The Federal Trade Commission sued a Nevada data storage services company over allegations that it misled consumers about its participation in the EU-U.S. Privacy Shield framework and failed to adhere to the program’s requirements before allowing its certification to lapse.

The EU-U.S. Privacy Shield framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the program.

In a complaint, the FTC alleges that between January 2017 and October 2018, RagingWire Data Centers, Inc. claimed in its online privacy policy that the company participated in the Privacy Shield framework and complied with the program’s requirements, even though it had allowed its certification to lapse in January 2018. The Department of Commerce warned RagingWire twice to either remove the claims or take steps to recertify its participation in the Privacy Shield program. The company, however, failed to recertify until it was contacted by the FTC in October 2018.

The FTC also alleges that while RagingWire was a participant in the Privacy Shield program, the company failed to comply with the following three Privacy Shield requirements:

  • to verify annually that it had made accurate statements about its Privacy Shield privacy practices;
  • to maintain a dispute resolution process for consumers who had privacy-related complaints about the company; and
  • to abide by the Privacy Shield requirement that companies that stop participation in the framework affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

The complaint includes a proposed order that would prohibit RagingWire from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization, and would require the company to comply with FTC reporting requirements. If its certification of participation in the Privacy Shield framework lapses in the future, RagingWire also would be required to continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information, according to the proposed order.

The Commission voted 5-0 to issue the administrative complaint.

Experian’s five data breach predictions for 2020 include:

  1. Cybercriminals will leverage text-based “smishing” identity theft techniques to target consumers participating in online communities. As more Americans continue to join like-minded groups on social media to provide financial support to social causes or political candidates, cybercriminals can solicit unsuspecting consumers with fraudulent messages via SMS text to seek bank account details or other sensitive information.
  2. Hackers will take to the skies to steal consumer data from devices connected to unsecure networks. As cities install more free public Wi-Fi systems, the more than one million drone devices operating in the U.S. today may be armed with affordable mobile hacking devices to steal sensitive data from consumers and businesses on the streets below.
  3. Cybercriminals will use deepfake technology to disrupt the operations of large commercial enterprises and create geo-political confusion. Artificial intelligence technology can manipulate C-suite executives and government leaders’ appearance and voice to blur the lines of what is real and what isn’t.
  4. Burgeoning industries, such as cannabis retailers and cryptocurrency entities, will be targeted for cyberattacks as a result of online activism or “hacktivism.” As a form of protest, hackers may seek to gain access to controversial companies’ sensitive data due to their prevalence in society and increased cash flow.
  5. Cybercriminals will execute a major hack of the mobile point-of-sale platforms used to process transactions. The proliferation of mobile payment options would allow cybercriminals to access payment data over unsecured networks and target large venues such as concerts or major sporting events.