Alcohol addiction treatment firm caught by Federal Trade Commission disclosing health data for advertising…

April 12, 2024

If there is any doubt about the value of health data and the importance of maintaining strict security, look no further than the Federal Trade Commission’s (“FTC”) action against Monument Inc, a New York based alcohol addiction center, for selling its users’ personal health data to, amongst others, Meta and Google without their consent. Under the agreed consent order Monument is banned from disclosing health data for advertising and must obtain consent before sharing it for any other purpose. That, however, is only the tip of a very big administrative iceberg that Monument has to navigate around. The FTC, as per its usual practice, has set down obligations to implement procedures, take action and be monitored by an assessor. The enforceable undertakings are far better drafted and more encompassing than the few undertakings issued by the Information Commissioner. They are useful to read because they contain clauses that could be incorporated into contracts and terms of settlement and that the regulator itself could use, if the Information Commissioner became more active.

The statement from the FTC provides:

The Federal Trade Commission has taken action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.

As part of a proposed order settling the FTC allegations, New York-based Monument, Inc. will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose. Read the rest of this entry »

US Federal Trade Commission takes action against Avast for breaching privacy, claiming it was protecting data but trading consumers’ data

February 25, 2024

The US Federal Trade Commission has taken action against Avast for representing to consumers that its software would protect their privacy by preventing tracking and collection of browser information, while it in fact tracked that browser information and sold it to more than 100 other companies. Avast tracked and collected the data and provided it to a subsidiary, Jumpshot, which from 2014 until 2020 sold that browsing information to some of its clients, including investment and advertising companies, search engine optimisation firms and data brokers. In short, companies that need data as part of their business activities. Avast has entered into a consent order whereby it agreed to pay $16.5 million and be prohibited from selling or licensing any web browsing data for advertising purposes.

The FTC generally relies upon representations for jurisdiction to take action. That is different to the approach taken by the UK regulator, which relies on the UK Data Protection Act. In Australia the regulator relies on its powers under the Privacy Act. FTC decisions are useful and relevant in the analysis of privacy cases because the principles relating to data security, collection and use are consistent with those under the UK, New Zealand and European laws. Given the FTC is a much more active regulator than the Australian Office of the Information Commissioner, the analysis of the FTC in its complaints and consent orders is particularly useful. The Australian resources are modest by comparison and often too general.

The FTC’s very colourful media release provides:

When uttered by a pirate, “Avast!” is a nautical term for “Listen up and cut it out.” And when the FTC says “Avast!” to software company Avast, it means the same thing. UK-based Avast Limited told consumers that using its software would protect their privacy by preventing the tracking and collection of their browser information. But according to the FTC, from 2014 to 2020, guess who was tracking consumers’ browser information and then selling it to more than 100 other companies through an affiliate called Jumpshot? Ironically enough, Avast Limited. We’re not sure how much the $16.5 million financial remedy is in doubloons, but we hope the terms of the proposed settlement will remind other companies to relegate conduct like that to Davy Jones’ Locker.

For consumers concerned about their privacy, Avast’s claims for its anti-virus software and browser extensions were attention-getters. The company promised its products would block “annoying tracking cookies that collect data on your browsing activities.” In a major app store, the company pitched its Avast Mobile Software as way for consumers to “secure your device” by getting “alerted when you install spyware and adware apps that violate your privacy by sending your personal data to their servers.” In describing its desktop software, Avast promised it would “shield your privacy” and “stop anyone and everyone from getting to your computer.” Avast also told people that its software would allow them to “reclaim your browser. Get rid of unwanted extensions and hackers making money off your searches.” The company’s marketing hook for its Avast Secure Browser was its anti-tracking capabilities, promising it would “protect[] your privacy by preventing websites, advertising companies, and other web services from tracking your online activity.”  Read the rest of this entry »

Federal Trade Commission takes action against Blackbaud for inadequate security practices, seeks orders for it to delete unnecessary data

February 14, 2024

The Federal Trade Commission has taken action against Blackbaud and required it to delete personal data that it does not need. The genesis of this outcome was the poor security practices that let a hacker access a trove of sensitive personal information in 2020, much of which should not have been kept. The FTC set out the multiple Blackbaud transgressions: failing to segment data, failing to have multifactor authentication and not notifying customers of the breach. In this case, as in many others, a data breach doesn’t reveal one flaw but usually a system-wide failure.

The media release provides:

South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.

As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers. Read the rest of this entry »

Federal Trade Commission proposes Strengthening Children’s Privacy Rule to limit monetisation of Children’s Data

January 2, 2024

The Federal Trade Commission is proposing changes to the COPPA Rule, the principal regulation relating to the protection of child privacy online. COPPA stands for Children’s Online Privacy Protection Act. The purpose is to restrict third parties monetising children’s data.

The release Read the rest of this entry »

Federal Trade Commission takes action against Global Tel*Link Corp for failing to secure data and to notify consumers

November 20, 2023

The US Federal Trade Commission (“FTC”) is the most active Federal regulator of privacy and data breaches in the United States. It has its fair share of critics but is frenetic compared to Australian regulators. It has announced that it has taken action against Global Tel*Link Corp, a prison communications provider. It alleges that Global failed to secure the sensitive personal information of hundreds of thousands of users by posting the unencrypted personal information of 650,000 users in the cloud in August 2020 without firewall protection, encryption or monitoring software. It was only when a security researcher alerted Global that it became aware of the problem. In the meantime hackers accessed billions of bytes of this exposed data and put it on the dark web, and Global was so advised in September 2020. Global waited 9 months to notify affected customers and in any event only notified 45,000. Ars Technica reported it as “Prison phone company leaked 600K users’ data and didn’t notify them, FTC says”.

The FTC Read the rest of this entry »

Federal Trade Commission and the US Department of Health and Human Services update guidance on collecting, using and sharing of Consumer Health Information

September 24, 2023

The Federal Trade Commission (“FTC”) and the US Department of Health and Human Services (“HHS”) have jointly released updated guidance on collecting, using and sharing Consumer Health Information. As in Australia, New Zealand and the United Kingdom, guidance plays an important part in setting out the standards and expectations regulators have of individuals, companies and agencies who handle personal information. It is something of a myth that the United States has no privacy protections. In some areas the Federal regulations are very strong and breaches can result in harsh penalties. One such area is health data. The United States has very stringent laws regarding the collection, use and storage of health information.

The guidance is not wholly translatable to the Australian environment. The US legislation is quite specific and detailed. That said, the principles and methodologies applicable in handling health information are broadly similar. The principles involved in securing information are virtually identical.

The media release provides:

Ever wondered about the intersection of some of the health privacy and security-related laws and rules enforced by the Federal Trade Commission and the Department of Health and Human Services? You’re not alone, which is why FTC and HHS have teamed up to update a joint publication – Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule  – that helps businesses learn more about their legal obligations. Read the rest of this entry »

Federal Trade Commission brings action to stop BetterHelp from revealing information, including mental health information, to Facebook & others for targeted advertising. FTC is seeking $7.8 million compensation.

March 14, 2023

With the Report of Proposed Reforms to the Privacy Act recently released, it is apposite that the Federal Trade Commission has recently announced that it is taking action against BetterHelp for sharing its consumers’ health information, including about mental health problems, with Facebook and other platforms for advertising. The odious practice was well entrenched and longstanding, commencing in 2013 and not concluding until the media reported on it in 2020. The nature of the data misuse is all the more appalling given BetterHelp repeatedly promised to keep the data private. Instead it monetised the data to target those consumers and others with advertising for the service it provides. BetterHelp has reached a settlement with the FTC.

Arising from this action

  • the FTC makes it clear that an email or an IP address by themselves can disclose private information about consumers, based on the entity sharing the data.
  • the FTC regards a failure to obtain “affirmative express consent” for disclosure of health information to social media companies for advertising purposes to be an unfair practice.
  • Companies should:

    • consider carefully whether any of their web pages or apps collect information that could be considered sensitive
    • review their privacy policies and ensure they can be understood
    • train employees regarding privacy
    • develop policies and restrictions on how personal data must be protected

The terms imposed by the FTC are onerous and particularly swingeing compared to the relatively relaxed enforceable undertakings imposed in Australia. 

The media was, as usual, scathing, with Fortune’s “Counseling service BetterHelp to return $7.8M to customers in FTC settlement after it shared private health data with Facebook and Snapchat” and Yahoo’s “Teladoc’s (TDOC) BetterHelp Faces FTC Hurdle, to Pay $7.8M”.

The media release provides:

The Federal Trade Commission has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising. The proposed order also requires the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.

This is the first Commission action returning funds to consumers whose health data was compromised. In addition, the FTC’s proposed order will ban BetterHelp from sharing consumers’ personal information with certain third parties for re-targeting—the targeting of advertisements to consumers who previously had visited BetterHelp’s website or used its app, including those who had not signed up for the company’s counseling service. The proposed order also will limit the ways in which BetterHelp can share consumer data going forward. Read the rest of this entry »

Federal Trade Commission commences enforcement action against GoodRx for extraordinary privacy breaches involving sharing consumer sensitive health information for advertising purposes

February 8, 2023

The Federal Trade Commission (the “FTC”) has announced enforcement action against GoodRx for a range of significant breaches involving customers’ information. This is the first time it is using its powers under the Health Breach Notification Rule.

This case highlights the temptations of monetising personal information to generate sales, even if that means disclosing personal health related information. It also demonstrates that large operations can and often do ignore privacy and data security obligations when using data for financial gain. When the regulator takes action the flaws become very apparent and often make a bad situation much worse.

While the law differs in Australia, it is very useful to consider these actions because of the methodology the FTC deploys in framing its cases. The technology is the same in Australia and the United States. The issues are the same.

According to the FTC:

  • GoodRx Holdings, Inc has, since 2011, been a “consumer-focused digital healthcare platform” based in Santa Monica, California.
  • GoodRx advertises, distributes, and sells:
    • health-related products and services directly to consumers, including purported prescription medication discount products branded as “GoodRx” and “GoodRx Gold.”
    • telehealth services, branded as “GoodRx Care,” and previously as “HeyDoctor by GoodRx,” and “HeyDoctor,” through its subsidiary HeyDoctor, LLC (“HeyDoctor”) [2].
  • since at least 2017, GoodRx promised its users that it would share their personal information, including their personal health information, only with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties [3]
  • GoodRx offers a platform, available through its website (www.GoodRx.com) or mobile application (“Mobile App”), to search for and compare prescription medication pricing at nearby pharmacies, and to obtain prescription discount cards (the “GoodRx Coupon”). Since January 2017, 55.4 million consumers have visited or used GoodRx’s website or Mobile App [16]
  • GoodRx collects:
    • users’ personal and health information, and prompts users to provide their email address or phone number, to access electronic coupons and refill reminders [19].
    • personal and health information when users register for an account, which is required for GoodRx Gold, the product charging a monthly subscription fee. [20]
    • personal and health information from pharmacy benefit managers (“PBMs”). When users purchase medication using GoodRx Coupons, the PBM processes the transaction and sends a claims record to GoodRx (“Medication Purchase Data”), containing name, date of birth, and information about the prescription filled [21]

On February 25, 2020, Consumer Reports published Read the rest of this entry »

Federal Trade Commission fines EPIC $275 million for privacy violations and requires it to refund customers another $245 million for tricking users

December 22, 2022

The Federal Trade Commission (the “FTC”) has its detractors who say it is not assertive enough. Compared to the Australian Information Commissioner it is frenetic and hyper aggressive. In a field where the breaches are many, most regulators are subject to criticism for not doing enough. But when the FTC takes action against a company the impact is considerable and painful for the malefactor, as shown by the agreement the FTC made with EPIC for its violation of the Children’s Online Privacy Protection Act.

EPIC has been fined $275 million for collecting personal information from children under the age of 13 without parental consent. It also enabled those children to have access to voice and text chats by default, a practice that could put them into contact with strangers.

As is the way, the media has been negative for EPIC, with “Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy” and “Fortnite game maker will pay $520M to settle FTC allegations”.

The statement of the FTC provides:

The FTC’s $275 million proposed settlement with Epic Games, owner of Fortnite, alleges the company violated the law by collecting personal information from kids under 13 without parental consent and by enabling voice and text chat by default – an unfair practice that put kids and teens in risky contact with strangers. But to borrow a phrase from advertisers, “But wait! There’s more!” Much, much more in the form of a separate $245 million proposed settlement with Epic Games for using digital dark patterns to bill Fortnite players for unintentional in-game purchases.

How much money can a company take in by selling virtual costumes, dance moves, and piñatas shaped like llamas? It won’t surprise Fortnite fans to hear that the answer is billions, especially when, as the FTC alleges, Epic used a host of digital design tricks – dark patterns – to charge consumers for virtual merchandise without their express informed consent. What’s more, the FTC says when people disputed unauthorized charges with their credit card company, Epic locked their accounts, depriving them of access to content they had already paid for. The proposed FTC consent order is the agency’s largest administrative settlement to date. Continue reading for some insightful – and instructive – quotes from consumers and employees who didn’t hold back about their opinions of Epic’s tactics.

For the technological Rip Van Winkles among us, Fortnite is a hit video game with more than 400 million registered users, many of whom are kids. Although people can play the basic version for free, Epic charges for in-game purchases designed to enhance game play. The FTC alleges that with millions of consumers’ credit cards conveniently in hand, Epic failed to adequately explain its billing practices to customers and designed its interface in ways that led to unauthorized charges. You’ll want to read the complaint for details, but here are a few of the dark patterns the company allegedly used.

According to the complaint, Epic set up its payment system so that it saved by default the credit card that was associated with the account. That meant that kids could buy V-Bucks – the virtual currency necessary to make in-game purchases – with the simple press of a button. No separate cardholder consent was required. And although the currency was imaginary, the charges Epic packed on to Mom or Dad’s credit card were very real. What did parents and users have to say about Epic’s methods? Here are some examples:

    • “Hello Epic Games, The charges associated with this account were made without my authorization. This account is associated with my 10 year old son’s account and I am really disappointed that there is no check and balances that alerted me of these charges, and a 10 year old can purchase coins worth almost $500 so easily.”
    • “Epic Games is swindling parents with unauthorized game purchases, tricking young consumers & using shady practices for billing. I authorized a 1-time Epic Games purchase for my 11 yr-old son, only to discover EG did NOT erase my credit card info, & thus my son has been making unauthorized purchases, racking up $140 in less than 8 days after the initial authorized purchase.”

Epic’s own Fraud and Risk Consultant expressed similar concerns internally and recommended that the company require account holders to confirm their CVV numbers before charging the card on file: “This is standard / best practice and it prevents kids from using mom’s credit card without her permission[.]” However, by the time Epic finally took that advice, the company had already billed account holders for millions of V-Bucks transactions – many of which were unauthorized, according to the FTC. Read the rest of this entry »

Federal Trade Commission takes action against Chegg, an Ed Tech provider, for exposing personal data of millions of customers due to careless security

November 22, 2022

The Federal Trade Commission (the “FTC”) has been quite an assertive regulator on privacy issues in the United States. It has its fair share of detractors; however, it has been successful in developing a body of law relating to businesses not complying with their representations as to privacy and data security. It has been so successful in that respect that Daniel Solove, a prominent privacy academic in the United States, has suggested that the FTC has developed the common law of privacy. The very effective consent agreements the FTC has developed, enforceable undertakings in Australian parlance, should provide a very useful template when drafting obligations on entities in Australia which interfere with Australians’ privacy. The enforceable undertakings imposed by the Australian Information Commissioner to date are anemic by comparison. They may also be useful inspiration when, hopefully and eventually, individuals have a right to bring action against companies and government agencies and terms of settlement are required.

The FTC has brought an action against Chegg for careless security which led to four separate data breaches in the space of 3 years, being:

  • in September 2017, Chegg employees fell for a phishing attack, giving the threat actors access to employees’ direct deposit information
  • in April 2018, a former contractor accessed one of Chegg’s S3 databases using an AWS Root Credential to exfiltrate a database containing personal information of approximately 40 million users of the Chegg platform. Chegg only discovered this data breach when informed by a threat intelligence vendor
  • in April 2019, a senior Chegg executive fell victim to a phishing attack, giving the threat actor access to the executive’s credentials to Chegg’s email platform and exposing personal information about consumers and employees of Chegg. The email system was in a default configuration state that allowed a bypass of Chegg’s multifactor authentication requirement.
  • in April 2020, Chegg’s senior employee responsible for payroll fell victim to a phishing attack, giving the threat actor access to the employee’s credentials to Chegg’s payroll system. W-2 information, including the birthdates and Social Security numbers, of approximately 700 current and former employees, was exfiltrated.
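
The second breach above turned on a root credential being used to reach S3, and the FTC’s complaint against Blackbaud (earlier on this page) likewise faults a failure to monitor for intrusions. The script below is an added example, not code from this page, from Chegg, Blackbaud or the FTC: it shows the kind of detection a defender would run over AWS CloudTrail records to surface any use of the account root credential, and to rate root access to object storage as the most severe case. The field names (userIdentity.type, eventSource, eventName, sourceIPAddress, requestParameters.bucketName) are CloudTrail’s own; the sample records, account id, IP addresses and bucket name are constructed for the example.

```python
"""Detect use of the AWS account root credential in CloudTrail-style events.

Added illustration, not code from the page, Chegg, Blackbaud or the FTC. The
records are constructed to resemble CloudTrail entries: the field names are
CloudTrail's own, every value is invented. Routine work performed with the root
credential is itself the finding; root access to S3 data is rated critical.
"""
import json
from collections import defaultdict

# Constructed sample log, one JSON record per line (not real events). The last
# line is deliberately truncated to show that malformed records are skipped.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "requestParameters": {"bucketName": "user-data-export", "key": "users.csv"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
]) + "\n{\"eventTime\": \"2024-01-01T10:08:00Z\", \"eventSource\""

# S3 calls that read or enumerate stored data; root performing these is critical.
S3_DATA_EVENTS = {"GetObject", "ListBuckets", "ListObjects", "ListObjectsV2", "CopyObject"}


def parse_events(log_text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or corrupt record must not stop the scan
    return events


def detect_root_usage(events):
    """Return one finding per event made with the account root credential."""
    findings = []
    for e in events:
        identity = e.get("userIdentity") or {}
        if identity.get("type") != "Root":
            continue
        is_s3_data = (e.get("eventSource") == "s3.amazonaws.com"
                      and e.get("eventName") in S3_DATA_EVENTS)
        findings.append({
            "time": e.get("eventTime"),
            "source_ip": e.get("sourceIPAddress"),
            "event": f'{e.get("eventSource")}:{e.get("eventName")}',
            "bucket": (e.get("requestParameters") or {}).get("bucketName"),
            "severity": "critical" if is_s3_data else "high",
        })
    return findings


def findings_by_source_ip(findings):
    """Group findings by caller IP so one session of root activity reads as a whole."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["source_ip"]].append(f)
    return dict(grouped)


if __name__ == "__main__":
    found = detect_root_usage(parse_events(SAMPLE_LOG))
    for ip, items in findings_by_source_ip(found).items():
        print(f"root activity from {ip}: {len(items)} event(s)")
        for f in items:
            print(f"  [{f['severity']}] {f['time']} {f['event']} bucket={f['bucket']}")
```

Run against a real CloudTrail export the same logic applies unchanged; the point is that any `userIdentity.type` of `Root` outside a documented break-glass window deserves an alert, and the grouping by source address makes a burst of root activity from one host stand out rather than appearing as unrelated events.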

Needless to say the failure of Chegg to improve data security after the first and second data breaches is a focus of the FTC complaint.

The above data breaches are regular enough occurrences in Australia.  The failure to properly remediate and improve data security after a data breach is also all too common with Australian organisations.

The FTC statement Read the rest of this entry »
