Lessons Learned From The
FTC
(Federal Trade Commission, USA)
Raj Goel, CISSP
Chief Technology Officer
Brainlink International, Inc.
raj@brainlink.com / 917-685-7731
Twitter: @RajGoel_NY
Raj Goel, CISSP
» Raj Goel, Certified Information Systems Security Professional (CISSP), is an author, entrepreneur, IT expert, and industry leader who
specializes in the field of cyber security and privacy law. As the founder of a leading IT consultation firm, Brainlink, Raj has spent more than
20 years developing proven IT solutions for a range of high-profile clients in the financial, construction, architectural, and property
management industries.
» His uniquely developed Standard Operating Procedure (SOP) Culture (winner of 2015 SmartCEO's Culture Award) has changed the way he
and his clients think about documentation. By developing a business culture that carefully documents each and every task undertaken,
SOP Culture allows companies to rapidly increase productivity, eliminate redundancies, and increase quality of service to their clients.
» Speaker
» "Eat, Sleep, Surveil, Repeat", NYS CyberSecurity - Channelnomics MSP Conference
» “Mouseveillance”, NYS Cybersecurity Conference - “Life Of A Child (2014)”, ASIS
» “Panopticon: Architecture Of Global Surveillance” - ISSA International Conference
» Keynote Speaker
» “Panopticon 2013”, NCSL, Government of Netherlands, The Hague, Netherlands (2013)
» “Rise of Government & Corporate Surveillance” Government Of Curacao (2013)
» "What should MSP’s know about compliance?", Datto Partner Conference (2013)
» On-Air Television Cybersecurity Expert
» Raj regularly appears on a number of national news channels such as Bloomberg TV, CNBC's On The Money, Fox Business, Columbia News
Tonight and more to discuss relevant cybersecurity topics.
» Find out more at rajgoel.com, brainlink.com and sopculture.com. To speak to Raj today, reach out right away at (917) 685-7731 or
raj@brainlink.com.
©2016 Raj Goel, CISSP / raj@brainlink.com
/ 917-685-7731 / @rajgoel_ny
Media Appearances
TV Appearances
https://www.brainlink.com/category/video-library/
UNPLUGGED (Buy Now!)
FTC Cases & proceedings
» https://www.ftc.gov/enforcement/cases-proceedings
FTC – ToySmart (2000)
» ToySmart sold educational, non-violent toys and collected information on children while it was in
business. Its privacy policy said that it would never share information with third parties.
» Toysmart.com went bankrupt and tried to auction off the customer database separately as an asset of
the company.
» "Customer data collected under a privacy agreement should not be auctioned off to the highest
bidder," according to Jodie Bernstein, Director of the FTC's Bureau of Consumer Protection. "This
settlement protects consumers from a winner-take-all bid in bankruptcy court, ensuring only a
family-oriented Web site willing to buy the entire Toysmart Web site has the ability to do so."
» Settlement: Anyone who bought ToySmart must adhere to Toysmart’s privacy policies.
» - www.steptoe.com/assets/attachments/937.com
FTC – Microsoft Passport (2002)
» "We believe that Microsoft made a number of misrepresentations, dealing with, one, the overall
security of the Passport system and personal information stored on it; two, the security of online
purchases made with Passport Wallet; three, the kinds of personal information Microsoft collects of
users of the Passport service; and four, how much control parents have over the information
collected by Web sites participating in the Kids Passport program," [FTC Chairman] Muris said
during the conference call.
» The FTC outlined its findings in a six-page complaint. Many of the problems resulted from Microsoft
failing to adhere to its own privacy statements about Passport, Passport Wallet or Kids Passport.
» No penalties, 20 years of reporting to FTC required.
» For 5 years, MS to submit advertising materials and all other documentation pertaining to
collection or retention of consumer data.
http://news.cnet.com/2100-1001-948922.html
FTC - DSW (2005)
» “Shoe retailer DSW Inc. agreed to beef up its computer security to settle U.S.
charges that it didn't adequately protect customers' credit cards and checking
accounts,...
» The FTC said the company engaged in an unfair business practice because it
created unnecessary risks by storing customer information in an unencrypted
manner without adequate protection....
» As part of the settlement, DSW set up a comprehensive data-security program and
will undergo audits every two years for the next 20 years. “
» - ComputerWorld.com 12/1/2005
» According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses
related to the breach ranges from $6.5 million to $9.5 million.
» This is the FTC’s seventh case challenging faulty data security practices by retailers
and others. - www.ftc.gov 12/1/2005
FTC – BJ's Wholesale Club (2005)
» “According to the FTC, BJ's failed to encrypt customer data when
transmitted or stored on BJ's computers, kept that data in files accessible
using default passwords, and ran insecure, insufficiently monitored
wireless networks.
» ...affected financial institutions filed suit against BJ's to recover damages.
According to a May securities and Exchange Commission filing, BJ's
recorded charges of $7 million in 2004 and an additional $3 million in 2005
to cover legal costs.
» Under terms of the settlement, BJ's will implement a comprehensive
information-security program subject to third-party audits every other
year for the next two decades.“
» - InformationWeek 6/16/2005
FTC - Choicepoint (2006)
» “The $10 million fine imposed today by the Federal Trade Commission on data aggregator
ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance
the agency is taking on companies that fail to adequately protect sensitive data, legal experts said.
» And it's not just companies that suffer data breaches that should be concerned. Those companies
that are unable to demonstrate due diligence when it comes to information security practices could
also wind up in the FTC’s crosshairs, they added.
» ChoicePoint will pay a fine of $10 million...
» In addition to the penalty, the largest ever levied by the FTC, ChoicePoint has been asked to set up
a $5 million trust fund for individuals...
» ChoicePoint will also have to submit to comprehensive security audits every two years through
2026. “
» - ComputerWorld.com 01/26/2006
FTC - Sears/Kmart (2009)
» In 2009, the Sears.com and Kmart.com websites offered 15% of their visitors, via a pop-up, a chance
to “talk directly to the retailer”. This pop-up installed spyware on their customers’ (or potential
customers’) computers!
» Consumers probably didn't realize that by "new" and "different," the advertisement meant "all-
seeing" and "invasive." Indeed, this software monitored both online and offline behavior, peering
into online secure sessions and culling information from consumers' email subject and recipients,
online bank statements, drug prescription records, video rental records, and similar histories and
accounts. Customers effectively (and blindly) sold their privacy by agreeing to a lengthy terms of
service agreement that showed up at the end of a long registration process. The agreement was
presented in a small "scroll box"; consumers could only see ten lines of the policy at a time and not
until the 75th line could the user find any description of the invasive tracking.
» Sears was required to delete all data collected under this program.
» - http://www.cdt.org/blogs/erica-newland/ftc-finalizes-terms-sears-deceptive-practices-settlement
FTC & OCR – CVS HIPAA (2009)
» Largest joint coordination between OCR, HHS and FTC.
» Reviews by OCR and the FTC indicated that:
» CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during
the disposal process; and
» CVS failed to adequately train employees on how to dispose of such information properly.
» Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a
robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient
information during disposal, employee training and employee sanctions for noncompliance.
» HHS and FTC also will require CVS to actively monitor its compliance with the resolution agreement and FTC
consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to
conduct assessments of CVS compliance and render reports to the federal agencies. The HHS corrective action
plan will be in place for three years; the FTC requires monitoring for 20 years.
» http://www.hhs.gov/news/press/2009pres/02/20090218a.html
FTC – EchoMetrix/Pulse (2010)
» Parents paid EchoMetrix $3.99/mo for Sentry Parental Controls, which allowed parents to monitor
web surfing, IM, email, etc.
» June 2009 – EchoMetrix launches Pulse, a “market research” program that analyzed web traffic,
social media, IM, etc., so that marketers could find out what consumers were saying about their
products or services. Companies that bought Pulse could retrieve actual IM, chat and forum posts.
» FTC charged that EchoMetrix failed to adequately inform parents that information collected by
Sentry would be sold to marketers. EchoMetrix had vague statements buried in their EULA (sound
familiar??)
» Settlement: EchoMetrix must destroy the info from Sentry that was copied into the Pulse
database. It cannot use Sentry data for any other purposes.
» http://business.ftc.gov/blog/2010/12/ftc%E2%80%99s-echometrix-settlement-eula-ppreciate-guidance-privacy-disclosures
FTC – US Search (2010)
» US Search charged customers $10 to “lock their records” and
prevent them from showing up in searches online.
» In its settlement, US Search had to refund fees to 5,000 customers.
» Commissioner Brill said industry should consider providing
consumers with meaningful notice about information brokers’
practices, a reasonable means to access and correct consumers’
information, and a reasonable mechanism to opt out of these
databases.
» http://www.ftc.gov/opa/2011/03/ussearch.shtm
FTC – CyberSpy Software (2010)
» CyberSpy sold a keylogger, marketed towards parents, spouses and colleagues. They provided their clients with
detailed instructions on how to disguise RemoteSpy as an innocuous program.
Settlement:
» not assist purchasers in falsely representing that the software is an innocuous file;
» cause an installation notice to be displayed which must include a description of the nature and function of the
program and to which the user must expressly consent;
» cause an icon to appear in the task bar on the user’s desktop when the software is running, unless the icon is
disabled by a person with administrative rights to the computer;
» inform purchasers that improper use of the program may violate state or federal law;
» take measures to reduce the risk that the spyware is misused, including license monitoring and policing affiliates;
» encrypt data collected by the program that is transferred over the internet; and
» remove legacy versions of the software from computers on which it was previously installed
http://privacylaw.proskauer.com/2010/06/articles/spyware/ftc-settlement-bars-marketing-of-spyware-for-illegal-uses/.
FTC – Google Buzz (2011)
» 2009 – Google released Buzz – integrated into Gmail, without warning or user consent.
» 2011 – FTC v Google settlement
» The first time a comprehensive privacy program (as opposed to a comprehensive security program)
was required by an FTC consent decree.
» The first time the FTC has enforced the US-EU Safe Harbor Principles for substantive non-
compliance.
» No monetary penalties, but Google is required to
» Implement a comprehensive privacy program
» Conduct regular, independent audits for the next 20 years
» FTC also noted that the Google Wi-Fi sniffing would have constituted a violation of this settlement.
» - http://www.huffingtonpost.com/2011/03/30/googles-ftc-privacy-settlement-buzz_n_842490.html
» - http://privacylaw.proskauer.com/2011/04/articles/ftc-enforcement/ftcgoogle-settlement-marks-two-firsts-in-ftc-privacy-enforcement/
FTC – Chitika (2011)
» Chitika buys ad space and places cookies on end users’ browsers.
» When consumers opted out, Chitika stopped displaying ads for 10 days.
» After 10 days, Chitika restarted displaying ads to opted-out consumers.
» FTC charged Chitika with engaging in “deceptive practices”.
» Per the settlement, Chitika must:
» Stop making misleading statements about its data collection policies
» Display a clear opt-out link in every ad, with opt-outs lasting 5 years
» Destroy all personally identifiable information collected during the defective opt-out
» Alert consumers that their previous opt-out was not valid
» - http://www.infolawgroup.com/2011/03/articles/enforcement/privacy-enforcement-update-ftc-settles-with-twitter-and-chitika/
FTC – Twitter (2011)
» Twitter promised that “private tweets” were safe.
» In 2009, hackers broke into Twitter and made private tweets public.
» FTC alleged that serious lapses in Twitter’s security allowed hackers to penetrate
Twitter. (Hackers brute-forced administrative passwords after trying thousands of
passwords against Twitter’s login page.)
» The settlement:
» Requires Twitter to update its privacy & security policies
» Twitter must honour privacy choices made by consumers
» Independent auditor must assess Twitter’s security every other year for 10 years
» http://www.ftc.gov/opa/2011/03/twitter.shtm
FTC & OCR – Riteaid HIPAA (2011)
» OCR and the FTC indicated that:
» Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient
information during the disposal process;
» Rite Aid failed to adequately train employees on how to dispose of such information properly; and
» Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly
dispose of patient information.
» Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong
corrective action program that includes:
» Revising and distributing its policies and procedures regarding disposal of protected health
information and sanctioning workers who do not follow them;
» Training workforce members on these new requirements;
» Conducting internal monitoring; and
» Engaging a qualified, independent third-party assessor to conduct compliance reviews and render
reports to HHS.
» Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent
order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.
FTC vs Work-At-Home Scammer (2014)
» FTC obtains $26.9 Million Judgment Against Work-at-Home Scammer Who
Tried to Hide His Assets from 2010 Court Judgment
» Jonathan Eborn was one of the marketers behind a work-at-home scheme
that operated under names such as “Google Money Tree,” “Google Pro”
and “Google Treasure Chest” and advertised a low-cost kit, claiming
consumers would earn $100,000 in six months.
» In 2009, the FTC charged Eborn and others with using the scheme to lure
consumers into divulging their financial account information and failing to
disclose that they would be charged $72.21 a month.
» The defendants were banned from negative option marketing and from
making misrepresentations to consumers
» https://www.ftc.gov/news-events/press-releases/2014/07/ftc-obtains-269-million-judgment-against-work-home-scammer-who
FTC vs TRENDnet (2014)
» The FTC’s complaint alleged that TRENDnet marketed its SecurView cameras for purposes ranging
from home security to baby monitoring, and claimed in numerous product descriptions that they
were “secure.”
» The cameras had faulty software that left them open to online viewing, and in some instances
listening, by anyone with the cameras’ Internet address.
» TRENDnet is prohibited from misrepresenting the security of its cameras or the security, privacy,
confidentiality, or integrity of the information that its cameras or other devices transmit.
» TRENDnet also is required to establish a comprehensive information security program designed to
address security risks that could result in unauthorized access to or use of the company’s devices,
and to protect the security, confidentiality, and integrity of information that is stored, captured,
accessed, or transmitted by its devices. The company also is required to obtain third-party
assessments of its security programs every two years for the next 20 years.
» https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc
FTC vs Cruise Line Robocallers (2015)
» Cruise Line robocallers sold cruise vacations using political survey robocalls
» Political survey robocalls are still legal
» You can’t include a sales pitch in political surveys
» https://www.ftc.gov/news-events/press-releases/2015/03/ftc-ten-state-attorneys-general-take-action-against-political
FTC vs Oracle (2015)
» Oracle was aware of major security issues with Java SE
» Oracle promised customers that installing updates to Java SE would make it “safe and secure”
» Oracle failed to tell customers that the update may have left older, potentially vulnerable
versions of the software intact
» Oracle is required to tell consumers during the upgrade process if they have outdated versions
installed, and to give them the option to uninstall older versions
» https://www.ftc.gov/news-events/press-releases/2016/03/ftc-approves-final-order-oracle-java-security-case
FTC vs BMW (2015)
» BMW’s MINI division violated Magnuson-Moss Warranty
Act by telling consumers that BMW would void their
warranty unless they used MINI parts and MINI dealers to
perform maintenance and repair work.
» “It’s against the law for a dealer to refuse to honor a
warranty just because someone else did maintenance or
repairs on the car,” said Jessica Rich, Director of the FTC’s
Bureau of Consumer Protection. “As a result of this order,
BMW will change its practices and give MINI owners
information about their rights.”
» https://www.ftc.gov/news-events/press-releases/2015/03/bmw-settles-ftc-charges-its-mini-division-illegally-conditioned
FTC vs Network Solutions (2015)
» Network Solutions promised customers full refund if
they cancelled within 30 days
» NetSol withheld substantial cancellation fees from
most refunds.
» Settlement bars NetSol from failing to disclose
cancellation fees
» Requires company to keep records demonstrating
compliance for 5 years
» https://www.ftc.gov/news-events/press-releases/2015/06/ftc-approves-final-consent-order-against-network-solutions
FTC vs Lifelock (2015) - $100M fine
» LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it
Violated 2010 Order
» failed to implement a comprehensive InfoSec program
» falsely advertised that it protected consumers’ sensitive data with
the same high-level safeguards used by financial institutions
» falsely advertised that it would send alerts “as soon as” it received
any indication that a consumer may be a victim of identity theft.
» failed to abide by the order’s recordkeeping requirements.
» https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated
FTC vs (not so) POM Wonderful (2015)
» POM Wonderful deceptively advertised that the products
could treat, prevent, or reduce the risk of heart disease,
prostate cancer, and erectile dysfunction, and were
clinically proven to have such benefits.
» The Commission issued a final order requiring POM’s future
disease treatment and prevention claims to be supported
by at least two randomized well-controlled human clinical
trials, and other health benefit claims to be supported by
competent and reliable scientific evidence.
» https://www.ftc.gov/news-events/press-releases/2015/01/statement-ftc-chairwoman-edith-ramirez-appellate-ruling-pom
FTC vs Wyndham (2015)
» Wyndham franchisee has a data breach
» FTC sues Wyndham; Wyndham challenges FTC’s authority – claims
franchisor is not responsible for franchisee’s actions
» Wyndham loses court challenge
» Settlement:
• Wyndham to establish comprehensive InfoSec program
• If Wyndham has another >10K records breach, Wyndham to notify
FTC within 10 days
• Wyndham has 20 years of obligations to FTC
» https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
FTC vs InMobi (2016) – Don’t track me
falsely, Bro!
» Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users
» InMobi claimed that its software collected geographical whereabouts only when end users
provided opt-in consent
» The software in fact used nearby Wi-Fi signals to infer locations when permission wasn't given
» InMobi will pay a civil penalty of $950,000; delete all information it collected from children
and all information collected from adults who didn't provide their consent; and implement a
comprehensive privacy program that will be independently audited every two years for the next
two decades.
» http://arstechnica.com/tech-policy/2016/06/advertiser-that-tracked-100-million-phone-users-without-consent-pays-950000
FTC vs Practice Fusion (2016)
(don’t lie to patients)
» FTC Charges It Deceived Consumers About Privacy of
Doctor Reviews
» The settlement with the FTC will prohibit Practice
Fusion from making deceptive statements about the
privacy or confidentiality of the information it collects
from consumers
» Practice Fusion pre-texted patients, asking them to review their doctors.
» https://www.ftc.gov/news-events/press-releases/2016/06/electronic-health-records-company-settles-ftc-charges-it-deceived
FTC vs Lumosity (2016)
Brain Training Doesn’t Work
» The creators and marketers of Lumosity agreed to settle FTC charges alleging that they deceived
consumers with unfounded claims that Lumosity games can help users perform better at work and
in school, and reduce or delay cognitive impairment associated with age and other serious
health conditions.
» Lumos Labs pays $2M fine; $50M suspended judgment
» https://www.ftc.gov/news-events/press-releases/2016/01/lumosity-pay-2-million-settle-ftc-deceptive-advertising-charges
FTC vs Amazon (2016)
Refund Children’s in-App purchases
» Amazon received many complaints from
consumers about surprise in-app charges
incurred by children
» Amazon’s disclosures about in-app charges in
“free” software were not sufficient to inform
customers about charges
» https://www.ftc.gov/news-events/press-releases/2016/04/federal-court-finds-amazon-liable-billing-parents-childrens
FTC vs Henry Schein / Dentrix (2016)
Don’t Lie To Dentists
» FTC alleged Henry Schein Practice Solutions, Inc. (HSPS) falsely advertised the level of
encryption it provided to protect patient data.
» Made deceptive claims that the software provided industry-standard encryption and ensured
dentists met certain regulatory obligations under HIPAA.
» The complaint alleged that the software actually used a less complex data masking process to
protect patient data that failed to meet accepted encryption standards
» $250K fine; HSPS required to notify customers that the product does not provide
industry-standard encryption
» https://www.ftc.gov/news-events/press-releases/2016/05/ftc-approves-final-order-henry-schein-practice-solutions-case
FTC Health Breach Rule
» “If an entity’s employee loses a laptop containing unsecured health
information in a public place, the information would be accessible
to unauthorized persons, giving rise to a presumption that
unauthorized acquisition has occurred. The entity can rebut this
presumption by showing that the laptop was recovered, and that
forensic analysis revealed that files were never opened, altered,
transferred, or otherwise compromised. “
» “Unauthorized acquisition will be presumed to include
unauthorized access to unsecured PHR identifiable health
information”
Learn from FTC Health Breach Rule
» Differentiates between “unauthorized access” and “acquisition”
» (1) the employee viewed the records to find health information
about a particular public figure and sold the information to a
national gossip magazine;
» (2) the employee viewed the records to obtain information about
his or her friends;
» (3) the employee inadvertently accessed the database, realized that
it was not the one he or she intended to view, and logged off
without reading, using, or disclosing anything.
FTC Health Breach Rule
» PHR related entities include non-HIPAA covered entities “that access information in a personal
health record or send information to a personal health record.”
» This category could include online applications through which
individuals, for example, connect their blood pressure cuffs, blood
glucose monitors, or other devices so that the results could be
tracked through their personal health records. It could also include
an online medication or weight tracking program that pulls
information from a personal health record.
FTC Health Breach Rule
» PHR identifiable health information includes:
» 1) “past, present, or future payment for the provision of health care to an individual,”
» e.g. a database containing names and credit card information, even if no other information was
included
FTC Health Breach Rule
» 2) “the fact of having an account with a vendor of personal health
records or related entity,”
» e.g. the theft of an unsecured customer list of a vendor of personal
health records or related entity directed to AIDS patients or people
with mental illness would require a breach notification, even if no
specific health information is contained in that list.
» Can you apply this principle to ALL data in your company’s
possession?
Mobile Ads Can Infer Users’
Medication, Dating Preferences
» Mobile ads can now infer the medications that users take, whether they prefer to date men or
women, and their location. That's according to Cornell Tech's Vitaly Shmatikov.
» "These privacy violations are caused primarily by subtle bugs and inconsistencies in mobile
advertising software," Shmatikov writes in a summary of the research.
» He says that even when companies attempt to protect users'
privacy, "advertisers can still extract sensitive information about the
user without the user’s knowledge or consent."
» http://www.mediapost.com/publications/article/265783/mobile-ads-can-infer-users-medication-dating-pre.html
FTC provides IoT Guidance
» FTC provides a series of concrete steps that businesses can take to
enhance and protect consumers’ privacy and security
» “The only way for the Internet of Things to reach its full potential
for innovation is with the trust of American consumers,” said FTC
Chairwoman Edith Ramirez. “We believe that by adopting the best
practices we’ve laid out, businesses will be better able to provide
consumers the protections they want and allow the benefits of the
Internet of Things to be fully realized.”
» https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
» https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
FTC + NIST Cybersecurity Framework
» Blog post provides guidance to businesses on how the cybersecurity framework created by the
National Institute of Standards and Technology (NIST) aligns with the FTC’s data security program.
» The post outlines the key elements of the NIST framework and how
it relates to the FTC’s long-standing approach to data security.
» The framework is not a checklist, but rather a method by which a
company can identify risks and adjust its security efforts accordingly
to ensure they are as effective as possible, which is consistent with
the FTC’s focus on reasonable data security.
» https://www.ftc.gov/news-events/press-releases/2016/08/ftc-blog-post-outlines-how-nist-cybersecurity-framework-relates
John Snow: London Cholera 1849-1854
» 1830 – Cholera causes 60,000 deaths
» 1849 – He identified GEOGRAPHIC CLUSTERS of outbreaks
» Identified that the WATER SOURCE was the vector long before CHOLERA GERM was identified
» Those with BETTER water sources were 20 times LESS LIKELY to die
» He did door-to-door validation/census to check water sources and his data
» RESULT: London took APPROPRIATE public health safety measures to control contaminated public
water sources
Dr. Semmelweis – 1840s
» During the 1840s, many women died of childbed fever. Often the child became ill and died as well
» Dr. Semmelweis noticed that of the 2 clinics he was managing, one had a HIGHER rate of mortality
than the other
» Mothers were ill during birth or up to 36 hours afterwards
» Observed that the problem started during the examination of the mother during dilation
» The deaths were caused by MEDICAL STUDENTS who had just come from the morgue after
performing autopsies and then proceeded to conduct pelvic examinations on laboring mothers.
» This contradicted over 2000 YEARS of medical dogma and practices since Hippocrates.
» He instituted hand-washing of medical staff between each procedure
Getting it Right
» Medical marijuana advocates estimate that the aggregate annual sales tax
revenue paid by the approximately 400 dispensaries in California is
$100 million.
- http://www.npr.org/templates/story/story.php?storyId=89349791
» Cost of the War on Drugs in 2010 (so far): $23 Billion (and counting)
- http://www.drugsense.org/wodclock.htm
» What was your overall IT spending last year? How much of it went to
questionable security products?
Getting it Right
» "Anesthesiologists pay less for malpractice insurance today, in constant dollars,
than they did 20 years ago.
» That's mainly because some anesthesiologists chose a path many doctors in other
specialties did not. Rather than pushing for laws that would protect them against
patient lawsuits, these anesthesiologists focused on improving patient safety.
» Their theory: Less harm to patients would mean fewer lawsuits."
» - Deaths dropped from 1 / 5,000 to 1 / 200,000 – 300,000
» - Malpractice claim payouts dropped 46% (from $332,280 in the 1970s to $179,010 in the 1990s!)
» - Premiums dropped 37%, from $36,620 to $20,572.
- http://online.wsj.com/article/0,,SB111931728319164845,00.html
Air Force demanded, and purchased,
SECURE Desktops
» 2006 – After years of attacks, and of dealing with a hodge-podge of desktop and
server configurations, the US Air Force adopted its Standard Desktop Configuration (SDC).
Vendors selling computers to the USAF (and later to the DOD and other agencies, once
OMB generalized the SDC into the Federal Desktop Core Configuration) had to deliver
standardized, locked-down configurations of:
• Windows
• MS Office
• Adobe Reader
• Norton AV
• etc.
» The US Dept. of Energy requires Oracle to deliver its databases in a secure
configuration developed by the Center for Internet Security (www.cisecurity.org)
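A baseline such as the SDC or a CIS benchmark only pays off if the delivered configuration is actually checked against it, and re-checked as it drifts. Below is an added example of that check (not from the slides, and not CIS or USAF material): it parses the INF text that Windows' `secedit /export /cfg <file>` produces and compares a handful of settings with a CIS-style baseline. The sample export is constructed, the baseline thresholds are illustrative assumptions standing in for whatever benchmark you adopt, and a setting that is absent from the export is reported as well, because a policy that does not set a value enforces nothing.

```python
"""Audit a Windows security-policy export against a CIS-style baseline.
Added example, not CIS or USAF material; baseline values are illustrative."""
import operator

# Constructed sample in the shape of a secedit export (real exports are UTF-16LE
# on disk: open them with encoding="utf-16").  In [Registry Values] each entry is
# PATH=TYPE,DATA where TYPE 4 = REG_DWORD and 1 = REG_SZ.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
EnableGuestAccount = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""

POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" + "\\"
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa" + "\\"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" + "\\"

# (section, key, comparison, expected, description).  "range" is an inclusive
# (low, high) pair: LockoutBadCount = 0 disables lockout, so "<= 5" alone would
# wrongly pass it.  Values are assumed thresholds, not quoted from any benchmark.
BASELINE = [
    ("System Access", "MinimumPasswordLength", ">=", 14, "Minimum password length"),
    ("System Access", "MaximumPasswordAge", "<=", 60, "Maximum password age (days)"),
    ("System Access", "PasswordComplexity", "==", 1, "Password complexity required"),
    ("System Access", "LockoutBadCount", "range", (1, 5), "Account lockout threshold"),
    ("System Access", "EnableGuestAccount", "==", 0, "Guest account disabled"),
    ("Registry Values", POLICIES + "EnableLUA", "==", 1, "UAC enabled"),
    ("Registry Values", POLICIES + "ConsentPromptBehaviorAdmin", "==", 2,
     "UAC: prompt for consent on the secure desktop"),
    ("Registry Values", SRV + "RequireSecuritySignature", "==", 1,
     "SMB server: always sign communications"),
    ("Registry Values", LSA + "LmCompatibilityLevel", "==", 5,
     "NTLMv2 only, refuse LM and NTLM"),
]

COMPARE = {"==": operator.eq, ">=": operator.ge, "<=": operator.le,
           "range": lambda actual, bounds: bounds[0] <= actual <= bounds[1]}


def parse_secedit(text):
    """Return {section: {key: raw_value}} from INF-style secedit output."""
    policy, section = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            policy.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")  # registry paths contain no "="
            policy[section][key.strip()] = value.strip()
    return policy


def decode_value(section, raw):
    """Turn a raw INF value into an int where it is numeric (REG_DWORD or a count)."""
    if section == "Registry Values":
        reg_type, _, data = raw.partition(",")
        return int(data) if reg_type == "4" else data.strip('"')
    return int(raw) if raw.lstrip("-").isdigit() else raw.strip('"')


def audit(export_text, baseline=BASELINE):
    """Return one finding per baseline item that is absent or non-compliant."""
    policy = parse_secedit(export_text)
    findings = []
    for section, key, op, expected, description in baseline:
        raw = policy.get(section, {}).get(key)
        if raw is None:
            # Absent from the export means the policy does not set it at all.
            findings.append({"setting": description, "status": "MISSING",
                             "actual": None, "expected": f"{op} {expected}"})
            continue
        actual = decode_value(section, raw)
        try:
            compliant = COMPARE[op](actual, expected)
        except TypeError:  # e.g. REG_SZ where the baseline expects a DWORD
            compliant = False
        if not compliant:
            findings.append({"setting": description, "status": "FAIL",
                             "actual": actual, "expected": f"{op} {expected}"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f['status']:<7} {f['setting']}: got {f['actual']!r}, want {f['expected']}")
```

Against a real machine, export with `secedit /export /cfg policy.inf` and feed `open("policy.inf", encoding="utf-16").read()` to `audit()`; every FAIL or MISSING line is a deviation from the baseline to remediate or to record as a formal exception. The same pattern extends to the CIS Oracle benchmark mentioned above: dump the parameters, compare them with the benchmark's expected values, and treat anything unset as a finding rather than as a pass.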
J&J Tylenol Recall – 1982
» A criminal tampered with retail packages of Tylenol
» 7 people died. This was a REAL ZERO DAY attack
» INDUSTRY STANDARD: Don't recall the product; replace it quietly
» J&J RESPONSE:
• Put customers first
• Recall all 31 million bottles (> $100M expense)
• Change how medicine bottles are packaged (introduce tamper-evident packaging)
• Share the patent with the industry
http://www.nytimes.com/2002/03/23/your-money/23iht-mjj_ed3_.html
Contact Information
Raj Goel, CISSP
Chief Technology Officer
Brainlink International, Inc.
C: 917-685-7731
raj@brainlink.com
www.RajGoel.com
www.linkedin.com/in/rajgoel
@rajgoel_ny
Author of
UNPLUGGED Luddites Guide To Cybersecurity
http://www.amazon.com/UNPLUGGED-Luddites-Guide-CyberSecurity-Grandparents/dp/0984424830/
The Most Important Secrets To Getting Great Results From IT
http://www.amazon.com/gp/product/0984424814
Help Me Help You
Have you reviewed your
» Business Continuity Plan?
» Disaster Recovery Plan?
Have you
» Conducted a Data Security Assessment?
» Developed SOPs?
If you haven't reviewed these within the past 18 months, or if you've
discovered holes in your plans and processes, feel free to contact me.
We can help you better quantify, manage and mitigate your risks.
Last Action – Help Someone
I am here to HELP.
Think of a client, friend or company who has been a victim of cyber crime,
is worried about security, or is struggling with IT and compliance challenges
and needs help…
Now help me help them.

2016-09-05-Lessons_Learned_From_The_FTC_v1c

  • 1.
  • 2. Lessons Learned From The FTC (Federal Trade Commission, USA) Raj Goel, CISSP Chief Technology Officer Brainlink International, Inc. raj@brainlink.com / 917-685-7731 Twitter: @RajGoel_NY
  • 3. Raj Goel, CISSP » Raj Goel, Certified Information Systems Security Professional (CISSP), is an author, entrepreneur, IT expert, and industry leader that specializes in the field of cyber security and privacy law. As the founder of a leading IT consultation firm, Brainlink, Raj has spent more than 20 years developing proven IT solutions for a range of high-profile clients in the financial, construction, architectural, and property management industries. » His uniquely developed Standard Operating Procedure (SOP) Culture (winner of 2015 SmartCEO's Culture Award) has changed the way he and his clients' think about documentation. By developing a business culture that carefully documents each and every task undertaken, SOP Culture allows companies to rapidly increase productivity, eliminate redundancies, and increase quality of service to their clients. » Speaker » "Eat, Sleep, Surveil, Repeat", NYS CyberSecurity - Channelnomics MSP Conference » “Mouseveillance”, NYS Cybersecurity Conference - “Life Of A Child (2014)”, ASIS » “Panopticon: Architecture Of Global Surveillance” - ISSA International Conference » Keynote Speaker » “Panopticon 2013”, NCSL, Government of Netherlands, The Hague, Netherlands (2013) » “Rise of Government & Corporate Surveillance” Government Of Curacao (2013) » "What should MSP’s know about compliance?", Datto Partner Conference (2013) » On-Air Television Cybersecurity Expert » Raj regularly appears on a number of national news channels such as Bloomberg TV, CNBC's On The Money, Fox Business, Columbia News Tonight and more to discuss relevant cybersecurity topics. » Find out more at rajgoel.com, brainlink.com and sopculture.com. To speak to Raj today, reach out right away at (917) 685-7731 or raj@brainlink.com. ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 4. Media Appearances ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_nyB1
  • 5. TV Appearances ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny https://www.brainlink.com/category/video-library/
  • 7. ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 8. FTC Cases & proceedings » https://www.ftc.gov/enforcement/cases- proceedings ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 9. FTC – ToySmart (2000) » ToySmart sold educational, non-violent toys and collected information on children while it was in business. It’s privacy policies said that it would never share information with 3rd parties. » Toysmart.com went bankrupt tried to auction off the customer database separately as an asset of the company. » "Customer data collected under a privacy agreement should not be auctioned off to the highest bidder," according to Jodie Bernstein, Director of the FTC's Bureau of Consumer Protection. "This settlement protects consumers from a winner-take-all bid in bankruptcy court, ensuring only a family-oriented Web site willing to buy the entire Toysmart Web site has the ability to do so." » Settlement: Anyone who bought ToySmart must adhere to Toysmart’s privacy policies. » - www.steptoe.com/assets/attachments/937.com ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 10. FTC – Microsoft Passport (2002) » "We believe that Microsoft made a number of misrepresentations, dealing with, one, the overall security of the Passport system and personal information stored on it; two, the security of online purchases made with Passport Wallet; three, the kinds of personal information Microsoft collects of users of the Passport service; and four, how much control parents have over the information collected by Web sites participating in the Kids Passport program," [FTC Chairman] Muris said during the conference call. » The FTC outlined its findings in a six-page complaint. Many of the problems resulted from Microsoft failing to adhere to its own privacy statements about Passport, Passport Wallet or Kids Passport. » No penalties, 20 years of reporting to FTC required. » For 5 years, MS to submit advertising materials and all other documentation pertaining to collection or retention of consumer data. http://news.cnet.com/2100-1001-948922.html ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 11. FTC - DSW (2005) » “Shoe retailer DSW Inc. agreed to beef up its computer security to settle U.S. charges that it didn't adequately protect customers' credit cards and checking accounts,... » The FTC said the company engaged in an unfair business practice because it created unnecessary risks by storing customer information in an unencrypted manner without adequate protection.... » As part of the settlement, DSW set up a comprehensive data-security program and will undergo audits every two years for the next 20 years. “ » - ComputerWorld.com 12/1/2005 » According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses related to the breach ranges from $6.5 million to $9.5 million. » This is the FTC’s seventh case challenging faulty data security practices by retailers and others. - www.ftc.gov 12/1/2005 ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 12. FTC – BJ's Wholesale Club (2005) » “According to the FTC, BJ's failed to encrypt customer data when transmitted or stored on BJ's computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks. » ...affected financial institutions filed suit against BJ's to recover damages. According to a May securities and Exchange Commission filing, BJ's recorded charges of $7 million in 2004 and an additional $3 million in 2005 to cover legal costs. » Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.“ » - InformationWeek 6/16/2005 ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 13. FTC - Choicepoint (2006) » “The $10 million fine imposed today by the Federal Trade Commission on data aggregator ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance the agency is taking on companies that fail to adequately protect sensitive data, legal experts said. » And it's not just companies that suffer data breaches that should be concerned. Those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC’s crosshairs, they added. » ChoicePoint will pay a fine of $10 million... » In addition to the penalty, the largest ever levied by the FTC, ChoicePoint has been asked to set up a $5 million trust fund for individuals... » ChoicePoint will also have to submit to comprehensive security audits every two years through 2026. “ » - ComputerWorld.com 01/26/2006 ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 14. FTC - Sears/Kmart (2009) » In 2009, Sears.com and Kmart.com websites offered to 15% of their visitors, via a pop-up, a chance to “talk directly to the retailer”. This pop-up installed spyware on their customer’s (or potential customer’s) computers! » Consumers probably didn't realize that by "new" and "different," the advertisement meant "all- seeing" and "invasive." Indeed, this software monitored both online and offline behavior, peering into online secure sessions and culling information from consumers' email subject and recipients, online bank statements, drug prescription records, video rental records, and similar histories and accounts. Customers effectively (and blindly) sold their privacy by agreeing to a lengthy terms of service agreement that showed up at the end of a long registration process. The agreement was presented in a small "scroll box"; consumers could only see ten lines of the policy at a time and not until the 75th line could the user find any description of the invasive tracking. » Sears was required to delete all data collected under this program. • - http://www.cdt.org/blogs/erica-newland/ftc-finalizes-terms-sears-deceptive-practices-settlement ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 15. FTC & OCR – CVS HIPAA (2009) » Largest, joint coordination between OCR, HHS and FTC. » Reviews by OCR and the FTC indicated that: » CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and » CVS failed to adequately train employees on how to dispose of such information properly. » Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training and employee sanctions for noncompliance. » HHS and FTC also will require CVS to actively monitor its compliance with the resolution agreement and FTC consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to conduct assessments of CVS compliance and render reports to the federal agencies. The HHS corrective action plan will be in place for three years; the FTC requires monitoring for 20 years. » http://www.hhs.gov/news/press/2009pres/02/20090218a.html ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 16. FTC – EchoMetrix/Pulse(2010) » Parents paid Echometrix $ 3.99/mo for Sentry Parental Controls. This allowed parents to monitor web surfing, IM, email, etc. » June 2009 – Echometrix launches Pulse – a “market research” program that analyzed web traffic, social media, IM, etc so that marketers could find out what consumers were saying about their products or services. Companies that bought Pulse could retrieve actuals IM, chat and forum posts. » FTC charged that EchoMetrix failed to adequately inform parents that information collected by Sentry would be sold to marketers. EchoMetrix had vague statements buried in their EULA (sound familiar??) » Settlement: - EchoMetrix must destroy the info from Sentry that was copied into the Pulse Database. It cannot use Sentry data for any other purposes. » http://business.ftc.gov/blog/2010/12/ftc%E2%80%99s-echometrix-settlement-eula-ppreciate- guidance-privacy-disclosures ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 17. FTC – US Search (2010) » US Search charged customers $10 to “lock their records” and prevent them from showing up in searches online. » In it’s settlement, US Search had to refund fees to 5000 customers. » Commissioner Brill said industry should consider providing consumers with meaningful notice about information brokers’ practices, a reasonable means to access and correct consumers’ information, and a reasonable mechanism to opt out of these databases. » http://www.ftc.gov/opa/2011/03/ussearch.shtm ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 18. FTC – CyberSpy Software (2010) » CyberSpy sold a keylogger, marketed towards parents, spouses and colleagues. They provided their clients with detailed instructions on how to disguise RemoteSpy as an innocuous program. Settlement: » not assist purchasers in falsely representing that the software is an innocuous file; » cause an installation notice to be displayed which must include a description of the nature and function of the program and to which the user must expressly consent; » cause an icon to appear in the task bar on the user’s desktop when the software is running, unless the icon is disabled by a person with administrative rights to the computer; » inform purchasers that improper use of the program may violate state or federal law; » take measures to reduce the risk that the spyware is misused, including license monitoring and policing affiliates; » encrypt data collected by the program that is transferred over the internet; and » remove legacy versions of the software from computers on which it was previously installed http://privacylaw.proskauer.com/2010/06/articles/spyware/ftc-settlement-bars-marketing-of-spyware-for-illegal-uses/. ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 19. FTC – Google Buzz (2011) » 2009 – Google released Buzz – integrated into Gmail, without warning or user consent. » 2011 – FTC v Google settlement » The first time a comprehensive privacy program (as opposed to a comprehensive security program) was required by an FTC consent decree. » The first time the FTC has enforced the US-EU Safe Harbor Principles for substantive non- compliance. » No monetary penalties, but Google is required to » Implement a comprehensive privacy program » Conduct regular, independent audits for the next 20 years » FTC also noted that the Google Wi-Fi sniffing would have constituted a violation of this settlement. - http://www.huffingtonpost.com/2011/03/30/googles-ftc-privacy-settlement-buzz_n_842490.html - http://privacylaw.proskauer.com/2011/04/articles/ftc-enforcement/ftcgoogle-settlement-marks-two-firsts-in-ftc-privacy- enforcement/ ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
  • 20. FTC – Chitika (2011) » Chitika buys ad space, and places cookies on end-users browsers. » When consumers opt-ed out, Chitika stopped displaying ads for 10 days. » After 10 days, Chitika re-started displaying ads to opt-out consumers. » FTC charged Chitika with engaging in “deceptive practices” » Per the settlement, Chitika must: » Stop making misleading statements about it’s data collection policies » Every ad must display clear opt-out links with opt-out for 5 years » Destroy all personally identifiable information collected during defective opt-out » Chitika must alert consumers that their previous opt-out was not valid. » - http://www.infolawgroup.com/2011/03/articles/enforcement/privacy-enforcement-update- ftc-settles-with-twitter-and-chitika/ ©2016 Raj Goel, CISSP / raj@brainlink.com / 917-685-7731 / @rajgoel_ny
• 21. FTC – Twitter (2011)
» Twitter promised that “private tweets” were safe.
» In 2009, hackers broke into Twitter and made tweets public.
» FTC alleged that serious lapses in Twitter’s security allowed hackers to penetrate Twitter. (Hackers brute forced administrative passwords after trying thousands of passwords against Twitter’s login page.)
» The settlement
» Requires Twitter to update its privacy & security policies
» Twitter must honour privacy choices made by consumers
» Independent auditor must assess Twitter’s security every other year for 10 years
» http://www.ftc.gov/opa/2011/03/twitter.shtm
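Thousands of password attempts against one login page is visible in ordinary access logs long before a guess succeeds. The following is an added example (not Twitter’s or the FTC’s code) of the detection logic a defender would run over such logs: a sliding-window count of failed logins per source and account, with a flag when a success follows a burst. The log format and the sample lines are constructed for this illustration.

```python
"""Added example (not Twitter's or the FTC's code): detect a password-guessing run
against a login endpoint from access logs.  The log format and the sample lines
below are constructed for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: one source hammering an admin account, one ordinary user.
SAMPLE_LOG = "\n".join(
    [f"2009-01-05T03:00:{i:02d} 203.0.113.7 POST /login user=admin result=fail"
     for i in range(25)]
    + ["2009-01-05T03:00:25 203.0.113.7 POST /login user=admin result=ok",
       "2009-01-05T03:00:10 198.51.100.4 POST /login user=alice result=fail",
       "2009-01-05T03:00:12 198.51.100.4 POST /login user=alice result=ok"]
)


def parse_log(text: str) -> list:
    """Turn log lines into (timestamp, ip, user, result) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_guessing(text: str, threshold: int = 10, window_seconds: int = 60) -> dict:
    """Return {(ip, user): {"peak_failures": n, "success_after_burst": bool}} for every
    source/account pair whose failed logins inside any sliding window of
    `window_seconds` reach `threshold`."""
    recent = defaultdict(deque)   # per (ip, user): timestamps of recent failures
    flagged = {}
    for ts, ip, user, result in parse_log(text):
        key = (ip, user)
        if result != "fail":
            # A success right after a flagged burst is the case to escalate:
            # the guessing may have worked.
            if key in flagged:
                flagged[key]["success_after_burst"] = True
            continue
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            entry = flagged.setdefault(key, {"peak_failures": 0, "success_after_burst": False})
            entry["peak_failures"] = max(entry["peak_failures"], len(window))
    return flagged


if __name__ == "__main__":
    for (ip, user), info in detect_guessing(SAMPLE_LOG).items():
        print(f"{ip} -> {user}: {info}")
```

The same per-source, per-account counter is what drives lockout or progressive rate limiting on the live login path; here it is run retrospectively so the thresholds can be tuned against real traffic before they are enforced.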
• 22. FTC & OCR – Rite Aid HIPAA (2011)
» OCR and the FTC indicated that:
» Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
» Rite Aid failed to adequately train employees on how to dispose of such information properly; and
» Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.
» Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:
» Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
» Training workforce members on these new requirements;
» Conducting internal monitoring; and
» Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.
- Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.
• 23. FTC vs Work-At-Home Scammer (2014)
» FTC obtains $26.9 Million Judgment Against Work-at-Home Scammer Who Tried to Hide His Assets from 2010 Court Judgment
» Jonathan Eborn was one of the marketers behind a work-at-home scheme that operated under names such as “Google Money Tree,” “Google Pro” and “Google Treasure Chest” and advertised a low-cost kit, claiming consumers would earn $100,000 in six months.
» In 2009, the FTC charged Eborn and others with using the scheme to lure consumers into divulging their financial account information and failing to disclose that they would be charged $72.21 a month.
» The defendants were banned from negative option marketing and from making misrepresentations to consumers
» https://www.ftc.gov/news-events/press-releases/2014/07/ftc-obtains-269-million-judgment-against-work-home-scammer-who
• 24. FTC vs TRENDnet (2014)
» The FTC’s complaint alleged that TRENDnet marketed its SecurView cameras for purposes ranging from home security to baby monitoring, and claimed in numerous product descriptions that they were “secure.”
» The cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.
» TRENDnet is prohibited from misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit.
» TRENDnet also is required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.
» https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc
• 25. FTC vs Cruise Line Robocallers (2015)
» Cruise Line robocallers sold cruise vacations using political survey robocalls
» Political survey robocalls are still legal
» You can’t include a sales pitch in political surveys
» https://www.ftc.gov/news-events/press-releases/2015/03/ftc-ten-state-attorneys-general-take-action-against-political
• 26. FTC vs Oracle (2015)
» Oracle was aware of major security issues with Java SE
» Oracle promised customers that installing updates to Java SE would make it “safe and secure”
» Oracle failed to tell customers that the update may have left older, potentially vulnerable versions of the software intact
» Oracle is required to tell consumers during the upgrade process if they have outdated versions installed, and to give them the option to uninstall the older versions
» https://www.ftc.gov/news-events/press-releases/2016/03/ftc-approves-final-order-oracle-java-security-case
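The failure mode here is an updater that installs the new runtime and leaves the old ones, still vulnerable, on disk. The following is an added example (not Oracle’s or the FTC’s code) of the check and the notice the order calls for: enumerate the installed runtimes, order them, and tell the user which older versions remain and that they can be removed. The inventory format and its entries are constructed for this illustration; on a real host the same check would be fed by the package manager or the Windows uninstall registry.

```python
"""Added example (not Oracle's or the FTC's code): after a Java SE update, find the
older runtimes still installed and build the notice the settlement requires.
The inventory format and its entries are constructed for this illustration."""
import re

# Accepts the legacy "1.8.0_112" scheme and the newer "9.0.4" / "11.0.2" scheme.
VERSION_RE = re.compile(r"^(?:1\.)?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?")

# Constructed inventory, deliberately unsorted, as an installer scan might return it.
INVENTORY = [
    {"name": "Java 7 Update 80", "version": "1.7.0_80", "path": "/opt/java/jre1.7.0_80"},
    {"name": "Java 8 Update 112", "version": "1.8.0_112", "path": "/opt/java/jre1.8.0_112"},
    {"name": "Java 6 Update 45", "version": "1.6.0_45", "path": "/opt/java/jre1.6.0_45"},
]


def parse_version(text: str) -> tuple:
    """Normalise a Java version string into a comparable (major, minor, patch, update) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def stale_installs(inventory: list) -> tuple:
    """Return (newest_entry, [older entries, newest first]) for the runtimes present."""
    ordered = sorted(inventory, key=lambda e: parse_version(e["version"]), reverse=True)
    return ordered[0], ordered[1:]


def uninstall_notice(inventory: list) -> str:
    """Build the user-facing text an updater should show when older versions remain:
    which versions they are, that they miss the new fixes, and the option to remove them."""
    newest, stale = stale_installs(inventory)
    if not stale:
        return f"{newest['name']} ({newest['version']}) is the only Java version installed."
    lines = [f"{newest['name']} ({newest['version']}) is up to date, but older versions remain:"]
    lines += [f"  - {e['name']} ({e['version']}) at {e['path']}" for e in stale]
    lines.append("Older versions do not receive this update's fixes. Remove them now? [Y/n]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(uninstall_notice(INVENTORY))
```

The version parser is the part worth getting right: Java’s "1.x.0_update" strings do not sort as plain strings, so a naive comparison would rank "1.8.0_99" above "1.8.0_112" and miss a stale install.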
• 27. FTC vs BMW (2015)
» BMW’s MINI division violated the Magnuson-Moss Warranty Act by telling consumers that BMW would void their warranty unless they used MINI parts and MINI dealers to perform maintenance and repair work.
» “It’s against the law for a dealer to refuse to honor a warranty just because someone else did maintenance or repairs on the car,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “As a result of this order, BMW will change its practices and give MINI owners information about their rights.”
» https://www.ftc.gov/news-events/press-releases/2015/03/bmw-settles-ftc-charges-its-mini-division-illegally-conditioned
• 28. FTC vs Network Solutions (2015)
» Network Solutions promised customers a full refund if they cancelled within 30 days
» NetSol withheld substantial cancellation fees from most refunds.
» Settlement bars NetSol from failing to disclose cancellation fees
» Requires company to keep records demonstrating compliance for 5 years
» https://www.ftc.gov/news-events/press-releases/2015/06/ftc-approves-final-consent-order-against-network-solutions
• 29. FTC vs LifeLock (2015) – $100M fine
» LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it Violated 2010 Order
» failed to implement a comprehensive InfoSec program
» falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions
» falsely advertised that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft.
» failed to abide by the order’s recordkeeping requirements.
» https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated
• 30. FTC vs (not so) POM Wonderful (2015)
» POM Wonderful deceptively advertised that the products could treat, prevent, or reduce the risk of heart disease, prostate cancer, and erectile dysfunction, and were clinically proven to have such benefits.
» The Commission issued a final order requiring POM’s future disease treatment and prevention claims to be supported by at least two randomized well-controlled human clinical trials, and other health benefit claims to be supported by competent and reliable scientific evidence.
» https://www.ftc.gov/news-events/press-releases/2015/01/statement-ftc-chairwoman-edith-ramirez-appellate-ruling-pom
• 31. FTC vs Wyndham (2015)
» Wyndham franchisee has a data breach
» FTC sues Wyndham; Wyndham challenges FTC’s authority – claims franchisor is not responsible for franchisee’s actions
» Wyndham loses court challenge
» Settlement:
• Wyndham to establish comprehensive InfoSec program
• If Wyndham has another >10K records breach, Wyndham to notify FTC within 10 days
• Wyndham has 20 years of obligations to FTC
» https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
• 32. FTC vs InMobi (2016) – Don’t track me falsely, Bro!
» Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users
» InMobi claimed that its software collected geographical whereabouts only when end users provided opt-in consent
» The software in fact used nearby Wi-Fi signals to infer locations when permission wasn't given
» InMobi will pay a civil penalty of $950,000; delete all information it collected from children and all information collected from adults who didn't provide their consent; and implement a comprehensive privacy program that will be independently audited every two years for the next two decades.
» http://arstechnica.com/tech-policy/2016/06/advertiser-that-tracked-100-million-phone-users-without-consent-pays-950000
• 33. FTC vs Practice Fusion (2016) (don’t lie to patients)
» FTC Charges It Deceived Consumers About Privacy of Doctor Reviews
» The settlement with the FTC will prohibit Practice Fusion from making deceptive statements about the privacy or confidentiality of the information it collects from consumers
» Practice Fusion pretexted patients, asking them to review doctors.
» https://www.ftc.gov/news-events/press-releases/2016/06/electronic-health-records-company-settles-ftc-charges-it-deceived
• 34. FTC vs Lumosity (2016) – Brain Training Doesn’t Work
» The creators and marketers of Lumosity agreed to settle FTC charges alleging that they deceived consumers with unfounded claims that Lumosity games can help users perform better at work and in school, and reduce or delay cognitive impairment associated with age and other serious health conditions.
» Lumos Labs pays $2M fine; $50M suspended judgment
» https://www.ftc.gov/news-events/press-releases/2016/01/lumosity-pay-2-million-settle-ftc-deceptive-advertising-charges
• 35. FTC vs Amazon (2016) – Refund Children’s In-App Purchases
» Amazon received many complaints from consumers about surprise in-app charges incurred by children
» Amazon’s disclosures about in-app charges in “free” software were not sufficient to inform customers about charges
» https://www.ftc.gov/news-events/press-releases/2016/04/federal-court-finds-amazon-liable-billing-parents-childrens
• 36. FTC vs Henry Schein / Dentrix (2016) – Don’t Lie To Dentists
» FTC alleged Henry Schein Practice Solutions, Inc. falsely advertised the level of encryption it provided to protect patient data.
» Made deceptive claims that the software provided industry-standard encryption and ensured dentists met certain regulatory obligations under HIPAA.
» The complaint alleged that the software actually used a less complex data masking process to protect patient data that failed to meet accepted encryption standards
» $250K fine; HSPS required to notify customers that the product does not provide industry-standard encryption
» https://www.ftc.gov/news-events/press-releases/2016/05/ftc-approves-final-order-henry-schein-practice-solutions-case
• 38. FTC Health Breach Rule
» “If an entity’s employee loses a laptop containing unsecured health information in a public place, the information would be accessible to unauthorized persons, giving rise to a presumption that unauthorized acquisition has occurred. The entity can rebut this presumption by showing that the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised.”
» “Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information”
• 39. Learn from FTC Health Breach Rule
» Differentiates between “unauthorized access” and “acquisition”
» (1) the employee viewed the records to find health information about a particular public figure and sold the information to a national gossip magazine;
» (2) the employee viewed the records to obtain information about his or her friends;
» (3) the employee inadvertently accessed the database, realized that it was not the one he or she intended to view, and logged off without reading, using, or disclosing anything.
• 40. FTC Health Breach Rule
» PHR related entities include non-HIPAA covered entities “that access information in a personal health record or send information to a personal health record.”
» This category could include online applications through which individuals, for example, connect their blood pressure cuffs, blood glucose monitors, or other devices so that the results could be tracked through their personal health records. It could also include an online medication or weight tracking program that pulls information from a personal health record.
• 41. FTC Health Breach Rule
» PHR identifiable health information includes:
» 1) “past, present, or future payment for the provision of health care to an individual,”
» e.g. a database containing names and credit card information, even if no other information was included
• 42. FTC Health Breach Rule
» 2) “the fact of having an account with a vendor of personal health records or related entity,”
» e.g. the theft of an unsecured customer list of a vendor of personal health records or related entity directed to AIDS patients or people with mental illness would require a breach notification, even if no specific health information is contained in that list.
» Can you apply this principle to ALL data in your company’s possession?
• 44. Mobile Ads Can Infer Users’ Medication, Dating Preferences
» Mobile ads can now infer the medications that users take, whether they prefer to date men or women, and their location. That's according to Cornell Tech's Vitaly Shmatikov.
» "These privacy violations are caused primarily by subtle bugs and inconsistencies in mobile advertising software," Shmatikov writes in a summary of the research.
» He says that even when companies attempt to protect users' privacy, "advertisers can still extract sensitive information about the user without the user’s knowledge or consent."
» http://www.mediapost.com/publications/article/265783/mobile-ads-can-infer-users-medication-dating-pre.html
• 45. FTC provides IoT Guidance
» FTC provides a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security
» “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
» https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
» https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
• 46. FTC + NIST Cybersecurity Framework
» Blog post provides guidance to businesses on how the cybersecurity framework created by the National Institute of Standards and Technology (NIST) aligns with the FTC’s data security program.
» The post outlines the key elements of the NIST framework and how it relates to the FTC’s long-standing approach to data security.
» The framework is not a checklist, but rather a method by which a company can identify risks and adjust its security efforts accordingly to ensure they are as effective as possible, which is consistent with the FTC’s focus on reasonable data security.
» https://www.ftc.gov/news-events/press-releases/2016/08/ftc-blog-post-outlines-how-nist-cybersecurity-framework-relates
• 48. John Snow: London Cholera 1849-1854
» 1830 – Cholera kills 60,000
» 1849 – He identified GEOGRAPHIC CLUSTERS of outbreaks
» Identified that the WATER SOURCE was the vector long before the CHOLERA GERM was identified
» Those with BETTER water sources were 20 times LESS LIKELY to die
» He did door-to-door validation/census to check water sources and his data
» RESULT: London took APPROPRIATE public health safety measures to control contaminated public water sources
• 49. Dr. Semmelweis – 1840s
» During the 1840s many women died of childbed fever. Often the child became ill & died as well
» Dr. Semmelweis noticed that of the 2 clinics he was managing, one had a HIGHER rate of mortality than the other
» Mothers were ill during birth or up to 36 hours afterwards
» Observed that the problem started during the examination of the mother during dilation
» The deaths were caused by MEDICAL STUDENTS who had just come from the morgue after performing autopsies and then proceeded to conduct pelvic examinations on laboring mothers.
» This contradicted over 2000 YEARS of medical dogma and practices since Hippocrates.
» He instituted hand-washing of medical staff between each procedure
• 50. Getting it Right
» Medical marijuana advocates estimate that the aggregate annual sales tax revenue that's paid by the approximately 400 dispensaries in California is $100 million.
- http://www.npr.org/templates/story/story.php?storyId=89349791
» Cost of War on Drugs in 2010 (so far):
» $23 Billion (and counting)
» http://www.drugsense.org/wodclock.htm
» What was your overall IT spending last year? How much on questionable security products?
• 51. Getting it Right
» “Anesthesiologists pay less for malpractice insurance today, in constant dollars, than they did 20 years ago.
» That's mainly because some anesthesiologists chose a path many doctors in other specialties did not. Rather than pushing for laws that would protect them against patient lawsuits, these anesthesiologists focused on improving patient safety.
» Their theory: Less harm to patients would mean fewer lawsuits.”
- Deaths dropped from 1 / 5,000 to 1 / 200,000 – 300,000
- Malpractice claims dropped 46% (from $332,280 in 1970 to $179,010 in the 1990s)
- Premiums dropped 37% from $36,620 to $20,572.
- http://online.wsj.com/article/0,,SB111931728319164845,00.html
• 52. Air Force demanded, and purchased, SECURE Desktops
» 2006 – After years of attacks, and dealing with a hodge-podge of desktop and server configurations, the US Air Force develops the Secure Desktop Configuration standard. All vendors are required to sell computers to the USAF (and later DOD and other government agencies) with standardized, locked-down configurations of:
• Windows
• MS Office
• Adobe Reader
• Norton AV
• Etc.
» US Dept. of Energy requires Oracle to deliver its databases in a secure configuration developed by the Center for Internet Security (www.cisecurity.org)
• 53. J&J Tylenol Recall – 1982
» Criminal tampered with retail packages of Tylenol
» 7 people died. This was a REAL ZERO DAY attack
» INDUSTRY STANDARD: Don’t recall product, replace product quietly
» J&J RESPONSE:
• Put Customers First
• Recall all 31 million bottles (> $100M expense)
• Change how medicine bottles are packed (invent tamper-proof packaging)
• Share patent with industry
» http://www.nytimes.com/2002/03/23/your-money/23iht-mjj_ed3_.html
• 54. Contact Information
Raj Goel, CISSP
Chief Technology Officer
Brainlink International, Inc.
C: 917-685-7731
raj@brainlink.com
www.RajGoel.com
www.linkedin.com/in/rajgoel
@rajgoel_ny
Author of:
UNPLUGGED: Luddites Guide To Cybersecurity
http://www.amazon.com/UNPLUGGED-Luddites-Guide-CyberSecurity-Grandparents/dp/0984424830/
The Most Important Secrets To Getting Great Results From IT
http://www.amazon.com/gp/product/0984424814
• 55. Help Me Help You
Have you reviewed your
» Business Continuity Plan
» Disaster Recovery Plan
» Conducted A Data Security Assessment
» Developed SOPs?
If you haven’t reviewed these within the past 18 months, or if you’ve discovered holes in your plans and processes, feel free to contact me. We can help you better quantify, manage and mitigate your risks.
• 56. Last Action – Help Someone
I am here to HELP.
Think of a client/friend/company who has been a victim of Cyber Crime, is worried about Security, or is struggling with IT and Compliance Challenges and needs help…
Now help me help them