As part of its ongoing Brazil outreach initiative, a delegation of the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) is in Brasilia and Rio de Janeiro the week of March 23, 2015. The delegation will meet with Brazilian government representatives, organizations and experts to discuss global privacy law and best practice developments and other issues of mutual interest, as well as a joint global privacy dialogue workshop in Brazil planned for later this year.
Specifically, CIPL President Bojana Bellamy and several CIPL members will discuss with potential local partners the venue, timing and agenda for the planned global privacy dialogue workshop. Further, in anticipation of the meetings, CIPL has prepared “Preliminary Comments” on the draft Brazilian privacy law that was issued for public consultation at the end of January 2014. The delegation will discuss these comments with Brazilian counterpart organizations, private sector representatives and policymakers. Upon return, CIPL plans to finalize its comments and to formally submit them at the end of April when the consultation period ends.
The Preliminary Comments focus on several key issues in the draft law that are particularly relevant to CIPL’s work and consistent with global privacy trends, including those focused on using organizational accountability and privacy risk management to enable responsible uses of data and facilitate global data flows in the modern information age. Key issues covered in the comments are:
- the draft law’s jurisdictional scope;
- the controller/processor distinction;
- the status of anonymized data;
- principles of processing;
- purpose specifications and “compatibility” of uses;
- consent and its alternatives and exceptions;
- cross-border transfer mechanisms;
- data transferred to Brazil for processing;
- good practices;
- the time frame for effectiveness of the law; and
- the competent authority.
At the global privacy dialogue workshop in Brazil later this year, CIPL hopes to bring together international privacy experts from the private sector, academia and regulatory authorities with their Brazilian counterparts and government officials to discuss the draft Brazilian privacy law and exchange views on other key issues of global concern relating to modern information use and management.
As I promised during my 2014 Derbycon talk (amongst other places), this is an initial release of my complete re-write/re-design of the dnscat service / protocol. It's now a standalone tool instead of being bundled with nbtool, among other changes. :)
I'd love to have people testing it, and getting feedback is super important to me! Even if you don't try this version, hearing that you're excited for a full release would be awesome. The more people excited for this, the more I'm encouraged to work on it! In case you don't know it, my email address is listed below in a couple places.
Where can I get it?
Here are some links:
Wait, what happened to dnscat1?
I designed dnscat1 to be similar to netcat; the client and server were the same program, and you could tunnel both ways. That quickly became complex and buggy and annoying to fix. It's had unresolved bugs for years! I've been promising a major upgrade for years, but I wanted it to be reasonably stable/usable before I released anything!
Since generic TCP/IP DNS tunnels have been done (for example, by iodine), I decided to make dnscat2 a little different. I target penetration testers as users, and made the server more of a command & control-style service. For example, an old, old version of dnscat2 had the ability to proxy data through the client and out the server. I decided to remove that code because I want the server to be runnable on a trusted network.
Additionally, unlike dnscat1, dnscat2 uses a separate client and server. The client is still low-level portable C code that should run anywhere (tested on 32- and 64-bit Linux, Windows, FreeBSD, and OS X). The server is now higher-level Ruby code that requires Ruby and a few libraries (I regularly use it on Linux and Windows, but it should run anywhere that Ruby and the required gems runs). That means I can quickly and easily add functionality to the server while implementing relatively simple clients.
How can I help?
The goal of this release is primarily to find bugs in compilation, usage, and documentation. Everything should work on all 32- and 64-bit versions of Linux, Windows, FreeBSD, and OS X. If you get it working on any other systems, let me know so I can advertise it!
I'd love to hear from anybody who successfully or unsuccessfully tried to get things going. Anything from what you liked, what you didn't like, what was intuitive, what was unintuitive, where the documentation was awesome, where the documentation sucked, what you like about my face, what you hate about my face—anything at all! Seriously, if you get it working, email me—knowing that people are using it is awesome and motivates me to do more. :)
For feedback, my email address is my first name (ron) at my domain (skullsecurity.net). If you find any bugs or have any feature requests, the best place to go is my Issue tracker.
