- Increased Adoption of Generative AI and Push to Minimize Algorithmic Biases – Generative AI took center stage in 2023 and popularity of this technology will continue to grow. The importance behind the art of crafting nuanced and effective prompts will heighten, and there will be greater adoption across a wider variety of industries. There should be advancements in algorithms, increasing accessibility through more user-friendly platforms. These can lead to increased focus on minimizing algorithmic biases and the establishment of guardrails governing AI policies. Of course, a keen awareness of the ethical considerations and policy frameworks will help guide generative AI’s responsible use.
- Convergence of AR/VR and AI May Result in “AR/VR on steroids.” The fusion of Augmented Reality (AR) and Virtual Reality (VR) technologies with AI unlocks a new era of customization and promises enhanced immersive experiences, blurring the lines between the digital and physical worlds. We expect to see further refining and personalizing of AR/VR to redefine gaming, education, and healthcare, along with various industrial applications.
- EV/Battery Companies Charge into Greener Future. With new technologies and chemistries, advancements in battery efficiency, energy density, and sustainability can move the adoption of electric vehicles (EVs) to new heights. Decreasing prices for battery metals can help make EVs more competitive with traditional vehicles. AI may provide new opportunities in optimizing EV performance and help solve challenges in battery development, reliability, and safety.
- “Rosie the Robot” is Closer than You Think. With advancements in machine learning algorithms, sensor technologies, and integration of AI, the intelligence and adaptability of robotics should continue to grow. Large language models (LLMs) will likely encourage effective human-robot collaboration, and even non-technical users will find it easy to employ robotics to accomplish a task. Robotics is developing into a field where machines can learn, make decisions, and work in unison with people. It is no longer limited to monotonous activities and repetitive tasks.
- Unified Defense in Battle Against Cyber-Attacks. Digital threats are expected to only increase in 2024, including more sophisticated AI-powered attacks. As the international battle against hackers rages on, threat detection, response, and mitigation will play a crucial role in staying ahead of rapidly evolving cyber-attacks. Given the risks to national security and economic growth, there should be increased collaboration between industries and governments to establish standardized cybersecurity frameworks to protect data and privacy.
Cybersecurity Awareness Dos and Don’ts Refresher
As we have adjusted to a combination of hybrid, in-person and remote work conditions, bad actors continue to exploit the vulnerabilities associated with our work and home environments. Below are a few tips to help employers and employees address the security threats and challenges of our new normal:
- Monitoring and awareness of cybersecurity threats as well as risk mitigation;
- Use of secure Wi-Fi networks, strong passwords, secure VPNs, network infrastructure devices and other remote working devices;
- Use of company-issued or approved laptops and sandboxed virtual systems instead of personal computers and accounts, as well as careful handling of sensitive and confidential materials; and
- Preparing to handle security incidents while remote.
Be on the lookout for phishing and other hacking attempts.
Be on high alert for cybersecurity attacks, as cybercriminals are always searching for security vulnerabilities to exploit. A malicious hacker could target employees working remotely by creating a fake coronavirus notice or a phony request for charitable contributions, or even go so far as to impersonate someone from the company’s Information Technology (IT) department. Employers should educate employees on the red flags of phishing emails and continuously remind employees to remain vigilant of potential scams, exercise caution when handling emails and report any suspicious communications.
Maintain a secure Wi-Fi connection.
Information transmitted over public and unsecured networks (such as a free café, store or building Wi-Fi) can be viewed or accessed by others. Employers should configure VPN for telework and enable multi-factor authentication for remote access. To increase security at home, employers should advise employees to take additional precautions, such as using secure Wi-Fi settings and changing default Wi-Fi passwords.
Change and create strong passwords.
Passwords that use pet or children’s names, birthdays or any other information that can be found on social media can be easily guessed by hackers. Employers should require account and device passwords to be sufficiently long and complex and to include upper- and lower-case letters, numbers and special characters. As an additional precaution, employees should consider changing their passwords before transitioning to remote work.
Update and secure devices.
To reduce system flaws and vulnerabilities, employers should regularly update VPNs, network infrastructure devices and devices being used for remote work, as well as advise employees to promptly accept updates to operating systems, software and applications on personal devices. When feasible, employers should consider implementing additional safeguards, such as keystroke encryption and mobile device management (MDM) on employee personal devices.
