2016-09-05-Lessons_Learned_From_The_FTC_v1c
Transcript of 2016-09-05-Lessons_Learned_From_The_FTC_v1c
![Page 1: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/1.jpg)
![Page 2: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/2.jpg)
Lessons Learned From The FTC
(Federal Trade Commission, USA) Raj Goel, CISSP
Chief Technology Officer Brainlink International, Inc.
[email protected] / 917-685-7731 Twitter: @RajGoel_NY
![Page 3: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/3.jpg)
Raj Goel, CISSP » Raj Goel, Certified Information Systems Security Professional (CISSP), is an author, entrepreneur, IT expert, and industry leader that
specializes in the field of cyber security and privacy law. As the founder of a leading IT consultation firm, Brainlink, Raj has spent more than
20 years developing proven IT solutions for a range of high-profile clients in the financial, construction, architectural, and property
management industries.
» His uniquely developed Standard Operating Procedure (SOP) Culture (winner of 2015 SmartCEO's Culture Award) has changed the way he
and his clients' think about documentation. By developing a business culture that carefully documents each and every task undertaken,
SOP Culture allows companies to rapidly increase productivity, eliminate redundancies, and increase quality of service to their clients.
» Speaker
» "Eat, Sleep, Surveil, Repeat", NYS CyberSecurity - Channelnomics MSP Conference
» “Mouseveillance”, NYS Cybersecurity Conference - “Life Of A Child (2014)”, ASIS
» “Panopticon: Architecture Of Global Surveillance” - ISSA International Conference
» Keynote Speaker
» “Panopticon 2013”, NCSL, Government of Netherlands, The Hague, Netherlands (2013)
» “Rise of Government & Corporate Surveillance” Government Of Curacao (2013)
» "What should MSP’s know about compliance?", Datto Partner Conference (2013)
» On-Air Television Cybersecurity Expert
» Raj regularly appears on a number of national news channels such as Bloomberg TV, CNBC's On The Money, Fox Business, Columbia News
Tonight and more to discuss relevant cybersecurity topics.
» Find out more at rajgoel.com, brainlink.com and sopculture.com. To speak to Raj today, reach out right away at (917) 685-7731 or [email protected].
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 5: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/5.jpg)
TV Appearances
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
https://www.brainlink.com/category/video-library/
![Page 6: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/6.jpg)
UNPLUGGED (Buy Now!)
![Page 7: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/7.jpg)
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 8: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/8.jpg)
FTC Cases & proceedings
» https://www.ftc.gov/enforcement/cases-proceedings
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 9: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/9.jpg)
FTC – ToySmart (2000) » ToySmart sold educational, non-violent toys and collected information on children while it was in
business. It’s privacy policies said that it would never share information with 3rd parties.
» Toysmart.com went bankrupt tried to auction off the customer database separately as an asset of the company.
» "Customer data collected under a privacy agreement should not be auctioned off to the highest bidder," according to Jodie Bernstein, Director of the FTC's Bureau of Consumer Protection. "This settlement protects consumers from a winner-take-all bid in bankruptcy court, ensuring only a family-oriented Web site willing to buy the entire Toysmart Web site has the ability to do so."
» Settlement: Anyone who bought ToySmart must adhere to Toysmart’s privacy policies. » - www.steptoe.com/assets/attachments/937.com
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 10: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/10.jpg)
FTC – Microsoft Passport (2002) » "We believe that Microsoft made a number of misrepresentations, dealing with, one, the overall
security of the Passport system and personal information stored on it; two, the security of online purchases made with Passport Wallet; three, the kinds of personal information Microsoft collects of users of the Passport service; and four, how much control parents have over the information collected by Web sites participating in the Kids Passport program," [FTC Chairman] Muris said during the conference call.
» The FTC outlined its findings in a six-page complaint. Many of the problems resulted from Microsoft failing to adhere to its own privacy statements about Passport, Passport Wallet or Kids Passport.
