Federal US News
FBI Issues Updated Ransomware Guidance
A recent report from New Zealand-based cybersecurity firm Emsisoft has revealed the extent to which ransomware is being used in cyberattacks in the United States. The first 9 months of 2019 have seen 621 ransomware attacks on government entities, health care organizations, and educational institutions. The recent attacks have prompted the FBI’s Internet Crime Complaint Center (IC3) to update its advice on ransomware.
The FBI has long maintained the view that paying a ransom is never advisable. The attackers may not hold valid keys to unlock the encryption or may choose not to supply them and issue further demands after an initial payment is made. That said, the latest ransomware guidance has seen the FBI slightly soften its stance on paying ransoms, saying “the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
The recent attacks have clearly demonstrated that the following are essential:
- Ensuring that valid backups of all critical data are made to keep attacked entities’ options open. It is no use creating backups and storing them on networked devices, as those backups are likely to also be encrypted.
- Creating multiple backup copies with at least one backup copy being stored on a non-networked device that is not connected to the internet.
- Testing backups to make sure files can be recovered in the event of a disaster. If backups are corrupted, paying the ransom may be the only option.
FTC Workshop Aims to Inform Potential COPPA Updates
Much of the discussion at the FTC’s “Future of the COPPA Rule” workshop focused on the misconceptions surrounding the rule. FTC Commissioner Noah Joshua Phillips offered remarks on what he’d like to see come from any potential amendments, namely a balance that protects children's privacy without sacrificing the flourishing of technology and innovation. He also spoke on what he views as a misinterpreted scope of the law: while many are arguing for amendments that would include more stringent provisions on privacy, Phillips views COPPA's intent as one that protects children from online harms unrelated to data collection or advertising. Phillips used education technology as an example of why there should be careful consideration of any potential changes.
Many have decried edtech vendors’ collection and retention of data, but Phillips said those tools support children's development while aiding teachers and parents in educating children. “Just because we are talking about privacy and just because we are talking about kids, more regulation is not necessarily better, including for kids,” Phillips said. “COPPA is all about empowering parents and protecting kids. You should keep that in mind.” Additionally, the FTC extended the deadline to submit comments from October 23 to December 9.
FTC Challenges Bogus Influencer Metrics
Devumi, LLC and its owner and CEO, German Calas, Jr., have agreed to settle the FTC’s first-ever complaint challenging the sale of fake indicators of social media influence, which are important metrics that businesses and individuals use in making hiring, investing, purchasing, licensing, and viewing decisions. According to the FTC’s complaint, the now-defunct Devumi used its websites Devumi.com, TwitterBoost.co, Buyview.co, and Buyplans.co to sell fake indicators of social media influence, including fake followers, subscribers, views, and likes, to users of social media platforms, including LinkedIn, Twitter, YouTube, Pinterest, Vine, and SoundCloud.
The FTC alleges the defendants sold fake Twitter followers to actors, athletes, musicians, writers, and others who wanted to increase their appeal as online influencers. The FTC alleges that Devumi also sold fake Twitter followers to motivational speakers, law firm partners, investment professionals, and others who wanted to boost their credibility to potential clients. According to the FTC, Devumi filled more than 58,000 orders for fake Twitter followers, enabling the buyers to deceive potential clients about their social media influence.
The FTC contends that the defendants thereby enabled their customers to deceive both potential viewers and potential music purchasers. By selling and distributing fake indicators of social media influence to users of various social media platforms, the FTC alleges the defendants provided their customers with the means and instrumentalities to commit deceptive acts or practices, which is itself a deceptive act or practice in violation of the FTC Act. The proposed court order settling the FTC’s charges contains both conduct and monetary provisions. It imposes a monetary judgment against German Calas, Jr. of $2.5 million, the amount that the FTC alleges he was paid by Devumi or its parent company. The order specifies that upon payment of $250,000, the remainder of the judgment will be suspended. If Mr. Calas is later found to have misrepresented his financial condition to the FTC, the entire judgment immediately will become due.
State US News
CCPA Could Cost Companies Total of $55 Billion to Get in Compliance
According to an economic impact assessment prepared for the state attorney general’s office by an independent research firm, California’s new privacy law could cost companies a total of up to $55 billion in initial compliance costs.
The review, released publicly by California’s Department of Finance, provided a broad range for the potential costs companies could face to become and stay compliant with the CCPA. On the low end, the researchers estimated that firms with fewer than 20 employees might have to pay around $50,000 at the outset to become compliant. On the high end, firms with more than 500 employees would pay an average of $2 million in initial costs.
The $55 billion researchers estimated companies will initially pay to become compliant is equivalent to about 1.8% of California’s Gross State Product in 2018. In addition, total compliance costs for all companies subject to the law could range from $467 million to more than $16 billion over the next decade, according to the report.
