Most institutions of higher education are very familiar with the Family Educational Rights Protection Act (FERPA), which applies to all state and local, public and private educational institutions that receive federal funds through programs administered by the U.S. Department of Education (ED). Unless at least one of FERPA’s exceptions applies, institutions risk sanctions from ED – including the potential loss of all federal funding – if they disclose a student’s personally identifiable information (PII) from an education record without the student’s express prior written consent. Beyond FERPA, higher education institutions have additional legal responsibilities to assiduously secure and protect student data from inadvertent disclosure, particularly financial information maintained by an institution regarding students or their families.
The Federal Trade Commission (FTC) has updated its guidance applicable to the Children’s Online Privacy Protection Act (COPPA) to reflect developments in the digital advertising ecosystem and a burgeoning Internet of Things marketplace. The Guidance revises its six-step compliance plan to keep current with developing technology.
The Guidance, which had existed in substantially the same form since 2015, contains three new updates relating to new methods for obtaining parental consent, new products covered by COPPA, and new business models.
The New Jersey “Personal Information and Privacy Protection Act” was signed into law on July 21, 2017 by Governor Chris Christie and will be effective November 1, 2017.
The law restricts the way retail establishments may collect and use the personal information contained in the electronic data embedded in identification cards, such as driver’s licenses. The law responds to concerns raised by reports related to how businesses use and store personal information obtained from scanned driver’s licenses.
Nevada recently joined California as the second state to require that operators of websites and online services post public notices outlining their privacy practices. The Nevada law, which went into effect on July 1, requires that the posted notice on the website or online service do the following:
- Identify the categories of “covered information” collected through the site.
- Describe the process for consumers to review and request changes to the covered information collected through the site.
- Describe the process by which the operator notifies consumers of material changes to the notice.
- Disclose whether third parties may collect information about a consumer’s online activities over time and across different websites when the consumer uses the site.
- List an effective date.
After recent WannaCry ransomware and Petya/NotPetya malware attacks exposed the data security vulnerabilities of health care organizations and pharmaceutical companies globally, the Department of Health and Human Services and Office for Civil Rights have rolled out resources to prevent future attacks. The OCR’s resources, such as its Quick-Response Checklist, infographic and informational newsletter, are meant to support health care organizations every step of the way, from planning and contingency plans to response and mitigation procedures.
Earlier this year the FTC launched the IoT Home Inspector Challenge competition to challenge innovators to create a tool that will help protect consumers from security vulnerabilities in the software of home IoT devices. Submissions were received in May and reviewed by a panel of five judges, including security experts from a range of private companies, universities and the government. The FTC announced the winners on July 26, 2017.