WannaCry and Why the Surprise Ransomware Attack Shouldn’t Have Surprised Anyone

A Q&A with Matt Ahrens, The Crypsis Group

Last week, the devastating WannaCry attack—considered unprecedented in its scale and speed—hit more than 230,000 computers in 150 countries, including the National Health Service, FedEx, Deutsche Bank and LATAM Airlines, among others. I asked Matt Ahrens of The Crypsis Group about the attack, what made it so dangerous and what it means for organizations trying to improve their cyber security posture.


Third-Party Vendor Risk in Healthcare

A Q&A with Ozzie Fonseca of Experian
Last year’s data breach at Medical Management, LLC highlights the importance of third-party vendor oversight in the healthcare space. In this specific case, a call center agent at a billing company was copying information and sharing it with an unauthorized third party, leading to the exposure of thousands of patients’ records from 40 providers. We spoke to Ozzie Fonseca of Experian Data Breach Resolution about its implications for healthcare organizations.


Protecting Children’s Data Online

A Q&A with Marshall Harrison of Imperium
With the passage of the Children’s Online Privacy Act (COPPA), businesses are scrambling to find effective ways of staying compliant with the regulation. I talked to Marshall Harrison, founder and CEO of Imperium, about the law’s implications and his new product ChildGuardOnline, an FTC-approved parental consent verification solution.

What type of child data is covered under COPPA?
COPPA applies to individually identifiable information about children under the age of 13 that is collected online, such as on a website or mobile application. That information can include the name, home address, phone number or anything else that would allow someone to identify the child, such as hobbies and interests. For instance, if a mobile app operator can tell which website a child has visited online, that is covered by COPPA. If they are collecting an IP address of the child either proactively or even passively, then that is also covered by COPPA.

Please explain the section of the COPPA regulation that requires verifiable parental consent.
Before collecting or using or disclosing any personal information from a child, the operator (either the site owner or developer) has to obtain verifiable parental consent from the child’s parent. In certain circumstances the child’s info could be collected prior to consent—for instance, if they have to collect data such as the child’s name to contact the parent and say “Your child Joe has asked for your consent.” There are some common sense exemptions or exceptions to the rule, but generally the consent has to come first.

How can a company that collects or shares child data comply with the regulation?
Of course, the best thing they could do is consult with an attorney to find out if they are already complying. To be more specific, the operator has to make what is considered a reasonable effort to ensure that before any information is collected from the child the parent gets notice and gives verifiable consent. The operator has to tell the parent who they are, what they do, the nature of the data collected and what they plan to do with it. They also need to tell the parent if the information will be shared with a third party and/or made publicly available on social media. There are a number of ways to get consent—written consent, which can be laborious, an online monetary transaction that might include charging a credit card to prove that the parent is the person they say they are, or a phone or Skype interview with trained personnel. You can also confirm the identity through public record databases or if the information is only internal you can use a procedure such as Email Plus. Finally, you can use a fully compliant service such as ChildGuardOnline. ChildGuardOnline uses the last four numbers of the parent’s SSN or knowledge based authentication (KBA) questions. It also checks sex offender lists and assures the age appropriateness of the parent for the child being given permission. In addition, it allows parents to withdraw their consent at a later date, in addition to other features.

What are the possible penalties for non-compliance?
COPPA is enforced by the federal government but it also provides enforcement rights for states. Some states are more active in consumer protection than others. An operator who violates COPPA can be fined up to $16,000 per violation, which is per child from whom they get the data not pursuant to verifiable consent. The total fine varies due to factors such as the number of violations, the history of violations and the degree of egregiousness. Some large companies have been fined hundreds of thousands of dollars.

People comply with laws or take measures to comply for several reasons. In addition to the FTC there are parents’ groups and educational and religious groups that are monitoring apps and websites targeted to children, and they will go above and beyond to highlight companies that are good citizens, or not. The reality is that many companies—especially those that are nonprofits who share the data, those based outside the U.S., or those that don’t save the data and think they are immune to COPPA—still don’t understand the law and are not compliant.

In summary…
This is a major cyber liability risk issue for any organization that in any manner interfaces with children’s personal information. Protecting private data and transparency regarding usage is paramount. Attorneys General, FTC and plaintiff lawyers are paying close attention to the COPPA regulation. Moreover, the number of websites and, especially, mobile apps with child-directed content is vast, and it appears that very few of these entities are in fact fully complying with the regulation’s key component – getting verifiable parental consent. This requirement alone is daunting, but thanks to companies like Imperium and products such as ChildGuardOnline, solutions are starting to surface.
