Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: Section 5

Posted in Health Privacy/HIPAA

ONC Report Identifies Gaps in Data Protection for Health, Wellness, and Fitness Data

A new report from the Department of Health and Human Services Office of the National Coordinator for Health Information Technology highlights data protection gaps in the U.S. for health data from wearable devices, social media, and emerging technologies. The report, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” identifies several areas in which privacy and security protections for health data have lagged behind technological developments that are expanding the collection of health data outside the traditional venues for health care.

Posted in Consumer Privacy

Five Lessons from the FTC’s Latest Native Advertising Action

On March 15, 2016, the Federal Trade Commission reached an agreement with Lord & Taylor to settle charges that the luxury department store brand engaged in allegedly deceptive native advertising practices by failing to disclose and accurately represent its relationship to online magazines and fashion “influencers” who promoted the brand. This latest enforcement action follows the FTC’s release of a policy statement on native advertising practices and a companion set of guidelines for businesses. The action provides a cautionary tale with practical lessons about the importance of transparency in marketing strategies that mimic the look and feel of surrounding content.

Posted in Consumer Privacy

FTC ALJ: Embarrassment/Emotional Harm and Risk of Harm Does Not Satisfy “Substantial Consumer Injury” Prong of Unfairness

On November 13, 2015, the Federal Trade Commission’s Chief Administrative Law Judge dismissed an FTC administrative complaint based on LabMD’s alleged failure to provide “reasonable and appropriate” security for personal information maintained on its computers. The ALJ concluded that the complaint counsel failed to prove that LabMD’s alleged practices constituted an unfair trade practice. Specifically, according to the ALJ’s initial decision, complaint counsel failed to prove by a preponderance of the evidence the first prong of the three-part unfairness test – that the alleged unreasonable conduct caused or is likely to cause substantial injury to consumers as required by Section 5(n) of the FTC Act. The case is notable for being the first data security case tried before an ALJ and only one of two instances where a company has fought the FTC’s decision to move forward with an enforcement action based on allegations that a company has engaged in unfair practices because of inadequate data security practices. Companies have otherwise voluntarily entered into consent decrees without admitting liability. In the other instance where a company did not capitulate to an FTC enforcement action, Wyndham moved to dismiss the FTC’s lawsuit against it in federal district court based on lack of jurisdiction. Wyndham lost in the district court and on an interlocutory appeal the federal court of appeals upheld that ruling, but remanded the case to district court for a trial on the merits which will assess whether Wyndham’s alleged unreasonable data security practices meet the unfairness factors in section 5(n) of the FTC Act. Accordingly, as the ALJ did here, the court in Wyndham will consider whether the practices and the data breaches there caused or were likely to cause substantial consumer injury under the first prong of an unfairness inquiry

Posted in Consumer Privacy, News & Events

Upcoming DC Program Explores Where We Are Headed with Section 5 of the FTC Act

Data privacy and security regulators don’t always agree. Take a look at the Federal Trade Commission for example. In recent years, FTC commissioners have disagreed about the role that cost-benefit analyses should play and the types of consumer harms that should be considered in the FTC’s data privacy and security enforcement actions. For organizations that rely on the collection and use of consumer information, understanding the different viewpoints at the FTC and how those viewpoints may influence future enforcement is vital to evaluating risk. On Thursday, November 5, 2015, the Future of Privacy Forum will look at those issues as it celebrates its new home and its new partnership with Washington & Lee University School Law by hosting a panel discussion addressing the Future of Section 5 of the FTC Act. Panelists David Vladeck (former FTC Consumer Bureau Director David Vladeck) and James Cooper (former Acting Director of the Office of Policy Planning) will look at key Section 5 issues.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

Analysis of FTC v. Wyndham: Third Circuit Affirms FTC Authority to Regulate Data Security

