News

The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.

Three Companies Settle FTC Charges that They Deceived Consumers About Participation in International Privacy Program

Three U.S. companies have agreed to settle Federal Trade Commission charges that they deceived consumers about their participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.

In separate but similar complaints, the FTC charged that Sentinel Labs, Inc., which provides endpoint protection software to enterprise customers; SpyChatter, Inc., marketer of the SpyChatter private message app; and Vir2us, Inc., which distributes cyber security software, falsely represented in their online privacy policies that they participated in the APEC CBPR system.

The APEC CBPR system facilitates privacy-respecting data transfers between APEC member economies through a voluntary, enforceable mechanism, which certifies companies as being compliant with APEC CBPR program requirements. The APEC CBPR system is based on nine data privacy principles: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability.

Companies that seek to participate in the APEC CBPR system must undergo a review by an APEC-recognized accountability agent, which certifies companies that meet the standards. The three companies, however, were not and had never been certified, according to the complaints.

“Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable U.S. companies to compete around the world,” said Acting Chairman Maureen K. Ohlhausen. “Companies, however, must live up to the promises they make to protect consumer data.”

The complaints allege that the companies violated the FTC Act by making deceptive statements that they participated in the APEC CBPR. The Commission also alleges that SentinelOne falsely claimed that it was a participant in a TRUSTe privacy program.

Under the terms of the settlement with the FTC, the three companies are prohibited from misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.

The Commission vote to accept for public comment the three consent agreements related to the three companies was 2-0. The FTC will publish descriptions of the three consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through March 24, 2017, after which the Commission will decide whether to make the three proposed consent orders final. Interested parties can submit comments electronically on the Sentinel Labs, Inc., SpyChatter, Inc., and Vir2us, Inc. agreements by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section of each of the three forms.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $40,654.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
22 Feb 2017, 11:00pm AEDT

FTC, Maine Attorney General Shut Down Web of Deceptive Supplement Sellers

CogniPrin and FlexiPrin supplement marketers targeted those suffering from poor memory, pain

The Federal Trade Commission and the Maine Office of the Attorney General today announced a complaint and three settlements with dietary supplement marketers who allegedly used radio infomercials deceptively formatted as talk shows and print ads featuring fictitious endorsers to advertise supplements purporting to improve memory and to reduce back and joint pain.

The three court orders resolving charges against six of the nine defendants named in the complaint bar them from making similar deceptive claims, and prohibit them from engaging in a wide range of marketing practices that have caused serious financial injury to consumers.

The FTC and Maine AG allege that defendants XXL Impressions LLC, Jeffrey R. Powlowsky, J2 Response LLP, Justin Bumann, Justin Steinle, Synergixx, LLC, Charlie Fusco, Ronald Jahner, and Brazos Minshew made false and misleading claims that CogniPrin: 1) reverses mental decline by 12 years; 2) improves memory by 44 percent; and 3) improves memory in as little as three weeks and is clinically proven to improve memory; and that FlexiPrin: 1) reduces joint and back pain, inflammation, and stiffness in as little as two hours; 2) rebuilds damaged joints and cartilage; and 3) has been clinically proven to reduce the need for medication in 80 percent of users and to reduce morning joint stiffness in all users.

In addition, defendants Ronald Jahner and Brazos Minshew, who were featured in ads as medical experts, are charged with providing endorsements without examining the products or exercising their supposed expertise. Further, the complaint alleges that Minshew is not actually an expert in neurology or brain science, as claimed in the radio ads.

The defendants promoted CogniPrin and FlexiPrin primarily through 30-minute radio ads formatted to sound like educational talk shows featuring defendants Jahner and Minshew (using a pseudonym) as purported experts who made unsubstantiated claims about the benefits of the products.