» No penalties, 20 years of reporting to FTC required. » For 5 years, MS to submit advertising materials and all other documentation pertaining to
collection or retention of consumer data. http://news.cnet.com/2100-1001-948922.html
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 11: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/11.jpg)
FTC - DSW (2005) » “Shoe retailer DSW Inc. agreed to beef up its computer security to settle U.S.
charges that it didn't adequately protect customers' credit cards and checking accounts,...
» The FTC said the company engaged in an unfair business practice because it created unnecessary risks by storing customer information in an unencrypted manner without adequate protection....
» As part of the settlement, DSW set up a comprehensive data-security program and will undergo audits every two years for the next 20 years. “
» - ComputerWorld.com 12/1/2005 » According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses
related to the breach ranges from $6.5 million to $9.5 million. » This is the FTC’s seventh case challenging faulty data security practices by retailers
and others. - www.ftc.gov 12/1/2005
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 12: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/12.jpg)
FTC – BJ's Wholesale Club (2005) » “According to the FTC, BJ's failed to encrypt customer data when
transmitted or stored on BJ's computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks.
» ...affected financial institutions filed suit against BJ's to recover damages. According to a May securities and Exchange Commission filing, BJ's recorded charges of $7 million in 2004 and an additional $3 million in 2005 to cover legal costs.
» Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.“
» - InformationWeek 6/16/2005
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 13: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/13.jpg)
FTC - Choicepoint (2006) » “The $10 million fine imposed today by the Federal Trade Commission on data aggregator
ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance the agency is taking on companies that fail to adequately protect sensitive data, legal experts said.
» And it's not just companies that suffer data breaches that should be concerned. Those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC’s crosshairs, they added.
» ChoicePoint will pay a fine of $10 million... » In addition to the penalty, the largest ever levied by the FTC, ChoicePoint has been asked to set up
a $5 million trust fund for individuals... » ChoicePoint will also have to submit to comprehensive security audits every two years through
2026. “ » - ComputerWorld.com 01/26/2006
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 14: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/14.jpg)
FTC - Sears/Kmart (2009) » In 2009, Sears.com and Kmart.com websites offered to 15% of their visitors, via a pop-up, a chance
to “talk directly to the retailer”. This pop-up installed spyware on their customer’s (or potential customer’s) computers!
» Consumers probably didn't realize that by "new" and "different," the advertisement meant "all-seeing" and "invasive." Indeed, this software monitored both online and offline behavior, peering into online secure sessions and culling information from consumers' email subject and recipients, online bank statements, drug prescription records, video rental records, and similar histories and accounts. Customers effectively (and blindly) sold their privacy by agreeing to a lengthy terms of service agreement that showed up at the end of a long registration process. The agreement was presented in a small "scroll box"; consumers could only see ten lines of the policy at a time and not until the 75th line could the user find any description of the invasive tracking.
» Sears was required to delete all data collected under this program. • - http://www.cdt.org/blogs/erica-newland/ftc-finalizes-terms-sears-deceptive-practices-settlement
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 15: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/15.jpg)
FTC & OCR – CVS HIPAA (2009) » Largest, joint coordination between OCR, HHS and FTC.
» Reviews by OCR and the FTC indicated that: » CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during
the disposal process; and » CVS failed to adequately train employees on how to dispose of such information properly.
» Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a
robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.
» HHS and FTC also will require CVS to actively monitor its compliance with the resolution agreement and FTC consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to conduct assessments of CVS compliance and render reports to the federal agencies. The HHS corrective action plan will be in place for three years; the FTC requires monitoring for 20 years.
» http://www.hhs.gov/news/press/2009pres/02/20090218a.html
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 16: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/16.jpg)
FTC – EchoMetrix/Pulse(2010) » Parents paid Echometrix $ 3.99/mo for Sentry Parental Controls. This allowed parents to monitor
web surfing, IM, email, etc. » June 2009 – Echometrix launches Pulse – a “market research” program that analyzed web traffic,
social media, IM, etc so that marketers could find out what consumers were saying about their products or services. Companies that bought Pulse could retrieve actuals IM, chat and forum posts.
» FTC charged that EchoMetrix failed to adequately inform parents that information collected by Sentry would be sold to marketers. EchoMetrix had vague statements buried in their EULA (sound familiar??)
