In the most recent edition of his CyberSide Chat series, Socially Aware contributor Andy Serwin discusses emerging cybersecurity issues including:

  • The need to strike a balance between the efficiencies of the Internet of Things and the increased cyberattack vulnerability that usually goes along with using extra devices;
  • The pre- and post-cyber-breach steps a company can take to mitigate the damage that could be caused by a theft of the company’s data or an attempt to shut down its systems;
  • The factors companies should consider when determining how much of their resources to dedicate to preventing a cyberattack.

Check out Andy’s insightful presentation:

If your company collects information regarding consumers through Internet-connected devices, you will want to take note of the Federal Trade Commission’s (FTC) recent privacy-related settlement (brought in conjunction with the New Jersey Attorney General) with smart TV manufacturer Vizio, Inc. The settlement is significant for four reasons:

  • The FTC reinforces the position it has taken in other actions that the collection and use of information in a way that would surprise the consumer requires just-in-time notice and choice in order to avoid a charge of deception and/or unfairness under Section 5 of the FTC Act.
  • The FTC takes the position that television viewing activity constitutes sensitive data. This marks a departure from its approach of limiting sensitive data to information that, for example, can facilitate identity theft, precisely locate an individual, is collected online from young children or relates to matters generally considered delicate (such as health information).
  • The settlement includes a payment of $1.5 million to the FTC (as well as payment of civil penalties to New Jersey), but the legal basis for the FTC payment is not stated. This could suggest that the FTC will more aggressively seek to obtain injunctive monetary relief in Section 5 cases.
  • Acting Chairwoman Maureen Ohlhausen explicitly noted in a concurring statement her skepticism regarding both the allegation that TV viewing data is “sensitive” and that the FTC’s complaint adequately established that the practices at issue constitute “substantial injury” under the unfairness prong of Section 5.

Leaving aside what the chairwoman’s concurrence may portend for future enforcement efforts, the FTC again seems to be using allegedly bad facts about privacy practices to push the envelope of its authority. Accordingly, with the Internet of Things boom fueling a dramatic increase in the number of Internet-connected devices, companies that either collect information via such devices or make use of such collected information should consider the implications of this enforcement action.

Continue Reading Watch Out: The Federal Trade Commission Continues to Watch the (Alleged) Watchers


In a major development for cloud and other data storage providers, and further complicating the legal landscape for the cross-border handling of data, a Federal Magistrate Judge in the Eastern District of Pennsylvania ruled for the Department of Justice and ordered Google, Inc., to comply with two search warrants for foreign-stored user data. The order was issued on February 3, 2017 pursuant to the Stored Communications Act (SCA), and the reasoning of the Court rested heavily on the court’s statutory analysis of the SCA. The ruling is a marked departure from a recent, high-profile Second Circuit decision holding that Microsoft could refuse to comply with a similar court order for user data stored overseas.

The SCA regulates how service providers like Google and Microsoft who store user data can disclose user information. The Magistrate Judge issued two warrants under the SCA for emails sent from Google users in the United States to recipients in the United States. Google refused to fully comply, invoking Microsoft, and the Government moved to compel. In its briefing, Google argued that the SCA can only reach data stored in the United States and that, because Google constantly shuffles “shards” of incomplete user data between its servers across the world, Google could never know for certain what information is stored domestically and what is stored overseas. Therefore, Google argued, the data sought under the warrants was beyond the reach of the SCA. Continue Reading Google Ordered to Comply with Warrant for Foreign-Stored User Data


Is your company prepared to respond to a data security breach? For many companies, even reading this question causes some anxiety. However, being prepared for what seems like the inevitable—a security breach—can be the difference between successfully navigating the event or not. While we still hear some companies say, “That would never happen to our company!” a significant breach can happen to any company.

In light of this and the close scrutiny that the high-profile breaches reported over the past year have received, many companies have taken the opportunity to consider their preparedness and ability to respond quickly and decisively to such an incident. We have prepared for our readers who are in-house attorneys or privacy officers the following checklist highlighting some steps that companies may consider taking so that they can be better prepared in the event that a significant breach incident occurs.