What's the future hold?
I've spent a lot of time on stability and bugfixes recently, which means I haven't been adding features. The two major features that I plan to add are:
- TCP proxying - basically, creating a tunnel that exits through the client
- Shellcode - a x86/x64 implementation of dnscat for Linux and/or Windows
Once again, I'd love feedback on which you think is more important, and if you're excited to get shellcode, then which architecture/OS that I should prioritize. :)
On March 23, 2015, the Federal Trade Commission announced the formation of the Office of Technology Research and Investigation (“OTRI”), which the FTC describes as “an office designed to expand the FTC’s capacity to protect consumers in an age of rapid technological innovation.”
The OTRI will succeed and expand the focus of the FTC’s previously-created Mobile Technology Unit, which focused on consumer protection issues relating to mobile technologies. The FTC has charged the OTRI with conducting research on technology issues including “privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.”
On March 24, 2015, the CNIL announced the implementation of a new procedure that will simplify the registration formalities for French affiliates of groups that have implemented Binding Corporate Rules (“BCRs”).
Currently, the CNIL’s prior authorization is required for each type of data transfer outside of the EU when the transfer is based on BCRs. The CNIL now proposes to issue a single authorization decision to each group that has implemented BCRs. The group’s affiliates that are data controllers and bound by the BCRs will then need to submit only a simplified registration for all of their data transfers outside of the EU based on the group’s BCRs. The affiliates will not have to obtain the CNIL’s prior authorization for each data transfer.
The CNIL emphasized that these affiliates will have to keep an updated list of their data transfers, which shall be provided to the CNIL upon request, that includes the following information:
- The general purpose of each data transfer covered by the BCRs;
- The categories of data subjects affected by the data transfer;
- The categories of personal data transferred;
- Information relating to each recipient, such as the (1) name of the company, (2) relevant group that adopted the BCRs, (3) country where the recipient is located, (4) category of data recipient (e.g., parent company, subsidiary, etc.), and (5) the type of data processing operations performed by the recipient on the transferred data.
The CNIL will contact more than 60 multinational companies with BCRs in the coming weeks to discuss the CNIL’s single authorization decision that may be granted to the group. By simplifying the registration requirements for data transfers based on BCRs, the CNIL wishes to further promote BCRs which, in the CNIL’s view, show a strong commitment from multinational organizations to protect personal data.
On March 13, 2015, the U.S. Department of Commerce Internet Policy Task Force (“IPTF”) issued a request for public comment regarding cybersecurity issues affecting the digital economy. The IPTF’s request invites all stakeholders interested in cybersecurity to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.” For each issue identified, the IPTF’s request for comment asks interested parties to opine on a series of questions, including (1) why the issue is suited to a multistakeholder process and (2) why a multistakeholder process would benefit the digital ecosystem.
Comments are due by 5:00 p.m. Eastern Time on May 18, 2015. Comments may be submitted via email to securityRFC2015@ntia.doc.gov or postal mail to the National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue, N.W., Room 4725, Attn: Cybersecurity RFC 2015, Washington D.C. 20230.
On November 16, 2015, the Federal Trade Commission will host a workshop in Washington, D.C., to examine the benefits and privacy risks associated with “cross-device tracking.” The workshop intends to highlight the types of cross-device tracking techniques and how businesses and consumers can benefit from these practices. The workshop also will address related privacy and security risks, and discuss whether self-regulatory programs apply to these practices.
Jessica Rich, Director of the FTC’s Bureau of Consumer Protection said, “[m]ore consumers are connecting with the internet in different ways, and industry has responded by coming up with additional tools to track their behavior.”
Public commentary is encouraged and will be accepted online until October 16, 2015.
