Peter A Clarke

The US Federal Trade Commission (“FTC”) is the most active Federal regulator in the United States of privacy and data breaches. It has its fair share of critics but is frenetic compared to Australian regulators. It has announced that it has taken action against Global Tel*Link Corp, a prison communications provider. It alleges that Global failed to secure sensitive personal information of hundreds of thousands of users by posting unencrypted personal information of 650,000 users in the cloud in August 2020 without firewall protection, encryption and monitoring software. It was only when a security researcher alerted the Global that it became aware of the problem. In the meantime hackers accessed billiions of bytes of this exposed data and put it on the dark web and was so advised in September 2020. Global waited 9 months to notify affected customers and in any event only notified 45,000. It has been reported in arstechnica with Prison phone company leaked 600K users’ data and didn’t notify them, FTC says.

The FTC Read the rest of this entry »

The Federal Trade Commission (“FTC”) and the US Department of Health and Human Services (“HHS”) have jointly released an updated guidance on collecting, using and sharing of Consumer Health Information.   As with Australia, New Zealand and the United Kingdom guidances play an important part of setting out standards and expectations regulators expect of individuals, companies and agencies who handle personal information.  It is something of the myth that the United States has no privacy protections.  In some areas the Federal regulations are very strong and breaches can result in harsh penalties.  One such area is a health data.  The United States has very stringent laws regarding the collection, use and storage of health information.

The guidance is not wholly translatable to the Australian environment.  The US legislation is quite specific and detailed.  That said, principles and methodologies applicable in handling health information is broadly similar.  Principles involved in securing information are virtually identical. 

The media release provides:

Ever wondered about the intersection of some of the health privacy and security-related laws and rules enforced by the Federal Trade Commission and the Department of Health and Human Services? You’re not alone, which is why FTC and HHS have teamed up to update a joint publication – Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule  – that helps businesses learn more about their legal obligations. Read the rest of this entry »

With the Report of Proposed Reforms to the Privacy Act recently released it is apposite that the Federal Trade Commission has recently announced that it is taking action against BetterHelp for sharing its consumers health information, including about mental health problems, with Facebook and other platforms for advertising.  The odious practice was well entrenched and longstanding, commencing in 2013 and not concluding until the media reported on it in 2020. The nature of the data misuse is all the more appalling given BetterHelp repeatedly promised to keep the data private. Instead it monetised the data to target them and others for the service it provides.  BetterHelp has reached a settlement with the FTC. 

Arising from this action

• the FTC’ makes it clear that an email or an IP address by themselves can disclose private information about consumers based on the entity sharing the data.
• the FTC regards a failure to obtain “affirmative express consent” for disclosure of health information to social media companies for advertising purposes to be an unfair practice.

• Companies should:

  • consider carefully whether any of their web pages or apps collect information that could be considered sensitive
  • review their privacy policies and ensure they can be understood
  • train employees regarding privacy
  • develop policies and restrictions on how personal data must be protected

The terms imposed by the FTC are onerous and particularly swingeing compared to the relatively relaxed enforceable undertakings imposed in Australia. 

The media was, as usual, scathing with Fortune’s Counseling service BetterHelp to return $7.8M to customers in FTC settlement after it shared private health data with Facebook and Snapchat and Yahoo’ s Teladoc’s (TDOC) BetterHelp Faces FTC Hurdle, to Pay $7.8M.

The media release provides:

The Federal Trade Commission has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising. The proposed order also requires the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.

This is the first Commission action returning funds to consumers whose health data was compromised. In addition, the FTC’s proposed order will ban BetterHelp from sharing consumers’ personal information with certain third parties for re-targeting—the targeting of advertisements to consumers who previously had visited BetterHelp’s website or used its app, including those who had not signed up for the company’s counseling service. The proposed order also will limit the ways in which BetterHelp can share consumer data going forward. Read the rest of this entry »

The Federal Trade Commission (the “FTC”) has announced enforcement action against GoodRX for a range of signficant breaches of customer’s information.  This the first time it is using its powers under the Health Breach Notification Rule.