Use of personal devices and deletion of electronic files.
Home computers may not have deployed critical security updates, may not be password protected and may not have an encrypted hard drive. To the extent possible, employers should urge employees to use company-issued laptops or sandboxed virtual systems. Where this is not possible, employees should use secure personal computers and employers should advise employees to create a separate user account on personal computers designated for work purposes and to empty trash or recycle bins and download folders.
Prohibit use of personal email for work purposes.
To avoid unauthorized access, personal email accounts should not be used for work purposes. Employers should remind employees to avoid forwarding work emails to personal accounts and to promptly delete emails in personal accounts as they may contain sensitive information.
Secure collaboration tools.
Employees and teams working from home need to stay connected and often rely on instant-messaging and web-conferencing tools (e.g., Slack and Zoom). Employers should ensure company-provided collaboration tools, if any, are secure and should restrict employees from downloading any non-company approved tools. If new collaboration tools are required, IT personnel should review the settings of such tools (as they may not be secure or may record conversations by default), and employers should consider training employees on appropriate use of such tools.
Handle physical documents with care.
Remote work arrangements may require employees to take sensitive or confidential materials offsite that they would not otherwise. Employees should be advised to handle these documents with the appropriate levels of care and avoid printing sensitive or confidential materials on public printers. These documents should be securely shredded or returned to the office for proper disposal.
Develop clear guidelines and train employees on cyberhygiene.
To ensure employees are aware of remote work responsibilities and obligations, employers should prepare clear telework guidelines (and incorporate any standards required by applicable regulatory schemes) and post the guidelines on the organization’s intranet and/or circulate the guidelines to employees via email. A list of key company contacts, including Human Resources and IT security personnel, should be distributed to employees in the event of an actual or suspected security incident.
Prepare for remote activation of incident response and crisis management plans.
Employers should review existing incident response, crisis management and business continuity plans, as well as ensure relevant stakeholders are prepared for remote activation of these plans, such as having hard copies of relevant plans and contact information at home.
How a Zero-Day Flaw in MOVEit Led to a Global Ransomware Attack
In an era where our lives are ever more intertwined with technology, the security of digital platforms is a matter of national concern. A recent large-scale cyberattack affecting several U.S. federal agencies and numerous other commercial organizations emphasizes the criticality of robust cybersecurity measures.
The Intrusion
On June 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) identified an exploit by “Threat Actor 505” (TA505) of a previously unidentified (zero-day) vulnerability in data transfer software called MOVEit. MOVEit is file transfer software used by a broad range of companies to securely transfer files between organizations. Darin Bielby, the managing director at Cypfer, explained that the number of affected companies could be in the thousands: “The Cl0p ransomware group has become adept at compromising file transfer tools. The latest being MOVEit on the heels of past incidents at GoAnywhere. Upwards of 3000 companies could be affected. Cypfer has already been engaged by many companies to assist with threat actor negotiations and recovery.”
CISA, along with the FBI, advised that “[d]ue to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”
Although CISA did not comment on the perpetrator behind the attack, there are suspicions about a Russian-speaking ransomware group known as Cl0p. Much like in the SolarWinds case, they ingeniously exploited vulnerabilities in widely utilized software, managing to infiltrate an array of networks.
Wider Implications
The Department of Energy was among the many federal agencies compromised, with records from two of its entities being affected. A spokesperson for the department confirmed they “took immediate steps” to alleviate the impact and notified Congress, law enforcement, CISA, and the affected entities.
This attack has ramifications beyond federal agencies. Johns Hopkins University’s health system reported a possible breach of sensitive personal and financial information, including health billing records. Georgia’s statewide university system is investigating the scope and severity of the hack affecting them.
Internationally, the likes of BBC, British Airways, and Shell have also been victims of this hacking campaign. This highlights the global nature of cyber threats and the necessity of international collaboration in cybersecurity.
The group claimed credit for some of the hacks in a hacking campaign that began two weeks ago. Interestingly, Cl0p took an unusual step, stating that they erased the data from government entities and have “no interest in exposing such information.” Instead, their primary focus remains extorting victims for financial gains.
Still, although every file transfer service based on MOVEit could have been affected, that does not mean that every file transfer service based on MOVEit was affected. Threat actors exploiting the vulnerability would likely have had to independently target each file transfer service that employs the MOVEit platform. Thus, companies should determine whether their secure file transfer services rely on the MOVEit platform and whether any indicators exist that a threat actor exploited the vulnerability.
