Technology typically evolves far faster than the law can. Because of this, it is easy for businesses to adopt new technology and use it however they like with a feeling of impunity.
But businesses are still responsible for protecting the sensitive information they collect from their customers. So, as helpful as developments in technology can be, they have also created a privacy-protection minefield for businesses to tiptoe around.
This month, a particularly worrying class action complaint was filed against Disney for allegedly violating the Children’s Online Privacy Protection Act (COPPA). While some parents claim that Disney violated the act by tracking personally identifiable information on children under 13 through its Princess Pets app, a Disney spokesperson maintains that the complaint rests on a fundamental misinterpretation of the act.
Either way, it shows that not even the giants among us are safe from the legal landslides that surround technology and privacy.
So, we’ve created this mini case study on a recent scandal with Yahoo, and topped it off with the three best tips we could find (with more examples) to help you keep your clients (and yourself) out of hot water.
Let’s get started:
In September of last year, it was revealed that Yahoo had suffered a major hack in 2014, with personal information taken from 500 million accounts. Yahoo acknowledges that it learned about the attack in 2014, but claims that the information never reached senior management for a proper follow-up.
The attack is particularly significant because Yahoo accounts are tied to other accounts, including bank accounts.
As Alex Holden, the founder of Hold Security, suggested to the New York Times, “The stolen Yahoo data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family.”
Although the attack itself is alarming, the real problem for Yahoo arose in the aftermath. The public perceived Yahoo’s actions as an attempt to conceal information, and has regarded its statements since the attack was revealed as an attempt to avoid accountability.
In the end, with CEO Marissa Mayer denying any knowledge of the incident, Yahoo lawyer Ron Bell became the scapegoat for the entire affair.
The Securities and Exchange Commission (SEC) is investigating whether Yahoo broke any laws by failing to disclose the breach to its shareholders while the disaster was unfolding. Yahoo, for its part, concluded that it was under no legal obligation to notify its customers.
To say the least, it has been both a legal and PR nightmare.
Hacks are almost inevitable, but a similar scandal and legal investigation can be avoided.
Yahoo could have avoided a legal investigation by coming clean about the hack, at least to its investors. It could have avoided further scandal by disclosing the attack to its customers regardless of whether that was determined to be legally necessary.
It should also have notified other institutions that may have been affected by the hack, especially since financial accounts may have been compromised.
Although it did not become an issue for Yahoo, other companies have been investigated and fined for misinforming their customers.
Ashley Madison and Turn Inc. have both been investigated by the Federal Trade Commission (FTC) for deceiving their customers about how their data was used. Ashley Madison, for instance, allegedly charged customers to remove their personal data from its servers while retaining some or all of the information it had collected.
It is important to be honest about the scope of your technology, what information you collect, and who you share it with. These policies need to be clear and available to anyone who works with you. Otherwise, you are open to hefty fines or legal action.
Know your encryption
Several businesses, including Henry Schein Practice Solutions and Ashley Madison, have been investigated by the FTC for exaggerating the effectiveness of their data encryption, with Henry Schein Practice Solutions paying $250,000 in settlements.
It is not enough to have something called encryption. Steps need to be taken to ensure that it is actually adequate, and that its strength is described accurately to the people relying on it.
To get a better idea of how to protect yourself, see the latest changes to the FTC privacy policies here.
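To make "adequate" concrete, here is an added example (not from the original article, and not the code of any company it mentions) that contrasts a hypothetical vendor scheme that merely scrambles data with a fixed key against authenticated encryption with a random key and a fresh nonce per record. The sample record, the fixed key "s3cret" and the scheme names are constructed for the illustration; the strong scheme uses only the Python standard library (HMAC-SHA256 as a keystream plus an HMAC tag) as a stand-in for a vetted library construction such as AES-GCM, which is what production code should use.

```python
"""Obfuscation mislabelled as encryption vs. authenticated encryption.

Standard library only. Scheme A is deliberately weak; Scheme B is an
encrypt-then-MAC construction built from HMAC-SHA256 for illustration.
"""
import hashlib
import hmac
import itertools
import secrets

# Constructed sample record; not real data.
SAMPLE_RECORD = b"patient=Jane Doe;ssn=123-45-6789;dob=1980-01-01"

# ---- Scheme A: hypothetical vendor "encryption": repeating-key XOR with a fixed key ----
FIXED_KEY = b"s3cret"  # same in every install, so it is a format, not a secret


def weak_encrypt(data: bytes) -> bytes:
    """Reversible encoding: no per-deployment secret, no nonce, no integrity check."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(FIXED_KEY)))


def weak_decrypt(data: bytes) -> bytes:
    return weak_encrypt(data)  # XOR is its own inverse


def recover_xor_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: one record with known contents reveals the whole key."""
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


# ---- Scheme B: encrypt-then-MAC with a random 256-bit key and a fresh nonce per record ----
NONCE_LEN = 16
TAG_LEN = 32


def generate_key() -> bytes:
    return secrets.token_bytes(32)


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from the master key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    for counter in itertools.count():
        if len(out) >= length:
            break
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def strong_encrypt(key: bytes, data: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. Same input encrypts differently each time."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(d ^ k for d, k in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def strong_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified or key is wrong")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit and report whether decryption refuses the result."""
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01
    try:
        strong_decrypt(key, bytes(flipped))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    weak_ct = weak_encrypt(SAMPLE_RECORD)
    print("Scheme A key recovered from one known record:",
          recover_xor_key(SAMPLE_RECORD, weak_ct, len(FIXED_KEY)))
    key = generate_key()
    blob = strong_encrypt(key, SAMPLE_RECORD)
    print("Scheme B round trip ok:", strong_decrypt(key, blob) == SAMPLE_RECORD)
    print("Scheme B rejects tampering:", tamper_detected(key, blob))
```

The checks a reviewer would run against a vendor's "encryption" are the ones in the block: does encrypting the same record twice give the same output, does one known record hand over the key, and does a modified ciphertext decrypt silently. Scheme A fails all three, so calling it encryption in marketing or a privacy policy would be exactly the kind of overstatement the FTC actions above were about.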