The complaint alleges that the defendants failed to disclose that defendant Jahner, who was presented as an objective medical expert, was paid a percentage of revenues generated from FlexiPrin and CogniPrin sales. In addition, the defendants allegedly used fictitious testimonials in print ads and on the internet to claim the products really worked. The complaint further alleges that defendants Powlowsky, XXL Impressions, J2 Response, Bumann, and Steinle falsely represented that consumers could try CogniPrin free for 30 days, while failing to disclose that consumers would have to enroll in a continuity plan to qualify for the offer, and that they would actually have only 14 days or less to try the product.

The complaint also alleges that these defendants, along with defendants Synergixx and Fusco, deceptively claimed that consumers could try the supplements “risk-free” with an unconditional 90-day money-back guarantee, when there were important undisclosed and burdensome requirements for obtaining refunds, including the return of empty product bottles and payment of significant shipping charges.

In addition, according to the complaint, these defendants failed to make important disclosures to consumers when they “up-sold” consumers negative option buying clubs and discount medical programs with ongoing monthly fees, charging many consumers for poorly disclosed continuity plans they did not want.

Based on this conduct, the agencies charged the defendants with violating the FTC Act, the Electronic Fund Transfer Act (EFTA) and its implementing Regulation E, the Telemarketing Sales Rule, and the Maine Unfair Trade Practices Act.

Defendants Powlowsky, XXL Impressions, J2 Response, Bumann, and Steinle have agreed in two separate proposed court orders to substantial injunctions against making unsubstantiated health efficacy claims. Both orders bar the defendants from making the false or unsubstantiated health claims challenged in the complaint and require them to have competent and reliable scientific evidence when making health-related claims. They also require the defendants to preserve all scientific evidence supporting claims they make, and bar them from failing to disclose a material connection to a paid endorser.

The orders further bar these defendants from misrepresenting the terms of any negative-option, continuity plans, or “free trial” offers, and require them to get consumers’ express consent before charging them. The orders prohibit the defendants from violating the Restore Online Shoppers’ Confidence Act and require them to comply with the EFTA. The two orders also impose a $6.57 million judgment against defendants, with all but $556,000 suspended due to the defendants’ financial condition.

The order against Powlowsky and XXL Impressions LLC also bans them from direct response marketing of foods, dietary supplements, or drugs for 20 years, while allowing the former to continue his manufacturing brokering business.

The order against the sixth settling defendant bars Minshew from acting as an “expert endorser” unless he has the expertise he claims to have, and requires him to have scientific evidence to support the product claims he makes.

The Commission vote approving the complaint and the three proposed stipulated orders against six defendants was 3-0. The FTC filed the complaint and proposed orders in the U.S. District Court for the District of Maine. Litigation continues against defendants Charlie Fusco, Synergixx, LLC, and Ronald Jahner.

The FTC appreciates the assistance provided by the Maine Office of the Attorney General in bringing this case.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by a District Court judge.

Federal Trade Commission, United States
Source: Press Release Feed
22 Feb 2017, 11:00pm AEDT

FTC Obtains Court Order Against Fake Prize Scheme Defendant

One of the defendants in a fake prize scheme has agreed to settle Federal Trade Commission charges that he provided services for a direct mail scheme that tricked people into thinking they had won $1 million or more if they paid $25 to collect the fake prize. But those who paid received nothing. The operation targeted hundreds of thousands of mostly elderly consumers.

The settlement resolves the charges against Ian Gamberg, who printed and mailed the promotions and participated with other defendants in editing the language and layout of the mailers and envelopes. The promotions were mailed under the names Paulson Independent Distributors, International Procurement Center, Phelps Ingram Distributors, and Keller Sloan & Associates.

Under a stipulated final order, Gamberg is banned from misrepresenting any good or service, including the misrepresentations alleged in the FTC’s complaint. He also is prohibited from failing to clearly disclose that certain distributed promotions are meant to solicit a purchase; that the recipient has not won anything of value; and if a consumer has won anything, the value of the prize. The order also bars Gamberg from selling or otherwise benefitting from consumers’ personal information and failing to dispose of it properly.

The order imposes an $800,000 judgment that will be partially suspended when Gamberg has paid $1,400. The full judgment will become due immediately if he is found to have misrepresented his financial condition.

