[TheRecord] FTC: Health app and connected device makers must disclose data breaches

The Federal Trade Commission approved a policy statement Wednesday that warns makers of health apps and connected devices that collect health-related information to comply with a decade-old data breach notification rule.

The policy is part of a shift towards more aggressive enforcement on technology issues at the agency under the leadership of Chair Lina Khan, who signalled more scrutiny of data-based ecosystems connected to such apps and devices may be down the line. 

While the rule provides some measure of accountability, “a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan said in a statement, adding that the Commission “should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The FTC developed its Health Breach Notification Rule in 2009 after being tasked with studying and devising ways to protect health information as part of the American Recovery and Reinvestment Act. The rule was designed to require vendors not covered under other medical-information privacy laws, like the Health Insurance Portability and Accountability Act (HIPAA), to disclose breaches of health information—including to users, the agency, and the media in some cases. 

Since the rule was first issued, there’s been an explosion of apps related to tracking everything from fertility and menstruation to mental health as well as connected devices that collect health-related information, like fitness trackers. 

In March, Senator Bob Menendez (D-NJ) and Congresswomen Bonnie Watson Coleman (D-NJ) and Mikie Sherrill (D-NJ) sent a letter to the FTC urging it to enforce the Health Breach Notification Rule against mobile apps that leak data. The letter cited a Wall Street Journal report about Flo Period & Ovulation Tracker, a popular fertility monitoring app, sharing sensitive information with third parties. 

In June, the agency finalized a settlement with the app’s developer requiring that the company get user consent before sharing personal health information and go through an independent review of its privacy practices. However, that action was based on the agency’s broader ability to protect consumers from unfair and deceptive practices, rather than the specific Health Breach Notification Rule. 

The agency announced a review of the rule last year and previously released guidance suggesting that makers of health-tracking apps consider whether they fall under its purview. The new policy statement makes the warning more explicit, with the agency noting that failure to comply could result in “monetary penalties of up to $43,792 per violation per day.”

The post FTC: Health app and connected device makers must disclose data breaches appeared first on The Record by Recorded Future.
