Cyber & Legal Risks all over these 45 Security and Privacy Blind Spots!

07 August 2015 Internet, IT & e-Discovery Blog Blog
Authors: Peter Vogel

Everyone should be interested in a recent Blind Spot Report which was created because of the “demand for accountability in respect to privacy protection is growing, and security professionals are finding themselves in part responsible for this issue.”  The International Association of Privacy Professionals (IAPP) issued a report entitled “The Top 45 Security and Privacy” with an example of each blind spot. Here is a sampling of important Privacy Blind Spots:

  1. Enforce Strong Password Policies
  2. Logging IP Addresses May Violate Privacy Policies

In late 2007 Peter Scharr, Germany’s data protection commissioner, argued that Internet Protocol (IP) addresses should be considered personal information, but a court ruling in Washington state in 2009 decided it wasn’t. Which is it, then? As a general rule of thumb, if you can combine an IP address with other information to identify an individual, it should be considered personal information. In either case, only collect IP addresses when there is a specific purpose for that information.  Many organizations make public promises that they don’t capture any personally identifying information. Yet just about every website or web-based application keeps a log of visitors to their sites, most of which capture IP addresses.

  1. Unauthorized Use of Information

In 2012, Spokeo paid the FTC $800,000 to settle charges that it violated federal law by compiling and selling personal information for use by potential employers. The complaint against Spokeo alleged that it violated the Fair Credit Reporting Act by marketing its consumer profiles without making sure they would be used for legal purposes. Many marketers and sales people scheme to aggregate as much information as possible about their targets in order to give their pitches the best chance of success. The interconnectedness of our modern culture makes this type of activity increasingly easy, but just because you can do something, doesn’t mean you should. “Just about every website or web-based application keeps a log of visitors to their sites”

  1. Unintentionally Collecting Information from Children

In an effort to boost its audience, Yelp created a streamlined sign-up process for its mobile app. Unfortunately, Yelp neglected to include a check for the applicant’s date of birth. As a result, it accidentally collected personal information from minors and a $450,000 fine from the FTC for violating the Children’s Online Privacy Protection Act. Regulations aggressively protect minors. If you believe your application or service will be used by minors, make sure to include a date check to verify their eligibility to send you their personal information.

  1. Employees Peeking at Private Information
  2. Personal Defamatory Remarks on an Internal Social Network
  3. Unique Identifiers Put Anonymity at Risk
  4. Collecting Information for Marketing Purposes Without Permission
  5. Emailing Canadians Without Explicit Consent
  6. Regulators Are Increasingly Technically Adept
  7. Responsibility for Sensitive Data Sent to Authorized
  8. Don’t Collect Information that Reveals Habits of the Individual Without Consent
  9. Recording Location Information Puts Anonymity At Risk
  10. Collecting Sensitive Information Without Allowing the User To Opt Out
  11. De-identification of Data Is Difficult; Really Difficult
  12. Don’t Collect Data You Can’t Use

Obviously all businesses have many of these blind spots.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.


Related Services