This case highlights the temptations of monetising personal information to generate sales even if that meant disclosing personal health related information.  It also demonstrates that large operations can and often do ignore privacy and data security obligations when using data for financial gain. When the regulator takes action the flaws become very apparent and often make a bad situation much worse.
While the law differs in Australia it is very useful considering these actions because of the methodology the FTC deploys in framing their cases.  The technology is the same in Australia and the United States.  The issues are the same.

According to the FTC:

• since  2011, GoodRx Holdings, Inc is a “consumer-focused digital healthcare platform” based in Santa Monica, California.
• GoodRx advertises, distributes, and sells:
  • health-related products and services directly to consumers, including purported prescription medication discount products branded as “GoodRx” and “GoodRx Gold.”
  • telehealth services, branded as “GoodRx Care,” and previously as “HeyDoctor by GoodRx,” and “HeyDoctor,” through its subsidiary HeyDoctor, LLC (“HeyDoctor”) [2].
• since at least 2017, GoodRx  promised its users that it would share their personal information, including their personal health information, with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties [3]
• GoodRx offers a platform, available through its website (www.GoodRx.com) or mobile application (“Mobile App”), to search for and compare prescription medication pricing at nearby pharmacies, and to obtain prescription discount cards (the “GoodRx Coupon”). Since January 2017, 55.4 million consumers have visited or used GoodRx’s website or Mobile App [16]
• GoodRx  collects:
  • users’ personal and health information, and prompts users to provide their email address or phone number, to access electronic coupons and refill reminders [19].
  • personal and health information when users register for an account, which is required for GoodRx Gold, the product charging a monthly subscription fee. [20]
  • personal and health information from PBMs. When users purchase medication using GoodRx Coupons, the PBM processes the transaction and sends a claims record to GoodRx (“Medication Purchase Data”), containing name, date of birth, and information about the prescription filled [21]

On February 25, 2020, Consumer Reports published Read the rest of this entry »

The Federal Trade Commission (the “FTC”) has its detractors who say it is not assertive enough.  Compared to the Australian Information Commissioner it is frenetic and hyper aggressive.  In a field where the breaches are many most regulators are subject to criticism of not doing enough.  But when the FTC takes action against a company the impact is considerable and painful for the malefactor. As the agreeement the FTC made with EPIC for its violation of the Children’s Online Privacy Protection Act.

EPIC has been fined 4275 million for collecting personal information from children under the age of 13.without parental consent.  It also enabled those children to have access to voice and text chats by default, a practice that could put them into contact with strangers.

As is the way the media has been negative for EPIC with Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy and Fortnite game maker will pay $520M to settle FTC allegations.

The statement of the FTC provides:

The FTC’s $275 million proposed settlement with Epic Games, owner of Fortnite, alleges the company violated the law by collecting personal information from kids under 13 without parental consent and by enabling voice and text chat by default – an unfair practice that put kids and teens in risky contact with strangers. But to borrow a phrase from advertisers, “But wait! There’s more!” Much, much more in the form of a separate $245 million proposed settlement with Epic Games for using digital dark patterns to bill Fortnite players for unintentional in-game purchases.

How much money can a company take in by selling virtual costumes, dance moves, and piñatas shaped like llamas? It won’t surprise Fortnite fans to hear that the answer is billions, especially when, as the FTC alleges, Epic used a host of digital design tricks – dark patterns – to charge consumers for virtual merchandise without their express informed consent. What’s more, the FTC says when people disputed unauthorized charges with their credit card company, Epic locked their accounts, depriving them of access to content they had already paid for. The proposed FTC consent order is the agency’s largest administrative settlement to date. Continue reading for some insightful – and instructive – quotes from consumers and employees who didn’t hold back about their opinions of Epic’s tactics.

For the technological Rip Van Winkles among us, Fortnite is a hit video game with more than 400 million registered users, many of whom are kids. Although people can play the basic version for free, Epic charges for in-game purchases designed to enhance game play. The FTC alleges that with millions of consumers’ credit cards conveniently in hand, Epic failed to adequately explain its billing practices to customers and designed its interface in ways that led to unauthorized charges. You’ll want to read the complaint for details, but here are a few of the dark patterns the company allegedly used.

