In what I would describe as an unusual but interesting move by the Federal Trade Commission (FTC), on January 4, 2022, it issued a warning to companies “to remediate Log4j security vulnerability” or face an enforcement action for failing to do so.

In the warning, the FTC acknowledged that the Log4j vulnerability “is being widely exploited by a growing set of attackers.” The exploitation by threat actors “risks a loss or breach of personal information, financial loss, and other irreversible harms.” According to the FTC, there are several laws that require companies to take reasonable steps to mitigate known software vulnerabilities, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers and to avoid FTC legal action.”

Since this is a known vulnerability that can be remediated, if companies fail to update the software, “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

An unusual but very strong message from the FTC that is prudent to follow.

2021 was a rough year for many businesses, but there was at least one winner: in a recent blog post, privacy-focused search engine DuckDuckGo reported a record growth of over 46 percent and now claims to serve more than 27 million Americans. Unlike other search engines, which sell targeted advertisements based on individual user profiles, DuckDuckGo does not track individual consumers. Instead, the search engine makes money by delivering advertisements based on keywords used in a specific search without tracking the user behind the query.

DuckDuckGo is set to capitalize on its strong 2021 showing by launching a new privacy-focused desktop web browser that promises “no complicated settings, no misleading warnings, no ‘levels’ of privacy protection – just robust privacy protection that works by default, across search, browsing, email, and more.” This new offering will be built from the ground up rather than being built upon Google’s popular Chromium browser base. DuckDuckGo CEO Daniel Weinberg claims that this approach, which will leverage the rendering engines built into Windows and MacOS, will allow the company to deliver a faster browsing experience without the myriad of telemetry processes built into conventional browsers.

Since its 2008 founding, DuckDuckGo has expanded well beyond its roots as a search engine alternative. In addition to its search engine, the company now offers a tracker-blocking browser add-on, Android and iOS apps, and an email tracker removal tool (now in beta testing). If this growth trend continues, it could indicate that an increasing number of consumers are placing a premium on privacy. Other tech companies may wish to take note that customers’ desire for privacy-first products is driving a fast-growing market.

*This post was authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.

On January 1, 2022, Broward Health, which operates dozens of health care facilities in Broward County, Florida, notified over 1.3 million individuals that a threat actor gained access to and removed data from its system on October 15, 2021. The data exfiltrated and compromised included individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and financial, insurance, and medical information.

According to the notification letter, “the intrusion occurred through the office of a third-party medical provider who is permitted access to the system to provide healthcare services.”

Broward Health is offering the affected individuals credit monitoring. Following the incident, it required a password reset of its users, and implemented multi-factor authentication (MFA) “for all users of its systems.” It also disclosed that it is implementing “minimum security requirements” for devices that have access to its network that are not managed by its internal IT professionals.

Reading between the lines and purely speculating, my guess is that the incident occurred through a third-party medical provider’s device that had access to Broward Health’s system but had not deployed MFA, causing or contributing to the intrusion. This breach shows how a third party can cause an incident if it has access to your network but does not have the same or similar security measures in place as you. It highlights the importance of identifying all users and devices with access to your network and requiring all of them to implement security measures consistent with your own.

Last week, Undefined Technologies (UT), a startup drone company based in Miami, Florida, successfully completed a test flight, powered by ion propulsion, that demonstrated significant increases in lifting power and mission time. The flight lasted only 2 minutes and 30 seconds, but the UT team was able to test the aircraft’s performance, flight dynamics, endurance, and noise levels. Two big takeaways: 1) the flight time increased by five times over the prior version of the drone; and 2) the noise levels generated by the drone were less than 85 decibels (the point at which a noise is considered “excessive”).

To understand the subjective nature of noise, the commonly used Noise Scale below compares levels of noise in decibels (dB) to everyday examples of noise.

LEVEL IN DECIBELS   EXAMPLE
110dB+              Jet engine at about 100m
100dB+              Jackhammer (pneumatic drill) at close range
80dB+               Loud highway noise at close range
70dB+               Louder traffic
60dB                Quiet traffic noise
50dB                Louder conversation
40dB                Quiet conversation
30dB                Birds flying by
20dB                Watch ticking
10dB                Rustling or falling leaves

By continuing to test this ion propulsion drone, UT hopes to achieve even longer flight times and noise levels below 70 decibels.

UT has also joined the Aviation Sustainability Center (ASCENT-AERO) to assist in creating science-based solutions to help reduce the environmental impact of aviation. ASCENT-AERO’s goal is to create sustainable aircraft with zero carbon emissions and minimum noise.

UT hopes its drones can be used as the “last mile delivery” solution in urban areas, where noise from drones is a large concern. The ultimate goal is to bring a silent drone to the market. More testing and further understanding of the physics will continue, but in order to fully integrate drones into our daily lives, the public would like to see the noise emanating from these drones eliminated or, at least, made unnoticeable. Of course, now comes the concern that there could be a silent drone hovering above you … that you don’t even know is there.

