9/19/2017
10:55 AM
Dark Reading

3 Companies to Settle FTC Charges They Falsely Claimed Participation in EU-US Privacy Shield Framework

Three U.S. companies have agreed to settle Federal Trade Commission charges that they misled consumers about their participation in the European Union-United States Privacy Shield framework, which allows companies to transfer consumer data from EU member states to the United States in compliance with EU law.

In separate complaints, the FTC alleges that human resources software company Decusoft, LLC, printing services company Tru Communication, Inc. (doing business as TCPrinting.net), and Md7, LLC, which manages real estate leases for wireless companies, violated the FTC Act by falsely claiming that they were certified to participate in the EU-US Privacy Shield. The FTC also alleged that Decusoft falsely claimed participation in the Swiss-U.S. Privacy Shield framework. Despite these claims, all three companies failed to complete the certification process for the Privacy Shield, according to the FTC complaints.

“Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce,” said Acting FTC Chairman Maureen K. Ohlhausen. “Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”

The actions against the three companies are the first cases the FTC has brought to enforce the EU-U.S. Privacy Shield framework, which was put in place in 2016 to replace the U.S.-EU Safe Harbor framework. The FTC brought 39 enforcement actions against companies under the U.S.-EU Safe Harbor framework. Like the Safe Harbor, the Privacy Shield is aimed at providing companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring consumer data between the EU and the United States. These cases join the four enforcement actions the FTC has brought related to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.

Companies that want to join the Privacy Shield must be subject to the jurisdiction of the FTC or the U.S. Department of Transportation, and certify to the U.S. Department of Commerce that they comply with the Privacy Shield Principles. The Department of Commerce maintains the list of companies that have joined the framework, while the FTC enforces the promises companies make when joining the Privacy Shield.

As part of their settlements with the FTC, the three companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.

The Commission voted 2-0 to issue the administrative complaints and to accept the consent agreements with the three companies. The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through October 10, 2017, after which the Commission will decide whether to make the proposed consent orders final. Interested parties can submit comments electronically by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section for Decusoft, LLC, Tru Communication, Inc., and Md7, LLC.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $40,654.
