Last month, bankrupt company RadioShack settled with a coalition of seventeen attorneys general to destroy most of the company’s customer data in its files. The agreement was part of a Bankruptcy Court-approved $26.2 million sale of RadioShack’s assets.
The Federal Trade Commission has published new guidance that “summarizes lessons learned” from the FTC’s 50-plus data security settlements while also announcing a series of data security conferences. In the new guidance titled “Start With Security: A Guide for Business,” the FTC acknowledges that the data security requirements contained in the settlements apply only to the affected companies. However, the settlements—and the FTC’s distillation of them—reveal regulatory expectations and identify risks that can affect companies of all types and sizes. In this post, we summarize the FTC’s new guidance and provide details on the FTC’s data security conferences happening this fall.
Last week, U.S. District Court Judge Edward M. Chen denied AT&T Mobility’s motion to dismiss the Federal Trade Commission’s (FTC’s) October 2014 complaint alleging that AT&T engaged in unfair and deceptive practices in connection with its retail mobile broadband data services. AT&T argued that its status as a common carrier makes it exempt from enforcement of the FTC Act. The court disagreed. At issue is the scope of the common carrier exemption.
On March 4, the U.S. Commerce Department’s National Telecommunications and Information Administration announced it is seeking comments on how to structure a new multistakeholder process to develop best practices for commercial and private unmanned aircraft systems use. NTIA also announced that it will likely hold its first multistakeholder meeting within 90 days.
Two weeks ago, the FTC filed a district court complaint in Arizona against an operation that included three corporations and one individual. While touted as a case against data brokers (“FTC Charges Data Broker with Facilitating the Theft of Millions of Dollars from Consumers’ Accounts”), the single count unfair trade practices action really involves fraudulent and egregious conduct that took advantage of a particularly vulnerable population, but it nevertheless provides a few lessons for the data broker industry generally.
On December 3, 2014, the Federal Trade Commission announced two administrative settlements with a medical Billing Provider, PaymentsMD, LLC, and its former CEO, Michael Hughes, for allegedly misleading thousands of consumers who signed up for an online billing portal by failing to adequately disclose that the company would seek detailed medical information from pharmacies, medical labs, and insurance companies. The FTC’s enforcement of Section 5 does not extend to businesses or organizations covered by the Health Insurance Portability and Accountability Act.
As the keynote speaker for the Winnik Forum, U.S. Federal Trade Commission (FTC) Commissioner Maureen Ohlhausen sat down with Christopher Wolf, Director of Hogan Lovells’ Privacy and Information Management Practice to discuss the evolving role of the FTC as we enter an era of “Big Data” and the “Internet of Things.” Commissioner Ohlhausen offered her views on a flexible approach to protecting consumer data privacy as connected devices continue to evolve. As opportunities arise for additional potential uses of collected data, Commissioner Ohlhausen said organizations and policymakers should consider a “harms-based approach” in which new uses of data would be allowed as long as they do not cause consumer harm and as long as they remain consistent with earlier promises that organizations have made to consumers. The key for Commissioner Ohlhausen is that companies should disclose what data is being collected and keep the promises that they make to consumers about the collection and uses of that data.
It should be standard practice for companies to review the transparency of material disclaimers and disclosures in their advertising before every ad campaign. However, some companies tend to pack material disclosures into fine print or otherwise minimize their significance. The Federal Trade Commission recently signaled to companies that it is paying attention to print and television ad disclosures. This follows the FTC’s renewed attention to online advertising as addressed last year in its updated .com Disclosures guidance for digital advertising
The Federal Communications Commission recently issued a Notice of Apparent Liability for Forfeiture proposing a $10 million penalty against TerraCom, Inc. and YourTel America, Inc. (collectively, the “companies”) for allegedly violating laws protecting consumers’ personal information. Specifically, the FCC alleged that the companies placed the personal data of up to 300,000 consumers at risk by storing Social Security numbers, names, addresses, driver’s licenses, and other proprietary information on unprotected Internet servers that “anyone in the world could access.” The decision is the FCC’s first case involving data security. It is also informative as to the FCC’s current and evolving expectations with regard to carriers’ duties to protect sensitive consumer information, and it underscores the need for organizations in the communications sector to keep a close eye on both FCC and Federal Trade Commission data privacy and security enforcement activity.
The Federal Trade Commission recently submitted comments to the Federal Communications Commission in which it reminded broadband Internet service providers that they are subject to several data privacy and security laws enforced by the FTC. The FTC’s comments underscore why broadband providers – as well as their vendors and business partners – must keep a close watch on both FCC and FTC developments in the privacy and security space.
Writing for Expert Guide: Competition and Antitrust Law, Hogan Lovells attorneys Dean Hansell and Charles Dickinson discuss the FTC’s current consumer protection initiatives and identify emerging areas of focus of the agency’s regulatory initiatives. Hansell and Dickinson also expect that the FTC may be “more willing to push enforcement initiatives” with its current roster of Commissioners and offer that “companies of all sizes would be well-served to understand how their businesses might fall under the FTC’s radar.”