A Flaw Too Many
The attackers exploited a zero-day vulnerability that likely exposed the data that companies uploaded to MOVEit servers for seemingly secure transfers. This highlights how a single software vulnerability can have far-reaching consequences if manipulated by adept criminals. Progress, the U.S. firm that owns MOVEit, has urged users to update their software and issued security advice.
Notification Requirements
This exploitation likely creates notification requirements for the myriad affected companies under the various state data breach notification laws and some industry-specific regulations. Companies that own consumer data and share that data with service providers are not absolved of notification requirements merely because the breach occurred in the service provider’s environment. Organizations should engage counsel to determine whether their notification requirements are triggered.
A Call to Action
This cyberattack serves as a reminder of the sophistication and evolution of cyber threats. Organizations using the MOVEit software should analyze whether this vulnerability has affected any of their or their vendors’ operations.
With the increasing dependency on digital platforms, cybersecurity is no longer an option but a necessity. In a world where the next cyberattack is not a matter of “if” but “when,” it is time for a proactive approach to securing our digital realms. Organizations across sectors must prioritize cybersecurity. This involves staying updated with the latest security patches and ensuring adequate protective measures and response plans are in place.
© 2023 Bradley Arant Boult Cummings LLP
Secure Software Regulations and Self-Attestation Required for Federal Contractors
US Policy and Regulatory Alert
Government contractors providing software across the federal government’s supply chain will be required later this year to comply with a new Secure Software Design Framework (SSDF). The SSDF requires software vendors to attest to new security controls in the design of code used by the federal government.
Cybersecurity Compromises of Government Software on the Rise
In the aftermath of the cybersecurity compromises of significant enterprise software systems embedded in government supply chains, the federal government has increasingly prioritized reducing the vulnerability of software used within agency networks. Recognizing that most of the enterprise software used by the federal government is provided by a wide range of private sector contractors, the White House has been moving to impose a range of new software security regulations on both prime and subcontractors. One priority area is an effort to require government contractors to ensure that software used by federal agencies incorporates security by design. As a result, federal contractors supplying software to the government now face a new set of requirements to supply secure software code. That is, they must provide software that is developed with security in mind so that flaws and vulnerabilities can be mitigated before the government buys and deploys the software.
The SSDF as A Government Response
In response, the White House issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028), on 12 May 2021. EO 14028 requires the National Institute of Standards and Technology (NIST) to develop standards, tools, and best practices to enhance the security of the software supply chain. NIST subsequently promulgated the SSDF in special publication NIST SP 800-218. EO 14028 also mandates that the director of the Office of Management and Budget (OMB) take appropriate steps to ensure that federal agencies comply with NIST guidance and standards regarding the SSDF. This resulted in OMB Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18). The OMB memo provides that a federal agency may use software subject to M-22-18’s requirements only if the producer of that software has first attested to compliance with federal government-specified secure software development practices drawn from the SSDF. This means that if the producer of the software cannot attest to meeting the NIST requirements, it will not be able to supply software to the federal government. There are some exceptions and processes for software to gradually enter into compliance under various milestones for improvements, all of which are highly technical and subjective.
In accordance with these regulations, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issued a draft form for collecting the relevant attestations and associated information. CISA released the draft form on 27 April 2023 and is accepting comments until 26 June 2023.[1]
SSDF Implementation Deadline and Requirements for Government Suppliers
CISA initially set a deadline of 11 June 2023 for critical software and 13 September 2023 for non-critical software to comply with SSDF. Press reports indicate that these deadlines will be extended due to both the complexity of the SSDF requirements and the fact that the comment period remains open until 26 June 2023. However, CISA has not yet confirmed an extension of the deadline.
Attestation and Compliance with the SSDF
Based on what we know now, the attestation form generally requires software producers to confirm that:
- The software was developed and built in secure environments.
- The software producer has made a good-faith effort to maintain trusted source code supply chains.
- The software producer maintains provenance data for internal and third-party code incorporated into the software.
- The software producer employed automated tools or comparable processes that check for security vulnerabilities.
