FTC Settles False Ad Claim with LifeLock for $100M; CISA Signed into Law; University of Washington Settles HIPAA Claims Arising from 2013 Data Breach; Senators Urge White House to Search Social Media Profiles During Visa Background Checks; FTC Announces COPPA Settlements with App Developers; Cybersecurity Enters the 2016 Presidential Race.
FTC Announces Staggering Sum in Settlement with LifeLock
The FTC announced Thursday that identity protection firm LifeLock would pay $100 million to settle allegations that it violated a 2010 federal court order requiring the firm to secure its customers’ personal data – the largest settlement ever reached by the FTC under an order enforcement action. The FTC alleged that LifeLock failed to maintain an adequate information security program and that the firm misled its customers into believing that LifeLock provided security protections tantamount to those offered by financial institutions.
Cybersecurity Bill Signed into Law
On Friday morning, Congress passed a sizeable omnibus spending bill with several policy riders, including the Cybersecurity Information Sharing Act of 2015 (“CISA”). Under CISA, any “non-federal entity” can now share information with federal government agencies “notwithstanding any other provision of law.” CISA also calls for information sharing portals whereby companies can send information to federal law enforcement authorities, and provides liability protections to those entities who voluntarily share cyber threat indicators or defensive measures with the government. President Obama signed the $1.8 trillion deal into law Friday evening.
University Medical Center Settles HIPAA Suit with HHS
The University of Washington this week agreed to pay a $750,000 civil penalty to settle violations of HIPAA privacy, risk management, and breach notification provisions. The HHS complaints followed a November 2013 breach resulting from an employee downloading an email attachment infected with malware, in which over 90,000 UW patient records were compromised. As part of the settlement, the university agreed to implement a corrective action plan and to submit annual reports detailing its compliance program.
For more details about this settlement, see the post by Elliot Golding and Stephanie Willis on the C&M Health Law Blog.
Lawmakers Encourage Surveillance of Visa Applicants’ Social Media
Sens. Mark Kirk (R-IL) and Joe Manchin (D-WV) on Wednesday sent a letter to President Obama imploring DHS to include “social media screening” as part of the standard background check for visa applicants hoping to enter the United States. These legislators join a chorus of American officials calling for such action in the wake of conflicting revelations that Tashfeen Malik, one of the San Bernardino attackers, openly professed her radicalization and her dedication to the Islamic State on her Facebook page. DHS Secretary Jeh Johnson insisted this week that the Department already uses social media in its background checks, but suggested that the Department would be “doing more.”
FTC Accuses App Developers of COPPA Violations
On Wednesday, two app developers—LAI Systems and Retro Dreamer—agreed to pay a combined $360,000 to settle FTC claims that the companies violated the Children’s Online Privacy Protection Act (“COPPA”). The FTC claimed the companies created apps specifically targeting children, including “Friday Night Makeover,” “Animal Sounds,” and “Ice Cream Drop,” without getting the parental consent or sending the parental notice that COPPA requires. This news follows a series of COPPA actions the FTC has filed against app developers in recent years.
Cybersecurity Enters 2016 Presidential Race
On Friday, news reports indicated that staffers on Sen. Bernie Sanders’ presidential campaign exploited a data security flaw in a DNC contractor’s computer system to view confidential Clinton campaign files. The breach occurred when NGP VAN, a tech firm that manages the Democratic National Committee’s 50-state voter list provided to Democratic presidential candidates, accidentally lowered a firewall between the campaigns, allowing rival campaigns to view other candidates’ files.