Why Cloud Computing?


 Why Cloud Computing?

William Gamble, Owner, EMS

Kayla has a new friend. CloudPets produces a toy that talks. It talks with the voice of ‘friends’, hopefully parents, who can send it to the toy. When the toy receives the message it’s little heart blinks. When the child squeezes the toy’s paw it plays the message. Another squeeze and the child’s message gets recorded and delivered to the friend. Cute.But like Kayla (Cayla) a real security, privacy and legal nightmare. CloudPets are joining an ever-growing set of internet of things (IoT) that get personal information, much of it personally identifiable information (PII) and even sometimes Personal Health Information (PHI). Worse CloudPets, Kayla, Hello Barbie, and VTech collected information about children and sometimes lost it. VTech breach lost the records of a reported five million people.Like some of the other toys CloudPets recorded children’s voices. The data was stored in an audio file on the web. Worse, the system used to store the kids’ information was a DBMS, Mongo DB that was in a publicly facing network segment without any authentication required. The database had been indexed with the search engine Shodan. There are simple queries that anyone can run via search engines like Shodan that will point to all of the open MongoDB databases out there at any given time. The amount of information exposed was 821,296 records of registered users including passwords and 2,182,337 voice recordings!Obviously the IoT industry and especially the toy part of that industry has some way to go before they are able to make these things secure. But what are the legal consequences of Cloud pets? Not good. I will start with state consequences, in this case California. Then move on to US federal laws and finally discuss the EU GDPR jurisdiction in the next article.

US State Privacy Laws

Just the name ‘CloudPets’ sort of says it. This product is aimed at children. If the buyers of these stuffed animals had anything like my children’s preferences, the product is aimed at children under the age of 13. Marketing over the web to kids younger than 13 puts you under the jurisdiction of the Children's Online Privacy Protection Act, (15 U.S.C. 6501–6505, 15 U.S. Code § 6501) known as COPPA.COPPA is administered by the FTC and its regulations can be found at 16 CFR Part 312. In general, the law requires the operator of a website that collects personal information from children below the age of 13 must include a privacy notice, a privacy policy and how if obtains consent from parents for collecting this information. According to 16 CFR 312.4 (c)(iv) the operator’s website must contain a “hyperlink to the operator's online notice of its information practices”. As far as I could see the CloudPet website did not have any hyperlink. At the bottom of the web page it had is the following statement “All use of this website is governed by the CloudPets.com Terms of Use, including the CloudPets.com Notice of Privacy and Information Security Practices.” Since this is not a hyperlink to anything, CloudPets appears to violate this rule.The other issue with CloudPet is that by storing the children’s personal information and voices in a insecure web facing data base it violated 16 CFR 312.8, which states that the operator of the website shall “maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”But what is the penalty? Fines under COPPA are levied by the FTC are theoretically $16,000 per violation, but a review of 11 settlement show that fines are rarely that high. The largest settlement to date was for $3,000,000 which worked out to be about $2.45 per violation. So from a risk perspective COPPA presents a liability of about $1.6 million.

US Securities Law

In fact, the largest danger to CloudPets or any other firm has nothing to do with privacy laws. The real problem, at least for public companies, will be securities laws.A major breach will often trigger notifications to those affected. But what might most be affected will be the company’s stock. In August of 2016 the company responsible for CloudPets, Spiral Toys (STOY) had a market price of $0.85. By March 3 2017 it closed at $0.0035, a fall of 99%. So basically, the failure of CloudPets has meant the failure of Spiral Toys, although it must be admitted that Spiral Toys had many other severe problems. An investigation by the SEC would simply have made things worse.The jurisdiction of the SEC comes from the famous or infamous Rule 10b-5 (17 CFR 240.10b-5 Employment of manipulative and deceptive devices.) The rule makes it unlawful for any person or firm to make an untrue or fail to disclose a material fact. Certainly, a major breach or a known security flaw in a product is material. If the owner of the firm intentionally withheld this fact they could be subject to fines and sanctions from the SEC and for losses from private part who were damaged in the purchase and sale of the firm’s stock. Needless to say, these costs could be higher than many of the other damages.

Conclusion

Regulatory compliance for IT is never simple. Rather than a comprehensive system like the new EU GDPR, the US has laws that provide for specific regulations depending on what service or product you are providing and to whom. The penalties for violations of these regulations often are greater than anything a cyber thief could dream of. But you cannot stop with just the regulations concerning IT, health care or privacy. There regulatory environment is far greater than that and there are various agencies like the SEC whose bite is far worse than the FTCs. Remember it is not about compliance, it is about risk.

Subscribe to Industry Era



 

Events