GRC Viewpoint

Don’t Let Mobile App Compliance Violations Damage Your Business

The California Attorney General recently cited several retail, travel and food service mobile apps for failure to comply with the California Consumer Privacy Act (CCPA). This warning comes amidst an increase in regulatory actions that highlight the growing importance of compliance with mobile app privacy mandates.

Regulatory agencies have increased their efforts to enhance transparency regarding the ways organizations use, collect, share, and safeguard personally identifiable information (PII) across all application types, with mobile app issues on the rise. And with the introduction of Google Play’s Data Safety section and iOS App Nutrition Labels, organizations must now provide greater transparency in their mobile app data management policies within public mobile app stores.

Mobile-enabled organizations can ensure regulatory compliance by adopting a ‘Privacy by Design’ and ‘Trust but Verify’ development approach that aligns with their internal governance, risk and compliance (GRC) program.

Regulatory Actions on Mobile App Privacy and Security Risks

  • In March, the Biden Administration revealed its National Cybersecurity Strategy to increase accountability for software-producing organizations and influence future cybersecurity legislation.
  • In October 2022, the Cybersecurity and Infrastructure Security Agency (CISA) announced BOD 23-01, a directive requiring all federal agencies to perform a number of key actions by April 3 to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.”
  • In September 2021, the Federal Trade Commission (FTC) issued a policy statement that any health apps and connected devices that collect/use consumer data must comply with the Health Breach Notification Rule.
  • In May 2018, the European Union implemented the General Data Protection Regulation (GDPR) to provide European citizens with greater control over their personal data in the digital economy.

The Consequences of Non-Compliant Mobile Apps

A number of organizations have felt the impact of releasing mobile apps that fail to comply with privacy and security regulatory requirements:

  • GoodRx faced enforcement actions from the FTC after the agency concluded that the company violated the Health Breach Notification Rule by sharing sensitive customer data without consent.
  • The Inspector General of the U.S. Department of Defense issued a strongly worded management advisory on failure to properly test, manage and secure mobile apps.
  • Tim Hortons received regulatory penalties after a Canadian government investigation found its mobile app secretly tracked and stored geolocation data without user consent even when the app wasn’t in use.
  • The European Union fined British Airways $230 million for violating GDPR after its mobile app leaked 380,00 credit card payments. This caused the airline’s stock to drop over 30% and severely impacted customer relations.
  • Western Union, Equifax and other financial service companies faced financial and reputational damage after mobile app vulnerabilities allowed a personal data breach. A N.Y. Attorney General’s Office investigation led to a settlement and forced the cited companies to increase mobile security measures.

Adopt ‘Privacy by Design’ and ‘Trust but Verify’ Principles

As users become more aware of how mobile-enabled organizations manage their personal data, governments will increase regulatory efforts to ensure that organizations comply with data privacy rights. Organizations cannot afford to ignore these evolving regulations because non-compliance can damage business and brand reputation while leading to fines and other penalties.

To ensure regulatory compliance, organizations should integrate continuous compliance measures into every stage of mobile app development, rather than developing mobile apps first and then testing for compliance afterward. Organizations should leverage proof of controls in the dev pipeline to demonstrate to auditors, regulatory agencies and users that their mobile apps adhere to regulatory requirements. This approach helps mobile app dev and security teams prevent violations, maintain user trust and address security and privacy issues through the entire development and release process.

Organizations should adopt the following ‘privacy by design’ and ‘trust but verify’ principles to ensure their mobile app(s) continuously comply with regulatory requirements:

‘Privacy By Design’

  • Triage mobile app portfolio to assess any existing risk: Organizations should audit their mobile apps to ensure regulatory compliance and proper handling of user data. All stakeholders should be involved in the audit process and understand applicable rules.
  • Eliminate privacy and compliance issues: After the internal audit, organizations must immediately address any software issues discovered within the mobile app, and should also add the necessary features to comply with regulatory requirements, such as the data deletion option for CCPA and GDPR.
  • Create a ‘privacy by design’ framework: After eliminating existing issues, organizations should establish an industry-specific and regulation-specific privacy by design framework. This framework should include the documentation, training and use of controls to ensure proper requirements, coding practices and testing throughout the entire mobile app development lifecycle to prevent compliance issues.

‘Trust but Verify’

  • Integrate automated security testing: To help dev teams ensure compliance throughout the development process and to avoid release blockers at the end of the pipeline, automate security testing and integrate it with CI/CD and ticketing systems for more efficient workflows.
  • Ensure dev teams continuously test new builds against security standards: Any time devs write new code or introduce third-party code, testing controls should immediately follow to identify and remediate any security and privacy issues as early as possible to ensure continuous compliance.
  • Feed privacy/security issues into ticketing systems: Organizations using automated testing should integrate their solution with ticketing systems for faster remediation. Additionally, each ticket should name the specific compliance issue and include instructions to fix it quickly and prevent it from recurring.
  • Run periodic penetration tests for full coverage: While continuous automated testing covers a significant portion of mobile app testing requirements, organizations should also perform periodic pen tests to uncover potential security, privacy and compliance issues that automation cannot detect.
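The ‘trust but verify’ steps above describe a pipeline gate: scan every build, compare what the scanner observed against what the app declares in its store data-safety listing, block the release on undeclared PII collection or high-severity findings, and hand each finding to the ticketing system with remediation guidance attached. The script below is an added example of such a gate, written for this article and not NowSecure's product or API. The JSON report schema, the regulation mapping, the remediation hints and the ticket payload format are all assumptions made for the example; the sample scanner output is constructed.

```python
"""Added example: a CI/CD compliance gate over mobile app scan results.

Assumed inputs (not any real scanner's format): a JSON report with an
"app", a "build" and a list of "findings", each carrying a severity, a
category ("privacy" or "security") and the PII data types it observed.
"""
import json
import sys
from dataclasses import dataclass, field

# Constructed sample scanner output; the schema is an assumption for this example.
SAMPLE_REPORT = json.dumps({
    "app": "com.example.retail",
    "build": "2024.05.1-rc3",
    "findings": [
        {"id": "F-1", "title": "Precise location collected while app is backgrounded",
         "severity": "high", "category": "privacy", "data_types": ["geolocation"]},
        {"id": "F-2", "title": "Analytics SDK sends device identifier to a third party",
         "severity": "medium", "category": "privacy", "data_types": ["device_id"]},
        {"id": "F-3", "title": "Cleartext HTTP traffic permitted",
         "severity": "medium", "category": "security", "data_types": []},
        {"id": "F-4", "title": "Verbose logging enabled in release build",
         "severity": "low", "category": "security", "data_types": []},
    ],
})

# Assumed mapping from an observed PII type to the regulations named in the article.
OBLIGATIONS = {
    "geolocation": ["CCPA", "GDPR"],
    "device_id": ["CCPA", "GDPR"],
    "health": ["FTC HBNR", "GDPR"],
}

# Remediation guidance copied into each ticket so developers can act without a second lookup.
REMEDIATION = {
    "geolocation": "Stop collection when the app is backgrounded and obtain explicit consent.",
    "device_id": "Declare the third-party sharing in the store data-safety section or remove the SDK call.",
    "security": "Fix per the control the scanner cites and re-run the scan on the next build.",
}


@dataclass
class Finding:
    id: str
    title: str
    severity: str
    category: str
    data_types: list[str] = field(default_factory=list)


@dataclass
class GateResult:
    passed: bool
    blocking: list[Finding]
    tickets: list[dict]


def parse_report(text: str) -> tuple[str, str, list[Finding]]:
    doc = json.loads(text)
    return doc["app"], doc["build"], [Finding(**f) for f in doc["findings"]]


def is_blocking(f: Finding, declared: set[str]) -> bool:
    # High-severity findings always block. A privacy finding blocks when the scanner
    # saw a PII type the store declaration does not list: undisclosed collection is
    # exactly what the CCPA citations and the Tim Hortons case above concern.
    if f.severity == "high":
        return True
    if f.category == "privacy":
        return any(dt not in declared for dt in f.data_types)
    return False


def build_ticket(f: Finding, app: str, build: str) -> dict:
    # Ticket payload format is an assumption; adapt to the tracker's API.
    regs = sorted({r for dt in f.data_types for r in OBLIGATIONS.get(dt, [])})
    hint = next((REMEDIATION[dt] for dt in f.data_types if dt in REMEDIATION),
                REMEDIATION["security"])
    return {
        "summary": f"[{app} {build}] {f.title}",
        "severity": f.severity,
        "labels": ["mobile", f.category] + regs,
        "description": (f"Finding {f.id}. Regulations implicated: {', '.join(regs) or 'none'}. "
                        f"Remediation: {hint}"),
    }


def evaluate_gate(text: str, declared: set[str]) -> GateResult:
    """Gate one build: 'declared' is the set of PII types the store listing discloses."""
    app, build, findings = parse_report(text)
    blocking = [f for f in findings if is_blocking(f, declared)]
    tickets = [build_ticket(f, app, build) for f in findings]
    return GateResult(passed=not blocking, blocking=blocking, tickets=tickets)


if __name__ == "__main__":
    # The app's (constructed) data-safety declaration lists only the device identifier.
    result = evaluate_gate(SAMPLE_REPORT, declared={"device_id"})
    for ticket in result.tickets:
        print(json.dumps(ticket))
    print("GATE:", "PASS" if result.passed else f"FAIL ({len(result.blocking)} blocking)")
    sys.exit(0 if result.passed else 1)
```

Run as a CI step, the non-zero exit code blocks the release while the emitted ticket payloads carry the regulation labels and remediation text into the tracker; the retained JSON output is the ‘proof of controls’ an auditor can be shown for each build. The declared set should come from the same source of truth used to fill in the Google Play Data Safety section or the iOS label, so that the gate and the public disclosure cannot drift apart.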

Don’t let regulatory compliance issues with your mobile app hinder your organization’s success. Embrace ‘privacy by design’ and ‘trust but verify’ principles to ensure that your mobile app adheres to privacy and security regulatory requirements with confidence.

By Brian Reed, Chief Mobility Officer at NowSecure

About the author: As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, dev and operations management, including roles at NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus and INTERSOLV, working with Fortune 2000 global customers, mobile trailblazers and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs and industry ecosystem. With more than 25 years building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. A noted thought leader, Brian is a dynamic speaker and compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.