» Settlement: - EchoMetrix must destroy the info from Sentry that was copied into the Pulse Database. It cannot use Sentry data for any other purposes.
» http://business.ftc.gov/blog/2010/12/ftc%E2%80%99s-echometrix-settlement-eula-ppreciate-guidance-privacy-disclosures
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 17: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/17.jpg)
FTC – US Search (2010) » US Search charged customers $10 to “lock their records” and
prevent them from showing up in searches online.
» In it’s settlement, US Search had to refund fees to 5000 customers.
» Commissioner Brill said industry should consider providing consumers with meaningful notice about information brokers’ practices, a reasonable means to access and correct consumers’ information, and a reasonable mechanism to opt out of these databases.
» http://www.ftc.gov/opa/2011/03/ussearch.shtm ©2016 Raj Goel, CISSP / [email protected]
/ 917-685-7731 / @rajgoel_ny
![Page 18: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/18.jpg)
FTC – CyberSpy Software (2010) » CyberSpy sold a keylogger, marketed towards parents, spouses and colleagues. They provided their clients with
detailed instructions on how to disguise RemoteSpy as an innocuous program.
Settlement: » not assist purchasers in falsely representing that the software is an innocuous file; » cause an installation notice to be displayed which must include a description of the nature and function of the
program and to which the user must expressly consent; » cause an icon to appear in the task bar on the user’s desktop when the software is running, unless the icon is
disabled by a person with administrative rights to the computer; » inform purchasers that improper use of the program may violate state or federal law; » take measures to reduce the risk that the spyware is misused, including license monitoring and policing affiliates; » encrypt data collected by the program that is transferred over the internet; and » remove legacy versions of the software from computers on which it was previously installed
http://privacylaw.proskauer.com/2010/06/articles/spyware/ftc-settlement-bars-marketing-of-spyware-for-illegal-uses/.
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 19: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/19.jpg)
FTC – Google Buzz (2011) » 2009 – Google released Buzz – integrated into Gmail, without warning or user consent. » 2011 – FTC v Google settlement » The first time a comprehensive privacy program (as opposed to a comprehensive security program)
was required by an FTC consent decree. » The first time the FTC has enforced the US-EU Safe Harbor Principles for substantive non-
compliance. » No monetary penalties, but Google is required to » Implement a comprehensive privacy program » Conduct regular, independent audits for the next 20 years » FTC also noted that the Google Wi-Fi sniffing would have constituted a violation of this settlement.
- http://www.huffingtonpost.com/2011/03/30/googles-ftc-privacy-settlement-buzz_n_842490.html - http://privacylaw.proskauer.com/2011/04/articles/ftc-enforcement/ftcgoogle-settlement-marks-two-firsts-in-ftc-privacy-
enforcement/
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 20: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/20.jpg)
FTC – Chitika (2011) » Chitika buys ad space, and places cookies on end-users browsers.
» When consumers opt-ed out, Chitika stopped displaying ads for 10 days. » After 10 days, Chitika re-started displaying ads to opt-out consumers.
» FTC charged Chitika with engaging in “deceptive practices” » Per the settlement, Chitika must: » Stop making misleading statements about it’s data collection policies » Every ad must display clear opt-out links with opt-out for 5 years » Destroy all personally identifiable information collected during defective opt-out » Chitika must alert consumers that their previous opt-out was not valid. » - http://www.infolawgroup.com/2011/03/articles/enforcement/privacy-enforcement-update-
ftc-settles-with-twitter-and-chitika/
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 21: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/21.jpg)
FTC – Twitter (2011) » Twitter promised that “private tweets” were safe. » In 2009, Hackers broke into twitter and make tweets public.
» FTC alleged that serious lapses in Twitter’s security allowed hackers to penetrate
Twitter. (Hackers brute forced administrative passwords after trying thousands of passwords against Twitter’s login page).
