The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: FTC

  • From Vol. 3 No.4 (Feb. 22, 2017)

    Lessons for Connected Devices From the FTC’s Warning Against Unexpected Data Collection

    In a recently announced $2.2 million settlement with television manufacturer VIZIO, the FTC and the state of New Jersey emphasized the importance of providing notice and consent particularly when connected-device users may not expect the types of data collection and sharing taking place. The action demonstrates the coordination of federal and state enforcement agencies, and the settlement terms serve to inform connected-device companies about the agencies' expectations. In terms of data collection and disclosure, “companies should consider what consumers expect of a device, particularly if it was an analog device that has not been smart in the past,” FTC attorney Megan Cox told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “Privacy, Security Risks and Applicable Regulatory Regimes of Smart TVs” (Jan. 11, 2017).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    FTC Data Security Enforcement Year-In-Review: Do We Know What “Reasonable” Security Is Yet?

    In 2016 alone, more than 35 million records were reported as compromised in more than 980 data breaches, which made consumers wary of trusting companies to handle their data. This leaves companies wondering what they can do to amplify their data security practices to help avoid consumer distrust and the scrutiny of regulators. The FTC expects “reasonable” security, but what does that mean? In this guest article, Kelley Drye & Warren attorneys Alysa Z. Hutnik and Crystal N. Skelton shed light on the answer to this question by detailing illustrative data security enforcement actions over the past year and the security practices the agency has indicated should be implemented as well as those it has warned should be avoided. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    FTC Priorities for 2017 and Beyond

    From holding events on ransomware, disclosure and marketing tactics, to entering into settlement agreements for the misuse of location data, to tackling APEC’s privacy framework for the first time, 2016 was a busy year for the FTC’s privacy and security enforcement arm. The Commission’s actions indicate that it is intending to keep pace with the latest tech and policy developments. But what is in store for 2017? At IAPP’s recent Practical Privacy Series conference, FTC Commissioner Maureen Ohlhausen discussed the agency’s priorities for the coming year. See also “Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)” (Oct. 19, 2016); Part Two (Nov. 2, 2016).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part Two of Two)

    Many companies are still wondering how to develop and implement a data security program that meets the FTC’s reasonableness requirement. “There is a hunger for a checklist,” Kelley Drye partner Alysa Hutnik told The Cybersecurity Law Report. Although not necessarily applicable across the board, the NIST Cybersecurity Framework, along with the FTC’s comments on it and its release of a new breach response guide, serve as useful resources. In this second part of our two-part series on the FTC’s data security expectations in the context of the NIST Cybersecurity Framework, in-house and outside counsel discuss how the Framework’s core functions align with the FTC’s requirements. They also provide steps companies of all types and sizes can take to incorporate these functions into their own security practices. Part one explored the implications of the FTC’s recent communication and detailed three initial steps companies should take to meet the FTC’s reasonableness standard. See also “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)

    The NIST Cybersecurity Framework, while useful, is not a panacea, the FTC recently said, leaving many companies still wondering how to develop and implement a data security program that meets the regulator’s reasonableness requirement. With input from in-house and outside counsel, we examine the FTC’s data security expectations in the context of the NIST Cybersecurity Framework. Part one of this two-part series explores the implications of the FTC’s recent communication, how and when practitioners use the Framework and details three initial steps companies should take to meet the FTC’s reasonableness standard. Part two will cover the Framework’s core functions, how they align with the FTC’s requirements and steps companies can take to incorporate these functions into their own security practices. See also “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).

  • From Vol. 2 No.17 (Aug. 24, 2016)

    Takeaways From the FTC’s Revival of the LabMD Action

    What constitutes privacy harm? What are reasonable data security practices? Companies and regulators struggle to pin down these pressing questions while technology keeps moving the baseline. In the first data security case litigated before the FTC, the agency provided some answers, finding that the data security practices of LabMD were unfair under the FTC Act. The FTC disagreed with the Administrative Law Judge, who held in November 2015 that the FTC had not shown that LabMD’s conduct caused, or is likely to cause, substantial consumer injury. “The bottom line significance for companies is that you have to have reasonable security at the outset,” Phyllis Marcus, Hunton & Williams counsel, said. “Everything else flows from that. It matters much less what happens to a document once it’s breached or leaked and what actual consumer harm may be down the road than what the security measures were at the outset.” For a discussion of the ALJ’s November decision, see “FTC Loses Its First Data Security Case” (Nov. 25, 2015).

  • From Vol. 2 No.17 (Aug. 24, 2016)

    Maximizing the Benefits of Big Data Within Permissible Bounds

    Understanding how data is collected and shared is a critical component of cybersecurity and data privacy compliance. A recent PLI briefing looked at big data through the lens of businesses that use it for marketing, considering the various means by which it is collected, shared and used, the panoply of relevant laws and the related enforcement and litigation landscape. In addition to providing insight on these aspects, the program’s featured speaker, Robert H. Newman, a partner at Winston & Strawn, offered practical guidance for addressing big data issues in contracts and for dealing with data brokers. See also “Keeping Up With Technology and Regulatory Changes in Online Advertising to Mitigate Risks” (Jan. 6, 2016).

