At a Glance.
- Missouri’s Secretary of State has been accused of withholding critical cybersecurity reviews of election authorities.
- The state of Iowa files a lawsuit against TikTok alleging that the application has misled parents on the inappropriate content on the social media platform.
Missouri’s secretary of state accused of withholding cybersecurity reviews of election authorities.
An audit report, conducted by Missouri’s Scott Fitzpatrick, has accused Missouri Secretary of State, Jay Ashcroft, of withholding cybersecurity reports. This audit report alleges that Ashcroft has refused to provide Fitzpatrick with copies of the cybersecurity reviews of Missouri’s 116 local election authorities.
Fitzpatrick cites House Bill 1878, passed in 2022 by the Missouri General Assembly, which requires the State Secretary’s office to receive cybersecurity reviews every two years and submit those reviews to the state auditor’s office. Fitzpatrick stated that “the law clearly provides [his] audit staff with the authority to receive and review this information” and that it was “disappointing the Secretary of State’s Office stood in the way of [his] efforts to perform a thorough analysis of how the new cyber security reviews have been implemented.”
Ashcroft’s office issued a formal response that stated sharing the cybersecurity reports would risk revealing confidential information. At this time, the state auditor’s office is not seeking legal action against Ashcroft or his office.
This report comes after Missouri ended its participation in the Electronic Registration Information Center (ERIC), a national system designed to improve voter roll accuracy, access to voter registration, and reduce election costs. This decision was also criticized in Fitzpatrick’s audit report, as he cited that Ashcroft made this decision without consulting any stakeholders or creating any plans to replace ERIC. Fitzpatrick’s report discussed how this change has negatively impacted the state’s ability to correct inaccurate voter records.
When Ashcroft terminated this partnership, he alleged that ERIC had failed to address voter fraud and instead focused its efforts on adding names to voter rolls. However, this audit report counters these claims stating that Ashcroft did not fully evaluate the benefits of ERIC before ending the partnership.
While this accusation, at the moment, has no associated legal action, it does expand on a broader conversation related to election security. With the 2024 US presidential election primaries currently taking place and the presidential election later this year, election security is a contentious debate subject across the US. Safeguarding elections is a critical cybersecurity focus as both internal and external actors look to disrupt election proceedings and results. As both federal agencies and state offices look to secure the upcoming elections, voters should pay greater attention to what initiatives governmental bodies are taking. These actions, or lack thereof, could have wide-sweeping impacts on how voter information is secured and used as well as how elections are secured across the US. Voters should hold offices accountable to properly conduct cybersecurity reviews, share their findings, and implement measures that secure election proceedings.
Iowa sues TikTok alleging that the app misled parents about inappropriate content.
The state of Iowa sued TikTok, accusing the social media platform of misrepresenting the prevalence of inappropriate content on the platform to avoid implementing parental controls. The lawsuit alleges that TikTok has falsely stated that there are insignificant amounts of adult content on its app so the application can maintain its “12+” age rating in application stores.
The complaint claims that the app “intends to evade the parental controls on Apple devices by rating its app ‘12+’” and that “if TikTok correctly rated its app, it would receive a ‘17+’ age rating, and parental restrictions on phones would prevent many kids from downloading it.”
With Iowa suing the social media platform, this marks the second time that the company has been sued by a state government. In December 2022, Indiana filed a similar lawsuit, claiming that the application misled markets by claiming that it was appropriate for children ages 13 to 17. However, this case was dismissed by a state judge in November 2023. TikTok has released a statement claiming that it has “industry-leading safeguards in place for young people, including parental controls and time limits for those under 18.”
This new case marks a continuation of Iowa paying greater attention to the social media platform as the Iowan governor, Kim Reynolds, issued a ban on using TikTok on state-owned devices in late 2022. This current lawsuit seeks to force TikTok to correct its statements as well as create financial penalties for the harm caused to Iowan consumers.
While the court case will take some time to either be dismissed or settled, this new lawsuit shows that the US government is taking the impact of social media sites more seriously, especially when concerning children. While these lawsuits will not directly impact individuals for some time, parents should be aware of the risk that social media platforms can pose to their children and be aware of the government's growing involvement in regulating the industry. Additionally, social media companies and associated social media data brokers should be aware of increased governmental focus on the industry, and the associated regulatory impacts that would come with greater governmental oversight. These efforts follow the trend of states becoming increasingly concerned with child safety in the cyber world.
Other Noteworthy Stories.
What: The Australian, US, and UK governments have sanctioned a Russian hacker over their involvement in the Medibank breach in 2022. With these sanctions, each nation has frozen the hacker's assets as well as barred anyone from dealing with the hacker.
Why: These sanctions mark the first time the Australian government has used its cyber sanctions framework, created in 2021, to target an individual. With these sanctions, the Australian government has signaled its intentions to address the large volume of state-sponsored hackers targeting the nation’s critical infrastructure, businesses, and homes. According to an Australian governmental report, there is an attack roughly every six minutes against Australian assets. While these sanctions will not likely deter future attacks, they do signal the government's clear intention to begin addressing cybersecurity more seriously.
What: The UK government has published a new code of practice on cybersecurity governance aimed at targeting directors and other senior business leaders.
Why: The goal of these new governance codes is to increase the amount of responsibility that boardroom executives have when managing cybersecurity. With these new codes, organizations operating within the UK should understand both their increased responsibilities as well as the associated legal ramifications. The new code highlights the following areas for business leaders to focus on:
- Risk Management
- Cyber Strategy
- Incident Planning and Response
- Assurance and Oversight
What: The Biden administration is preparing to release an executive order that aims to prevent foreign adversaries from accessing the personal data of American citizens. While the administration has not yet released the new executive order, the order will direct the US Attorney General and Department of Homeland Security to restrict data transactions involving US citizens.
Why: With this upcoming executive order, the administration looks to reduce hostile foreign adversaries from being able to access American personal data. Currently, the draft has reportedly focused on ways that foreign adversaries are gaining access to Americans’ “highly sensitive” personal data through existing legal means, such as through data brokers.
These efforts highlight the administration’s continuing effort to address the large cybersecurity gaps that exist within the US. By passing this order, the administration will continue its efforts to reduce the volume of cyber attacks on US citizens as well as increase the nation’s overall cybersecurity defense posture.
What: The Federal Trade Commission (FTC) has prohibited InMarket Media from selling or licensing precise user location data.
Why: The settlement is part of allegations that the Texas-based company did not inform or seek consent from consumers before using their location information for advertising and marketing purposes. The FTC announced that InMarket will “be prohibited from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data.” Additionally, InMarket has been ordered to destroy all location data it had previously collected.
With the FTC’s announcement banning InMarket from selling location data, the agency continues its efforts to regulate data broker activity within the US. While InMarket has been barred from selling location data, this incident reflects a greater issue where the personal data of US citizens is being shared with thousands of companies by data brokers, often without their explicit knowledge. US citizens and organizations should expect agencies, like the FTC, to continue these efforts and reign in data brokers working within the US.