» The settlement » Requires Twitter to update it’s privacy & security policies » Twitter must honour privacy choices made by consumers » Independent auditor must assess Twitter’s security every other year for 10 years
» http://www.ftc.gov/opa/2011/03/twitter.shtm
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 22: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/22.jpg)
FTC & OCR – Riteaid HIPAA (2011) » OCR and the FTC indicated that: » Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient
information during the disposal process; » Rite Aid failed to adequately train employees on how to dispose of such information properly; and » Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly
dispose of patient information. » Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong
corrective action program that includes: » Revising and distributing its policies and procedures regarding disposal of protected health
information and sanctioning workers who do not follow them; » Training workforce members on these new requirements; » Conducting internal monitoring; and » Engaging a qualified, independent third-party assessor to conduct compliance reviews and render
reports to HHS. - Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent
order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.
©2016 Raj Goel, CISSP / [email protected]
/ 917-685-7731 / @rajgoel_ny
![Page 23: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/23.jpg)
FTC vs Work-At-Home Scammer (2014) » FTC obtains $26.9 Million Judgment Against Work-at-Home Scammer Who
Tried to Hide His Assets from 2010 Court Judgment » Jonathan Eborn was one of the marketers behind a work-at-home scheme
that operated under names such as “Google Money Tree,” “Google Pro” and “Google Treasure Chest” and advertised a low-cost kit, claiming consumers would earn $100,000 in six months.
» In 2009, the FTC charged Eborn and others with using the scheme to lure consumers into divulging their financial account information and failing to disclose that they would be charged $72.21 a month.
» The defendants were banned from negative option marketing and from making misrepresentations to consumers
» https://www.ftc.gov/news-events/press-releases/2014/07/ftc-obtains-269-million-judgment-against-work-home-scammer-who
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 24: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/24.jpg)
FTC vs TRENDnet (2014) » The FTC’s complaint alleged that TRENDnet marketed its SecurView cameras for purposes ranging
from home security to baby monitoring, and claimed in numerous product descriptions that they were “secure.”
» The cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.
» TRENDnet is prohibited from misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit.
» TRENDnet also is required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.
» https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 25: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/25.jpg)
FTC vs Cruise Line Robocallers (2015)
» Cruise Line robocallers sold cruise vacations using political survey robocalls
» Political Survey robocalls still legal
» You can’t include a sales pitch in political surveys
» https://www.ftc.gov/news-events/press-releases/2015/03/ftc-ten-state-attorneys-general-take-action-against-political
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 26: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/26.jpg)
FTC vs Oracle (2015) » Oracle was aware of major security issues with Java SE » Oracle promised customers that installing updates to Java
SE would make it “safe and secure” » Oracle failed to tell customers that the update may have
left older, potentially vulnerable versions of the software intact
» Oracle requires to tell consumers during upgrade process is they have outdated versions installs; and give them option to uninstall older versions
» https://www.ftc.gov/news-events/press-releases/2016/03/ftc-approves-final-order-oracle-java-security-case
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 27: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/27.jpg)
FTC vs BMW (2015) » BMW’s MINI division violated Magnuson-Moss Warranty
Act by telling consumers that BMW would void their warranty unless they used MINI parts and MINI dealers to perform maintenance and repair work.
» “It’s against the law for a dealer to refuse to honor a warranty just because someone else did maintenance or repairs on the car,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “As a result of this order, BMW will change its practices and give MINI owners information about their rights.”
» https://www.ftc.gov/news-events/press-releases/2015/03/bmw-settles-ftc-charges-its-mini-division-illegally-conditioned
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 28: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/28.jpg)
FTC vs Network Solutions (2015) » Network Solutions promised customers full refund if
they cancelled within 30 days » NetSol withheld substantial cancellation fees from
most refunds. » Settlement bars NetSol from failing to disclose
cancellation fees » Requires company to keep records demonstrating
compliance for 5 years » https://www.ftc.gov/news-events/press-releases/2015/06/ftc-approves-final-consent-order-against-network-solutions
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 29: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/29.jpg)
FTC vs Lifelock (2015) - $100M fine » LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it
Violated 2010 Order » failed to implement a comprehensive InfoSec program » falsely advertised that it protected consumers’ sensitive data with
the same high-level safeguards used by financial institutions » falsely advertised that it would send alerts “as soon as” it received
any indication that a consumer may be a victim of identity theft. » failed to abide by the order’s recordkeeping requirements. » https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 30: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/30.jpg)
FTC vs (not so) POM Wonderful (2015)
» POM Wonderful deceptively advertised that the products could treat, prevent, or reduce the risk of heart disease, prostate cancer, and erectile dysfunction, and were clinically proven to have such benefits.
