Matthew Sullivan

Last month, CTIA, the wireless industry association, launched an initiative through which wireless-connected Internet of Things (“IoT”) devices can be certified for cybersecurity readiness.  According to the CTIA announcement, the CTIA Cybersecurity Certification Program (the “Program”) is intended to protect both consumers and wireless infrastructure by creating a more secure foundation for IoT applications that support “smart” cities, connected cars, mobile health apps, home appliances, and other IoT-enabled environments.

The Program was developed in collaboration with the nationwide wireless carriers, along with technology companies, security experts and test laboratories, and builds upon IoT security recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST).  According to the Program Test Plan, devices eligible for certification include those that contain an IoT application layer that provides identity and authentication functionality and at least one communications module supporting either LTE or Wi-Fi networks.

A device submitted for certification will undergo a series of tests at a CTIA-authorized lab.  The testing will assess the device for one of three certification levels or “categories.” To obtain a Category 1 certification, the device will be reviewed for the presence of “core” IoT device security elements, including a Terms of Service and a customer-facing privacy policy, along with technical elements including password management, authentication and access controls.  A Category 2 certification includes the Category 1 elements, in addition to enhanced security features, such as an audit log, multi-factor authentication, remote deactivation, and threat monitoring. A Category 3 certification features the most comprehensive level of cybersecurity threat testing, and covers elements such as encryption of data at rest, digital signature validation, and tamper reporting, in addition to the elements under Categories 1 and 2.

The Program comes at a time of rapid growth for IoT devices.  According to the latest Ericsson Mobility Report, the global IoT market will expand to 3.5 billion cellular-connected devices in the next five years.  Much of this growth is expected to be driven by the anticipated deployment of 5G technology and enhanced mobile broadband.

The Program will begin accepting devices for certification testing in October 2018.  Details on how to participate in the Program are available on the CTIA website.

On April 8, 2015, the Federal Communications Commission (FCC) Enforcement Bureau announced that AT&T has agreed to a $25 million consent decree to resolve an FCC investigation into alleged consumer privacy violations at AT&T call centers in Mexico, Colombia, and the Philippines. According to the FCC, AT&T violated Section 222 of the Communications Act (the “Act”) by failing to reasonably secure its customers’ personal information, including customers’ names and at least the last four digits of their Social Security numbers, as well as account-related data known as customer proprietary network information (CPNI). The agency further alleged that AT&T’s data security practices at the three call centers were unjust and unreasonable in violation of Section 201 of the Act. The settlement is the FCC’s largest data security enforcement action to date.

The FCC launched its investigation into AT&T in May 2014 after AT&T reported a data breach to the Commission’s CPNI Data Breach Portal. The breach occurred between November 2013 and April 2014 at a third-party call center facility in Mexico under contract with AT&T. According to the FCC, while AT&T did not operate the call center where the breach occurred, AT&T maintained and operated the systems that certain employees at the Mexico call center used to access AT&T customer records, and those systems were governed by AT&T’s data security measures. The FCC asserted that AT&T’s measures failed to prevent or timely detect the breach, which lasted 168 days and resulted in unauthorized access to more than 68,000 customer accounts. The employees at issue sold the data from the customer accounts to an unauthorized third party, who used the information to submit up to 290,000 handset unlock requests through AT&T’s website as part of what appeared to be a fraudulent used or stolen phone trafficking operation. AT&T terminated its relationship with the Mexico call center in September 2014.

In March 2015, AT&T disclosed to the FCC that it was investigating separate data breaches at call centers in Colombia and the Philippines, in which call center employees accessed account data for at least 211,000 customer accounts to obtain unlock codes for AT&T mobile phones. The unauthorized access exposed certain customer CPNI, including bill amount and rate plan information, though AT&T’s investigation found no evidence that the CPNI was used or sold to third parties.

To read more about the terms of the FCC consent decree with AT&T, visit our sister blog here.

The consent decree with AT&T comes six months after the FCC’s first data security enforcement action. In that case, the FCC issued a Notice of Apparent Liability (or NAL) seeking to impose $10 million in fines against TerraCom, Inc. and YourTel America, Inc. for allegedly violating Sections 222 and 201 of the Act by maintaining the sensitive personal data of 300,000 consumers on unencrypted Internet servers. These actions underscore the FCC’s heightened and growing emphasis on consumer privacy and data security, areas that traditionally have been the focus of the Federal Trade Commission, which has brought more than 50 privacy and data security actions across a number of industries during the past 10 years.

Last month, we reported on a bill that would amend a key provision in New Jersey’s restrictive telemarketing law, which prohibited nearly all telemarketing calls to mobile devices, even when the telemarketer had the consent of the mobile device user.  At the end of January, New Jersey Governor Chris Christie signed the bill, S1382.  The amended law only prohibits unsolicited telemarketing calls to mobile devices.  As a result, telemarketing companies can now make sales calls to mobile devices when the call is either (1) made to a customer with whom there is an existing business relationship, or (2) in response to the customer’s written request.

The amended law became effective upon signing by Governor Christie.

Last week, the FTC expressed support for the National Highway Traffic Safety Administration’s (“NHTSA’s”) approach to privacy and data security within the NHTSA’s proposed regulation relating to vehicle-to-vehicle (“V2V”) communications. The proposed rule, which would incorporate V2V technology into passenger cars and light trucks by 2019, is intended to enhance driver safety by aggregating and sharing data (such as a vehicle’s speed) from surrounding vehicles to generate safety warnings for drivers.

In a comment responding to the NHTSA’s proposed rule, the FTC noted three primary concerns relating to V2V communications, as described during the FTC’s “Internet of Things” workshop in November 2013:

  • The ability of connected car technology to track consumers’ precise geolocation over time;
  • Information about driving habits used to price insurance premiums or set prices for other auto-related products, without drivers’ knowledge or consent; and
  • The security of connected cars, including the ability for third parties to remotely access a car’s internal computer network.

According to the FTC, the NHTSA’s V2V proposed rulemaking appropriately addressed these concerns through a deliberative, process-based approach that included collaboration with multiple industry and consumer stakeholders. The FTC also noted that the NHTSA designed the proposed V2V system to limit the data collected and stored to that which serves the intended safety purposes, and to ensure that the collected data cannot be used to identify a particular individual or vehicle. Lastly, with respect to the security of the collected data, the FTC supports the NHTSA’s decision to help mitigate the potential for unauthorized access to data by keeping the V2V device separate from other onboard computers.


On February 19, 2014, the FTC hosted a public seminar on mobile device tracking, the first event in the FTC’s Spring Privacy Series on emerging consumer privacy issues.  The seminar included a tutorial on how retail tracking technology works, along with a panel featuring representatives from consumer groups, and the retail, marketing, and technology industries, who discussed the risks and benefits, consumer awareness and perceptions, and the future of mobile device tracking.

The tutorial on mobile device tracking provided a technical overview of how mobile devices collect information and also send information back to the consumer.  The discussion also covered the practice of “hashing,” which makes the collected information non-personally identifiable but not completely anonymous.
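The "non-personally identifiable but not anonymous" point is easiest to see in code. The following is an added example, not material from the FTC seminar: it hashes constructed sample device identifiers (Wi-Fi MAC addresses) the way a retail tracker might, shows that the resulting tokens still link a phone's visits across days and still let anyone who knows a particular device's address test whether it was present, and contrasts that with a keyed hash under a per-day secret (an assumed mitigation, not one the seminar described).

```python
"""Added example: hashing a device identifier pseudonymizes it but does not
anonymize it.  The MAC addresses and visit log below are constructed for this
illustration only."""
import hashlib
import hmac
import secrets

# Constructed sample: three phones observed by one store across two days.
VISITS = [
    ("day1", "a4:5e:60:11:22:33"),
    ("day1", "f0:18:98:44:55:66"),
    ("day2", "a4:5e:60:11:22:33"),   # phone 1 returns
    ("day2", "3c:22:fb:77:88:99"),
    ("day2", "f0:18:98:44:55:66"),   # phone 2 returns
]


def plain_hash(mac: str) -> str:
    """Unkeyed SHA-256: deterministic, so the same phone always yields the
    same token on every visit, every day, and in every store using it."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()


def keyed_hash(mac: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key.  With a fresh key per day (discarded
    afterwards), tokens from different days cannot be joined together."""
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()


def build_log(token_fn) -> dict:
    """Store only tokens: token -> set of days on which it was seen."""
    log = {}
    for day, mac in VISITS:
        log.setdefault(token_fn(day, mac), set()).add(day)
    return log


def repeat_visitors(log: dict) -> int:
    """Number of tokens seen on more than one day, i.e. devices whose
    visit history the stored log can still link."""
    return sum(1 for days in log.values() if len(days) > 1)


def visited(log: dict, mac: str, token_fn, day: str) -> bool:
    """Anyone who knows a specific person's MAC address can test whether
    that person was in the store: the hash hides the value from a casual
    reader, but it is not anonymous."""
    return token_fn(day, mac) in log


# Unkeyed tokens: visits link across days and a known MAC is recognisable.
plain_log = build_log(lambda day, mac: plain_hash(mac))

# Keyed tokens with a per-day secret; in practice each key would be
# discarded once its day is over, so nobody could re-derive the tokens.
DAY_KEYS = {"day1": secrets.token_bytes(32), "day2": secrets.token_bytes(32)}
keyed_log = build_log(lambda day, mac: keyed_hash(mac, DAY_KEYS[day]))
```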

Following the technical overview, the panel discussed the consumer benefits and privacy concerns of mobile device tracking, mainly in the context of brick-and-mortar retailers.  The panel agreed that while the technology has the potential to improve consumers’ shopping experience and help businesses identify how best to display popular products and improve line waits at registers, the collection of data via mobile devices is invisible and passive, and it is difficult for consumers to opt out of mobile device tracking.

For a more detailed overview of the seminar, please click here.

On February 6, the Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) hosted the first of eight planned multi-stakeholder meetings aimed at creating a voluntary code of conduct to address the growing commercial and government use of facial recognition technology. The meeting included a primer on how facial recognition technology works, current applications, technical privacy safeguards, and gaps in privacy protections that should be addressed during the upcoming sessions. Meeting attendees included government stakeholders, technology industry representatives from companies including Microsoft and FaceFirst, and consumer groups such as Consumer Action and the Center for Democracy and Technology. The second meeting is scheduled for February 25.

Notably, the meeting was held one day after Senator Al Franken (D-Minn.) sent a letter to the head of FacialNetwork.com, the developer of the NameTag facial recognition app for Google Glass users. The letter cited deep concerns with NameTag’s ability to identify individuals from a distance without their knowledge and consent, the lack of federal law governing the use of facial recognition technology, and the potential for abuse by “bad actors.” In the letter, Sen. Franken “strongly urged” the developer to (1) postpone NameTag’s launch until after NTIA establishes its code of conduct; and (2) limit the app’s facial recognition feature to individuals who have given their affirmative consent to be identified.


Two new actions announced in the past week indicate that federal and state regulators will continue to aggressively enforce data security and consumer protection laws in the wake of recent high profile consumer data breaches.

Today, the FTC announced a settlement with GMR Transcription Services, Inc. (“GMR”), a provider of medical transcription services, along with two company owners, over claims that GMR employed inadequate data security measures that unfairly exposed the personal information of several thousand consumers to the public Internet. According to the FTC, despite GMR’s public assurances that data maintained in its system would remain private and secure, a service provider working on behalf of GMR inadvertently allowed consumers’ highly sensitive medical information, driver’s license numbers, tax information, and other data to be indexed and searchable through a major search engine. Under the settlement, GMR is prohibited from misrepresenting the extent of its privacy safeguards. The company also must establish a comprehensive data security program that will be subject to biennial independent audits for the next 20 years.

On January 24, California Attorney General Kamala Harris filed a lawsuit against Kaiser Foundation Health Plan (“Kaiser”) for failing to provide its employees with timely notice following a data breach that occurred in September 2011. California’s breach notification law requires that entities provide notice “in the most expedient time possible and without unreasonable delay” following a breach. According to the complaint, Kaiser did not notify affected individuals until March 2012, after completing a forensic investigation into the breach two months earlier. The complaint also alleges that, in conjunction with the data breach, Kaiser violated a California law that prohibits the “public posting” of Social Security numbers. The numbers were allegedly “publicly posted” because they were stored on an unencrypted hard drive that was later sold at a thrift store in Santa Cruz, CA.

These latest actions serve as a reminder to companies of their obligations both when collecting and storing consumer information and when responding to a data breach.


This week, the Federal Trade Commission announced the latest updates to its Frequently Asked Questions (“FAQs”) document to assist online operators as they work to comply with changes to the Children’s Online Privacy Protection (“COPPA”) Rule that went into effect on July 1, 2013. The updated FAQs address the following topics:

  • Share buttons – FAQ D.9 confirms that if an online or mobile app contains embedded buttons or plug-ins that allow children to send email or otherwise post information (for example, through a social network), the operator of such app must obtain verifiable parental consent unless an exception applies. Such consent is required even if the app does not otherwise collect personal information from children.
  • Actual knowledge – FAQs D.10-D.12 describe various instances where an operator of a third-party advertising network will be deemed to have “actual knowledge” that it is collecting personal information directly from users of another Web site or online service directed to children.
  • Information collected from a child-directed site – FAQ K.2 addresses the notice and consent obligations of ad networks that collected personal information through child-directed websites prior to the July 1 rule changes. According to the FTC, in the absence of an applicable exception, the operator must stop collecting information immediately and obtain verifiable parental consent before using any personal information that the operator knows came from the child-directed website or online service.

These updates are the latest in a series of recent updates to the COPPA FAQs (also see here, here, and here) to educate operators of websites and online services directed to children about their obligations under the amended Rule.

Two industry organizations announced new initiatives designed to help mobile app developers comply with revisions to the Children’s Online Privacy Protection Act (“COPPA”) Rule, which take effect today.

Today, the Association of Competitive Technologies (“ACT”) launched Moms With Apps, an initiative aimed at highlighting mobile apps that were designed with children’s privacy in mind. According to ACT, Moms With Apps will establish industry standards and best practices designed to assist with COPPA compliance, encourage transparency with respect to privacy practices and app features, and promote apps tailored to children under the age of 13.

On June 25, the Entertainment Software Rating Board (“ESRB”) announced that its privacy seal certification program, ESRB Privacy Certified, now includes services to help mobile app developers comply with the changes to COPPA. ESRB Privacy Certified includes the following suite of services:

• Individualized privacy risk assessment for all online and mobile properties;
• Solutions for obtaining verifiable parental consent for users under age 13;
• Guidance on providing concise “short form” privacy disclosures to mobile users;
• Consultation on privacy policy development; and
• Ongoing compliance monitoring and reporting.

Lastly, the FTC announced the availability of new materials to help businesses that operate child-directed websites and mobile apps comply with COPPA. The FTC document, “The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business,” includes a six-step process for companies to determine their obligations under COPPA. The FTC also released a video for businesses that explains the Rule changes. The new materials are the latest effort by FTC Staff (also see here, here, and here) to educate operators of websites and online services directed to children about their obligations under the amended Rule.

This week, the Federal Trade Commission announced the latest update to its frequently asked questions (“FAQs”) document to assist online operators as they prepare for changes to the Children’s Online Privacy Protection (“COPPA”) Rule, which go into effect on July 1, 2013. The updated FAQs address the parental notice and consent obligations for operators that feature a Facebook “Like” button on their site. The new question and answer (see FAQ I.10) reads as follows:

10. I have a child-directed website. Can I put the Facebook Like button on my site without providing notice and obtaining verifiable parental consent?

Section 312.5(c)(8) of the Rule has an exception to its notice and consent requirements where:
• a third-party operator only collects a persistent identifier and no other personal information;
• the user affirmatively interacts with that third-party operator to trigger the collection; and
• the third-party operator has previously conducted an age-screen of the user, indicating the user is not a child.

If the third-party operator meets all of those requirements, and if your site doesn’t collect personal information (except for that covered by an exception), you don’t need to provide notice or obtain consent. This exception doesn’t apply where the third party collects more information than a persistent identifier — for example, where the third party also collects user comments or other user-generated content. In addition, a child-directed website can’t rely on this exception to treat particular visitors as adults and track their activities. If your inclusion of the Facebook Like button satisfies all these criteria, you may rely on this exception under the Rule.

The new Q&A is the latest effort by FTC Staff (also see here, here, and here) to educate operators of websites and online services directed to children about their obligations under the amended Rule.