Privacy Report: FTC Warns Companies to Remediate Log4j Security Vulnerability
Headlines that Matter for Privacy and Data Security
US News
FTC Warns Companies to Remediate Log4j Security Vulnerability
Log4j is a ubiquitous open-source Java logging library used to record activity in systems ranging from consumer-facing products and services to enterprise software and web applications. A serious vulnerability in the package (CVE-2021-44228) was recently disclosed; it allows remote code execution and therefore poses a severe risk across that entire range. It is critical that companies, and the vendors they rely on, act now to remediate: doing so reduces the likelihood of harm to consumers and avoids Federal Trade Commission (FTC) legal action.
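The first remediation step is finding every copy of log4j-core in the estate, including copies buried inside WAR and EAR files, and checking whether each one is an affected version with the JNDI lookup class still present. The scanner below is an added example, not code from the FTC alert or from the Log4j project. It assumes that official log4j-core JARs carry a Maven pom.properties with a version line, that 2.0-beta9 through 2.14.1 are affected by CVE-2021-44228 while 2.15.0 and later, and the 2.12.2 and 2.3.1 backports for older Java runtimes, contain the fix, and that deleting JndiLookup.class is an accepted stop-gap mitigation; the sample JARs it inspects are constructed in memory.

```python
"""Scan JAR/WAR/EAR archives (including nested ones) for Log4j 2 core and flag
versions affected by CVE-2021-44228.

Added example, not code from the FTC alert. Assumptions:
  * official log4j-core JARs carry
    META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties with a
    'version=' line;
  * 2.0-beta9 .. 2.14.1 are affected; 2.15.0+, and the backports 2.12.2+ and
    2.3.1+ for older Java runtimes, contain the fix (later follow-on CVEs for
    2.15.0/2.16.0 are out of scope here);
  * deleting org/apache/logging/log4j/core/lookup/JndiLookup.class from the JAR
    is an accepted mitigation when an upgrade is not yet possible.
"""
import io
import os
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
_VERSION_LINE = re.compile(r"^version\s*=\s*(\S+)", re.MULTILINE)


def version_tuple(ver):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped, which errs on the side of flagging (2.0-beta8 and earlier did not
    ship JndiLookup, but treating them as affected costs nothing)."""
    nums = [int(x) for x in re.findall(r"\d+", ver.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(ver):
    """True if this log4j-core version is in the CVE-2021-44228 range."""
    v = version_tuple(ver)
    if v[0] != 2:
        return False            # only Log4j 2.x core is in scope for this CVE
    if v >= (2, 15, 0):
        return False
    if v[:2] == (2, 12) and v >= (2, 12, 2):
        return False            # Java 7 backport carrying the fix
    if v[:2] == (2, 3) and v >= (2, 3, 1):
        return False            # Java 6 backport carrying the fix
    return True


def inspect_archive(data, label):
    """Return a list of findings for one archive (bytes) and any archives nested
    inside it, e.g. WEB-INF/lib/*.jar in a WAR."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    has_jndi = JNDI_CLASS in names
    if POM_PROPS in names:
        m = _VERSION_LINE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
        ver = m.group(1) if m else "unknown"
        findings.append({
            "archive": label,
            "version": ver,
            "jndi_lookup_present": has_jndi,
            # affected version AND lookup class still present => exploitable path
            "vulnerable": has_jndi and (ver == "unknown" or is_affected(ver)),
        })
    elif has_jndi:
        # log4j-core shaded into another JAR without its pom.properties
        findings.append({"archive": label, "version": "unknown",
                         "jndi_lookup_present": True, "vulnerable": True})
    for n in names:
        if n.lower().endswith(ARCHIVE_EXT):
            findings.extend(inspect_archive(zf.read(n), f"{label}!/{n}"))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def make_sample_jar(version, include_jndi=True, nest_in_war=False):
    """Constructed fixture: a minimal in-memory log4j-core-like JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
    jar = buf.getvalue()
    if not nest_in_war:
        return jar
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar)
    return war.getvalue()


if __name__ == "__main__":
    for ver, jndi, nested in [("2.14.1", True, True), ("2.14.1", False, False),
                              ("2.12.2", True, False), ("2.17.1", True, False)]:
        for f in inspect_archive(make_sample_jar(ver, jndi, nested), f"sample-{ver}"):
            print(f)
```

Point scan_tree at an application server's deployment directory to run it on a real host. A finding with version "unknown" and the lookup class present means log4j-core was shaded into another artifact and needs a manual look, and a finding with the class absent records that the mitigation has been applied but an upgrade is still owed.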
Defense Contractor Cybersecurity Recommendations
Defense contractors are targets for hackers trying to access sensitive data. The Department of Defense (DOD) is developing a framework to certify that contractors have proper cybersecurity practices in place to protect that data, and it worked with industry and outside experts on the framework. However, its plans to start certifying contractors have been delayed, and DOD has not communicated key details to contractors, such as whether its certification will be accepted reciprocally with other certifications. In addition, DOD will not know how effective the certification is until it sets performance goals; the Government Accountability Office (GAO) therefore recommends that DOD develop outcome-oriented performance measures.
Advertising Platform OpenX Will Pay $2 Million for Collecting Personal Information from Children in Violation of Children’s Privacy Law
California-based online advertising platform OpenX Technologies, Inc. will be required to pay $2 million to settle FTC allegations that the company collected personal information from children under 13 without parental consent, a direct violation of the Children’s Online Privacy Protection Act (COPPA), the federal children’s privacy law. The FTC also alleged that, despite offering an opt-out option, OpenX collected geolocation information from users who had specifically asked not to be tracked. In addition to the $2 million payment, the order requires OpenX to delete all ad request data it collected to serve targeted ads and to implement a comprehensive privacy program to ensure it complies with COPPA and stops collecting and retaining personal data of children under 13.
Apple Implements an App Privacy Report
Apple now gives users greater transparency into the data and privacy activity of apps through an App Privacy Report covering data access, sensor access, and network activity. Users can see how many times an app accessed privacy-sensitive data in the past seven days, including location, photos, camera, microphone, contacts, and more, and can tap each app and data type for specifics. If an app is accessing data in a way the user did not expect, the user can update that app’s privacy settings.
New York Attorney General Alerts 17 Companies to Credential Stuffing Cyberattacks
New York Attorney General Letitia James announced the results of a sweeping investigation into “credential stuffing” that found more than 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. Attorney General James also released a “Business Guide for Credential Stuffing Attacks” that explains the attacks, which involve repeated, automated attempts to log in to online accounts using usernames and passwords stolen from other online services, and how businesses can protect themselves. Credential stuffing has quickly become one of the top attack vectors online. The Office of the Attorney General (OAG) found thousands of posts containing customer login credentials that attackers had tested in credential stuffing attacks and confirmed could be used to access customer accounts on websites or in apps. From these posts, the OAG compiled credentials for compromised accounts at 17 well-known online retailers, restaurant chains, and food delivery services, more than 1.1 million customer accounts in all, every one of which appeared to have been compromised through credential stuffing. The OAG alerted each of the 17 companies to the compromised accounts and urged them to investigate and take immediate steps to protect affected customers; every company did so. The companies’ investigations revealed that most of the attacks had not previously been detected.
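The finding that most of the attacks had gone undetected is the operational point: a stuffing run looks different from a user mistyping a password, because one source walks many distinct usernames with a very high failure rate, and the few logins that succeed are the compromised accounts the OAG urged companies to protect. The detector below is an added example, not code from the OAG guide or from any of the 17 companies. It assumes a simple constructed log format (timestamp, client IP, username, result) and hypothetical thresholds; the sample log lines, including the bot burst, are constructed here.

```python
"""Flag credential-stuffing patterns in web-app login logs.

Added example, not part of the OAG guide. Log format and thresholds are
assumptions: one line per login attempt, space-separated,
    <ISO8601 timestamp> <client_ip> <username> <ok|fail>
arriving in chronological order. Signal: one source tries many *distinct*
usernames in a short window with a high failure rate. A real user fails a
handful of times on one or two accounts; a stuffing bot replays a leaked list.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)     # sliding window per source IP (assumption)
MIN_ATTEMPTS = 20                  # thresholds are illustrative, tune per site
MIN_DISTINCT_USERS = 10
MIN_FAIL_RATIO = 0.9


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def detect_stuffing(lines, window=WINDOW, min_attempts=MIN_ATTEMPTS,
                    min_distinct=MIN_DISTINCT_USERS, min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: alert} for sources whose sliding window crosses every
    threshold. Once a source is flagged, every successful login it produced
    is recorded as a likely compromised account (candidate for forced reset)."""
    recent = defaultdict(deque)            # ip -> deque of (ts, user, ok)
    alerts = {}
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:       # drop events older than the window
            q.popleft()
        attempts = len(q)
        distinct = len({u for _, u, _ in q})
        fails = sum(1 for _, _, k in q if not k)
        if (ip not in alerts and attempts >= min_attempts
                and distinct >= min_distinct and fails / attempts >= min_fail_ratio):
            alerts[ip] = {"first_seen": q[0][0], "flagged_at": ts,
                          "attempts": attempts, "distinct_users": distinct,
                          "fail_ratio": round(fails / attempts, 2),
                          "compromised_accounts": set()}
        if ip in alerts:
            alerts[ip]["compromised_accounts"].update(u for _, u, k in q if k)
    return alerts


def build_sample_log():
    """Constructed log: one legitimate user with two typos, then a bot that
    replays 30 leaked username/password pairs in about five minutes, two of
    which still work on this site."""
    lines = [
        "2022-01-05T10:00:00 203.0.113.7 alice fail",
        "2022-01-05T10:00:20 203.0.113.7 alice fail",
        "2022-01-05T10:00:45 203.0.113.7 alice ok",
    ]
    start = datetime(2022, 1, 5, 10, 1, 0)
    for i in range(30):
        ts = (start + timedelta(seconds=10 * i)).isoformat()
        result = "ok" if i in (7, 22) else "fail"
        lines.append(f"{ts} 198.51.100.23 user{i:02d}@example.com {result}")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, alert in detect_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

A per-IP key catches the simple case shown here; a stuffing run spread across a residential proxy pool keeps every IP under the threshold, so in practice the same window logic is also run keyed on user agent or ASN, and on the site-wide rate of failures against never-before-seen usernames.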
New York City Passes Law Imposing Conditions on Automated Employment Decision Tools
New York City’s new law on automated employment decision tools has been approved and takes effect January 1, 2023. Under the law, it is unlawful for an employer to use an automated employment decision tool to screen candidates or employees for an employment decision unless the tool has been the subject of a bias audit, a summary of the audit results has been made publicly available on the employer’s website before the tool is used, and candidates and employees are given notice no fewer than ten business days before its use.
Global News
Firefox Now Offers Universal Opt-Out Tool
The newest version of Mozilla’s Firefox browser includes the “Global Privacy Control” (GPC) setting, which lets consumers opt out of the sale or transfer of their data on a universal basis rather than site by site; the browser sends the signal with every request as the Sec-GPC: 1 HTTP header. Global Privacy Control, developed by privacy advocates, was released last year as a downloadable extension and as a setting in some browsers. Mozilla was among the original supporters of the initiative but did not build the feature into Firefox until recently. California’s current privacy law, the California Consumer Privacy Act, requires companies to honor consumers’ requests not to sell their data, and the state’s top law enforcement official has said that companies collecting residents’ personal data must comply with opt-out requests sent through Global Privacy Control.
EDPB Adopts Guidelines on Personal Data Breach Notification
The European Data Protection Board (EDPB) adopted guidelines on personal data breach notification. They are intended to complement the earlier general guidance of the Article 29 Working Party with more specific recommendations and best practices, illustrated by fictitious cases modelled on typical notifications from the regulators’ collective experience. The guidance is organized by attack type: ransomware, data exfiltration attacks, internal human risk sources, lost or stolen devices and paper documents, mispostal, and other cases such as social engineering.
Irish DPC Publishes Final Version of Guidance on Fundamentals for Child-Oriented Approach to Data Processing
The Data Protection Commission (DPC) published the final version of its guidance, “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing” (the Fundamentals). This is the culmination of an intensive three-year project involving three separate stakeholder consultations (including direct consultation with children), engagement with experts in children’s rights, extensive research, and a two-stage drafting process. The Fundamentals introduce child-specific data protection interpretative principles and recommended measures intended to raise the level of protection afforded to children against the data processing risks they face when using or accessing services, online and offline. The Fundamentals will also assist organizations that process children’s data by clarifying the principles, derived from the high-level obligations of the General Data Protection Regulation (GDPR), to which the DPC expects such organizations to adhere.
Tax Administration Fined For Discriminatory And Unlawful Data Processing
The Dutch Data Protection Authority (DPA) has imposed a €2.75 million fine on the Dutch Tax Administration. The fine was imposed because, for many years, the Tax Administration processed data on the (dual) nationality of childcare benefit applicants in an unlawful, discriminatory, and therefore improper manner, which constituted serious violations of the GDPR. The Tax Administration should have deleted the data on the dual nationality of Dutch nationals back in January 2014; by unnecessarily retaining nationality data in its systems, it acted in a discriminatory way. Entitlement to childcare benefits is not contingent on nationality but on lawful residence in the Netherlands.
Data Protection and Privacy Expectations for Online Advertising Proposals
The Information Commissioner of the United Kingdom has issued an Opinion setting out data protection and privacy expectations for online advertising proposals. It is intended to guide market participants on how to demonstrate genuine adherence to the principles of data protection by design and by default, and to bring forward proposals that effectively address the range of data protection and privacy harms characteristic of current approaches to online advertising. For example, the Opinion notes that online tracking, for any purpose, must not be carried out at the expense of individual rights or of compliance with the broader provisions of the law.
Italian Garante’s Updated Guidelines on Cookies and Other Tracking Technologies Go Into Effect
The Italian Data Protection Authority (Garante) adopted a new version of its guidelines on cookies and other tracking mechanisms, which entered into force on January 9, 2022. The guidelines ban cookie walls, prohibit re-presenting the consent banner to a user who has already expressed a preference, require that the banner include an “x” in the corner so users can close it, require a cookie policy explaining the consequences of closing the banner, and require a link to the full privacy policy in the banner itself.
CNIL Issues 30 New Cookie Notices
The French data protection authority (CNIL) has issued roughly 60 cookie notices and 30 new formal orders to organizations that do not allow users to refuse cookies as easily as they can accept them; to date, CNIL has issued orders to nearly 90 entities. CNIL’s recent investigations found that cookies requiring consent were set before the user had accepted them, that information banners were non-compliant because they did not let the user refuse cookies as easily as accept them, and that banners were ineffective because cookies requiring consent were still set after the user had refused.