According to the complaint, Epic set up its payment system so that it saved by default the credit card that was associated with the account. That meant that kids could buy V-Bucks – the virtual currency necessary to make in-game purchases – with the simple press of a button. No separate cardholder consent was required. And although the currency was imaginary, the charges Epic packed on to Mom or Dad’s credit card were very real. What did parents and users have to say about Epic’s methods? Here are some examples:

• • “Hello Epic Games, The charges associated with this account were made without my authorization. This account is associated with my 10 year old son’s account and I am really disappointed that there is no check and balances that alerted me of these charges, and a 10 year old can purchase coins worth almost $500 so easily.”
  • “Epic Games is swindling parents with unauthorized game purchases, tricking young consumers & using shady practices for billing. I authorized a 1-time Epic Games purchase for my 11 yr-old son, only to discover EG did NOT erase my credit card info, & thus my son has been making unauthorized purchases, racking up $140 in less than 8 days after the initial authorized purchase.”

Epic’s own Fraud and Risk Consultant expressed similar concerns internally and recommended that the company require account holders to confirm their CVV numbers before charging the card on file: “This is standard / best practice and it prevents kids from using mom’s credit card without her permission[.]” However, by the time Epic finally took that advice, the company had already billed account holders for millions of V-Bucks transactions – many of which were unauthorized, according to the FTC. Read the rest of this entry »

The Federal Trade Commission (the “FTC”) has been quite an assertive regulator on privacy issues in the United States.  It has its fair share of detractors however it has been successful in developing a body of law relating to businesses not complying with their representations as to privacy and data security.  It has been so successful in that respect that Daniel Solove, a prominent privacy academic in the United States has suggest that the FTC has developed the common law of privacy.  The FTC has developed very effective consent agreements, enforceable undertakings in Australian parlance, should provide a very useful template when drafting obligations on entities in Australia which interfere with Australian’s privacy.  The enforceable undertakings imposed by the Australian Information Commissioner to date are anemic by comparison.  They may also be useful inspiration when, hopefully and eventually, individuals have a right to bring action against companies and government agencies and terms of settlement are required.

The FTC has brought an action against Chegg for careless security which led to four separate data breaches in the space of 3 years being:

• in September 2017, Chegg employees fell for a phishing attack, giving the threat actors access to employees’ direct deposit information
• in April 2018, a former contractor accessed one of Chegg’s S3 databases using an AWS Root Credential  to exfiltrated a database containing personal information of approximately 40 million users of the Chegg platform.  Chegg only discovered this data breach when informed by a threat intelligence vendor
• in April 2019, a senior Chegg executive fell victim to a phishing attack, giving the threat actor access to the executive’s credentials to Chegg’s email platform and exposing personal information about consumers and employees of Chegg.  The email system was in a default configuration state that allowed a bypass of Chegg’s multifactor authentication requirement.
• in April 2020, Chegg’s senior employee responsible for payroll fell victim to a phishing attack, giving the threat actor access to the employee’s credentials to Chegg’s payroll system . W-2 information, including the birthdates and Social Security numbers, of approximately 700 current and former employees, was exfiltrated.

Needless to say the failure of Chegg to improve data security after the first and second data breaches is a focus of the FTC complaint.

The above data breaches are regular enough occurrences in Australia.  The failure to properly remediate and improve data security after a data breach is also all too common with Australian organisations.

The FTC statement Read the rest of this entry »

The Federal Trade Commission (“the FTC”) is taking action against Drizly, an online alcohol supplier, and its CEO, James Rellas, regarding a data breach that exposed personal information of 2.5 million consumers in 2020.  The data breach, it is alleged, was caused by security failures on Drizly’s part.

The core of the complaint is that Drizly:

• failed to implement basic security measures.  They included not requiring employees to use two-factor authentication for GitHub, not limiting employee access to personal data, not having adequate written security policies, or failing to train employees on those procedure;
• stored information on an unsecured platform. Drizly stored login credentials on GitHub contrary to the platform’s own guidance and well-publicized security incidents involving GitHub;
• failed to monitor its network for security threats. The FTC specifically claimed that the failure included not putting a senior executive in charge of ensuring that the data was secure.  It did it monitor its network for unauthorized attempts to access or remove personal data; and
• exposed its customers to hackers and identity thieves. After the data breach personal information that Drizly had collected about consumers was offered for sale on two different publicly accessible sites on the dark web.

