New insider threat: Bad business decisions that put IP at risk

The U.S. FTC forced Weight Watchers to destroy algorithms after it violated privacy laws, giving CISOs another worry over protecting intellectual property.


The existence of policies and procedures surrounding the implementation of a business strategy is a hallmark of maturity in a company’s growth. When insiders make business decisions that violate the law, or those policies, the risk to the business increases. We see this most often when individuals in positions of trust violate policy or procedural constraints, whether on purpose (theft) or accidentally (human error), and data goes missing or flies out the door into the public domain.

A recent settlement order, dated March 3, between the Federal Trade Commission (FTC) and Weight Watchers International and its wholly owned subsidiary Kurbo demonstrates what may occur if those insiders evolve a business model that ignores the law. Weight Watchers and Kurbo agreed to pay a fine of $1.5 million, delete information “illegally collected from children under 13,” and “destroy any algorithms derived from the data.”

Self-inflicted wounds, lost intellectual property

In 2017, Volkswagen made a business decision to cheat U.S. emissions tests, was fined $4.3 billion, was forced to buy back millions of vehicles, and saw six of its employees indicted. The business decision of Kurbo/Weight Watchers also has consequences. At this time the consequences affect the business; whether the Department of Justice (DOJ) will pursue criminal charges against personnel has not yet been determined.

DTEX Systems SVP of engineering and cyber intelligence Raj Koo observes that he has never seen an instance where a company agrees to destroy its intellectual property as part of a settlement with the government. “This settlement carries with it a significant audit trail,” he says.

DTEX’s director of security and business intelligence, Armaan Mahbod, says, “The world is shifting; we can expect to see more of this.” Mahbod notes that as EU and U.S. data protection laws continue to evolve in the direction of individual control over personal information, “more transparency in the life of data retention and the right to be forgotten will be the norm.”

Kurbo’s violation of COPPA

According to the FTC, Kurbo focused its marketing efforts on children under the age of 13 in direct violation of the Children’s Online Privacy Protection Act (COPPA). In 2014 Kurbo (then an independent entity) began marketing a “weight management and tracking service designed for use by children ages eight and older, teenagers and families.” In 2018, Weight Watchers acquired Kurbo and rebranded the Kurbo offering targeting children as young as eight. The court documents show that from 2014 through February 2020, over 279,500 people used Kurbo and at least 18,600 were children under the age of 13.

Kurbo’s app solicited personal identifying information (PII) from registered users, such as name, sex, date of birth, weight, height, phone number, food intake, and activity level, on an ongoing basis. Prior to August 2021, data on users, even defunct users, was retained indefinitely. In August 2021, the policy was adjusted so that a child’s data was retained for three years, or until a parent requested its deletion.
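To make the retention rule described above concrete from the defender's side, here is an added example (not Kurbo's or Weight Watchers' code, and not part of the original article) of a retention audit that applies the stated policy to a set of constructed user records: a record for a user who was under 13 at collection is kept only with verifiable parental consent, is deleted on a parent's request, and is deleted once it is older than three years. The record layout, the field names, the three-years-as-1095-days assumption, and the sample records are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption for this example: "three years" is measured as 3 * 365 days.
COPPA_AGE_LIMIT = 13
CHILD_RETENTION = timedelta(days=3 * 365)


@dataclass
class UserRecord:
    """Constructed record shape; the real app's schema is not on the page."""
    user_id: str
    date_of_birth: date
    collected_on: date                      # when the PII was first collected
    parental_consent: bool = False          # verifiable parental consent on file
    parent_deletion_request: Optional[date] = None


def age_on(dob: date, when: date) -> int:
    """Whole years of age on a given date (birthday not yet reached counts down)."""
    years = when.year - dob.year
    if (when.month, when.day) < (dob.month, dob.day):
        years -= 1
    return years


def retention_decision(rec: UserRecord, today: date) -> str:
    """Return 'delete:<reason>' or 'keep:<reason>' for one record.

    COPPA applies based on the user's age when the data was collected, so the
    age check uses collected_on rather than today's date.
    """
    if age_on(rec.date_of_birth, rec.collected_on) < COPPA_AGE_LIMIT:
        if not rec.parental_consent:
            return "delete:no_parental_consent"
        if rec.parent_deletion_request is not None:
            return "delete:parent_request"
        if today - rec.collected_on > CHILD_RETENTION:
            return "delete:retention_expired"
        return "keep:child_within_retention"
    return "keep:not_a_child"


def audit(records: List[UserRecord], today: date) -> Dict[str, List[str]]:
    """Group user ids by the retention decision that applies to them."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        result.setdefault(retention_decision(rec, today), []).append(rec.user_id)
    return result


# Constructed sample data; the audit date matches the settlement order's date.
AUDIT_DATE = date(2022, 3, 3)
SAMPLE_RECORDS = [
    # child, consent on file, but collected more than three years ago
    UserRecord("u1", date(2012, 6, 1), date(2019, 1, 15), parental_consent=True),
    # child, consent on file, collected six months ago
    UserRecord("u2", date(2012, 6, 1), date(2021, 9, 1), parental_consent=True),
    # child, no parental consent at all
    UserRecord("u3", date(2013, 3, 10), date(2020, 5, 5)),
    # child, consent on file, parent has since asked for deletion
    UserRecord("u4", date(2012, 6, 1), date(2021, 9, 1), parental_consent=True,
               parent_deletion_request=date(2022, 2, 1)),
    # adult at collection; the child retention rule does not apply
    UserRecord("u5", date(2000, 1, 1), date(2019, 1, 15)),
]

if __name__ == "__main__":
    for decision, ids in sorted(audit(SAMPLE_RECORDS, AUDIT_DATE).items()):
        print(f"{decision}: {', '.join(ids)}")
```

The ordering of the checks matters: a record with no parental consent is flagged before retention is even considered, and a parent's deletion request overrides the three-year window rather than waiting for it to expire.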

The DOJ complaint of February 16, 2022, requested that Kurbo/Weight Watchers be permanently enjoined and given a monetary civil penalty. FTC Chair Lina M. Khan commented on the settlement, “Weight Watchers and Kurbo marketed weight management services for use by children as young as eight, and then illegally harvested their personal and sensitive health information. Our order against these companies requires them to delete their ill-gotten data, destroy any algorithms derived from it, and pay a penalty for their lawbreaking.”

Destruction of algorithms part of Kurbo’s settlement

Kurbo, it would appear, opted early on to ignore COPPA, then strategized how to circumvent the law created to protect minors. The fact that the entity agreed to destroy its own intellectual property speaks volumes and may, in fact, turn out to be more damaging than the monetary fine the company agreed to pay. Since the company built those algorithms, one would presume they were market-differentiating and were also used to engage users over the age of 13.

Kurbo and Weight Watchers are required to submit a compliance report to the FTC after one year. Additionally, the company has agreed to significant administrative oversight. For a period of ten years, they must create certain records as directed by the FTC and retain those records for a period of five years. These records include personnel records of each person providing services (employee or otherwise), records necessary to demonstrate full compliance, all consumer complaints, and copies of all marketing material, including screenshots.

Koo’s advice to all companies: “How well a company communicates their policies and ensuring review of the code development lifecycle is key” to minimizing their risk of running afoul of data protection laws.

Copyright © 2022 IDG Communications, Inc.
