Tag Archive for: FTC

App-etite for Notification: FTC Says “Welcome to the Jungle” to Mobile Health App Developers in Policy Statement on Health Breach Notification Rule | Wyrick Robbins Yates & Ponton LLP

Last week’s news that the Federal Trade Commission is taking steps to begin rulemaking on consumer privacy and artificial intelligence drew plenty of attention from privacy professionals, and suggests 2022 could be an interesting year for federal regulation of privacy and data security. But that development is only one of a series of moves the Commission has recently made in this space. In September, a divided Commission issued a Policy Statement that adopts a surprisingly broad interpretation of the FTC’s existing Health Breach Notification Rule, and suggests the FTC is seeking opportunities to use its existing authority to crack down on mobile health apps’ lax privacy and data security practices.

In that Policy Statement, the FTC takes the position that the Health Breach Notification Rule, which applies to “vendors of personal health records,” covers any mobile app that processes health information and that can draw personal information from multiple sources. The FTC also states that the Rule broadly requires notification of any unauthorized access to consumer health information, including the sharing of a consumer’s health information without the consumer’s authorization.

Mobile health app developers should take careful note of the Policy Statement’s interpretations and assess their offerings’ compliance posture accordingly.

Overview of the Health Breach Notification Rule

The FTC issued the Health Breach Notification Rule in 2009 to impose breach notification requirements on companies that process consumer health information, but are not subject to HIPAA. To that end, the Rule requires a “vendor of personal health records” to notify affected consumers and the FTC whenever “unsecured [personal health record] identifiable health information [is] acquired by an unauthorized person” as a result of “a breach of security of unsecured [personal health record] identifiable health information.” A “vendor of personal health records” is an entity that (1) is not a HIPAA covered entity or business associate and (2) offers or maintains “personal health records.”

“Personal health records” are in turn defined under the Rule as electronic…


FTC bans spyware maker SpyFone, and orders it to notify hacked victims – TechCrunch

The Federal Trade Commission has unanimously voted to ban the spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leaving it on the open internet.

The agency said SpyFone “secretly harvested and shared data on people’s physical movements, phone use and online activities through a hidden device hack,” allowing the spyware purchaser to “see the device’s live location and view the device user’s emails and video chats.”

SpyFone is one of many so-called “stalkerware” apps that are marketed under the guise of parental control but are often used by spouses to spy on their partners. The spyware works by being surreptitiously installed on someone’s phone, often without their permission, to steal their messages, photos, web browsing history and real-time location data. The FTC also charged that the spyware maker exposed victims to additional security risks because the spyware runs at the “root” level of the phone, which allows the spyware to access off-limits parts of the device’s operating system. A premium version of the app included a keylogger and “live screen viewing,” the FTC says.

But the FTC said that SpyFone’s “lack of basic security” exposed those victims’ data, because of an unsecured Amazon cloud storage server that was spilling the data its spyware was collecting from more than 2,000 victims’ phones. SpyFone said it partnered with a cybersecurity firm and law enforcement to investigate, but the FTC says it never did.

Practically, the ban means SpyFone and its CEO Zuckerman are barred from “offering, promoting, selling, or advertising any surveillance app, service, or business,” making it harder for the company to operate. But FTC Commissioner Rohit Chopra said in a separate statement that stalkerware makers should also face criminal sanctions under U.S. computer hacking and wiretap laws.

The FTC has also ordered the company to delete all the data it “illegally” collected, and, also for the first time, notify victims that the app had been secretly installed on their…


T-Mobile slides on security breach; Facebook shares unfazed by new FTC action

A major cyberattack is never good for business, nor is it good for a company’s stock price.

T-Mobile US Inc. shares slid this week after the company announced it was investigating claims of a security breach. T-Mobile confirmed Aug. 18 that a subset of company customer data had been accessed by unauthorized individuals. This subset included just over 40 million records of former or prospective customers who had previously applied for credit with the carrier, as well as 7.8 million current T-Mobile postpaid customer accounts’ information. Both figures were subsequently raised on Aug. 20.

Analysts told S&P Global Market Intelligence that customers will likely view the incident as an unfortunate reality of having a cell phone and not a reason to switch carriers.

“In reality, most people aren’t negatively affected enough to consider changing providers or getting rid of their cell phones. It’s just an assumed risk,” Recon Analytics analyst Roger Entner said.

However, data from 451 Research’s “Voice of the Connected User Landscape: Connected Customer, Trust and Privacy” survey shows some consumers rethink their relationship with a business if it suffers a data breach that exposes the consumer’s data. Among respondents who had been notified that they were affected by the breach, nearly 1 in 5 respondents reduced business with the company that was breached. About 15% canceled their accounts and switched to new providers.

T-Mobile shares closed at $140.89 apiece, down 2.8% for the week to date.


In streaming, Netflix Inc. shares popped on Aug. 19 to close at $543.71, up 5.4% for the week to date. During the week, news broke that the U.S. Securities and Exchange Commission on Aug. 18 charged three former Netflix software engineers and two others with insider trading that netted the group more than $3 million in profits.

Sung Mo “Jay” Jun, a former software engineer at the company, allegedly led the insider trading ring, accessing data on subscriber growth and trading shares of Netflix prior to earnings announcements. The SEC caught the group by using tools that detect when traders have improbable levels of success trading the securities of a company over a period of time.


FTC Questions Big Tech About User Data | Avast

The U.S. Federal Trade Commission (FTC) sent orders this week to nine internet giants, demanding they share details of their data collection processes, including the method and manner in which they collect, use, store, and disclose information about individuals who use their services.

Amazon, Discord, Facebook, Reddit, Twitter, WhatsApp, YouTube, Snapchat owner Snap, and TikTok owner ByteDance were each served with the orders. “Privacy is becoming a major concern for citizens,” commented Avast Security Evangelist Luis Corrons, “and internet companies collect and use people’s data. It only makes sense for the government to learn what they are doing with it and how that data is being handled.”

The inquiry comes at a time when the biggest social media and video streaming services are under scrutiny from several factions. All companies named have been suspected of the improper use of consumer data and/or violations of the federal anti-monopoly law. In a joint statement, FTC Commissioners Chopra, Slaughter, and Wilson wrote, “It is alarming we know so little about companies that know so much about us.” The FTC gave the companies 45 days to respond to the orders.

6-year-old spends over $16,000 on in-app purchases

Real estate broker Jessica Johnson got a shocking surprise when she learned that the charges totaling $16,293.10 on her credit card bill came from her 6-year-old son George making in-app purchases while playing his favorite game on the iPad, Sonic Forces. When the Apple charges began showing up on her Chase bank statements, Johnson thought it must be fraud. She contacted Chase, which informed her that Apple scams are among the most common, and she’d have to contact Apple to resolve the matter. She did so, but learned the charges did originate from her account. In addition, Apple told her that she had missed the 60-day window to dispute charges, so there was nothing the company could do. Unfortunately, Johnson had not set up the parental controls on her son’s iPad that would have prevented this kind of situation. Read more on this story at The New York Post.

International survey reports pandemic’s impact on kids

Over 26,000 children from 137 countries participated…