Privacy Report: Airline Sues Software Provider Over Data Breach

Headlines that matter for privacy and data security.

Federal US News

Delta Sues Software Provider Over Data Breach

Delta Airlines sued its customer service chat provider, [24]7.ai Inc., in New York federal court accusing it of lax digital security practices that allowed a hacker to steal the personal information of more than 800,000 people.

In its complaint, the airline detailed a timeline of the 2017 breach, quoted from security agreements with [24]7, arguing that it should cover the costs Delta incurred following the discovery of the hacking. Delta submitted a [24]7 white paper about security practices that had been shared with the airline as part of the chat company’s bid for the Delta customer service contract. The white paper describes the company’s compliance with its clients’ security protocols, training given to [24]7 employees on best practices for security and its strict company policies on accessing sensitive tools. Nevertheless, Delta said that the inadequate authentication practices that resulted in the breach include multiple [24]7 employees using the same login, giving source code access to users who did not need it, using passwords that were not secure enough, not setting automatic expiration dates for passwords and not requiring multi-factor authentication for source code access.

“Had defendants employed even basic access restrictions, the attackers would not have been able to modify defendants’ source code to allow the collection of PII from visitors on Delta’s website. In other words, the data breach would never have happened,” Delta said.

Email Management Company Settles with FTC

Unroll.me Inc., a company that helps people manage their email list subscriptions but also sells users’ purchasing data, has settled with the FTC after allegations of deceiving consumers. The service misled its users by telling them it needed access to their emails solely to track what newsletters they had signed up for, but the company did not mention that it also scanned user emails to find purchasing receipts it then sold to third parties for market research.

“You need to authorize us to access your emails. Don’t worry, this is just to watch for those pesky newsletters, we’ll never touch your personal stuff,” the company assured consumers who had decided not to sign up after learning that the service required access to their email account. The deceptive messages convinced thousands to change their minds and sign up for Unroll.me, without mentioning that it flipped an anonymized version of that data for profit.

Under the settlement, Unroll.me and its parent company Slice Technologies Inc. agreed to delete purchasing data it collected from those who received the misleading messages unless it gets consent to keep the data. Unroll.me also signed a consent order promising not to misrepresent the extent to which it collects, uses, stores or shares consumer data.

FTC Settles Charges of Falsely Claimed Privacy Shield Compliance

The FTC approved a final consent order settling charges that a background screening company, SecurTest, Inc., falsely claimed to be in compliance with the EU-US and Swiss-US Privacy Shield frameworks. The FTC alleged that while SecurTest initiated a Privacy Shield application in September 2017 with the Department of Commerce, the company did not complete the steps necessary to be certified as complying with the frameworks. Because it failed to complete certification, SecurTest was not a certified participant in the frameworks, despite representations to the contrary on its website.

The settlement with the FTC prohibits SecurTest from misrepresenting its participation in any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization, including the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks. It also must comply with reporting and compliance requirements.

State US News

Online Sock Retailer Resolves Claims of Violating Massachusetts Law requiring WISPs

Bombas, an online retailer of socks, will pay $85,000 to resolve allegations that it violated consumer protection and data security laws by failing to protect the personal information of 1,361 Massachusetts residents online. The Massachusetts AG’s Office began an investigation after receiving a notification from Bombas in May 2018 that its website was breached and the sensitive personal information of more than 1,000 Massachusetts consumers was compromised between September 2014 and early 2015. The breach, which occurred when unauthorized parties installed malicious code into Bombas’ online shopping cart feature, compromised names, addresses, and credit card numbers of thousands of Bombas’ customers.

The AG’s Office alleges Bombas failed to comply with Massachusetts data security regulations because it did not have a written information security program (WISP) that included reasonable safeguards over consumers’ credit card information. In the assurance of discontinuance Bombas agreed to comply with state laws and implement policies to improve the security of its systems and protect its customers’ sensitive data. 

EU News

New Research Exposes Perils of Bogus DSARS with Implications for CCPA

At the Black Hat conference, a security researcher presented research on using access rights available under the GDPR for identity theft purposes. The researcher “attempted to steal as much information as possible” about his fiancé by submitting GDPR access requests in her name to more than 150 companies in the US and UK. 24 percent of the companies provided personal information in response to the bogus requests.

While the study focused on the GDPR, the results are indicative of concerns applicable more broadly to other privacy laws that grant access rights to individuals, including the forthcoming CCPA. This could be particularly problematic in a CCPA context given that the statute defines personal information to include information associated with a consumer’s “household.” The study suggests a number of potential steps that various stakeholders could take to remediate the risk of unauthorized disclosure of personal information in response to access requests. For instance, legislators and regulators could reduce these risks by “assuring businesses that rejecting a suspicious right of access request in good faith will not later result in prosecution if it turns out that the request originated from a legitimate but suspiciously-behaving data subject.”

Covert Recording in Smartphone Era: What do Employers Need to Consider?

The UK Employment Appeal Tribunal (EAT) recently dealt with an employee making a covert recording during a HR meeting and the case sets out some issues for employers to consider. Following an internal restructure, a payroll officer for Phoenix Housing became distressed and believed she had been treated differently throughout the process. After an incident at work, she attended a meeting with HR, which she covertly recorded on her mobile phone. The employee was ultimately dismissed for other reasons and brought an unfair dismissal claim.

The EAT decided she had been unfairly dismissed; however her award was reduced by 30%, 10% of which was attributed to the covert recording. Phoenix House appealed, arguing that the covert recording was a breach of the implied duty of trust and confidence, which amounted to gross misconduct. If they had known about it they would have dismissed her—the tribunal award should therefore be reduced by 100%. The EAT upheld the employment tribunal’s decision to only apply a 10% reduction of the award, considering:

  • The employee was flustered in making the recording, not entirely sure it would be successful;
  • The content of the meeting had not been highly confidential and would have been transcribed in any event;
  • The recording contained elements detrimental to her own case.

Finally, the EAT discussed the fact that covert recording equipment is now readily accessible to employees, with the vast majority of individuals now carrying mobile phones with audio and video recording capabilities. 

Global News

Canadian Federal Privacy Legislation May Change for Digital Age

The Canadian Department of Justice is requesting comments on the Privacy Act, the legal framework governing personal information in the federal public sector, to account for digital transformation which has “reshaped the ways we can flourish as citizens and human beings, how we pursue our personal and public relationships, how we communicate, how we access services, and how we can be supported, regulated, and protected by [the] government.”

In particular, they are seeking comments on (i) government institutions collecting specific personal information publicly available on the Internet and social media, (ii) factors to consider to allow personal information sharing and re-use between authorized services and programs, (iii) applying standards for privacy by design, reasonableness and proportionality, and (iv) how institutions can demonstrate accountability to the public and the Privacy Commissioner.

Continue Reading