On March 4, 2015, the House of Representatives of Washington passed a bill (HB 1078), which would amend the state’s breach notification law to require notification to the state Attorney General in the event of a breach and impose a 45-day timing requirement for notification provided to affected residents and the state regulator. The bill also mandates content requirements for notices to affected residents, including (1) the name and contact information of the reporting business; (2) a list of the types of personal information subject to the breach; and (3) the toll-free telephone numbers and address of the consumer reporting agencies. In addition, while Washington’s breach notification law currently applies only to “computerized” data, the amended law would cover hard-copy data as well.
The bill introduces a safe harbor for personal information that is “secured,” which is defined to mean the data is encrypted in a manner that “meets or exceeds” the National Institute of Standards and Technology (“NIST”) standard or is otherwise “modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.” In addition, notice is not required if the breach is “not reasonably likely to subject consumers to a risk of harm.” The bill adds federal preemption language that would exempt certain covered entities from having to comply with the state breach law. With respect to enforcement, the bill would make an organization’s failure to comply with the state’s breach notification law a violation of the Consumer Protection Act.
The bill, which passed the House of Representatives 97-0, will now face the Washington State Senate. It has broad bipartisan support, and if enacted would strengthen the state’s data breach laws.
The Washington legislation was introduced just over a week after Montana’s governor signed into law HB 74, which amends Montana’s existing data breach notification law to expand the definition of personal information to include medical record information and an “identity protection personal identification number” issued by the IRS. The amended law also requires entities to submit to the state Attorney General’s Consumer Protection Office an electronic copy of the notice to affected individuals, and to indicate the date and method of distribution of the individual notice and the number of residents impacted by the breach. The bill was enacted on February 27, 2015, and will take effect on October 1, 2015.
The Memorandum, which does not create legally binding obligations on the FTC or the Dutch DPA, focuses on the following five objectives:
- cooperating when enforcing applicable privacy laws such as the FTC Act and the Dutch Data Protection Act, including sharing relevant information about complaints;
- facilitating research and education about how to protect personal information;
- aiding the mutual exchange of knowledge and expertise between the two entities via training programs and staff exchanges;
- promoting the understanding of economic and legal conditions and theories that impact the enforcement of applicable privacy laws; and
- informing each other of privacy-related developments in their respective countries.
The Memorandum describes specific procedures that the FTC and the Dutch DPA will take to achieve these objectives and notes that each country has the discretion to decide whether to provide assistance to the other on a given privacy-related matter. The Memorandum also discusses protective measures for transmitting information related to a request for assistance on a privacy-related matter, such as encryption or maintaining materials in secured, restricted locations.
In announcing the Memorandum, FTC Chairwoman Edith Ramirez emphasized the importance of cross-border cooperation and stated that “[t]his arrangement with our Dutch counterpart will strengthen FTC efforts to protect the privacy of consumers on both sides of the Atlantic.” Similarly, her counterpart, Chairman of the Dutch DPA Jacob Kohnstamm, noted that entering into the Memorandum marked a great step in efforts to increase cooperation among “data protection and privacy authorities across the globe” which is especially important “[i]n this day and age of increasing cross-border data flows.”
The Memorandum is similar to those previously entered into by the FTC with the UK Information Commissioner’s Office in March 2014 and the Office of the Data Protection Commissioner of Ireland in June 2013.
Yes, I often obtain samples from various sources for my own research.
I am sometimes too lazy/busy to post them but don't mind sharing.
If you are looking for a particular sample, feel free to ask. I might have it.
Send MD5 (several or few samples). I cannot provide hundreds/thousands of samples or any kind of feeds. If you ask for a particular family, I might be able to help if I already have it.
Unfortunately, I do not have time to do homework for students and provide very specific sets for malware with specific features as well as guarantee the C2s are still active. Send your MD5(s) or at least malware family and I check if I have it :) If i have it, I will either send you or will post on the blog where you can download.
If you emailed me in the past and never got an answer, please remind me. Sometimes emails are long with many questions and I flag them to reply to later, when I have time and they get buried or I forget. It does not happen very often but accept my apologies if it happened to you.
Before you ask, check if it is already available via Contagio or Contagio Mobile.