On Monday, August 24, 2015, the U.S. Court of Appeals for the Third Circuit issued its opinion in FTC v. Wyndham Worldwide Corp upholding the authority of the Federal Trade Commissionto oversee cybersecurity practices. The Wyndham case first made headlines in June 2012, when it became the first cybersecurity enforcement action to be litigated instead of being resolved by settlement. Wyndham Worldwide Corp. moved to dismiss the FTC’s claims that allegedly insufficient cybersecurity practices constituted unlawful “unfair” and “deceptive” business practices, arguing that the FTC’s unfairness authority did not extend to cybersecurity, and that the statements in its online privacy policy were not deceptive. Since that time, the case has been closely watched as the District Court for the District of New Jersey and the Third Circuit Court of Appeals considered the issue of whether the FTC had authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.

Posted in Cybersecurity & Data Breaches

FTC v. Wyndham: Third Circuit Affirms FTC Authority to Regulate Data Security

The United States Court of Appeals for the Third Circuit’s much anticipated ruling in FTC v. Wyndham has now been released. The court affirmed the FTC’s authority under section 5 of the FTC Act to seek consent decrees or bring enforcement actions against companies that allegedly failed to put in place reasonable cybersecurity practices to protect consumer data. The court also affirmed the district court’s finding that the Federal Trade Commission provided sufficient “fair notice” to Wyndham regarding the cybersecurity practices the agency deems reasonable to avoid liability under the FTC Act. With this decision, the case will now move forward to the merits phase at the district court.

Posted in Consumer Privacy

The Auto Industry Is Serious About Connected Car Privacy

An issue that has started to appear on the privacy agenda is privacy and the “connected car.” Automakers here in the United States have taken the lead on privacy, and have answers to many of the inevitable privacy questions. Late last year the major automakers voluntarily agreed to a set of privacy and data security principles that will regulate how automakers collect, use, and share information. No other industry in the “Internet of Things” ecosystem of which connected cars are a part has done as much or has gone as far as automakers. The automakers understand that without the trust of consumers, new technologies will not be as readily embraced. The Privacy Principles provide a strong basis for such trust.

Posted in Consumer Privacy

The Law of Securing Consumer Data on Networked Computers

The status of consumer data security law in the United States is at a crossroads. Last week, the White House released a discussion draft of its Consumer Privacy Bill of Rights Act of 2015, which would require businesses collecting personal information to maintain safeguards reasonably designed to ensure the security of that information. And yesterday, the Third Circuit held oral argument in FTC v. Wyndham Worldwide Corp., in which the district court last April denied Wyndham’s challenge to the Federal Trade Commission’s data security enforcement efforts.

Posted in Consumer Privacy

FTC Settles Claims Against Medical Billing Provider for Inadequate Data Collection Disclosures

On December 3, 2014, the Federal Trade Commission announced two administrative settlements with a medical Billing Provider, PaymentsMD, LLC, and its former CEO, Michael Hughes, for allegedly misleading thousands of consumers who signed up for an online billing portal by failing to adequately disclose that the company would seek detailed medical information from pharmacies, medical labs, and insurance companies. The FTC’s enforcement of Section 5 does not extend to businesses or organizations covered by the Health Insurance Portability and Accountability Act.

Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

Federal Judge Upholds FTC’s Authority to Regulate Commercial Data Security Practices

A New Jersey federal judge yesterday issued the much-anticipated opinion in Federal Trade Commission v. Wyndham Worldwide Corp., denying Wyndham’s challenge to the FTC’s authority to regulate data security under Section 5 of the FTC Act. Although it only represents one district court’s findings on the issue, and was not a complete surprise given some of the judge’s statements during oral argument, the Commission for now has dodged a major bullet that threatened to derail its status as the lead commercial data security regulator in the United States.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

FTC Data Security Settlement Highlights Need for Third-Party Vendor Management and Oversight

On January 31, the Federal Trade Commission announced a settlement with GMR Transcription Services following the public exposure of thousands of medical transcript files containing personal medical information. According to the FTC complaint, GMR failed to adequately verify that its overseas service provider implemented reasonable and appropriate security measures to protect personal information being transmitted and processed. This settlement, the FTC’s 50th with respect to data security, highlights the need for companies to engage in thorough vendor management and oversight with respect to data security practices.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA, Privacy & Security Litigation

