On October 24, 2022, the Federal Trade Commission (“FTC”) issued an order (the “Order”) against the online alcohol marketplace, Drizly, and its CEO, James Cory Rellas, alleging security failures that resulted in a data breach exposing the personal information of approximately 2.5 million consumers. In reaching this conclusion, the FTC alleges that Drizly failed to implement reasonable safeguards to protect the personal information it collected and stored, such as, two-factor authentication for GitHub, access controls for personal data, sufficient written security policies, and appropriate employee training regarding security.
Pursuant to legislation passed in 2021, covered entities and business associates subject to HIPAA and facing potential regulatory enforcement may receive some credit lessening to reduce enforcement penalties if they had implemented Recognized Security Practices (RSPs) within the prior 12 months. However, what may constitute RSPs and how a covered entity or business associate can demonstrate implementation of RSPs to receive such credit had not been clear. Now, the Department of Health and Human Services is seeking to provide clarity. (more…)
*This article first appeared on Law360 on October 14, 2022
A series of coordinated announcements on Oct. 7 lifted the veil on a new trans-Atlantic data transfer mechanism.
This announcement has been hotly anticipated since a joint declaration from the U.S. and European Union governments on March 25, that there was an agreement in principle for a new EU-U.S. Data Privacy Framework.
The key document in the framework process is Executive Order No. 14086 on enhancing safeguards for U.S. signals intelligence activities, accompanied by a detailed fact sheet on the executive order.
On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.
This article was originally published by the ABA’s ANTITRUST magazine in its Summer 2022 issue.
The Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission’s COPPA-enforcing rule have increasing relevance for all businesses that interact directly with consumers online—including companies that do not regard themselves as marketing directly to children. Both the FTC and state Attorneys General are active in enforcing COPPA, and companies can often be caught off guard by government inquiries scrutinizing their compliance. (more…)
Sidley associate Lauren Kitces was featured on Simplify For Success, a podcast series presented by Meru Data and hosted by Priya Keshav. Lauren discussed FTC’s proposed rulemaking regarding data privacy and data security, and shared her thoughts on how to prepare for the FTC enforcement.
The FTC continues its defense of the wide-reaching Advance Notice of Proposed Rulemaking (ANPR) on “Commercial Surveillance and Data Security” that the Commission, by a 3-2 vote, issued in August. (See the supporting statements of Chair Lina Khan and Commissioners Rebecca Slaughter, and Alvaro Bedoya, and the dissenting statements of Commissioners Christine Wilson and Noah Phillips.)
On Thursday, September 8, the FTC hosted a public forum on the notice, featuring remarks by Chair Khan, Commissioner Bedoya, and panels featuring guests representing industry and consumer interests. (more…)
On Thursday, August 11, the Federal Trade Commission (“FTC”) announced that it is exploring rules to crack down on harmful commercial surveillance and lax data security practices. The FTC’s Advance Notice of Proposed Rulemaking (“ANPR”) solicits public comment on whether it should put into effect new rules and restrictions concerning standards and requirements for information security, the ways in which companies collect and process data in commercial contexts, and whether any practices related to the transfer, sharing, selling, or other monetization of personal information should be categorized as unfair or deceptive. The FTC voted 3-2 to publish the notice, with Chair Khan and Commissioners Slaughter and Bedoya voting in favor and issuing separate statements. Commissioners Phillips and Wilson voted against publication and also issued separate dissenting statements. The following Monday, Commissioner Phillips announced he would be leaving the FTC this fall.
*This article first appeared on Law360 on June 16, 2022
Pending lawsuits against Google LLC illustrate how regulators and plaintiffs lawyers are increasingly wielding a dark patterns theory in challenging companies’ practices involving consumers.
The attorneys general of Washington, D.C., Washington state, Texas and Indiana all filed complaints against Google, alleging that the company tricks consumers into providing their location data, on Jan. 24. (more…)
Algorithms touch upon multiple aspects of digital life, and their use potentially falls within several separate – though converging – regulatory systems. More than ever, a ‘joined up’ approach is required to assess them, and the UK’s main regulators are working together to try to formulate a coherent policy, setting an interesting example that could be a template for global approaches to digital regulation. (more…)