2021 is behind us. Whether that is positive or negative for you, in my world, it was another record year. A record year of data breaches.

According to The Identity Theft Research Center (ITRC), data breaches in 2021 surpassed the previous record year of 2020 by 17 percent. The incidents ranged from the theft of cryptocurrency (Livecoin went out of business following an attack) to ransomware attacks (Colonial Pipeline), to zero-day vulnerabilities against Microsoft Exchange Server, and finally, the big one: Log4j.

There is speculation that the Log4j vulnerability will last for years. The Log4j vulnerability is so concerning that the FTC issued a warning this week to companies declaring that if companies don’t mitigate the vulnerability, they could be subject to an enforcement action.

What does this all mean to us as consumers? Many of us roll our eyes and say “All of our information is out there anyway, so why bother trying to protect it?” I say, don’t give up. Here are a few tips that are still important for protecting your data and your privacy:

  • If your information is compromised, sign up for credit monitoring or a credit freeze if offered.
  • Continue to check your credit report, which you can get for free once a year, to help determine whether any fraudulent accounts have been opened in your name.
  • Protect your Social Security number and driver’s license number. Don’t just give them when asked or fill them in on a form.
  • Mind your cookies.
  • Check the privacy settings on your phone and update them frequently.
  • Opt-in to “do not track” options.
  • Use DuckDuckGo as your browser.
  • Consider the Jumbo privacy app.
  • Read the privacy policies of apps and devices before you download or activate them.
  • Be aware of phishing, vishing, smishing, and qrishing.
  • Understand what IoT devices you have and activate unique passwords for them.
  • Change the default passwords on your home router and wi-fi.
  • Update the software on your devices as soon as you can.

And there are so many more! Check out all of our privacy tips at www.dataprivacyandsecurityinsider.com and don’t give up! Even though 2022 looks to be another whopper year for data breaches, if we don’t try to protect our privacy, then who will?

One of the challenging things about HIPAA (Health Insurance Portability and Accountability Act) enforcement is the fact that both the Office for Civil Rights and State AGs have jurisdiction to assess fines and penalties for HIPAA violations. The old double whammy.

States enforce those rights sparingly, but New Jersey is getting itself on the map by enforcing HIPAA and assessing fines and penalties and/or settling with entities for alleged HIPAA violations. This year, it has already racked up several settlements with companies over alleged violations of both state law and HIPAA.

The most recent settlement involved a case that stemmed from a business email compromise (BEC) incident in which several Regional Cancer Care Associates’ email accounts were compromised through a targeted phishing campaign and the employees disclosed their credentials to a threat actor. As a result of the BEC, the protected health information of more than 105,000 individuals was compromised, including names, addresses, driver’s license numbers, and Social Security numbers.

More than 80,000 of the affected individuals reside in New Jersey, hence the interest of the New Jersey Division of Consumer Affairs (Division) in the AG’s office. The Division alleged violations of both the New Jersey Consumer Fraud Act and HIPAA. According to Acting Attorney General Bruck when announcing the settlement, “New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats. We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”

Note to covered entities and business associates in New Jersey: your AG is active in this space, so dusting off your HIPAA compliance program and Written Information Security Program might be a high priority for the new year.

Meta has been hit with two related lawsuits totaling over $150 billion in its first major legal challenge since rebranding. The suits (one filed in California Superior Court and the other in the UK) come from a class representing the Rohingya, a minority Muslim population that has suffered severe systematic violence in Myanmar. The suits allege that the Facebook algorithm promoted hate speech aimed at the Rohingya. The complaint claims that Facebook actively steers users towards extremist groups and contributes to the worsening Rohingya situation. The suit further alleges that high-level Meta executives knew of anti-Rohingya hate speech on the platform and allowed it to remain.

The suit comes at a time when Meta is facing increased calls for regulation from both sides of the political aisle. Many commentators also blame Facebook for contributing to worsening political divides in the United States. The elephant in the room is Section 230 of the Communications Decency Act, which immunizes online platforms from legal repercussions based on the content posted by their users. This lawsuit seems poised to tug at that thread in what may be the start of a new era for online moderation – does the law shield companies that promote hate speech, or does that safe harbor stop at hosting? While Section 230 protects companies that host hate speech, it is silent on the question of promotion and circulation.

The allegation that Meta actively and knowingly contributes to polarization and the expansion of hate groups cuts to the core of social media as an industry. Social media giants make money by keeping users engaged with their platforms, which allows them to both serve ads and gather user profile information to sell to advertisers. Unfortunately, nothing gets users to engage like righteous anger, so content-serving algorithms learn to favor inflammatory content that confirms users’ existing biases. This phenomenon, called a “filter bubble,” tends to promote echo chambers and ideological extremism within different pockets of a platform’s user base. If the court in this case finds that Meta breached a duty by promoting hate speech, it has the potential to upend the industry’s traditional business model.

