
9/19/2017
10:55 AM
Dark Reading
Products and Releases

3 Companies to Settle FTC Charges They Falsely Claimed Participation in EU-US Privacy Shield Framework

Three U.S. companies have agreed to settle Federal Trade Commission charges that they misled consumers about their participation in the European Union-United States Privacy Shield framework, which allows companies to transfer consumer data from EU member states to the United States in compliance with EU law.

In separate complaints, the FTC alleges that human resources software company Decusoft, LLC, printing services company Tru Communication, Inc. (doing business as TCPrinting.net), and Md7, LLC, which manages real estate leases for wireless companies, violated the FTC Act by falsely claiming that they were certified to participate in the EU-US Privacy Shield. The FTC also alleged that Decusoft falsely claimed participation in the Swiss-U.S. Privacy Shield framework. Despite these claims, all three companies failed to complete the certification process for the Privacy Shield, according to the FTC complaints.

“Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce,” said Acting FTC Chairman Maureen K. Ohlhausen. “Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”

The actions against the three companies are the first cases the FTC has brought to enforce the EU-U.S. Privacy Shield framework, which was put in place in 2016 to replace the U.S.-EU Safe Harbor framework. The FTC brought 39 enforcement actions against companies under the U.S.-EU Safe Harbor framework. Like the Safe Harbor, the Privacy Shield is aimed at providing companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring consumer data between the EU and the United States. These cases join the four enforcement actions the FTC has brought related to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.

Companies that want to join the Privacy Shield must be subject to the jurisdiction of the FTC or the U.S. Department of Transportation, and certify to the U.S. Department of Commerce that they comply with the Privacy Shield Principles. The Department of Commerce maintains the list of companies that have joined the framework, while the FTC enforces the promises companies make when joining the Privacy Shield.

As part of their settlements with the FTC, the three companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.

The Commission voted 2-0 to issue the administrative complaints and to accept the consent agreements with the three companies. The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through October 10, 2017, after which the Commission will decide whether to make the proposed consent orders final. Interested parties can submit comments electronically by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section for Decusoft, LLC, Tru Communication, Inc., and Md7, LLC.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $40,654.

 