1. Search the blog using the search box on the right side
2. Search here https://www.mediafire.com/folder/b8xxm22zrrqm4/BADINFECT
3. Search here https://www.mediafire.com/folder/c2az029ch6cke/TRAFFIC_PATTERNS_COLLECTION
4. Search here https://www.mediafire.com/folder/78npy8h7h0g9y/MOBILEMALWARE
On March 4, 2015, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced a new multistakeholder process seeking comments on best practices concerning privacy, transparency and accountability issues related to the use of commercial and private unmanned aircraft systems (“UAS”), otherwise known as drones. The NTIA’s request was made in response to a Presidential Memorandum issued by the White House on February 15 which directed NTIA to facilitate discussion between private sector entities to develop standards for commercial UAS use.
The NTIA is seeking comments, which are due 45 days after the publication of the request in the Federal Register, on the following:
- General Structure and Process – The NTIA seeks comments on how the group’s process should be structured (e.g., (1) whether different working groups should be established to focus on the primary issues, (2) whether the stakeholders should distinguish between various types of UAS, and (3) whether there are existing codes of conduct that could serve as bases for the stakeholders’ work).
- Privacy – The NTIA seeks comments on privacy-related questions including (1) the varying degrees of privacy risk with different types of UAS, (2) whether certain uses of UAS raise unique privacy issues as compared with non-UAS alternatives that could serve the same purpose, and (3) “what specific best practices would mitigate the most pressing privacy challenges while supporting innovation.”
- Transparency – The NTIA seeks comments on transparency-related questions including (1) whether transparency in the use of UAS can enhance privacy or discourage the unsafe use of UAS, (2) whether notice should be provided to the public regarding where UAS are operated, (3) what mechanisms can be used to help the public identify UAS, and (4) how to best keep the public informed of UAS operations that could “significantly impact privacy, anti-nuisance, or safety interests.”
- Accountability – The NTIA seeks comments on accountability-related questions including (1) how those who operate UAS can establish and enforce mechanisms to ensure that privacy protections and transparency policies are enforced within an organization, (2) what rules “would promote accountability,” and (3) “what specific best practices would promote accountable commercial and private UAS operation while supporting innovation.”
As we previously reported, the NTIA also recently launched two other multistakeholder processes: the first seeking to develop industry-wide privacy codes of conduct relating to mobile apps, and the second, which is still underway, seeking to develop a code of conduct regarding the commercial use of facial recognition technology.
Hunton & Williams’ Global Privacy and Cybersecurity practice group and Unmanned Systems Group continue to monitor developments in this multifaceted space in the areas of property and land rights, technology, government relations and lobbying, local and federal regulatory work, privacy, aviation, environmental, product liability, patent work, risk management and insurance.
At every board meeting, whether it’s monthly, whether it’s quarterly, cybersecurity should be on [the agenda]. If not, you’re going to wind up in a situation where you’re having an emergency board meeting to discuss something that has gone wrong.
a former cyber-security adviser in both the Obama and Bush administrations
On March 3, 2015, the Third Circuit heard oral arguments in FTC v. Wyndham Worldwide Corp. (“Wyndham”) on whether the FTC has the authority to regulate private companies’ data security under Section 5 of the FTC Act.
As we previously reported, on June 26, 2012, the FTC announced that it had filed suit against Wyndham and three of its subsidiaries alleging that the company posted misleading representations on Wyndham websites regarding how the company safeguarded customer information. In addition, the FTC alleged that Wyndham failed to maintain reasonable data security practices, leading to three separate data breaches involving hackers accessing sensitive consumer data. In response, Wyndham challenged the FTC’s authority to bring charges against private companies’ data security, arguing that by adopting targeted security legislation such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996, Congress had precluded the FTC’s jurisdiction over data security. Wyndham also argued that before bringing a Section 5 enforcement action, the FTC must publish “rules, regulations, or other guidelines” setting out the acceptable security standards.