Software producers that must comply with SSDF should move quickly and begin reviewing their approach to software security. The SSDF requirements are complex and likely will take time to review, implement, and document. In particular, many of the requirements call for subjective analysis rather than objective evaluation against a set of quantifiable criteria, as is usually the case with such regulations. The SSDF also includes numerous ambiguities. For example, the SSDF requires versioning changes in software to have certain impacts in the security assessment, although the term “versioning” does not have a standard definition in the software sector.
Next Steps and Risks of Noncompliance
Critically, the attestations on the new form carry risk under the civil False Claims Act for government contractors and subcontractors. Given the fact that many of the attestations require subjective analysis, contractors must take exceptional care in completing the attestation form. Contractors should carefully document their assessment that the software they produce is compliant. In particular, contractors and other interested parties should use this opportunity to share feedback and insights with CISA through the public comment process.
K&L Gates lawyers in our National Security Practice are closely tracking the implementation of these new requirements.
[1] 88 Fed. Reg. 25,670.
Clop Claims Zero-Day Attacks Against 130 Organizations
Russia-linked ransomware gang Clop has claimed that it has attacked over 130 organizations since late January, using a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, and was successful in stealing data from those organizations. The vulnerability is CVE-2023-0669, which allows attackers to achieve remote code execution.
The manufacturer of GoAnywhere MFT notified customers of the vulnerability on February 1, 2023, and issued a patch for the vulnerability on February 7, 2023.
HC3 issued an alert on February 22, 2023, warning the health care sector about Clop targeting healthcare organizations and recommended:
- Educate and train staff to reduce the risk of social engineering attacks via email and network access.
- Assess enterprise risk against all potential vulnerabilities and prioritize implementing the security plan with the necessary budget, staff, and tools.
- Develop a cybersecurity roadmap that everyone in the healthcare organization understands.
Security professionals are recommending that information technology professionals update machines to the latest GoAnywhere version and “stop exposing port 8000 (the internet location of the GoAnywhere MFT admin panel).”
Privacy Tip #358 – Bank Failures Give Hackers New Strategy for Attacks
Hackers are always looking for the next opportunity to launch attacks against unsuspecting victims. According to Cybersecurity Dive, researchers at Proofpoint recently observed “a phishing campaign designed to exploit the banking crisis with messages impersonating several cryptocurrencies.”
According to Cybersecurity Dive, cybersecurity firm Arctic Wolf has observed “an uptick in newly registered domains related to SVB since federal regulators took over the bank’s deposits…” and “expects some of those domains to serve as a hub for phishing attacks.”
This is the modus operandi of hackers. They use times of crises, when victims are vulnerable, to launch attacks. Phishing campaigns continue to be one of the top risks to organizations, and following the recent bank failures, everyone should be extra vigilant of urgent financial requests and emails spoofing financial institutions, and take additional measures, through multiple levels of authorization, when conducting financial transactions.
We anticipate increased activity following these recent financial failures attacking individuals and organizations. Communicating the increased risk to employees may be worth consideration.
FTC Launches New Office of Technology
On February 17, 2023, the Federal Trade Commission announced the launch of its new Office of Technology. The Office of Technology will assist the FTC by strengthening and supporting law enforcement investigations and actions, advising and engaging with staff and the Commission on policy and research initiatives, and engaging with the public and relevant experts to identify market trends, emerging technologies and best practices. The Office will have dedicated staff and resources and be headed by Chief Technology Officer Stephanie T. Nguyen.
Article By Hunton Andrews Kurth’s Privacy and Cybersecurity Practice Group
SUPERBOWL CIPA SUNDAY: Does Samsung’s Website Chat Feature Violate CIPA?
Happy CIPA and Super Bowl Sunday TCPA World!
So, Samsung is under the spotlight with a new CIPA case brought by a self-proclaimed “tester.” You know like Rosa Parks?? Back to that in a bit.
The California Invasion of Privacy Act (“CIPA”) prohibits both wiretapping and eavesdropping of electronic communications without the consent of all parties to the communication. The Plaintiff’s bar is zeroing in on CIPA with the Javier ruling.
If you recall, Javier found that “[T]hough written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’” Javier v. Assurance IQ, LLC, 2022 WL 1744107, at *1 (9th Cir. 2022).
Here, Plaintiff Garcia claims that Defendant both wiretaps the conversations of all website visitors and allows a third party to eavesdrop on the conversations in real time during transmission. Garcia v. Samsung Electronics America, Inc.