Litigation continues against the remaining defendants in the scheme, Millenium Direct Incorporated and its principal David Raff.

The case was filed as part of an international initiative against mass-mail fraud, which included actions taken involving law enforcement agencies from Belgium, Canada, the Netherlands, and the United Kingdom. The International Mass-Marketing Fraud Working Group – a network of civil and criminal law enforcement agencies from several countries, and co-chaired by the FTC and the Department of Justice – has identified mass-mail fraud as a major financial threat to consumers.

The Commission vote approving the stipulated final order was 3-0. The U.S. District Court for the Central District of California entered the order on February 13, 2017.

NOTE: Stipulated final orders have the force of law when approved and signed by the District Court judge.

Federal Trade Commission, United States
Source: Press Release Feed
21 Feb 2017, 11:00pm AEDT

Swiping right and privacy rights

Dating apps are all about getting personal.

But they can also share a lot of your personal information, and not just with your hook ups.

So before sending your smoothest icebreaker, check how you can protect your personal information when sharing your dating profile.

Office of the Australian Information Commissioner
Source: News - OAIC
13 Feb 2017, 11:04pm AEDT

How to say sorry

Here at the Office of the Privacy Commissioner, we have a statutory duty to use our best endeavours to resolve complaints. Many complaints are resolved when the respondent agency simply apologises to the complainant.

Sounds straightforward? Not always. We see a lot of apologies that leave more than a bit to be desired. Here is some practical advice on how to get an apology right.

Firstly…why apologise?

If our Office cannot assist parties to resolve a complaint, then the aggrieved party (the complainant) can initiate proceedings in the Human Rights Review Tribunal. The Tribunal has the ability to compel parties to take certain actions and can award damages of up to $200,000 to successful plaintiffs.

Even if the action is unsuccessful, defending proceedings in the Tribunal can be very costly for agencies. Costs awards to agencies, if made at all, are usually only a small fraction of the actual money spent by the agency defending the proceedings. Therefore, it makes sense for both parties to resolve the matter so that going to the Tribunal is unnecessary.

Very often, we find that complainants who have a sense of hurt and anger due to the actions of an agency, simply want that hurt recognised, and for an apology to be issued.

In many situations, apologising is simply the right thing to do, and agencies recognise that.

“I’m sorry, not sorry”

In our experience, apology letters are best received when they are kept simple and straightforward. An apology letter is not the place to justify your actions. Nor is it the place to have a subtle dig at the complainant. A good apology should be sincere and to the point.

An apology letter that comes across as grudging, insincere or overly explanatory can actually inflame the situation, not resolve it.

Sometimes, agencies are tempted to write something along the lines of “We are sorry that you think we breached your privacy”. This is not helpful. Complainants are not silly - they can tell when the writer of the letter doesn’t accept there is anything to apologise for, and is only issuing an apology letter to make the situation go away. Part of apologising sincerely is taking ownership of the fact that something went wrong.

We also note that an apology doesn’t necessarily have to assign liability for an action. You can apologise carefully and acknowledge harm without putting your agency in a quandary. “I’m sorry this has happened to you” doesn’t mean that you have created a legal burden.

How to apologise

Don’t get us wrong - an apology letter doesn’t have to use flowery language, beg for forgiveness, or contain a handwritten pledge from the CEO that it will never happen again.

An apology letter should ideally:

  • acknowledge the hurt caused by the agency’s actions/inactions
  • apologise
  • if appropriate, briefly explain the steps the agency has taken to prevent the issue from occurring again.

A good apology can work wonders. Thanks for reading and happy drafting.

Image credit: Sorry by Denis Yang (via Flickr)

Office of the Privacy Commissioner, New Zealand
Source: Blog
13 Feb 2017, 2:33pm AEDT

Centrelink hits trouble with information matching

The controversy embroiling Centrelink, the Australian government agency that provides welfare payments, shows no sign of abating as a public and political backlash continues over its apparent mishandling of a debt recovery programme.