Advocate Behind the CCPA Announces Second, More Expansive Ballot Initiative
On September 24, 2019, the privacy advocate and real estate investor who initially qualified the California Consumer Privacy Act (CCPA) for the November 2018 ballot, Alastair Mactaggart, announced that he would seek to qualify a new consumer privacy initiative for California’s November 2020 ballot.
This 2020 measure comes on the heels of two years of intense legislative negotiation over the meaning and breadth of the CCPA, widely regarded as the strongest privacy protection law in the US. Mactaggart reportedly spent over $3 million of his own money to qualify the original CCPA for the ballot in 2018, but ultimately withdrew the measure after reaching a compromise with legislative leaders and the Brown administration to enact the CCPA legislatively last summer. Mactaggart discussed his new proposal, referred to as the California Privacy Rights and Enforcement Act of 2020, at an industry conference this morning.
Describing the measure as “new rights in response to new technology,” Mactaggart said the measure would ensure consumers greater control over “sensitive personal information” such as race, health, sexual orientation, and geolocation data than is provided under current law. He expects broad opposition from the business community, but expresses poll-driven optimism that the new measure will be adopted by California’s voters. If approved, the new measure is to take effect on January 1, 2021.
Critics Say AG’s Proposed CCPA Regulations Add Confusion
At a surprise news conference, California Attorney General Xavier Becerra stood with nine members of his staff touting the proposed regulations as a victory. “Though they are to be made public today, these proposed regulations have taken a year to get to this point,” Becerra said. “And they reflect changes from the legislature up until last month and feedback from the public during four public forums in the last year.”
At a high level, the regulations focus on four specific areas of the CCPA:
- Restoring choice
- Restoring control
- Restoring transparency
- Fostering innovation
Some of those tasked with complying with the CCPA or helping their clients do not agree that the document is a win. Several attorneys have commented that the regulations confuse more than they clarify, creating additional ambiguities and burdens for businesses.
United States and United Kingdom Sign First Bilateral Executive Agreement Under the CLOUD Act
The United States and the United Kingdom entered into the world’s first-ever CLOUD Act Agreement that will allow American and British law enforcement agencies, with appropriate authorization, to demand electronic data regarding serious crime, including terrorism, child sexual abuse, and cybercrime, directly from tech companies based in the other country, without legal barriers. Under its terms, law enforcement, when armed with appropriate court authorization, may go directly to tech companies based in the other country to access electronic data, rather than going through governments.
New Model Adopted by German Data Protection Authorities Conference for Calculating GDPR Fines
The DSK is the joint coordination body of the German data protection authorities. It has recently set out a new model for calculating EU General Data Protection Regulation fines, which, if adopted and applied, is likely to lead to high GDPR fines, more frequently at the top end of the maximum fine limits under Article 83.
Some German authorities have started applying this new model in practice; for example, the Berlin data protection commissioner has already announced her intention to impose multimillion GDPR fines based on this model. Some of the first cases defending clients against fines calculated under this new model are being heard. The largely linear calculation method, starting with revenue, leads to serious penalty risks, especially for companies and groups with high turnover.
China Releases Its Version of COPPA
China has released its own version of the US Children’s Online Privacy Protection Act (COPPA). The Cyberspace Administration of China released the final version of the “Measures on Online Protection of Children’s Personal Data,” effective October 1. The measures provide further clarity on how to protect children’s personal data online under the framework of China's Cyber Security Law.
Not only do the measures have a broader application than COPPA (they apply to any collection, storage, processing, transfer and disclosure of personal data of children under 14 and do not look at whether a website is directed to children), but these measures also include prescriptive requirements on management measures to safeguard children’s personal data, including appointing a dedicated person to protect children’s personal data.
Future updates/clarifications are expected. At this time, it seems as though foreign website operators and online service operators that target children in China may also be subject to the measures.
Other Global News
IAPP Releases Updated Privacy Vendor Report
The IAPP has released the latest version of its 2019 Privacy Tech Vendor Report. Since the report’s last iteration earlier this year, 48 new vendors have entered the marketplace. The IAPP Tech Vendor Report now has more than 250 vendors listed in its pages. The report also covers the recent major investments made in the privacy tech space over the past 12 months as venture capitalists and angel funders turn their eyes toward the market and the demand for privacy tech services continues to increase.
How Uber, eBay, and Pitney Bowes Built Principles-Based Global Privacy Programs
At the IAPP’s recent Privacy. Security. Risk 2019 conference, a panel of in-house privacy professionals discussed ways that businesses can globalize their privacy programs, based on their first-hand experiences. The program featured Derek Care, director, privacy at Uber; Raymond Umerley, vice president and chief data protection officer at Pitney Bowes; and Aaron Weller, strategic privacy advisor at eBay.
One of the panelists outlined 11 important steps that organizations can follow to develop and implement an effective privacy program:
- Governance and oversight
- Personal information inventory
- Accountability supported by documentation
- Risk assessments
- Implement reasonable security measures
- Develop clear externally facing privacy notices
- Enable individuals to exercise control over their data
- Implement privacy by design and by default
- Vendor management
- Incident response