*This post was authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.

This is the time of year for thought pieces reflecting on the past year or so to speculate on the hot topics for next year. I began to wonder about California Consumer Privacy Act (CCPA) enforcement actions over the past year as this was something that we speculated about not that long ago. The California Attorney General’s office has been busy and has even posted a list on its website of 27 examples of recent California Consumer Privacy Act enforcement actions.

The most common violation on the list is that a company’s privacy policy was non-compliant with CCPA requirements. Of the 27 cases cited, at least 16 had some form of privacy policy violation. Some of the privacy policies failed to provide consumers with the required CCPA rights, failed to state whether the company sold personal information, or failed to provide a method for consumers to submit requests about their data. Other violations included failure to provide notice to consumers of opt-out processes and the failure to include a “Do Not Sell My Personal Information” link. One company even tried to charge consumers for making CCPA requests.

All the cases cited appear to have begun with consumer complaints that resulted in a notice of alleged non-compliance. That notice gave the companies the opportunity to correct their deficiencies. In one privacy policy violation, the company updated its privacy policy in response to a complaint that it failed to provide notice of the required CCPA consumer rights and also failed to state whether it had sold personal information within the past 12 months. The company updated its privacy policy; however, it was “not easy to read or understandable to the average consumer, e.g. contained unnecessary legal jargon.” The company received a second notice of non-compliance and then revised its privacy policy accordingly.

Enforcement actions will no doubt continue in 2022, but the lesson learned from 2021 is that for companies that must comply with CCPA, having a CCPA-compliant privacy policy will be a great way to start the new year.

Skyports, a leading drone services provider, recently announced that it has partnered with the Massachusetts Department of Transportation’s (MassDOT) Aeronautics Division to demonstrate how it can link communities in the Cape Cod region using its drone services. This partnership stems from MassDOT’s need to find a solution for connecting some of its remote communities to everyday services like healthcare and logistics, and, more pressingly, to provide emergency medical delivery after a natural disaster. Due to the islands, peninsulas, and offshore energy projects, the Cape Cod region has many hard-to-reach communities. Skyports presents a solution: its drones are capable of safely flying in harsh weather conditions and can carry cargo payloads of up to 100 pounds.

Additionally, the Federal Aviation Administration (FAA) has granted Skyports approval for beyond visual line of sight (BVLOS) flights during a week-long feasibility project. During the project, MassDOT will explore BVLOS drone operations in Massachusetts, including reaching remote communities as well as rail network and road inspections.

MassDOT Aeronautics Administrator, Dr. Jeffrey DeCarlo, said, “MassDOT is excited to be working with Skyports for this first delivery demonstration, helping us establish a foundation for new, innovative drone use cases to support communities across the Commonwealth. The Aeronautics Division established the Drone Program after recognizing the potential of drones to support MassDOT’s traditional inspection and asset management missions. We are now exploring new drone use cases such as emergency delivery and are fortunate to be able to partner with companies like Skyports that are pushing innovative technologies and operations.”

MassDOT currently uses drones as part of its transportation infrastructure program to perform daily flights along the Massachusetts Bay Transportation Authority (MBTA) network to inspect rail tracks and document the health of wetlands near construction sites, as well as for mapping highways and airports. MassDOT has now turned to Skyports to assist in its emergency delivery operations and to test flights across Vineyard Sound.

Upon completion of the test flights and demonstrations, Skyports will move permanently into full-scale commercial operations in Massachusetts. Skyports then hopes to expand its operations across the U.S.

Another fallout from the pandemic is that impersonation fraud has increased dramatically. According to the Federal Trade Commission, “the COVID-19 pandemic has spurred a sharp spike in impersonation fraud, as scammers capitalize on confusion and concerns around shifts in the economy stemming from the pandemic.” Impersonation fraud costs “have increased an alarming 85 percent year-over-year, with $2 billion in total losses between October 2020 and September 2021.”

The impersonation fraud scammers use different types of communication to try to get a victim to provide them with personal information that they can then use for fraud, or to obtain money. The scammers try to “trick their targets that they are the government or an established business and then trade on this trust to steal their identity or money.”

The fraudsters usually start the scheme asserting a position of authority to try to scare the victim into believing they owe money for some past debt, to the IRS or the police, for example. Or they try to trick the users into believing there is a problem with a business account (for example, a utility) and that service will be discontinued if they don’t send gift cards right away.

Using scare tactics has worked, to the tune of losses of up to $2 billion. A lot of people have been victimized by these scams, as the average cost of the loss is $1,000.

It has become so “pernicious and prevalent” that the FTC has published an Advance Notice of Proposed Rulemaking seeking public comment on the details of the schemes that have been affecting victims. The FTC wants to learn more about the schemes so it can help consumers protect themselves against them, while also gathering information for enforcement actions against fraudsters.

If you have been the victim of an impersonation scheme or fraud, help the FTC by providing information so it can catch the bad guys and prevent them from hurting someone else.