Happy New Year! The Siskinds Privacy, Cyber and Data Governance team returns in 2025, providing businesses and professionals with monthly updates on technology, privacy, and artificial intelligence (AI) laws in both the U.S. and Canada.
At the end of 2024, there were not many developments in Canada; however, there are many updates this year south of the border in the United States.
Word of the Month: Spear Phishing
The new word for our first publication of 2025 is “Spear Phishing”. Spear Phishing is a type of phishing attack that is tailored to an individual user. Contrast this with “whaling,” which is a specialized type of spear phishing that is targeted at C-suite executives, celebrities, and politicians.
Privacy, Cyber, and Data Governance News Concluding 2024
There are lots of developments from November, December, and immediately into this new year that you should know about.
November 6, 2024: According to Infosecurity Magazine, Google Cloud will be mandating multifactor authentication (MFA) in 2025 because, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “MFA makes users 99% less likely to be hacked.”
November 9, 2024: According to Krebs, cybercriminals are increasingly using hacked law enforcement emails to send unauthorized emergency data requests to companies requesting personal information to use for criminal purposes.
November 29, 2024: Krispy Kreme suffered “unauthorized activity” on a portion of its computer systems, as disclosed on December 10, 2024, on a filing to the Securities Exchange Commission (SEC).
December 2, 2024: GoodRX, a drug discounter, has agreed to “pay $25 million to settle class-action claims that it wrongly shared consumers’ health information with Meta Platforms, Google and Criteo for ad purposes”, according to MediaPost.
December 4, 2024: Reuters reports that a Chinese hacking group named, “Salt Typhoon” stole a large number of “telephone audio intercepts along with a large tranche of call record data” from at least eight telecommunications and telecom infrastructure firms in the U.S.
December 30, 2024: According to The Guardian, Chinese state-sponsored hackers breached the U.S. Treasury Department, “accessing several employee workstations and unclassified documents.”
Canada: Launch of CAISI, Joint Report published on LifeLabs, and Albertan fined for falsifying Medical Records
November 12, 2024: Canada launches the Canadian Artificial Intelligence Safety Institute (“CAISI”) to “bolster Canada’s capacity to address AI safety risks” and will be housed at Innovation, Science and Economic Development Canada, with its own dedicated office.
November 12, 2024: The Privacy Commissioner of Canada, Philippe Dufresne, is launching an investigation into the World Anti-Doping Agency because of a claim that the organization shared athletes’ personal information (i.e., their biological samples) without their knowledge or consent.
November 13, 2024: The Privacy Commissioner of Canada and the provincial privacy commissioners issued a joint resolution “calling for action on the growing use of deceptive design patterns that undermine privacy rights.” The press release notes that, “[d]eceptive design patterns manipulate or coerce users into making decisions that may not be in their best interests. These patterns are frequently used on websites and mobile apps, including those that are geared towards younger users, and their prevalence is a growing concern for regulators.” Note that several U.S. comprehensive privacy laws already define and explicitly codify deceptive design patterns (a.k.a. “dark patterns”).
November 25, 2024: The Offices of the Information and Privacy Commissioners of Ontario and British Columbia have published their joint report on the 2019 data breach involving LifeLabs.
December 4, 2024: Saskatchewan’s information and privacy commissioner reported that the health care records of more than 7,000 people were exfiltrated from Innomar, a private clinic, by threat actors, as reported by Canadian Healthcare Technology. The following PHI was exfiltrated: Names, addresses, dates of birth; height, weight; telephone number, email addresses; dates, location of services; health diagnosis/condition; medications/prescriptions; medical record number, patient numbers, health insurance/subscriber number; and signature, lab results, and medical history.
December 16, 2024: The Office of the Information and Privacy Commissioner of Ontario published an update to its Guidance on the Use of Automated License Plate Recognition Systems by Police Services.
December 19, 2024: A former employee of Alberta Health Services was fined $12,000 for falsifying COVID-19 immunization records of nearly 200 people. The offence he was fined for: knowingly using and creating health information in contravention of the Alberta Health Information Act.
United States: A flurry of privacy laws take effect
December 26, 2024: The U.S. Department of Justice (DOJ) issued the final rule to implement Executive Order 14117 of February 28, 2024 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), by prohibiting and restricting certain data transactions with certain countries or persons. This is particularly significant if your business deals with certain bulk information or U.S. government-related data, and your subprocessors are or may be processing such data in countries of concern (i.e., China, Cuba, Iran, North Korea, Russia and Venezuela).
January 1, 2025: The Delaware Personal Data Privacy Act, the Iowa Consumer Data Protection Act, the Nebraska Data Privacy Act, the New Hampshire Data Privacy Act, and the New Jersey Data Privacy Act all take effect on January 1, 2025 (except for New Jersey’s, which comes into effect January 15).
U.S. Federal Trade Commission (FTC) Rules and Enforcement
November 6, 2024: The FTC settled with Sitejabber, a business offering an AI-enabled consumer review platform, after allegations that “it collected ratings and reviews for its online business clients from consumers at the time of purchase, before they received or had the chance to experience the products or services they bought.” Sitejabber then used these ratings and reviews to allegedly “deceptively inflate the average ratings and review counts of its clients on the company’s review platform” and misled consumers into “believing that a business’ high review count and high rating means that . . . customers have had positive experiences with the business’ products or services.”
November 26, 2024: The FTC published a blog post recommending that the manufacturers of “smart” products disclose how long their products would receive software updates.
December 3, 2024: The FTC proposed a settlement order with Mobilewalla, a data broker, to settle allegations that the data broker collected large amounts of consumers’ personal information, including location data, indirectly without taking reasonable steps to verify consumers’ consent.
Mobilewalla essentially collects consumer information from real-time bidding exchanges and other data brokers and aggregates the information into standard audience segments. Mobilewalla then sells access to its data (including raw location data, which could include sensitive location data) and to its audience segments (e.g., “Young Mothers,” “Music Lovers,” “Pregnant Women,” “Hispanic churchgoers,” “members of the LGBTQ+ community”, etc.).
According to the complaint, Mobilewalla did not take reasonable steps to confirm with their data suppliers that consumers consented to Mobilewalla’s collection and use of their personal information. “Mobilewalla does not contractually require its suppliers to obtain consumer consent. Typically, Mobilewalla has merely relied on vague contractual assurances that the suppliers’ sale of consumers’ information complied with applicable law.” Additionally, “Mobilewalla fail[ed] to take reasonable steps to verify that its suppliers have obtained consumer consent. For example, although in 2020, Mobilewalla began requiring its suppliers to certify annually that they had consumers’ consent to collect and transfer their information, Mobilewalla failed to implement any procedures to verify the accuracy of these certifications, such as requesting and reviewing consumer notices.”
Additionally, the FTC alleges that “the data sold by Mobilewalla can be used to identify individual consumers and their visits to sensitive locations, such as visits to houses of worship, political protests, and doctors’ offices” and that the sale of such data “poses an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury to consumers.” This is significantly heightened because the FTC alleges that Mobilewalla has the practice of “indefinitely retaining consumers’ location information.”
The FTC alleges the following counts: unfair sale of sensitive location information; unfair targeting based on sensitive characteristics; unfair collection of consumer information from real-time bidding exchanges; unfair collection and use of consumer location information without consent verification; and unfair retention of consumer location information.
Likewise, see another recent, similar settlement between the FTC and Gravy Analytics and Venntel.
December 17, 2024: Grubhub will settle allegations with the FTC and the state of Illinois that it:
- knowingly lured consumers by misrepresenting delivery fees (i.e., by advertising that the consumer will pay a single, low-cost amount for its delivery services, but then adding on additional undisclosed fees);
- used deceptive enrolment tactics to lure consumers to sign up for its subscription program (e.g., advertising “unlimited free delivery” yet continuing to add on numerous fees);
- made enrollment into its subscription program fast and easy, while obstructing consumers from cancelling the subscription program by failing to provide an easy cancellation mechanism (and instead “buries the cancellation option behind a series of pages in consumers’ account settings that many consumers have difficulty locating”);
- has employed a “fraud detection system that has blocked [consumers] from completing orders and sequestered their gift card balances . . .[,] even when consumers complain or verify that they are not fraudsters . . . [depriving] many bona fide [consumers] of their gift card balances and . . . [of] their [paid] accounts to complete delivery orders”;
- falsely represented an affiliation with certain restaurants without those restaurants’ permission;
- pressured such unaffiliated restaurants to sign contracts with Grubhub when such restaurants request removal from the Grubhub platform; and
- misled drivers about how much they would get paid (e.g., advertised that drivers can earn $26 per hour, when in reality the median earnings were only about $11 an hour).
See the complaint for more information. Grubhub will pay “$25 million of a $140 million judgment, which was partially suspended based on Grubhub’s inability to pay, but which Grubhub will have to pay immediately if it turns out it lied on sworn financial statements supplied to the FTC during settlement talks.” See the FTC’s press release.
U.S. Federal Communications Commission (FCC) Enforcement
November 21, 2024: The FCC proposed a $734,872 fine against China-based smart home device manufacturer Eken “for apparent violations of FCC rules that require the company to designate an agent located in the United States.” FCC investigators sent a “formal Letter of Inquiry to the company’s U.S. designated agent—which, under FCC rules, is a required domestic point-of-contact for the agency when it needs to serve or otherwise contact a company that holds FCC device certifications.” Note the parallel with the designation of a representative in the EU under Article 27 of the GDPR.
U.S. Consumer Financial Protection Bureau (CFPB)
November 21, 2024: The CFPB finalized a rule to supervise certain large nonbank companies that offer digital funds transfer and payment wallet apps (i.e., those handling more than 50 million transactions per year).
U.S. Health and Human Services (HHS), Office for Civil Rights (OCR) Enforcement
December 5, 2024: The OCR announced a $548,265 civil monetary penalty against Children’s Hospital Colorado following receipt of breach reports in 2017 and 2020 relating to email phishing and cyber-attacks. The first breach arose from a phishing attack that “compromised an email account containing 3,370 individuals’ PHI” because “multi-factor authentication was disabled on an email account.” The second breach arose when “workforce members gave permission to unknown third parties to access their email accounts.” Children’s Hospital Colorado also failed to train certain employees on the HIPAA Privacy Rule, and failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems.
New York: More Fines—Remember to Patch your Information and Operational Technologies
November 21, 2024: NY fined GEICO and Travelers Insurance for poor data security that led to the driver’s licence numbers of more than 120,000 New Yorkers being compromised. The root cause was a consumer quoting tool that prefilled consumer information, which threat actors were able to exploit.
December 9, 2024: NY fined HealthAlliance, Inc., a not-for-profit, that operates healthcare facilities in NY. In particular, HealthAlliance used telemedicine to connect patients with relevant providers and accordingly deployed certain networking products provided by Citrix to facilitate the telemedicine. On July 18, 2023, Citrix publicized certain cybersecurity vulnerabilities that affected the products used by HealthAlliance, and Citrix published patches for those vulnerabilities. HealthAlliance immediately initiated its patch management protocol; however, due to technical issues, HealthAlliance was unable to successfully apply one of the patches. Despite its inability to patch the vulnerability, HealthAlliance kept the relevant, vulnerable application online to avoid disruptions to its services. A few months later, HealthAlliance suffered a data breach whereby malicious threat actors exfiltrated the personal information of 273,733 NY residents.
December 19, 2024: NY fined auto insurance company, Noblr, $500,000 for failing to protect the personal information of 80,000 New Yorkers from a data breach. “Noblr discovered scammers exploiting the prefill vulnerability in January 2021. Noblr did not monitor its site traffic in real time causing delays in detecting the attack. This failure to monitor site traffic also made it difficult to distinguish malicious activity from legitimate consumer inquiries. The attack on Noblr’s auto-quoting tool exposed the data of approximately 80,000 New York residents.”
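The Noblr finding above turns on two gaps: no real-time monitoring of site traffic, and no way to tell enumeration of a prefill feature apart from ordinary consumer quote requests. As an added example (not code from Noblr, GEICO, or the NY regulator), the following Python script shows the simplest form of the missing control: a sliding-window velocity check over access-log lines that flags any client that queries a prefill endpoint for an unusual number of distinct identities in a short period. The log format, the `/quote/prefill` path and its `last`/`zip` query parameters, the thresholds, and the sample lines are all constructed assumptions for the example.

```python
"""Velocity check for a quote-prefill endpoint over constructed access-log lines.

Assumed (hypothetical) log format, one request per line:
    <ISO timestamp> <client ip> <HTTP method> <path-with-query> <status>
The /quote/prefill path and its last/zip parameters are assumptions for this
example, not any insurer's real endpoint.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

PREFILL_PATH = "/quote/prefill"  # assumed endpoint name


def build_sample_log():
    """Constructed sample: one consumer retrying a single quote (legitimate),
    one source cycling through 30 distinct identities in under a minute
    (the enumeration pattern), and unrelated traffic that must be ignored."""
    lines = [
        "2021-01-12T09:00:01 203.0.113.7 GET /quote/prefill?last=SMITH&zip=10001 200",
        "2021-01-12T09:00:40 203.0.113.7 GET /quote/prefill?last=SMITH&zip=10001 200",
        "2021-01-12T09:05:00 192.0.2.44 GET /quote/start 200",
    ]
    for i in range(30):
        lines.append(
            f"2021-01-12T09:00:{i + 2:02d} 198.51.100.9 GET "
            f"/quote/prefill?last=NAME{i}&zip={11200 + i} 200"
        )
    return lines


def parse_line(line):
    """Split one constructed log line into its fields and extract the
    (last name, zip) pair the prefill request is asking about."""
    ts, ip, _method, target, status = line.split()
    url = urlparse(target)
    query = parse_qs(url.query)
    identity = (query.get("last", [""])[0], query.get("zip", [""])[0])
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "path": url.path,
        "identity": identity,
        "status": int(status),
    }


def flag_enumeration(lines, window=timedelta(minutes=5), max_distinct=10):
    """Return {client ip: peak number of distinct identities queried inside any
    `window`} for every client that exceeds `max_distinct`.

    A genuine consumer asks about one or two identities (their own household);
    a source asking about dozens of different people in minutes is the signal
    that real-time monitoring is meant to surface."""
    events = sorted(
        (parse_line(line) for line in lines if line.strip()), key=lambda e: e["ts"]
    )
    recent = defaultdict(deque)  # ip -> deque of (timestamp, identity) in window
    flagged = {}
    for event in events:
        if event["path"] != PREFILL_PATH:
            continue  # only the prefill feature is being monitored here
        queue = recent[event["ip"]]
        queue.append((event["ts"], event["identity"]))
        while queue and event["ts"] - queue[0][0] > window:
            queue.popleft()  # drop requests that have aged out of the window
        distinct = len({identity for _, identity in queue})
        if distinct > max_distinct:
            flagged[event["ip"]] = max(distinct, flagged.get(event["ip"], 0))
    return flagged


if __name__ == "__main__":
    for ip, peak in flag_enumeration(build_sample_log()).items():
        print(f"ALERT {ip}: {peak} distinct identities queried within 5 minutes")
```

Counting distinct identities rather than raw request volume is what separates the two cases the regulator describes: a consumer who reloads the page several times stays at one identity, while an enumeration source climbs past the threshold quickly. In production the same check would run on streaming logs and feed a rate limiter or step-up challenge on the prefill feature, which is the "real time" part Noblr was faulted for lacking.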
California: Fines for Failure of Data Brokers to Register
December 23, 2024: PayDae, Inc., doing business as “Infillion,” and The Data Group, LLC, were fined by the California Privacy Protection Agency (CPPA) $54,200 and $46,600 respectively for failing to register with the CPPA as data brokers and pay the stipulated annual fees.
Putting privacy first: Your path to compliance starts here.
It is crucial for businesses to establish a comprehensive privacy program. At Siskinds, our Privacy Concierge program offers custom subscription programs.
To discover how Siskinds can assist you in meeting your privacy compliance needs, or if you have any questions related to this blog post, contact me, Savvas Daginis, at [email protected], or a lawyer on Siskinds’ Privacy, Cyber & Data Governance Team.