The U.S. Court of Appeals for the Eleventh Circuit has ordered the FTC to halt enforcement of its data security order against LabMD while LabMD challenges the action.
To recap the events leading up to this stay, a data security company allegedly obtained sensitive data from LabMD via a peer-to-peer file-sharing program. Allegedly, after LabMD refused to purchase the company’s security products, it reported the alleged data security vulnerability to the FTC. The FTC accused LabMD of unfair practices in failing to provide reasonable and appropriate security for customers’ personal information, which was allegedly likely to cause harm to customers. In 2015, an Administrative Law Judge dismissed the case, finding that the FTC failed to prove LabMD’s practices were likely to cause substantial customer injury. In July 2016, upon appeal to the full Commission, the FTC reversed the ALJ decision. Although LabMD stopped operating in 2014, the FTC nevertheless ordered LabMD to implement several information security compliance measures because the Lab still maintains medical records. LabMD appealed to the Eleventh Circuit and filed a motion to stay the FTC’s order.
On August 31, 2016, the Federal Trade Commission published “The NIST Cybersecurity Framework and the FTC” on its blog. The post describes how, in many ways, the FTC’s enforcement actions are “aligned” with the NIST Cybersecurity Framework and that many of the Commission’s enforcement actions can be analyzed under the Framework’s five core principles. The post also makes plain, however, that a company’s compliance with the Framework is not necessarily required, nor is adoption of the Framework clearly sufficient to satisfy the Commission’s requirement that companies establish “reasonable” cybersecurity practices.
The Federal Trade Commission hosted its fourth Start with Security event in Chicago, IL on June 15, 2016. This event was the latest installment of the Start with Security business education initiative launched last summer to engage in proactive outreach with the business community on information security standards and FTC expectations at a time when the FTC’s authority to reactively regulate data security was being challenged in federal court. In addition to the Start with Security events, the FTC also responded by synthesizing its 50+ data security settlements into “10 practical lessons” to guide companies looking to proactively comply with FTC data security expectations.
*This piece originally appeared in Fortune Magazine on May 10, 2016.
As our online footprints grow in size and scope, it is more important than ever for Internet companies to protect us against hackers and disclose how they use our personal data. The Federal Trade Commission was long the main privacy cop enforcing these essential consumer protections. But last year, the FTC’s sister agency—the Federal Communications Commission—reclassified broadband ISPs as common carriers outside the FTC’s jurisdiction. Unless the courts reverse that decision, there are now two privacy cops on the Internet beat. The FCC polices ISPs like Verizon, Charter, and Sprint, while the FTC continues policing everyone else, from Google and Facebook to Apple and Amazon.
*This article originally appeared in the FinTech Law Report, Volume 19, Issue 2 for March/April 2016.
On November 18, 2015, the Federal Trade Commission (FTC) issued final amendments to the Telemarketing Sales Rule (TSR) banning payment methods that the FTC believes are disproportionately used by scammers (Final Rule). The Final Rule was published in the Federal Register on December 14, 2015.
On April 26, the US District Court in Seattle granted the FTC’s motion for summary judgment against Amazon for providing allegedly inadequate parental controls to limit children’s in-app purchases. Case No. C14-1038-JCC. The FTC alleged that the company’s failure to require more robust password re-entry meant that many in-app purchases by children resulted in unauthorized charges to the parents.
Building upon its 2012 Consumer Protection Report, its 2014 report on Data Brokers, and a public workshop held on September 15, 2014, the FTC issued a new report on January 6, 2016, with recommendations to businesses on the growing use of big data: Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues (“2016 Big Data Report”). Rather than focusing on prior themes of notice, choice, and security, the 2016 Big Data Report addresses only the commercial use of big data consisting of consumer information, and focuses on impacts of such big data uses on low-income and underserved populations.
*This post originally appeared in Law360 on January 7, 2016.
While 2015 was a big year in data, 2016 may prove to be even bigger. Many hot button and game changing topics are being debated in legislative bodies and campaign trails, regulators are focused, and privacy-related litigation continues to rise. Below, we count down the top ten cybersecurity, data protection and privacy issues to watch in 2016.
The Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have been active in recent years in bringing consumer protection enforcement actions, with a particular focus on privacy and data security issues. Recent regulatory action from the FCC associated with “net neutrality,” however, has blurred the line as to where each agency’s jurisdiction begins and ends, particularly for companies offering broadband Internet access service. Recognizing this uncertainty, on November 16, 2015, the FTC and FCC announced that the agencies had signed a “Memorandum of Understanding on Consumer Protection.” The MoU set out that the agencies will work together to “coordinate on agency initiatives where one agency’s action will have a significant effect on the other agency’s authority or programs.”
On November 18, the Federal Trade Commission (FTC) issued final amendments to the Telemarketing Sales Rule (TSR) banning payment methods that the FTC believes are disproportionately used by scammers (the Final Rule). The Final Rule follows the notice of proposed rulemaking (NPRM) that the FTC published on July 9, 2013. While the Final Rule makes some modifications to the proposed amendments to the TSR that were included in the NPRM, those changes are not significant, and the Final Rule continues to ban remotely created payment orders (including remotely created checks), cash-to-cash money transfers and cash reload mechanisms in both inbound and outbound telemarketing.
In particular, the FTC rejected many industry comments on the grounds that the commenter did not provide examples or data to support its claims, highlighting the importance of hard evidence in making a case during the FTC’s rulemaking process. Moreover, although the American Bankers Association (ABA) argued that the proposed rule would be a direct and impermissible regulation of banks that exceeds the FTC’s authority, the FTC rejected the ABA’s position.
This Sidley Update briefly summarizes the key components of the Final Rule and the FTC’s analysis in support of its rulemaking.