» The Commission issued a final order requiring POM’s future disease treatment and prevention claims to be supported by at least two randomized well-controlled human clinical trials, and other health benefit claims to be supported by competent and reliable scientific evidence.
» https://www.ftc.gov/news-events/press-releases/2015/01/statement-ftc-chairwoman-edith-ramirez-appellate-ruling-pom
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 31: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/31.jpg)
FTC vs Wyndham (2015) » Wyndham franchisee has a data breach » FTC sues Wyndham; Wyndham challenges FTC’s authority – claims
franchisor is not responsible for franchisee’s actions » Wyndham loses court challenge » Settlement:
• Wyndham to establish comprehensive InfoSec program • If Wyndham has another >10K records breach, Wyndham to notify
FTC within 10 days • Wyndham has 20 years of obligations to FTC
» https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 32: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/32.jpg)
FTC vs InMobi (2016) – Don’t track me falsely, Bro! » Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone
users » InMobi claimed that its software collected geographical whereabouts only
when end users provided opt-in consent » The software in fact used nearby Wi-Fi signals to infer locations when
permission wasn't given » InMobi will pay a civil penalty of $950,000 ; delete all information it
collected from children and all information collected from adults who didn't provide their consent. ; InMobi to implement a comprehensive privacy program that will be independently audited every two years for the next two decades.
» http://arstechnica.com/tech-policy/2016/06/advertiser-that-tracked-100-million-phone-users-without-consent-pays-950000
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 33: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/33.jpg)
FTC vs Practice Fusion (2016) (don’t lie to patients) » FTC Charges It Deceived Consumers About Privacy of
Doctor Reviews » The settlement with the FTC will prohibit Practice
Fusion from making deceptive statements about the privacy or confidentiality of the information it collects from consumers
» Practice Fusion pre-texted patients, asking them to review Doctor’s.
» https://www.ftc.gov/news-events/press-releases/2016/06/electronic-health-records-company-settles-ftc-charges-it-deceived
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 34: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/34.jpg)
FTC vs Lumosity (2016) Brain Training Doesn’t Work » The creators and marketers of the Lumosity agreed to
settle FTC charges alleging that they deceived consumers with unfounded claims that Lumosity games can help users perform better at work and in school, and reduce or delay cognitive impairment associated with age and other serious health conditions.
» Lumos Labs pays $2M fine; $50M suspended judgement » https://www.ftc.gov/news-events/press-releases/2016/01/lumosity-pay-2-million-settle-ftc-
deceptive-advertising-charges
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 35: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/35.jpg)
FTC vs Amazon (2016) Refund Children’s in-App purchases » Amazon received many complaints from
consumers about surprise in-app charges incurred by children
» Amazon’s disclosures about in-app charges in “free” software were not sufficient to inform customers about charges
» https://www.ftc.gov/news-events/press-releases/2016/04/federal-court-finds-amazon-liable-billing-parents-childrens
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 36: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/36.jpg)
FTC vs Henry Schein / Dentrix (2016) Don’t Lie To Dentists » FTC alleged Henry Schein Practice Solutions, Inc. falsely advertised
the level of encryption it provided to protect patient data. » Made deceptive claims that the software provided industry-
standard encryption; ensured dentists met certain regulatory obligations under the HIPAA.