  • From Vol. 2 No.14 (Jul. 6, 2016)

    Enforcing Consumer Consent: FTC Focuses on Location Tracking and Children’s Privacy

    The FTC is using its enforcement power to ensure meaningful choice when it comes to geo-location tracking that companies use to gain key marketing data, particularly when children are involved. The FTC brought an action against the global online advertising company InMobi alleging that the company had tracked millions of mobile app users, including children, even when they had opted out, and had misrepresented its practices to app developers and publishers. In the recent settlement, InMobi agreed to pay a significant fine and comply with a detailed long-term injunction. Donna Wilson, Manatt partner, told The Cybersecurity Law Report that companies should expect a “continued emphasis” from regulators on children’s privacy and geo-location practices, as well as a closer look at “how companies’ conduct in that area lines up with what they are telling either consumers and/or business partners and other third parties.” See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    Securing the Connected Car: Privacy, Security and Self-Regulation

    Much like smartphones, today’s automobiles have become vast data endpoints, equipped with advanced electronics, sensors and computing power. In cars, though, these advancements not only facilitate communications but also enhance safety and the driving experience. As panelists at the recent IAPP Privacy Summit pointed out, a breach can implicate physical safety as well as data privacy. The panelists, including in-house experts at AT&T and General Motors, discussed the threat landscape for connected cars, the current regulatory framework governing cybersecurity of connected cars and how the automobile industry is developing best practices and automobile design to meet consumer expectations while minimizing cybersecurity risk. See also “Designing Privacy Policies for Products and Devices in the Internet of Things” (Apr. 27, 2016).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Ten Steps to Minimize Data Privacy and Security Risk and Maximize Compliance

    Increasingly, general counsel, privacy officers and even CEOs are taking on more and more data privacy and security compliance burdens because of the significant legal implications of not just breaches, but failure to comply with a range of privacy and cybersecurity regulations. That applies to international transfers of data as well. In a guest article, Aaron Charfoos, Jonathan Feld and Stephen Tupper, members of Dykema, discuss recent global developments and ten ways companies can ensure compliance with new regulations to increase data security and minimize the risk of enforcement actions. See also “Liability Lessons From Data Breach Enforcement Actions” (Nov. 11, 2015).

  • From Vol. 2 No.6 (Mar. 16, 2016)

    A Behind-the-Curtains View of FTC Security and Privacy Expectations

    As the FTC continues to strongly assert its role in the data protection and privacy space, companies are seeking guidance on best practices to meet the regulator’s expectations. At ALM’s recent cyberSecure conference, Andrea Arias, an attorney in the FTC’s Division of Privacy and Identity Protection, identified the Commission’s enforcement priorities and offered insight on how companies can comply with its rules and policies, noting recent instructive cases. A previous article featured insights from Arias’ fellow cyberSecure panelists, Sachin Kothari, director of online privacy and compliance at AT&T, Inc. and Chaim Levin, chief U.S. legal officer at Tradition Group, on implementing a “privacy-by-design” program for in-house corporate governance structures. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

  • From Vol. 2 No.4 (Feb. 17, 2016)

    Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part Two of Two)

    Companies are capitalizing on increased personal and professional mobile device use by collecting, storing and sharing mobile-generated information to improve products and services and target advertising. During a recent webinar, WilmerHale partners D. Reed Freeman, Jr. and Heather Zachary examined the latest federal, state and self-regulatory privacy and data security expectations tied to mobile devices. In this second installment of our two-part series, Freeman and Zachary address: how to ensure compliance in the use of cross-device advertising and tracking; Telephone Consumer Protection Act lessons; and key differences in Canada and E.U. regulations. Part one covered how practitioners can navigate the regulatory environment for mobile advertising, including self-regulatory guidance and the increasingly important role of the FCC. See also “FTC Chair Addresses the Agency’s Data Privacy Concerns With Cross-Device Tracking” (Nov. 25, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    So, You Just Got a Letter From the FTC: A Guide for Attorneys (Part Two of Two)

    The receipt of a civil investigative demand from the FTC should not induce panic – a CID is “a vehicle for inquiry and we close far more [cases] than we bring,” Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, said during a panel at the recent IAPP Practical Privacy Series. Along with Mithal, the panel featured private outside counsel experts Stuart Ingis, a partner at Venable; and Hunton & Williams counsel Phyllis Marcus. They provided advice on how to handle a CID, from the first steps through requesting a closed case, including the view from behind the scenes at the FTC. In this second installment of our two-part series, we cover the FTC’s perspective on the CID process and how best to prepare for and conduct the meetings with the FTC staff and directors. Part one examined best practices for the first steps to take after receiving the CID, as well as strategies for setting up the client for a successful result. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part One of Two)