LabMD Blames its Shutdown on FTC Legal Battle over Security Protections

LabMD recently announced its plans to wind down operations, citing its ongoing legal battle with the Federal Trade Commission over the company’s data security practices as a major cause. In a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. Daugherty’s letter blamed the FTC’s “debilitating investigation and litigation” as a major source of the company’s decision to wind down operations.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA, Privacy & Security Litigation

FTC Files Complaint Against Healthcare Company LabMD, Alleging Inadequate Security Controls

On August 28, the Federal Trade Commission (FTC) filed an administrative complaint against medical testing laboratory LabMD based on allegations that the company engaged in “unfair acts or practices” by failing to employ “reasonable and appropriate measures to prevent unauthorized access to personal information.” The FTC’s action in this case stems from an incident in which a file containing personal information on approximately 9,300 individuals allegedly was shared on a peer-to-peer (P2P) network from a company computer with P2P file-sharing software installed. The complaint follows other recent FTC actions in which the agency has relied on its Section 5 authority under the FTC Act to claim that companies’ exposure of data to P2P networks constituted an unlawful, unfair data security practice. The FTC’s action against LabMD makes clear that institutions governed by the Health Insurance Portability and Accountability Act (HIPAA) must also be mindful of the FTC’s increasing enforcement activity related to security controls, including actions against healthcare providers.

Posted in Consumer Privacy

FTC Text Spam Enforcement on the Rise

On March 7, the FTC announced a major new initiative cracking down on text message spammers and drove home the point by commencing eight new lawsuits against alleged spammers. In eight complaints filed in four different federal courts across the country, the FTC has charged a total of twenty-nine defendants, alleging that they collectively sent […]

Posted in Consumer Privacy

Myspace Settles with FTC Regarding “Constructive Sharing” of PII with Third-Party Advertisers

this blog entry details the FTC’s settlement and consent decree with Myspace, and enforcement action that focused on the fact that a “Friend ID”, despite being non-PII, was linked to a user’s Myspace profile so that third-party advertisers could use the Friend ID to easily obtain the PII resident on a user’s profile. In effect, the FTC took the position that by sharing the Friend IDs with third parties, Myspace also constructively shared all of the PII accessible from a user’s Myspace profile with those third parties, in violation of privacy policy promises not to share. As such, this enforcement action may signal that a business canntt get around promises not to share PII with third parties simply by sharing a piece of non-PII that enables a third party subsequently to obtain access to PII maintained by that business.

Posted in Consumer Privacy

FTC Announces Settlement with Facebook

The Federal Trade Commission this afternoon announced a proposed consent decree with the prominent social network Facebook, settling allegations that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices. Among other remedial measures, the FTC required Facebook to obtain independent privacy compliance audits for the next 20 years. Along with the FTC’s recent consent decrees with Google and Twitter, the FTC now effectively has regulatory oversight over the privacy and data security practices of the three most prominent social networking companies in the United States.

Posted in Consumer Privacy

FTC Announces Proposed Google Buzz Settlement: First Time FTC Requires Comprehensive Privacy Program

The FTC today announced a proposed settlement with Google relating to charges that Google used deceptive practices and violated its own privacy policies when Google launched its social network “Google Buzz”. For the first time ever, the FTC is requiring a “Comprehensive Privacy Program” and affirmative consent to any new or additional uses of previously collected data.

Posted in Consumer Privacy

FTC: Opt-Out Should Mean Opt-Out

The Federal Trade Commission (FTC) yesterday announced a settlement with Chitika, Inc. over its failure to honor consumers’ choice in contravention of representations made in its online privacy policy. The announcement is notable in that it comes in the wake of the FTC’s December 2010 Preliminary Staff Report and is the FTC’s first consent settlement relating to […]