» The complaint alleged that the software actually used a less complex data masking process to protect patient data that failed to meet accepted encryption standards
» $250K fine; HSPS required to notify customers that the product does not provide industry-standard encryption
» https://www.ftc.gov/news-events/press-releases/2016/05/ftc-approves-final-order-henry-schein-practice-solutions-case
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 37: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/37.jpg)
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 38: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/38.jpg)
FTC Health Breach Rule » “If an entity’s employee loses a laptop containing unsecured health
information in a public place, the information would be accessible to unauthorized persons, giving rise to a presumption that unauthorized acquisition has occurred. The entity can rebut this presumption by showing that the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised. “
» “Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information”
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 39: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/39.jpg)
Learn from FTC Health Breach Rule » Differentiates between “unauthorized access” and “acquisition” » (1) the employee viewed the records to find health information
about a particular public figure and sold the information to a national gossip magazine;
» (2) the employee viewed the records to obtain information about his or her friends;
» (3) the employee inadvertently accessed the database, realized that it was not the one he or she intended to view, and logged off without reading, using, or disclosing anything.
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 40: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/40.jpg)
FTC Health Breach Rule » PHR related entities include non-HIPAA covered entities “that
access » information in a personal health record or send information to a
personal health record.”
» This category could include online applications through which individuals, for example, connect their blood pressure cuffs, blood glucose monitors, or other devices so that the results could be tracked through their personal health records. It could also include an online medication or weight tracking program that pulls information from a personal health record.
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 41: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/41.jpg)
FTC Health Breach Rule
» PHR identifiable health information =
» “past, present, or future payment for the provision of health care to an individual,”
» e.g. database containing names and credit card information, even if no other information was included
©2016 Raj Goel, CISSP / [email protected]
/ 917-685-7731 / @rajgoel_ny
![Page 42: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/42.jpg)
FTC Health Breach Rule » 2) “the fact of having an account with a vendor of personal health
records or related entity,”
» e.g. the theft of an unsecured customer list of a vendor of personal health records or related entity directed to AIDS patients or people with mental illness would require a breach notification, even if no specific health information is contained in that list.
» Can you apply this principle to ALL data in your company’s possession?
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 43: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/43.jpg)
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 44: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/44.jpg)
Mobile Ads Can Infer Users’ Medication, Dating Preferences » Mobile ads can now infer the medications that users take,
whether they prefer to date men or women, and their location. That's according to Cornell Tech's Vitaly Shmatikov
» "These privacy violations are caused primarily by subtle bugs and inconsistencies in mobile advertising software," Shmatikof writes in a summary of the research.
» He says that even when companies attempt to protect users' privacy, "advertisers can still extract sensitive information about the user without the user’s knowledge or consent."
» http://www.mediapost.com/publications/article/265783/mobile-ads-can-infer-users-medication-dating-pre.html
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 45: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/45.jpg)
FTC provides IoT Guidance » FTC provides a series of concrete steps that businesses can take to
enhance and protect consumers’ privacy and security » “The only way for the Internet of Things to reach its full potential
for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
» https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
» https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 46: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/46.jpg)
FTC + NIST Cybersecurity Framework
» Blog post provides guidance to businesses on how the cybersecurity framework created by the National Institute for Standards and Technology (NIST) aligns with the FTC’s data security program.
» The post outlines the key elements of the NIST framework and how it relates to the FTC’s long-standing approach to data security.
» The framework is not a checklist, but rather a method by which a company can identify risks and adjust its security efforts accordingly to ensure they are as effective as possible, which is consistent with the FTC’s focus on reasonable data security.
» https://www.ftc.gov/news-events/press-releases/2016/08/ftc-blog-post-outlines-how-nist-cybersecurity-framework-relates
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 47: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/47.jpg)
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 48: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/48.jpg)
John Snow: London Cholera 1849-1854 » 1830 – Cholera kills 60,000 deaths
» 1849 – He identified GEOGRAPHIC CLUSTERS of outbreaks
» Identified that the WATER SOURCE was the vector long before CHOLERA GERM was identified
» Those with BETTER water sources were 20 times LESS LIKELY to die
» He did door-to-door validation/census to check water sources and his data
» RESULT: London took APPROPRIATE public health safety measures to control contaminated public
water sources
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 49: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/49.jpg)
Dr. Samelweis – 1840s » During 1840’s many women died of childbed fever. Often the child became ill & died as well
» Dr. Samelweis noticed that of the 2 clinics he was managing, one had a HIGHER rate of mortality
than the other » Mothers were ill during birth or up to 36 hours afterwards » Observed that problem started during the examination of the mother during dilation » The deaths were caused by MEDICAL STUDENTS who had just come from the morgue after
performing autopsies and then proceeded to conduct pelvic examinations on laboring mothers.