To enable the wiretapping, Plaintiff claims that Defendant has covertly embedded software code that functions as a device and contrivance into its website that automatically intercepts, records and creates transcripts of all conversations using the website chat feature.
To enable the eavesdropping, Defendant allows at least one independent third-party vendor to secretly intercept (during transmission and in real time), eavesdrop upon, and store transcripts of Defendant’s chat communications with unsuspecting website visitors – even when such conversations are private and deeply personal.
Plaintiff currently proceeds in an individual action, but if Samsung does not take appropriate steps to fully remedy the harm caused by its wrongful conduct, then Garcia will file an amended Complaint on behalf of a class of similarly aggrieved consumers.
Now back to Civil Rights.
According to this Complaint, Garcia is like Rosa Parks, you know, the civil rights activist. Why?
Well, because “Civil rights icon Rosa Parks was acting as a “tester” when she initiated the Montgomery Bus Boycott in 1955, as she voluntarily subjected herself to an illegal practice to obtain standing to challenge the practice in Court.”
Because wiretapping and civil rights are similar, right??
Disgusted.
The Plaintiff’s bar has no problem muddying the waters to appeal to the courts.
Do better.
CIPA is some dangerous stuff. Websites use chat features to engage with consumers all the time. It seems like it is easier to communicate via chat or text than to sit on a call waiting for an agent – assuming you get an agent. But maybe not?
Stay safe out there TCPA World!
Til next time, Countess!! Back to the game, GO EAGLES!!! #Phillyproud
What’s New in 5G – February 2023
The next generation of wireless technologies – known as 5G – is expected to revolutionize business and consumer connectivity, offering network speeds that are up to 100 times faster than 4G LTE, reducing latency to nearly zero, and allowing networks to handle 100 times the number of connected devices, enabling the “Internet of Things.” Leading policymakers – federal regulators and legislators – are making it a top priority to ensure that the wireless industry has the tools it needs to maintain U.S. leadership in commercial 5G deployments. This blog provides monthly updates on FCC actions and Congressional efforts to win the race to 5G.
Regulatory Actions and Initiatives
Spectrum
- The FCC grants relief to a 600 MHz licensee serving Tribal Nations, giving it more time to complete and deploy its wireless network.
  - On January 4, 2023, the FCC’s Wireless Telecommunications Bureau (“WTB”) released an Order granting a third request by Pine Cellular Phones, Inc. (“Pine Cellular”) to extend its construction deadline for one of its 600 MHz licenses by one year from January 9, 2023 to January 9, 2024. In 2019, Pine Cellular was a winning bidder in the Broadcast Incentive Auction (Auction No. 1002) of two 600 MHz licenses. After the licenses were awarded, the FCC prohibited the use of funding from the Universal Service Fund for equipment and services deemed to pose a national security risk. Pine Cellular planned to rely on that now-prohibited equipment to meet its construction requirement, but it has since been unable to acquire and install compliant equipment due, in part, to global supply chain issues. The WTB granted Pine Cellular’s request because it recognized that the only way for Pine Cellular to fulfill its construction requirement is to remove and replace all prohibited equipment in its network and that termination of the license would not facilitate the provision of wireless broadband service, particularly to the Choctaw Nation, which is covered by Pine Cellular’s license.
- The FCC grants additional licenses for spectrum in the 2.5 GHz band for commercial wireless services.
  - The WTB released a Public Notice on January 5, 2023, announcing the grant of four additional licenses for spectrum in the 2.5 GHz band, the auction for which concluded on August 29, 2022. A list of the licenses, sorted by licensee, is available here, and a list of the same licenses, sorted by market, is available here.
- The FCC takes further action to enable commercial operations through spectrum sharing in the 3.5 GHz band.
  - On January 10, 2023, the WTB and Office of Engineering and Technology (“OET”) released a Public Notice approving the new Environmental Sensing Capability (“ESC”) sensor deployment and coverage plans of Federated Wireless in the 3.5 GHz band. Federated Wireless is now authorized to operate its ESC sensors to protect federal incumbents in Alaska and must, among other things, operate in conjunction with at least one Spectrum Access System (“SAS”), which manages non-federal access to the 3.5 GHz band, that has been approved for commercial deployment.