Though Wyndham’s arguments were rejected by the U.S. District Court for the District of New Jersey, Law360 reported that the Third Circuit panel seemed receptive to Wyndham’s arguments, with Judge Thomas L. Ambro stating that the legislative history indicates that the FTC may only be authorized to bring “routine fraud cases” to the court, and the panel also spending a considerable amount of time considering Wyndham’s argument that the FTC’s failed to give sufficient notice of what constitutes “unreasonable” data security practices. According to Law360, the court also seemed unlikely to accept the FTC’s argument that deference should be given to the Eleventh Circuit’s January 2014 ruling in the FTC’s suit against LabMD, in which LabMD also challenged the FTC’s authority to bring an administrative challenge against private companies for data security practices. The Eleventh Circuit ruled that it did not have jurisdiction to evaluate the merits of the case until the FTC takes a reviewable final agency action.
The final outcome of FTC v. Wyndham has the potential to make a significant impact on the FTC’s regulation of consumer data security.
On February 26, 2015, the Department of Education’s Privacy Technical Assistance Center (“PTAC”) issued guidance to assist schools, school districts and vendors with understanding the primary laws regulating student privacy and how compliance with those laws may be affected by Terms of Service (“TOS”) offered by providers of online educational services and mobile applications. The guidance also is intended to aid school districts and schools in implementing separate guidance issued by the PTAC in February 2014. The guidance was accompanied by a short training video directed to teachers, administrators and other relevant staff.
The guidance, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, states that the TOS offered by providers of online educational services and mobile applications are often “Click Wrap” agreements requiring schools and districts to accept the TOS without an opportunity for negotiation. The guidance explains certain language commonly found in TOS agreements offered by providers of online educational services and mobile applications in order to help schools and school districts better determine whether accepting the TOS could violate any law regulating student privacy, such as the Family Educational Rights and Privacy Act. For example, the guidance states that the “TOS should be clear that data and/or metadata may not be used to create user profiles for the purposes of targeting students or their parents for advertising and marketing, which could violate privacy laws.” The guidance also contains information about provisions in TOS with respect to the definition of “de-identification,” modifications to the TOS and the providers’ use and sharing of student data.
In addition to highlighting common provisions that are potentially problematic from a legal perspective, the guidance provides examples of provisions that are more protective of student privacy and in line with best practices. The guidance also provides a brief explanation of why the commonly found provisions are problematic or in accordance with best practices for student privacy.
Similarly, if you are using "HTTPS Decrypt & Inspect" in Smoothwall, your clients' browsers will afforded some protection from attack, as their traffic will be re-encrypted by the web filter, which does not support downgrading to these "Export Grade" ciphers.
On March 3, 2015, Steven Barnes, the host of the new Penn Law podcast series, Case in Point: Great Minds on Law and Life, interviewed Lisa Sotto, partner and chair of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, and Anita Allen, professor of law and philosophy at the University of Pennsylvania Law School and vice provost for faculty on trends in privacy and cybersecurity, discussing what we mean when we talk about our right to privacy.
The segment provides a thought-provoking overview of the history of privacy and also addresses current topics of interest such as consumer privacy, cloud computing and the growth of sophisticated and damaging data breaches.
View Great Minds on Law and Life podcast.
Read a BuzzFeed Wrap-up of the episode.
Nobody wants anyone looking at their search history. I get it. I mean, look at mine —oh wait, don't—that's quite embarrassing. Those were for a friend, honestly.
Fortunately for us, it's pretty difficult to dig into someone's search history. Google even forces you to log in again before you can view it in its entirety. Most search engines now encrypt our traffic by default, too —some even using HSTS to make sure our browsers always go secure. This is great news for consumers, and means our privacy is protected (with the noticeable exception of the search provider, who knows everything and owns your life, but that's another story).
This all comes a little unstuck though - sometimes we want to be able to see inside searches. In a web filtered environment it is really useful to be able to do this. Not just in schools where it's important to prevent searches for online games during lessons, but also in the corporate world where, at the very least, it would be prudent to cut out searches for pornographic terms. It's not that difficult to come up with a handful of search terms that give potentially embarrassing image results.
