NJ Releases Annual Statistics on Cyber Breaches

the staff of the Ridgewood

Trenton NJ, In an effort to educate the public about online privacy risks, Attorney General Gurbir S. Grewal and the New Jersey State Police today announced 2017 statistics regarding data breaches affecting New Jersey residents. The statistics showed that 958 data breaches were reported to State Police in 2017, a 41 percent increase from the 676 breaches reported to State Police in 2016. During 2017, the Attorney General’s Office also oversaw a number of significant data privacy investigations, which resulted in $4.8 million in civil settlements with the State.

The single largest data breach reported in 2017 involved Equifax, which affected more than 4 million New Jersey residents. In total, the 958 breaches reported in 2017 affected more than 4.38 million accounts belonging to New Jersey residents (the vast majority of which resulted from the Equifax breach). In 2016, the first year that the Attorney General’s Office collected such data, approximately 116,000 New Jersey account holders were affected by data breaches.

As part of today’s announcement, and in conjunction with National Cybersecurity Month, the Division of Consumer Affairs (DCA) is also releasing tips for New Jersey residents about how they can better protect their sensitive personal information. The effort is part of a broader effort by Attorney General Grewal to strengthen the state’s cybersecurity protections, and follows an announcement earlier this year of the creation of a Data Privacy & Cybersecurity Section within the Division of Law (DOL) to investigate data privacy cases and advise state agencies on related matters.

Teen Fashion Website, “i-Dressup” Shut Down for Violating the Children’s Online Privacy Protection Act

August 4, 2018

the staff of the Ridgewood blog

Newark NJ, Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs today announced that a California company agreed to shut down its fashion-themed social website for teens and reform its business practices to resolve allegations that the company violated state and federal laws by improperly collecting personal information from more than 2,500 New Jersey children and by failing to appropriately safeguard its users’ account information, which was compromised in a 2016 data breach.

The Division alleged that Unixiz, Inc., the company that owned and operated the online social website “i-Dressup”, violated the federal Children’s Online Privacy Protection Act (COPPA) and the New Jersey Consumer Fraud Act, by, among other things, failing to adequately safeguard user information and failing to obtain verifiable parental consent prior to collecting and processing children’s personal information.

“Children are extremely vulnerable on the internet and we must do all we can to protect them from being exploited by advertisers or tracked by internet predators,” said Attorney General Grewal. “We are committed to vigorously enforcing state and federal privacy protections and we will do everything we can to ensure that website operators comply with their duty to provide an extra layer of security on sites catering to young children.”

The allegations against Unixiz stem from an investigation initiated by the Division after media outlets began reporting that the i-Dressup website had been breached by an unknown hacker and that user accounts were vulnerable.

The Division learned through its investigation that more than 24,000 of the compromised i-Dressup accounts belonged to New Jersey residents, 10,101 of whom were under the age of 18. The Division confirmed that 2,519 accounts belonged to children under the age of 13.

The Division also alleged that Unixiz had improperly collected personal information from the 2,519 children – including first and last names, email addresses, birthdates, and gender – without prior verifiable consent from their parents, as required by law.

“As a result of our investigation, Unixiz agreed to shut down the i-Dressup website and to reform its practices to comply with all laws protecting the privacy of children and others online,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “Our cyber fraud unit will continue to monitor the internet for reports of data breaches that affect New Jersey residents and take swift action to hold companies accountable.”

In a Consent Order entered with the Division, Unixiz agreed to put in place measures to obtain verifiable parental consent on all company-operated websites that collect children’s information, as well as measures to provide parents with the ability to review the information that the company is collecting from their child, and to revoke the right of that company to collect or maintain their child’s information. Unixiz also agreed to implement policies and procedures to safeguard users’ account information.

The company also agreed to civil penalties in the amount of $98,618, $34,000 of which has been paid and $64,618 of which will be suspended and automatically vacated after two years, provided that the company complies with the terms of the Consent Order.

The i-Dressup website, which billed itself as a “social hangout website” for teens, offered its users access to fashion and fantasy-based games, and a feature which allowed certain approved users to exchange messages.

The Division, through its investigation, confirmed that the website had actual knowledge that many of its members were under the age of 13, which triggered obligations to comply with COPPA.

COPPA and its regulations apply to operators of commercial websites and online services, including mobile apps, directed to children under 13, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

The primary goal of COPPA is to provide parents with control over what information is collected from their young children online, including first and last names, home addresses, screen names and other online contact information, telephone numbers, social security numbers, photographs, and IP addresses and other persistent identifiers that can be used to recognize a user over time and across different web sites or online services.