» This contradicted over 2000 YEARS of medical dogma and practices since Hippocrates. » He instituted hand-washing of medical staff between each procedure
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 50: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/50.jpg)
Getting it Right » Medical marijuana advocates estimate that the aggregate annual sales tax
revenue that's paid by the approximately 400 dispensaries in California is $100 million.
» - http://www.npr.org/templates/story/story.php?storyId=89349791
» Cost of War on Drugs in 2010 (so far): » $ 23 Billion (and counting) » http://www.drugsense.org/wodclock.htm
» What was your overall IT spending last year? How much on questionable
security products?
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 51: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/51.jpg)
Getting it Right » “Anesthesiologists pay less for malpractice insurance today, in constant dollars,
than they did 20 years ago.
» That's mainly because some anesthesiologists chose a path many doctors in other specialties did not. Rather than pushing for laws that would protect them against patient lawsuits, these anesthesiologists focused on improving patient safety.
» Their theory: Less harm to patients would mean fewer lawsuits. “
» - Deaths dropped from 1 / 5,000 to 1 / 200,000 – 300,000 » - Malpractice claims dropped 46% (from $ 332,280 in 1970 to $ 179,010 in 1990's! » Premiums dropped 37% from $ 36,620 to $ 20,572.
- http://online.wsj.com/article/0,,SB111931728319164845,00.html
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 52: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/52.jpg)
Air Force demanded, and purchased, SECURE Desktops » 2006 – After years of attacks, and dealing with a hodge-podge of desktop and
server configurations, The US Air Force develops the Secure Desktop Configuration standard. All vendors are required to sell computers to the USAF (and later DOD, other government agencies) with standardized, locked down configurations of: • Windows • MS Office • Adobe Reader • Norton AV • Etc
» US Dept Of Energy requires Oracle to deliver it’s databases in a secure
configuration developed by the Center for Internet Security (www.cisecurity.org)
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 53: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/53.jpg)
J&J Tylenol Recall – 1982 » Criminal tampered with retail packages of Tylenol » 7 people died. This was a REAL ZERO DAY attack » INDUSTRY STANDARD: Don’t recall product, replace product
quietly » J&J RESPONSE:
• Put Customers First • Recall all 31 million bottles (> $100M expense) • Change how medicine bottles are packed (invent tamper proof) • Share patent with industry http://www.nytimes.com/2002/03/23/your-money/23iht-mjj_ed3_.html
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 54: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/54.jpg)
Contact Information
Raj Goel, CISSP Chief Technology Officer Brainlink International, Inc. C: 917-685-7731 [email protected] www.RajGoel.com www.linkedin.com/in/rajgoel @rajgoel_ny Author of
UNPLUGGED Luddites Guide To Cybersecurity http://www.amazon.com/UNPLUGGED-Luddites-Guide-CyberSecurity-Grandparents/dp/0984424830/
The Most Important Secrets To Getting Great Results From IT http://www.amazon.com/gp/product/0984424814
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 55: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/55.jpg)
Help Me Help You Have you reviewed your
» Business Continuity Plan » Disaster Recovery Plan » Conducted A Data Security Assessment » Developed SOPs?
If you haven’t reviewed these within the past 18 months, or if you’ve discovered holes in your plans and processes, feel free to contact me. We can help you better quantify, manage and mitigate your risks.
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny
![Page 56: 2016-09-05-Lessons_Learned_From_The_FTC_v1c](https://reader031.fdocuments.in/reader031/viewer/2022030213/589b08e91a28abb85d8b5a2f/html5/thumbnails/56.jpg)
Last Action – Help Someone
I am here to HELP.
Think of a client/friend/company who has been a victim of Cyber Crime, Is worried about Security or Struggling with IT and Compliance Challenges and needs help…
Now help me help them
©2016 Raj Goel, CISSP / [email protected] / 917-685-7731 / @rajgoel_ny