On April 26, the US District Court in Seattle granted the FTC’s motion for summary judgment against Amazon for providing allegedly inadequate parental controls to limit children’s in-app purchases. Case No. C14-1038-JCC. The FTC alleged that the company’s failure to require more robust password re-entry meant that many in-app purchases by children resulted in unauthorized charges to the parents.
Building upon its 2012 Consumer Protection Report, its 2014 report on Data Brokers, and a public workshop held on September 15, 2014, the FTC issued a new report on January 6, 2016, with recommendations to businesses on the growing use of big data: Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues (“2016 Big Data Report”). Rather than focusing on prior themes of notice, choice, and security, the 2016 Big Data Report addresses only the commercial use of big data consisting of consumer information, and focuses on impacts of such big data uses on low-income and underserved populations.
*This post originally appeared in Law360 on January 7, 2016.
While 2015 was a big year in data, 2016 may prove to be even bigger. Many hot-button and game-changing topics are being debated in legislative bodies and on campaign trails, regulators are focused, and privacy-related litigation continues to rise. Below, we count down the top ten cybersecurity, data protection and privacy issues to watch in 2016.
The Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have been active in recent years in bringing consumer protection enforcement actions, with a particular focus on privacy and data security issues. Recent regulatory action from the FCC associated with “net neutrality,” however, has blurred the line as to where each agency’s jurisdiction begins and ends, particularly for companies offering broadband Internet access service. Recognizing this uncertainty, on November 16, 2015, the FTC and FCC announced that the agencies had signed a “Memorandum of Understanding on Consumer Protection.” The MoU set out that the agencies will work together to “coordinate on agency initiatives where one agency’s action will have a significant effect on the other agency’s authority or programs.”
On November 18, the Federal Trade Commission (FTC) issued final amendments to the Telemarketing Sales Rule (TSR) banning payment methods that the FTC believes are disproportionately used by scammers (the Final Rule). The Final Rule follows the notice of proposed rulemaking (NPRM) that the FTC published on July 9, 2013. While the Final Rule makes some modifications to the proposed amendments to the TSR that were included in the NPRM, the NPRM was not modified significantly and continues to ban remotely created payment orders (including remotely created checks), cash-to-cash money transfers and cash reload mechanisms in both inbound and outbound telemarketing.
In particular, the FTC rejected many industry comments on the grounds that the commenter did not provide examples or data to support its claims, highlighting the importance of hard evidence in making a case during the FTC’s rulemaking process. Moreover, although the American Bankers Association (ABA) argued that the proposed rule would be a direct and impermissible regulation of banks that exceeds the FTC’s authority, the FTC rejected the ABA’s position.
This Sidley Update briefly summarizes the key components of the Final Rule and the FTC’s analysis in support of its rulemaking.
A recent ALJ Initial Decision may prove significant in data breach litigation and provide further aid to companies battling class actions with claims of future injury through identity theft. On November 13, 2015, the administrative law judge hearing the FTC’s action against medical testing laboratory LabMD dismissed the FTC’s case in its entirety. See In re LabMD, Inc., F.T.C. ALJ, No. 9357 (Nov. 13, 2015). The action had its genesis in an investigation of LabMD’s security practices. The investigation began after a report that information from LabMD may have been disclosed on a file-sharing website. The FTC asserted that LabMD had failed to properly protect sensitive data and that information gleaned from its records was being used for identity theft purposes.
On Monday, the U.S. Court of Appeals for the Third Circuit issued its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015), holding that the Federal Trade Commission has the authority to bring an action under Section 5 of the FTC Act for allegedly “unfair” cybersecurity practices.
On April 10, 2015, the FTC closed its data security investigation of a securities firm after one of its employees moved the personal information of certain of the firm’s wealth management clients to personal devices and a personal website. Ultimately, the personal data became available on publicly accessible websites.
The Federal Trade Commission released “Start with Security: A Guide for Business” on June 30, 2015. The guide contains ten best practices for addressing issues of data security based on lessons learned from the FTC’s 53 data-security actions to date. Specifically, it identifies “vulnerabilities” that could affect businesses of all sizes and provides some “practical guidance on how to reduce the risks [those vulnerabilities] pose.”
On June 29, the FTC and New Jersey Attorney General announced the filing of a joint complaint, and proposed, stipulated settlement, against an Ohio-based app developer, Equiliv Investments LLC, and an individual officer of the company. The federal and state enforcement agencies alleged that Equiliv marketed a free app that users believed would let them earn rewards points for playing games or downloading affiliated apps. The agencies alleged that Equiliv explicitly represented the app was free of malware when in fact the app’s main purpose was actually to load malicious software on the users’ phones to mine virtual currency. Allegedly, the app took control of the devices’ computing resources and degraded the phones’ performance by draining battery life and data plans, and causing the devices to charge slowly. The malware was alleged to pool the computing resources of consumers’ mobile devices to benefit the company’s effort to generate virtual currencies through a peer-to-peer network to compete with other devices in solving complex mathematical equations – a process known as “mining.”