So, how can we prevent users running wild with search engines? The first option is to secure all HTTPS traffic with "decrypt and inspect" type technology —your Smoothwall can do this, but you will need to distribute a certificate to all who want to use your network to browse the web. This certificate tells the browser: "trust this organisation to look at my secure traffic and do the right thing". This will get all the bells and whistles we were used to in the halcyon days of HTTP: SafeSearch, thumbnail blocking, and search term filtering and reporting.
Full decryption isn't as easy when the device in question is user-owned. The alternative option here is to force SafeSearch (Google let us do this without decrypting HTTPS) but it does leave you at their mercy in terms of SafeSearch. This will block anything that's considered porn, but will leave a fair chunk of "adult" content and doesn't intend to cover subjects such as gambling —or indeed online games. You won't be able to report on any of this either, of course.
Some people ask "can we redirect to the HTTP site" - this is a "downgrade attack", and exactly what modern browsers will spot, and prevent us from doing. We also get asked "can we resolve DNS differently, and send secure traffic to a server we have the cert for?" - well, yes, you can, but the browser will spot this too. You won't get a certificate for "google.com", and that's where the browser thinks it is going, so that's where it expects the certificate to be for.
In conclusion: ideally, you MITM or you force Google's SafeSearch & block access to other search engines. For more information read our whitepaper: 'The Risks of Secure Google Search'. It examines the problems associated with mandatory Google HTTPS searches, and suggests methods which can be used to remedy these issues.
Featured news: Superfish, new malware warnings, universal SSL
Read Mozilla’s directions for getting Superfish out of Firefox (Feb. 27), Sophos on Superfish removal (Feb. 20), and a Fortinet Superfish FAQ. (Feb. 20) ESET also has a wise piece on unwarranted panic and false positives. (Feb. 20) Note: We hope we don’t ever have to write the word “Superfish” again.
Google Safe Browsing expands Chrome warnings: New warnings let users know when they’re about to visit a site known for encouraging downloads of unwanted or suspicious software. (Feb. 23)
Feedback and data-driven updates to Google’s Project Zero disclosure policy (Feb. 13)
Universal SSL: Public beta version of new CloudFlare service encrypts data from the browser to the origin for free. (Feb. 24)
Malware news + vulnerabilities
Google releases free, cloud-based web application security scanner that can help App Engine developers check for cross-site scripting and mixed content vulnerabilities. (Feb. 19)
Highlights from Internet Identity’s 2014 eCrime Trends Report (Feb. 25)
Fortinet: Decoy files used to spread CTB-Locker ransomware (Feb. 16)
SiteLock on a security flaw in the UpdraftPlus premium WordPress plugin (Feb. 17)
Security news + perspectives
In case you missed it: After six years, StopBadware is shutting down its community forum. Details and recommended alternatives here.
Automattic: WordPress 4.1.1 is out! This one’s a maintenance release. (Feb. 18)
ESET on exploits: What are they, and how do they work? (Feb. 27)
DreamHost’s Mika E. talks about the virtues of open source and his experience writing plugins for WordPress. (Feb. 10)
SiteLock: How you can tell if a website is secure (Feb. 24)
Sucuri: Why websites get hacked (Feb. 26)
On March 2, 2015, HuffPost Live interviewed four cybersecurity experts in response to a top financial regulator’s warning of an “Armageddon-type cyber event” that could eventually affect the U.S. economy. Lisa Sotto, partner and chair of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was featured, describing the threat as legitimate and stressing that hackers are becoming more creative, sophisticated and motivated. She also emphasized that cybersecurity is a high-level governance issue for companies, not an IT matter.
The segment addressed the question of how companies can protect themselves and provided examples of previous attacks and their repercussions.
View HuffPost Live’s segment on Regulator Warns of ‘Cyber 9/11’ Attacks on Banks.