The action is by way of administrative complaint, a precursor to formal litigation.  This has resulted in a consent agreement. It is a more assertive process than the Own Motion Investigation that the Australian Information Commissioner uses, on a very sparing basis, in Australia.

An interesting feature of this consent agreement is that the Chief Executive, James Rellas, is accountable for information security under the consent agreement, even if he leaves Drizly and works for another entity.  That is a procedure that the Australian Government should consider in its reforms of the Privacy Act.  Having the power to make orders against directors to ensure proper data security by way of enforceable undertakings would focus their minds.  With this approach the cost is not only to the business.  It is to its officers as well.  Having an order attached to a director wherever he or she went over a period would be something they would dread.

While the Australian enforceable undertakings are a pale version of what the FTC imposes on companies who have had a data breach or otherwise breached privacy it is worth reviewing how the FTC drafts its complaints and agreements.  They are the gold standard in terms of imposing comprehensive orders which enforce proper privacy practices over a 10 or 20 year period.  It is only a matter of time before Australia will move in this direction.

The statement provides:

Read the rest of this entry »

The US Federal Trade Commission warned as far back as July that it would focus on illegal sharing of highly sensitive health data.  That was preceded with a warning in September 2021 to Health Apps and Connected Device Companies that they had to comply with health breach notification rules.  In June 2021 the FTC settled with Flo Health, a fertility tracking app which inappropriately shared sensitive health data with Facebook and Google. On 11 August 2022 the FTC announced it was embarking on commercial surveillance rule making.

In that context it is not surprising that the FTC has commenced proceedings against Kochava for selling data which tracks people when they are involved in sensitive activities, such as attending health clinics and places of worship.

The media release provides:

The Federal Trade Commission filed a lawsuit against data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

Idaho-based Kochava purchases vast troves of location information derived from hundreds of millions of mobile devices. The information is packaged into customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations. According to Kochava, these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use. Read the rest of this entry »

The Federal Trade Commission has written an article on its website titled Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data regarding the collection of data from smartphones, apps, connected cars and smart home products and then the misuse of of that data by onselling the to aggregators and data brokers. It clearly highlights how the collection of this data can act as a form of surveillance but more specifically identify places where individuals would not wish to be publicised to the third parties.  Aggregators and data brokers are not a chronic problem as in the United States of America however that doesn’t mean there isn’t a problem.  Organisations and government agencies collect masses of data and it is questionable whether they have a requirement for that personal information and the storage of that information is often not properly protected.  There remains a significant problem with the extent to which people consent to the collection of their data. Organisations almost invariably bury consents into the middle of a privacy policy or at the base of a page, physically or on line, which is difficult to read let alone properly understand.

The FTC article should be read by all privacy practitioners.  While it references US law the principles are universal.  It is also cheering that the FTC will crackdown on these unsavoury practices. Hopefully Read the rest of this entry »

The difference between the attitude and the actions of the Federal Trade Commission (the “FTC”) for privacy breaches and failing to implement proper data security and that of Australia is illustrated in the Consent Agreement between the FTC and CafePress regarding the latter’s data breach, its attempted cover up and its dreadful data security. The FTC imposes robust, stringent and long lasting proscriptions while enforceable undertakings in Australia are infrequent, last a short time and impose quite mild constraints on malefactors.  They are worlds apart. 

CafePress was hacked on 20 February 2019 and the data breach compromised more than 23 million accounts.  More than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates was accessed with some of that information available for sale on the Dark Web. 

CafePress carefully did everything wrong after discovering the data breach including:

• while it patched the vulnerability, a month after the breach, it failed to properly investigate the breach for several months despite additional warnings including a warning in April 2019 from a foreign government
• instead of telling customers that  a hacker had illegally obtained CafePress customer account information it instead only told customers to reset their passwords as part of an update to its password policy.
• CafePress did not inform affected customers until September 2019—one month after the breach was reported widely.
• CafePresses lax security practices still left many consumers at risk. It continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses, which had previously been stolen by hackers.

CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress discovered that certain accounts of shopkeepers had been hacked. It also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.

The FTC took action in March 2022 for the data breach and cover up.

Last week the FTC announced a Consent Agreement with Cafe Press.  The obligations under the Agreement will last 20 years and CafePress has to pay a fine of $500,000. 

The FTC Press Release Read the rest of this entry »