At a glance.
- US guidance on civil cyber-fraud.
- Settlement in fertility clinic data breach.
- US Federal Trade Commission draws attention to the amount of data collected by Internet providers.
Guidance on preventing civil cyber-fraud.
Earlier this month, the US Department of Justice (DOJ) launched its “Civil Cyber-Fraud Initiative,” a program led by the department’s Civil Fraud Section that uses the False Claims Act (FCA) to impose penalties on government contractors and grant recipients who put US data at risk. Conduct the initiative treats as an FCA violation includes knowingly supplying deficient cybersecurity products or services, misrepresenting cybersecurity practices or capabilities, and knowingly failing to disclose data breaches. Commentators writing at JD Supra discuss several questions contractors should ask themselves to determine whether they are in compliance with the FCA. They recommend that entities establish a process for investigating and remediating cybersecurity-related complaints, make sure their cybersecurity controls meet current standards, and accurately report those controls and capabilities to the government, all while keeping abreast of evolving reporting requirements.
Settlement reached for fertility clinic data breach.
TAPinto reports that a settlement has been reached over a data breach that compromised the private information of more than 14,000 fertility clinic patients in 2016 and 2017. Over the course of several sessions, an intruder or intruders gained unauthorized access to the systems of Diamond Institute for Fertility and Menopause, LLC, based in New Jersey, and viewed private patient data. The subsequent investigation by the state's Division of Consumer Affairs found that, by deactivating technological protections, Diamond Institute violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and the HIPAA Security Rule, leaving the sensitive data exposed to intrusion for more than five months. The clinic has agreed to pay $495,000 and to strengthen its data handling practices. Acting Attorney General Andrew J. Bruck explained, “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”
Data collection isn't all baked into the cookies.
Reuters reports that US Federal Trade Commission chair Lina Khan, speaking about a staff report on Internet providers' data collection practices, called the amount of data collected "staggering." Reuters summarizes the findings: "The agency staff found that some companies collected data about browsing histories, what is streamed, sensitive characteristics like race and sexual orientation and real-time location, which it found were sometimes shared with third parties."
Daniel Markuson, digital privacy expert with NordVPN, wrote to offer an opinion on consumers' options. There aren't many of them, apparently:
“If the data collected by the ISP is not gathered by relying on browser cookies, but amassed through traffic inspection or supercookies, then there is little consumers can do. They can either (1) reject the ISP's data collection policy (if this option exists; it is usually hidden in the legal language. ISPs may not provide an opt-out option, so customers can only agree with these policies, or not use the ISP's service), or (2) use a VPN, which prevents ISPs from inspecting their customers' traffic or effectively using supercookies.
“Blocks of services and the subsequent discoveries of traffic monitoring, collection, and trade have led to an increased demand for VPNs. For example, in April 2017 President Trump signed the executive order repealing the FCC’s regulation requiring Internet providers to ask permission before tracking and selling user data. NordVPN user inquiries climbed by 200%, reflecting a national anxiety about internet privacy policy.”