On February 27, 2015, the White House released a highly-anticipated draft of the Consumer Privacy Bill of Rights Act of 2015 (the “Act”) that seeks to establish baseline protections for individual privacy in the commercial context and to facilitate the implementation of these protections through enforceable codes of conduct. The Federal Trade Commission is tasked with the primary responsibility for promulgating regulations and enforcing the rights and obligations set forth in the Act.
The Act’s baseline of consumer protections would apply broadly (with certain stated exceptions) to the privacy practices of covered entities that collect, create, process, retain, use or disclose personal data in or affecting interstate commerce. “Personal data” is broadly defined under the Act as “any data … under the control of a covered entity, not otherwise generally available to the public through lawful means, and … linked, or as a practical matter linkable by the covered entity, to a specific individual, or linked to a device that is associated with or routinely used by an individual.” The Act carves out from the definition of personal data several types of information, including de-identified data, cybersecurity data and employee data that is collected or used by an employer in connection with an employee’s employment status.
The Act sets forth individual rights for consumers and corresponding obligations of covered entities in connection with personal data. Key examples of the proposed privacy protections and obligations include:
- Transparency. Covered entities shall provide individuals with clear, timely, conspicuous and easily understandable notice about the entity’s privacy and security practices. The Act sets forth various content requirements for such notices.
- Individual Control. Individuals must be provided with reasonable means to control the processing of their personal data that are proportionate to the privacy risk to the individual and are consistent with context, which is defined to mean the circumstances surrounding a covered entity’s processing of personal data.
- Respect for Context. If a covered entity processes personal data in a manner that is not reasonable in light of context, the entity must conduct a privacy risk analysis, and take reasonable steps to mitigate any identified privacy risks. If the privacy risk analysis is conducted under the supervision of an FTC-approved Privacy Review Board, the covered entity may be excused from certain heightened requirements under this section.
- Focused Collection and Responsible Use. Covered entities may collect, retain and use personal data only in a manner that is reasonable in light of context. This limitation requires businesses to consider ways to minimize privacy risk, as well as to delete, destroy or de-identify personal data within a reasonable time after fulfilling the purposes for which the personal data were first collected.
- Security. Covered entities are expected to identify reasonably foreseeable internal and external risks to the privacy and security of personal data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of the information. Based on this analysis, covered entities must establish, implement and maintain safeguards reasonably designed to ensure the security of such personal data, including but not limited to protecting against unauthorized loss, misuse, alteration, destruction, access to, or use of the business’ information.
- Access and Accuracy. Upon request, a covered entity must provide an individual with reasonable access to, or an accurate representation of, personal data that pertains to the individual and is under the control of the covered entity. This obligation entails providing the individual with a means to dispute and resolve the accuracy and completeness of his or her personal data.
- Accountability. Covered entities must take measures appropriate to the privacy risks associated with its personal data practices, including training employees, conducting internal or independent evaluations, building appropriate consideration for privacy and data protections into the design of systems and business practices, and contractually binding third parties to comply with similar requirements prior to disclosing personal data to them.
Under the Act, a violation of the relevant requirements constitutes an unfair or deceptive act or practice in violation of Section 5 of the FTC Act. While the attorney general of any state may bring a federal enforcement action for injunctive relief based on an alleged violation causing harm to a substantial number of the state’s residents, the FTC has the right to intervene as a party and assume lead responsibility for the prosecution. In an action brought or prosecuted by the FTC, the covered entity also may be liable for a civil penalty of up to $25 million under certain circumstances. The Act offers covered entities a safe harbor against enforcement actions when they have complied with an FTC-approved code of conduct for data governance that provides equivalent or greater protections for personal data than that of the Act. In addition, the Act does not offer a private right of action to individuals.
Notably, the Act preempts state and local laws to the extent they impose requirements with respect to personal data processing, but it does not preempt states’ general consumer protection laws, health or financial information laws, or data breach notification laws. With respect to federal preemption, the Act does not modify, limit or supersede the privacy or security provisions of federal laws, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996.