  - In addition, the WTB and OET released a Public Notice on January 12, 2023, certifying that the SAS operated by RED Technologies SAS (“RED”) has satisfied the FCC’s testing requirements and been approved to begin its initial commercial deployment (“ICD”), subject to certain conditions. After RED operates its ICD, it is required to submit a report, and assuming that the report is satisfactory, RED will then receive authorization to operate for a five-year term.
- The FCC revises its framework for making public safety spectrum in the 4.9 GHz band available for commercial wireless services.
  - On January 18, 2023, the FCC released an Order and Further Notice of Proposed Rulemaking establishing rules that provide for a nationwide Band Manager for public safety operations in the 4940-4990 MHz (“4.9 GHz”) band. The Order replaces the previous framework for the 4.9 GHz band, which allowed states to lease the spectrum to third parties, including commercial entities, through a designated statewide lessor. The new framework will allow the Band Manager to coordinate all use of the spectrum nationwide, including by making it available for secondary, non-public safety use – such as commercial 5G wireless services – by allowing non-public safety entities to lease unused 4.9 GHz band spectrum. The Further Notice seeks comment on implementing the new leasing framework and selecting the Band Manager. Comments and reply comments on the Further Notice will be due 30 days and 60 days, respectively, after publication in the Federal Register.
Other Agency Actions
- The Federal Aviation Administration proposes requirements to help foster coexistence between 5G operations in the C-band and aircraft relying on radio altimeters.
  - On January 22, 2023, a Notice of Proposed Rulemaking issued by the Federal Aviation Administration (“FAA”) was published in the Federal Register. The Notice proposes to update the FAA’s existing Airworthiness Directive (“AD”) regarding the coexistence of licensees of spectrum in the 3.7-4.2 GHz band (“C-band”) and radio altimeters. Specifically, the FAA proposes interference tolerance requirements for radio altimeters and requirements that all aircraft operating under its rules meet power spectral density requirements to operate in the contiguous U.S. after February 2, 2024. The FAA has determined that radio altimeter tolerant airplanes will not experience unsafe conditions at any airport identified by the FAA as a 5G market. It has also determined that any 5G C-band provider that maintains the mitigated actions, which are based on the power levels to which Verizon and AT&T previously agreed, will not have an effect on the safety of transport and commuter airplanes with radio altimeters that meet the interference tolerance requirements. The FAA will assess changes in the agreed-upon power levels. Comments on the FAA’s proposals are due February 10, 2023.
- The Department of Defense seeks comment on developing a spectrum roadmap.
  - On January 4, 2023, the Department of Defense (“DoD”) released a Request for Information seeking input to support the development of a Next-Generation Electromagnetic Spectrum Strategic Roadmap, which Congress requested of DoD in a June 2022 letter. Among other things, DoD requests input on its ability to use commercial systems for its operations and spectrum sharing. The deadline for providing input is February 10, 2023 at 2:00 pm ET.
5G Networks and Equipment
- The FCC reminds rip-and-replace funding recipients of their reporting obligations.
  - On January 11, 2023, the FCC’s Wireline Competition Bureau released a Public Notice reminding parties that receive funding from the FCC’s Reimbursement Program to remove and replace equipment that poses a national security risk of their obligation to file their Reimbursement Program spending reports. The spending reports, which, among other things, must include a detailed accounting of the covered equipment and services that have been removed and replaced, are due by February 10, 2023.
Privacy Tip #359 – GoodRx Settles with FTC for Sharing Health Information for Advertising
According to the press release, the FTC alleged that GoodRx failed “to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.”
In the proposed federal court order (the Order), GoodRx will be “prohibited from sharing user health data with applicable third parties for advertising purposes.” The complaint alleged that GoodRx told consumers that it would not share personal health information, and it monetized users’ personal health information by sharing consumers’ information with third parties such as Facebook and Instagram to help target users with ads for personalized health and medication-specific ads.
The complaint also alleged that GoodRx “compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.” It also alleges that those third parties then used the information received from GoodRx for their own internal purposes to improve the effectiveness of the advertising.
The proposed Order must be approved by a federal court before it can take effect. To address the FTC’s allegations, the Order prohibits the sharing of health data for ads; requires user consent for any other sharing; stipulates that the company must direct third parties to delete consumer health data; limits the retention of data; and requires implementation of a mandated privacy program.