- providing privacy and security awareness training to employees and third-party vendors.
Link (FCC): FCC consent order
The UK Information Commissioner’s Office (ICO) has fined the Crown Prosecution Service (CPS) £200,000 for failing to maintain the security of recorded police interviews with victims and witnesses. The interviews concerned 31 police investigations, nearly all of which were ongoing and of a violent or sexual nature.
CPS couriered unencrypted DVDs containing the videos of the police interviews to a private film company for editing. The film company used a residential flat as a studio. The studio was burgled and two laptops containing the videos were stolen. The laptops, which were left on a desk, were password protected but unencrypted and the studio had no alarm and insufficient security.
The Commissioner considered that CPS failed to take reasonable steps to prevent the breach. On the facts, the Commissioner concluded that reasonable steps would have included:
- inspecting the film company’s premises to ensure that they were suitable for the editing of videos containing police interviews;
- having a guarantee that the unencrypted DVDs would be stored in a lockable cabinet;
- having a guarantee that any laptops containing the videos were encrypted by the film company; and
- making provision for the return or destruction/erasure of the DVDs/videos at the end of the case.
Link (ICO): Monetary Penalty Notice under the Data Protection Act 1998
The French privacy regulator, CNIL, has rejected Google’s informal appeal against its ruling (as reported previously) that individuals’ right to have search results delisted extends to Google’s websites worldwide, including Google.com (and not just Google’s European websites such as Google.de or Google.fr). In doing so CNIL stressed that, contrary to suggestions by Google, this would not amount to applying French law extraterritorially. Instead, CNIL characterised the decision simply as “[requesting] full observance of European legislation by non European players offering their services in Europe”.
Link (CNIL): CNIL Decision
The ICO has fined Pharmacy2U Ltd (the UK’s largest NHS-approved online pharmacy) £130,000 for selling more than 20,000 customers’ personal data to marketing companies without their informed consent.
The Commissioner emphasised that Pharmacy2U:
- ought to have known that its customers had a reasonable expectation of confidentiality when using an online pharmacy, especially when the company’s own website described the service as “discreet and confidential”, and
- should have displayed a notice in a prominent position on its website which provided its customers with a simple way to opt out of the sale of their personal data to third party organisations.
Link (ICO): ICO’s Decision
The US Securities and Exchange Commission (SEC) and investment adviser R.T. Jones Capital Equities Management have agreed to settle charges that the latter failed to establish the required security policies and procedures in the lead-up to a data breach that compromised the personally identifiable information of approximately 100,000 individuals.
As part of the SEC’s investigation, it found that R.T. Jones Capital did not have any written policies and procedures designed to protect customer information. Further, R.T. Jones Capital did not conduct periodic security risk assessments, encrypt personally identifiable information stored on a third-party server, implement a firewall, or maintain a response plan for potential security incidents.
Link: SEC Press Release