  1. Make Friends With Your IT/IS Department.

It is important to be familiar with your company’s risk tolerance and approach to information security in order to develop an understanding of your company’s security posture. The time to explore these issues isn’t after a breach has happened, so ask your colleagues in your company’s information technology or information security departments the basic questions (e.g., What’s DLP?) and the tough questions (e.g., Why haven’t we addressed the data security concerns raised in last year’s audit?). You would rather learn, for example, that your company does not encrypt its laptops before one is stolen. Continue Reading Preparing for a Data Security Breach: Ten Important Steps to Take

The latest issue of our Socially Aware newsletter is now available here.

In this edition, we provide five tips for reducing potential liability exposure in seeking to exploit user-generated content; we examine a Ninth Circuit decision highlighting the control that social media platform operators have over the content and data that users post to those platforms; we discuss five questions that companies should ask themselves to help prepare for a ransomware attack; we explore a controversial California court decision that narrows an important liability safe harbor for website operators; we review a federal court decision that illustrates the importance of securing clear and affirmative assent to electronic contracts; we take a look at some recent enforcement actions that indicate a shift toward requiring clearer and potentially more burdensome disclosures from companies engaged in interest-based advertising; and we examine a recent Northern District of California decision holding that a mobile app developer was not liable under the Telephone Consumer Protection Act for a text initiated by one of the app’s users.

All this—plus an infographic illustrating the impact of incorporating user-generated content in marketing campaigns.

Read our newsletter.

The Internet of Things is apparently to blame for the Web outage that paralyzed the online world earlier this month.

Justin Timberlake took down his “ballot selfie” from Instagram after Tennessee authorities made clear that it was illegal.

Presumably in order to help facilitate compliance with guidance from regulators in the United States, United Kingdom and elsewhere, YouTube is making available to video creators an easy-to-use “sponsored content” notification that they can opt to have appear during the first few seconds of their videos.

Will blockchain technology be the next big wave of disruption for the music industry?

With Tinder’s new feature, online daters can be sure their profiles feature the photos most likely to get right-swipes.

When the chief digital officer at New York’s Metropolitan Museum of Art lost his job, he turned to social media for advice.

The NFL’s new social media policy promises to impose hefty fines on member teams that post videos or animated GIFs of games, or use Facebook Live or Periscope to stream anything in the stadium.

When a Russian tech entrepreneur’s friend died, she used artificial intelligence and his old text messages to create a futuristic memorial.

Employed but curious about new job opportunities? Now you can change your LinkedIn profile to secretly signal to recruiters that you’re in the market for a new gig.

Guess what percentage of Americans one researcher predicts will own a virtual reality headset in 2016?

Could Google Flights be the ticket to finding the best possible fare to your 2016 winter holiday destination?

The California Supreme Court agreed to hear Yelp’s case arguing that requiring the company to remove a one-star review of a law firm “creates a gaping hole” in the immunity that shields internet service providers from suits related to user-generated content.

Images, videos and quoted tweets no longer count toward Twitter’s 140-character limit.

Google is undertaking cutting-edge efforts to battle online trolls.

Only 28 websites are registered under North Korea’s top level .kp domain.

Chinese law enforcement agencies investigating criminal cases can now secretly request access to personal information posted on social media services.

Back here in the United States, Twitter’s bi-annual transparency report shows that between January and June the platform received 2,520 information requests from U.S. law enforcement agencies.

The Department of Transportation issued a 15-point list of safety expectations for driverless cars.

Relationship Science, a repository of information about influential people and their connections, is opening its database to everyone, a change that could put the company in competition with LinkedIn.

Content marketers need to publish how many articles a week to make a difference?! Sigh.

Building an audience on Snapchat seems pretty arduous, too.

Concerned that your identity may have been stolen in some of the major hacking attacks in the last three years? Take this quiz to learn your minimum level of exposure and what you can do about it.

The five most popular bots on Botlist last week.

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware demands that its victims pay a ransom through certain online payment methods in order to regain access to their systems or to get their data back. Some ransomware encrypts the victim’s files (so-called crypto-ransomware, of which CryptoLocker is a well-known example).