The trouble for Centrelink – and thousands of its clients – started when it began using a computer program to go back up to six years to find discrepancies to issue more notices for overpaid money to be repaid. What the programme did was identify debts by matching the benefit payments made to clients against their Australian Tax Office (ATO) records.

Since July 2016, Centrelink increased the number of debt notices it issued from around 20,000 per year to 169,000 between July and December alone. This might be all good and well, except that it has been shown that up to 20 percent of those notices were based on false assumptions.

These mistakes have caused consternation and outrage. One Centrelink client told an Australian news organisation that he nearly had a heart attack when his account incorrectly showed him owing $9,000. Another explained in this article that she had been unfairly billed for her ex-partner’s debt. One woman said Centrelink wiped her $7,800 debt after she indicated she would take her case to the Ombudsman's office.

Flawed process

The details of the fiasco are not yet entirely clear, but they are expected to become so with an enquiry by Australia’s Commonwealth Ombudsman. What is apparent is that the problems that have arisen were not caused by the matching of information between the ATO and Centrelink. They are instead down to the processes Centrelink has chosen to use in assessing the personal information and in deciding how to act on the results.

The process of sending out assessments of amounts owed by individual clients had also been changed to take out the manual checking done by staff. An internal process has been credited with correcting 37.5 percent of the notices generated in the previous system.

Claims have also been made in various news media suggesting Centrelink has not been using all of the information available to it, and it seems a major part of the inaccuracies in the system is due to the income earned by an individual in part of a year being averaged out over the entire year.

Instead of taking reasonable steps to make sure the information was correct before issuing debt notices, Centrelink appears to have shifted the onus of correction onto its clients. While this might have up-front savings in terms of staff processing time, the change in approach will certainly have added other costs to the agency.

Centrelink had planned that any problems with the notices would be handled through its website. But the website has proven unreliable and often crashed under the increased workload, increasing the stress on clients trying to dispute their debt notices.

Counting the cost

This has put added pressure on Centrelink staff who will now have to engage directly with clients to fix the errors. There’s a human resources cost to this and Centrelink will also have to deal with a rising volume of complaints against it.

There is a substantial reputational cost. The latest loss of public trust and confidence is another blow to the agency’s reputation after this earlier Ombudsman’s investigation in 2011.

But the most significant damage is the avoidable waste of expense, time, and stress imposed on clients and staff because of the new error-filled process.

In New Zealand

By comparison, New Zealanders fare better. Various protections for individuals were designed into the information matching provisions of the New Zealand Privacy Act in 1993.

Information matching programmes by government agencies are approved by statute and the Privacy Commissioner has a regulatory role to monitor the use of this data matching. There are several steps to get right when matching information held by one government department with information from another.

These protections continue to matter. As the Government invests more in automating its processes and in making greater use of data sets, our Office has a role to play in ensuring that the risks and benefits are assessed up front. This is done by using privacy impact assessment and privacy by design principles to prevent New Zealand agencies from stumbling into the same sort of problems experienced at Centrelink.

Image credit: Centrelink via Wikipedia

Office of the Privacy Commissioner, New Zealand
Source: Blog
10 Feb 2017, 7:32am AEDT

From Regulated to Regulator: Two Perspectives on Privacy

Keynote address at 2017 Reboot conference.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
10 Feb 2017, 7:00am AEDT

Privacy and Security in Health Care

Presentation delivered via Skype

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
10 Feb 2017, 7:00am AEDT

Beware the phishers

The salutation on the email simply said “Hi”. It arrived at 4.36am on a public holiday in the inbox of a public facing email address, and it appeared to have been sent from a personal email address belonging to the organisation’s chief executive.

In the organisation’s unguarded response to the email, the personal information of thousands of its members was released into the hands of unknown people. This phishing technique, designed to dupe the unwary, had, in this case, found its mark.

Within hours of the breach, the management of the New Zealand Nurses Organisation (NZNO) became aware of the error. We have already blogged about this incident. The organisation now had to examine the nature of information lost and the possible implications it might have for the members affected.