Three weeks after the FTC’s seminar on Consumer Generated and Controlled Health Data, the French data protection authority, the CNIL, held its own workshop on connected health and wellness devices. This blog post summarizes the results of the CNIL workshop.
On May 7, 2014, the Federal Trade Commission (FTC) held a seminar on Consumer Generated and Controlled Health Data (CGHD) that included participants from government, industry, and advocacy organizations. The seminar—which consisted of opening remarks by FTC Commissioner Julie Brill, brief presentations by FTC representatives on health information data flows and sharing of CGHD with third parties, and a panel discussion moderated by FTC attorneys Kristen Anderson and Cora Han—examined the potential benefits and risks of CGHD.
Last week, the Administrative Law Judge handling the Federal Trade Commission’s complaint against LabMD issued a pair of rulings that will require the Bureau of Consumer Protection to testify about the information security standards on which the FTC intends to rely at trial in order to prove that LabMD’s data security practices were inadequate. The ALJ’s rulings open up inquiry into issues at the center of the debate surrounding the FTC’s authority under Section 5 of the Federal Trade Commission Act: what are the data security standards that the FTC expects companies to meet, and has the FTC given the private sector adequate advance notice of these standards?
As part of its 2014 Spring Privacy Series, the Federal Trade Commission in March held a seminar to examine alternative scoring products and the possible benefits and risks of their growing use. During the seminar, FTC attorneys Katherine Armstrong and Andrea Arias of the Division of Privacy and Identity Protection moderated a panel discussion between various stakeholders that included public interest groups, the data industry, and academics.
On April 10, 2014, the Department of Justice and Federal Trade Commission issued a joint policy statement on the antitrust implications of sharing cybersecurity information to help facilitate the flow of cyberintelligence throughout the private sector. The statement addresses the long-standing concern that sharing cyberintelligence may violate antitrust law under certain circumstances and explains the analytical framework for such arrangements to make it clear that legitimate cyberintelligence exchanges will not raise antitrust issues.
A New Jersey federal judge yesterday issued the much-anticipated opinion in Federal Trade Commission v. Wyndham Worldwide Corp., denying Wyndham’s challenge to the FTC’s authority to regulate data security under Section 5 of the FTC Act. Although it only represents one district court’s findings on the issue, and was not a complete surprise given some of the judge’s statements during oral argument, the Commission for now has dodged a major bullet that threatened to derail its status as the lead commercial data security regulator in the United States.
The Federal Trade Commission (“FTC”) has settled with two mobile application developers, Fandango and Credit Karma, over charges that they misrepresented the security of their mobile applications. According to the FTC, the developers failed to provide reasonable and appropriate security when their mobile applications transmitted consumers’ sensitive information. The particular issues noted by the FTC in its complaints against the developers differ to some degree, but the complaints share a common thread: the developers disabled the Secure Sockets Layer (SSL) protocol, which authenticates and encrypts communications across networks. In our post, we provide a high-level description of how SSL works, summarize the FTC’s complaints against Fandango and Credit Karma, and identify some important takeaways from these settlements.
The Hogan Lovells Privacy Team looks forward to seeing many of you this week at the International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington, D.C. We are delighted to once again participate in the Summit as a gold level sponsor and hope you will visit us at Booth 7 in the Exhibition Hall to learn more about our Global Privacy and Information Management Practice. Hogan Lovells attorneys will also be featured at a number of breakout sessions.
On January 31, the Federal Trade Commission announced a settlement with GMR Transcription Services following the public exposure of thousands of medical transcript files containing personal medical information. According to the FTC complaint, GMR failed to adequately verify that its overseas service provider implemented reasonable and appropriate security measures to protect personal information being transmitted and processed. This settlement, the FTC’s 50th with respect to data security, highlights the need for companies to engage in thorough vendor management and oversight with respect to data security practices.
LabMD recently announced its plans to wind down operations, citing its ongoing legal battle with the Federal Trade Commission over the company’s data security practices as a major cause. In a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. Daugherty’s letter blamed the FTC’s “debilitating investigation and litigation” as a major source of the company’s decision to wind down operations.
Less than two months after the European Commission issued a report urging the Federal Trade Commission to step up enforcement of the EU-U.S. Safe Harbor framework, the FTC announced a settlement with twelve companies — including an Internet service provider, makers of consumer goods, three National Football League teams, and a developer of mobile applications — over allegations that they deceptively claimed to be certified under Safe Harbor. According to the FTC, each of these companies represented that they maintained a active Safe Harbor certification with the U.S. Department of Commerce when in fact they did not.
The Federal Trade Commission (FTC) recently approved appropriately implemented “knowledge-based authentication” as a method for obtaining verifiable parental consent (VPC) under the Children’s Online Protection Act (COPPA). To be “appropriately implemented,” operators should assess whether any knowledge-based authentication technology:
•Generates “dynamic, multiple choice questions”;
•Asks “a reasonable number of questions with an adequate number of possible answers” to ensure that “the probability of correctly guessing the answer is low”; and
•Uses “questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”
The FTC’s action provides online operators some welcome flexibility in implementing COPPA-compliant VPC strategies and demonstrates that the FTC will give serious consideration to VPC proposals.