The news has been filled this year with reports of ransomware attacks against companies and government agencies, including even law enforcement. Ransomware refers to a type of malware that encrypts or otherwise restricts access to a machine or device. As part of the attack, the attacker will demand that the victim pay a ransom in order to receive the encryption key or otherwise recover access to the compromised machine.

The reality is that ransomware attacks have been proliferating against all types of companies and organizations. Ransomware is a profitable business for underground circles, and we expect to see continued targeting. Because these attacks may be isolated to a single machine, they frequently do not impact a company’s business continuity or result in a noticeable service disruption. In response to an infection, companies may be able to obtain the technical assistance needed to defeat the attack. Free online resources exist that will identify which ransomware infected your system and provide victims with known decryption keys. In other cases, companies may determine that the data loss is not significant and/or that backups exist, allowing them to rebuild the computer by reformatting the hard drive and reinstalling a clean operating system, applications and data. In still other cases, though, companies pay the ransom.

Ransomware attackers frequently use many of the same tools and tactics, such as spear phishing, as do other hackers. Unlike many hackers, however, ransomware attackers are not focused on stealing data that can be sold or used for illicit purposes (e.g., credit card information and trade secrets). Instead, ransomware is about economic extortion. The attackers prevent a company from being able to access its own system or data, and they make a demand. Usually, they want money, but that could change. Imagine a hacker who holds data and systems hostage in return for the company’s releasing a public statement, making a divestiture or arranging for a senior executive’s departure. The distinction between routine malware and ransomware is important to manage the scope of the threat. While some companies may not maintain data that is of value to cyber thieves (although that is becoming less and less the case, as evidenced by the proliferation of W-2 tax information phishing attacks), every company is a potential target of a ransomware attack. Continue Reading 5 Questions to Help Prepare for a Ransomware Attack

Our Morrison & Foerster colleague and Socially Aware contributor Miriam Wugmeister has published a thought provoking and insightful op-ed piece in The Hill on how companies that are the targets of cyberattacks are too often treated as suspects, rather than victims, by regulators.

In her op-ed, titled Stop Victim Shaming in Cyberattacks, Miriam points out that defending the American people and economy from hostile state or state-sponsored actors is critical for both economic and national security reasons. However, while our state and federal law enforcement agencies vigorously protect people from criminals and assist victims of crimes, companies that publicly disclose that they have been the victim of a cybercrime are not treated like a typical victim by federal and state regulators. Instead, they are investigated by numerous agencies, including the Federal Trade Commission, the State Attorneys General, and the Securities and Exchange Commission, while often simultaneously sued by consumers, business customers, and shareholders. In the face of the onslaught of cyber threats, U.S. companies are charged with defending themselves in cyberspace or facing legal liability.

How did we arrive at holding those victimized by a cybercrime liable for the damage inflicted upon them? You can read Miriam’s The Hill op-ed here.


Facebook introduced technology that disables ad blockers used by people who visit the platform via desktop computers, but Adblock Plus has already foiled the platform’s efforts, at least for now.

A look at Twitter’s 10-year failure to stop harassment.

Are mobile apps killing the web?

LinkedIn sues to shut down “scrapers.”

The FTC is planning to police social media influencers’ paid endorsements more strictly; hashtags like #ad may not be sufficient to avoid FTC scrutiny. Officials in the UK are cracking down on paid posts, too.

Dan Rather, Facebook anchorman.

The U.S. Olympic Committee sent letters to non-sponsoring companies warning them against posting about the games on their corporate social media accounts.

How IHOP keeps winning the love & affection of its 3.5 million Facebook fans.

A Canadian woman whose home was designated a Pokémon Go “stop” is suing the app’s creators for trespass and nuisance. We saw that coming.

There’s a website dedicated to helping Snapchat users fool their followers into thinking they’re out on the town.

Facebook has been wooing premium content owners, but TV companies are reportedly resisting.

PETA got a primatologist to submit an amicus curiae brief supporting its suit alleging a monkey who took a selfie is entitled to a copyright for the image.