Amazon Fined $30.8 Million Over Alexa and Ring Data Privacy Issues
The US Federal Trade Commission (FTC) has fined Amazon a total of $30.8 million to settle charges that inadequate security practices compromised Ring and Alexa user privacy. The FTC has charged “Ring with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.” The FTC also charged Amazon with “violat[ing] the Children’s Online Privacy Protection Act Rule (COPPA Rule) and deceiv[ing] parents and users of the Alexa voice assistant service about its data deletion practices.”
This is a small fine when you look at Amazon’s overall revenue, but the Ring product line is about a $200M business – hopefully a Ring line of business manager is now a convert to why building security in is good for profitability.
Back when Ring was new (pre-Amazon), it was a little distressing the level of access their support staff had to my device. Now that they are part of a larger entity, there is no excuse to not limit access and restrict information sharing. Amazon claims to have addressed this years ago. With today's privacy rules, running fast and loose isn't going to fly; you need to make sure you're using separation of duties and implementing data protection and deletion practices in accordance with all applicable regulations such as COPPA, GDPR, HIPAA, CCPA, etc.
While Amazon may dispute the charges, this settlement indicates that Amazon believed their data privacy policies were loose enough to have violated privacy protection rules. The settlement should become a case study for every organization that maintains user data. The study should focus on data collection; data use by company employees; reporting of data misuse; and data retention. The $30.8 million settlement seems a small price to pay for such an egregious violation of data privacy protection rules.
It will be interesting to see if the Irish Data Protection Commission (Amazon’s EU Headquarters is based in Dublin, Ireland) will investigate if the same issues impact the data of any EU residents. If so, this could be a costly lesson on respecting the human rights of their customers for Amazon.
Three possibilities here: oversight or poor management, where $30.8 million might focus management's attention, or it is part of the business plan and $30.8 million is merely a cost of doing business?
William Hugh Murray
Read more in
Gov Infosecurity: Ring Settles FTC Allegations of Poor Cybersecurity, Privacy