In response to the thousands of mobile applications hitting the market that often rely on consumer data (i.e. contact information, location, photos, etc.), the Federal Trade Commission (“FTC”) released a suggested list of security guidelines for mobile app developers to follow when designing a program. While no one-size-fits-all checklist can exist, the FTC views these security tips as a way to help protect developers, consumers, and the reputation of the app. The following are the 12 suggested security guidelines for mobile application developers to consider:
1. Make someone responsible for security;
2. Take stock of the data you collect and retain;
3. Understand the differences between mobile platforms;
4. Don’t rely on a platform alone to protect your users;
5. Generate credentials securely;
6. Use transit encryption for usernames, passwords, and other important data;
7. Use due diligence on libraries and other third-party code;
8. Consider protecting data you store on a user’s device;
9. Protect your servers, too;
10. Don’t store passwords in plaintext;
11. You’re not done once you release your app. Stay aware and communicate with your users;
12. If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations.
Before getting into the core aspects of these security guidelines, make sure to evaluate the ecosystem in which the app will reside. The FTC comments that while it is important to get the mobile app working and accepted by an app store, a critical third step, the anticipation and prevention of security glitches, is vital to the app’s long-term viability.
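Two of the guidelines above, generating credentials securely (5) and never storing passwords in plaintext (10), can be illustrated in a few lines of code. The block below is an added example written for this post; it is not code from the FTC’s guidance. It uses only the Python standard library: the OS random source for tokens, PBKDF2-HMAC-SHA256 with a per-user random salt for password storage, and a constant-time comparison on verification. The iteration count is an assumed work factor chosen for illustration, and the `pbkdf2_sha256$iterations$salt$hash` record layout is an invented storage format for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware and
# raise it over time. Storing the count in the record lets you rehash later.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def generate_credential(nbytes: int = 32) -> str:
    """Guideline 5: derive tokens/API keys from the OS CSPRNG, never from
    predictable inputs such as timestamps, device IDs, or random.random()."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, salt: bytes = None) -> str:
    """Guideline 10: store a salted, slow hash instead of the password.

    Returns a self-describing record (invented format for this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time so the check does not leak timing information."""
    try:
        algo, iterations, salt_hex, derived_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


def needs_rehash(stored: str) -> bool:
    """True when a record was created with a lower work factor than the
    current setting; rehash on the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or int(parts[1]) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("session token:", generate_credential())
```

Because the salt is random, hashing the same password twice yields two different records, which is exactly what prevents a leaked database from being cracked with one precomputed table. The same verification path works for a server-side account store or for a locally cached credential on the device (guideline 8), as long as the plaintext itself is never written.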
Posted in Business Law, Data Security & Privacy | Tagged FTC, FTC Mobile App Security Guidelines, Mobile Application Development
A bipartisan group of House and Senate members introduced the USA FREEDOM Act last month in an attempt to restore Americans’ privacy rights by ending the bulk collection of phone records and requiring greater oversight, transparency, and accountability with respect to domestic surveillance programs. The Sensenbrenner-Rokita NSA Reform Bill (another name for the USA FREEDOM Act) includes significant privacy and oversight provisions, detailed reporting on the number and types of FISA (Foreign Intelligence Surveillance Act) orders issued, and the creation of a Special Advocate post, whose purpose is to advocate for civil liberties and privacy rights before the FISA Court.
Sen. Patrick Leahy (D-VT) and Rep. Jim Sensenbrenner (R-WI) co-authored an op-ed article published in Politico in which they highlighted the need to ensure the protection of Americans’ civil liberties while preserving the intelligence community’s ability “to gather information in a more focused way, as was the intent of the PATRIOT Act.” Both Messrs. Leahy and Sensenbrenner agree that Congress must provide our intelligence community with the necessary tools to keep our country safe, but acknowledge that, to date, the intelligence community has failed to adequately justify its expansive use of current laws.
If passed and signed into law, the Bill would require that the Applicant (i.e. the Government) establish “reasonable grounds” that the tangible things sought are “relevant” and “material” to an ongoing investigation. The Applicant would be required to create a statement of proposed “minimization procedures” to ensure that the search is as narrowly tailored as possible. The Applicant would also have to submit a statement of facts showing reasonable grounds that disclosure of the Government’s interest in collecting data would result in (a) endangering the life or physical safety of any person; (b) flight from investigation; (c) destruction of or tampering with evidence; (d) intimidation of potential witnesses; (e) interference with diplomatic relations; (f) alerting a target in which the government has an interest; or (g) seriously endangering the national security of the U.S.; together with (h) an explanation of how the nondisclosure requirement is narrowly tailored to address a specific harm.
Are these parameters sufficient to balance the civil liberties of Americans against protecting our national security? What type of “minimization procedures” would put your mind at rest that the intelligence community has not overstepped its bounds? Does the legislation go far enough, if at all, in reclaiming what we lost as a result of 9/11 with regard to our privacy rights, business interests, and standing in the international community?
Posted in Business Law, Data Security & Privacy | Tagged Civil Liberties, FISA, NSA, Rep. Jim Sensenbrenner, Rep. Todd Rokita, Sen. Patrick Leahy, USA FREEDOM Act, USA PATRIOT Act
This past summer the Ponemon Institute and Experian Data Breach Resolution released a report stating that most businesses now rank cyber-security risks higher than natural disasters and other major business risks. Despite this shift in boardroom thinking, few companies are willing to purchase cyber-insurance as part of their overall risk management strategy. An organization’s reluctance to purchase cyber-insurance, in spite of evidence suggesting it should, can be boiled down to the assessment of four competing priorities: (1) Risk Transfer – buying cyber-insurance in order to transfer risk to a third party; (2) Risk Acceptance – bearing the risk and budgeting for the eventual losses; (3) Risk Mitigation – taking steps to contain and minimize anticipated risk losses; and (4) Risk Avoidance – eliminating a risk entirely by removing the conditions that created it.
In today’s corporate cyber-world, it is practically impossible for most companies to simply “avoid” the risk altogether. Most businesses have to rely upon internal controls to mitigate the risk, and then self-insure for the eventual breach of information. On close inspection of a cost-benefit model, this is the most financially prudent course of conduct. However, the cyber-insurance industry is rapidly evolving to a point where more and more businesses are looking to transfer their cyber-risks to a third party.
Unlike traditional business insurance, cyber-insurance policies are unique to the issuing carrier, and nothing is standard in the industry at this time. While a sizable third-party market exists to cover losses suffered by a company’s customers, first-party policies that address direct harms to the company itself remain expensive, rare, and largely unattractive. Several factors are to blame for this, including: (1) a lack of actuarial data, which results in high premiums for first-party policies that many can’t afford; (2) the widespread, mistaken belief that standard corporate insurance policies and/or general liability policies already cover most cyber risks; and (3) fear that a so-called “cyber hurricane” will overwhelm carriers who might otherwise enter the market before they build up sufficient reserves to cover large losses.
Of the companies surveyed by Experian and Ponemon, 56 percent reported a cyber-related breach in the last 24 months, at an average cost per incident of $9.4 million. This figure, however, is only a small fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to a cyber-attack.
Third-party insurance and self-insuring against cyber-security risk are not mutually exclusive investments. Cyber-security requires a comprehensive risk management solution that examines the organization’s people, processes, and technology. To properly evaluate the necessary coverage, a business should categorize and understand its exposure for its own losses and internal expenses, and consider potential liabilities to third parties based on an assessment of that business.
Posted in Data Security & Privacy
A bill passed earlier this summer by the California State Senate could potentially subject individuals within that state to criminal prosecution for the unauthorized online posting of “explicit” user-generated photos and videos (the practice otherwise known as “revenge porn”). If passed and signed into law, the bill could pit the rights of victims against people favoring free expression. Advocates on both sides of the legal argument differ on whether existing statutes are extensive enough to make a new law targeting such specific behavior unnecessary.
The fundamental issue in determining whether revenge porn should be a criminal offense turns on (1) what a person defines as a “reasonable expectation” of privacy; and (2) whether the content is meant for public dissemination, thereby attracting First Amendment protections.
As The New York Times points out on its blog, “[c]omplicating matters, nonconsensual pornography, as the practice is sometimes called, doesn’t involve only a victim and a perpetrator. One person might record the image with the subject’s consent and post without consent, while another entity can host it – several Web sites specialize in doing just that – and many other Internet users can in turn spread that image far and wide in a matter of hours, or less.” The “viral” effect can take an otherwise benign, obscure website and turn the picture into something far more damaging than it would have been had the photo not gone viral.
Posted in Data Security & Privacy | Tagged State of California Senate