Responding to a breach

In the immediate aftermath, the NZNO communicated the breach to its members and the Office of the Privacy Commissioner. The seriousness of the breach could have been worse. As it happened, only the email addresses and names of members were given away. Unusually, this was the only information requested by the phishers.

The NZNO also commissioned an independent review of the incident and its response. The review was undertaken by Prof David Lacey, the managing director of the not-for-profit identity theft prevention and advisory agency, IDCare.

In his report, Prof Lacey suggests the NZNO was specifically targeted because its public-facing website carried enough information to facilitate such attacks, because the health industry is a common target of phishing, and because its membership is attractive to individuals and organised crime groups that commit such attacks. The likely intention of getting the stolen information was to conduct further phishing attacks in order to deliver malware or related viruses, such as ransomware.

The report explains the source of the phishing email was a domain registered by a large Lithuanian telecommunications and ISP provider which is owned by a Swedish telecommunications carrier. The report notes the domain remains active and the NZNO could legitimately report the abuse of this domain to the ISP - although there is no way of retrieving digital information once it has been leaked in this way.

Preventing a future event

While the report sets out a number of observations and recommendations specific to this particular incident, the lessons learned could just about apply to many organisations wanting to avoid or mitigate a data breach caused by phishing.

Prof Lacey notes the NZNO’s overall response was in accordance with the Privacy Act and the Privacy Commissioner’s data breach guidelines. Despite the organisation not having a data breach response plan before the incident - something which it has since rectified - its crisis management was largely effective.

The steps taken by the organisation’s incident response team - the assessment and containment of the incident, and the speed with which impacted individuals were informed - were all deemed to follow best practice.

There are, however, opportunities to enhance the organisation’s management of personal information. These relate to information security, control over information requests, privacy statement enhancements, staff training and a review of what information the organisation collects, how it does so and why.

The report concludes the breach happened because the frontline staff who are likely to have direct contact with cyber criminals via phishing emails had little or no knowledge of the cyber risks. It is critical for organisations to ensure employees in these roles are supported by awareness and familiarisation training.

A critical element in preventing phishing is for individuals to seek support. In other words, it’s okay to ask a colleague, family member or friend about an email, if the recipient is unsure about its legitimacy.

But the report warns the NZNO, like any other organisation, will never be risk-free of cyber incidents. Putting in place the best possible systems to prevent or respond to a breach is a necessary challenge for all organisations that want to avoid a data disaster.

The Independent Review into a Cyber Incident for the NZ Nurses Organisation report is available here.

Image credit: DigitCert blog

Office of the Privacy Commissioner, New Zealand
Source: Blog
9 Feb 2017, 10:45am AEDT

Easy ways to protect your privacy this Safer Internet Day

This Safer Internet Day, take charge of how much personal information you share and make public with these quick privacy tips for using Snapchat, Instagram and Facebook.

Office of the Australian Information Commissioner
Source: News - OAIC
7 Feb 2017, 4:08am AEDT

OAIC launches interactive performance portal

We have released a new interactive performance portal that highlights key results from our 2015–16 Annual Report in a simple and engaging way that, we hope, shows how the OAIC is performing and delivering on key privacy and FOI functions for the Australian community.

Office of the Australian Information Commissioner
Source: News - OAIC
31 Jan 2017, 10:46pm AEDT

Presentation to Destination BC

Presentation to Destination BC at annual meeting.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
26 Jan 2017, 7:00am AEDT

Good Data Protection Policies Enhance Trust in HR Consultancy

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
7 Dec 2016, 1:00pm AEDT

Data Protection by Design Cornerstone of Market Research Firm's PDPA Compliance

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
30 Nov 2016, 12:00pm AEDT

Online Grocer Grows Personal Data Protection Along with Business

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
23 Nov 2016, 1:00pm AEDT

PCPD Joins Hands with Members of the Asia Pacific Privacy Authorities to Promote Privacy Awareness

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
29 Apr 2016, 10:00am AEST

A Community Service Order was imposed on an Insurance Agent for Using Personal Data in Direct Marketing without Consent

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
25 Apr 2016, 10:00am AEST