    With consumers now using mobile devices in nearly every aspect of their personal and professional lives, companies are collecting, storing and sharing information from mobile use for a wide range of initiatives such as improving products and services and targeted advertising. During a recent webinar, WilmerHale partners D. Reed Freeman, Jr. and Heather Zachary examined the latest federal, state and self-regulatory privacy and data security expectations. Part one in this two-part series covers the panelists’ detailed discussion about how practitioners can navigate the regulatory environment for mobile advertising, including self-regulatory guidance and the increasingly important role of the FCC. In part two, Freeman and Zachary address: how to ensure compliance in the use of cross-device advertising and tracking; lessons from the Telephone Consumer Protection Act; and key aspects of the E.U. and Canada’s mobile privacy and data security regulations. See also “FTC Chair Addresses the Agency’s Data Privacy Concerns With Cross-Device Tracking” (Nov. 25, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    The FTC’s Big Data Report Helps Companies Maximize Benefits While Staying Compliant

    Recognizing the benefits of “big data” and its widespread use, on January 6, 2016, the FTC issued a staff report on best practices for companies to minimize risks of that use, including the potential for discrimination against certain populations. The report, Big Data: A Tool For Inclusion or Exclusion? Understanding the Issues, addresses applicable laws and policy considerations and provides a series of questions to help companies become and remain compliant. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    So, You Just Got a Letter From the FTC: A Guide for Attorneys (Part One of Two)

    Receiving a civil investigative demand (CID) from the FTC can be nerve-wracking, but there are ways to make the process smoother. During the recent IAPP Practical Privacy Series 2015, a panel of government and private outside counsel experts provided advice on how to respond to written requests and steps companies can take to best position themselves in front of the agency, starting with the first telephone call. The panel featured Maneesha Mithal, FTC Associate Director, Division of Privacy and Identity Protection; Venable partner Stuart Ingis; and Hunton & Williams counsel Phyllis Marcus. Part one in this two-part series examines best practices for first steps after receiving the CID, including the first call with the client and the initial contact with the FTC, as well as strategies for setting up the client for a successful result. Part two will cover the FTC’s perspective on the CID process and how best to prepare for and conduct the meetings with the FTC staff and directors. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016

    The FTC’s Bureau of Consumer Protection was hard at work in 2015, reaching settlements with a wide range of companies on a variety of privacy and data security issues. During the recent IAPP Practical Privacy Series 2015, Jessica Rich, Director of the Bureau of Consumer Protection and an architect of the FTC’s privacy program, reflected on the agency’s major enforcement actions, reports and relationships in 2015 and what businesses should expect in the coming year. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

  • From Vol. 1 No.17 (Nov. 25, 2015)

    FTC Loses Its First Data Security Case

    In the FTC’s first loss in a data breach security case, and the first such case to reach a full adjudication, an administrative law judge dismissed the agency’s complaint against LabMD, Inc. regarding two alleged cybersecurity incidents at LabMD. The ALJ held, in a lengthy Initial Decision, that the FTC did not meet its burden on the first prong of the three-part test in Section 5(n) of the FTC Act – that LabMD’s conduct caused, or is likely to cause, substantial consumer injury. Phyllis Marcus, counsel at Hunton & Williams, said the ALJ was “holding the FTC Complaint Counsel, rightfully so, to the fire. Bald allegations of substantial injury or likelihood of substantial injury” to support an unfairness claim will no longer be sufficient if the case stands. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity,” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015).

  • From Vol. 1 No.17 (Nov. 25, 2015)

    FTC Chair Addresses the Agency’s Data Privacy Concerns with Cross-Device Tracking

    Consumers’ online presence is constantly in motion as they jump from device to device throughout the day. Companies that want to track consumer activity are using new methods that follow consumers, and the platforms and applications they use, on these various devices. The FTC recently held a workshop to examine and address privacy issues raised by cross-device tracking. FTC Chairwoman Edith Ramirez commenced the workshop by explaining the Commission’s goal to allow technological innovation – with all the consumer benefits it offers – while safeguarding consumer privacy. We highlight the key points of her speech in which she emphasized the importance of effective transparency, notice, choice and security. See also “In the Wyndham Case, the Third Circuit Gives the FTC a Green Light to Regulate Cybersecurity Practices,” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    Liability Lessons from Data Breach Enforcement Actions

    Inadequate cybersecurity measures can expose companies not only to data breach incidents, but to liability from multiple fronts, including state attorneys general, the FTC and civil litigants. In a recent panel at the Practising Law Institute, Michael Vatis, a Steptoe & Johnson partner, and KamberLaw partner David Stampley discussed the dynamic enforcement and judicial climate in this space, distilling actionable takeaways from recent settlements with state attorneys general, FTC actions including Wyndham, and evolving consumer litigation jurisprudence. The enforcement actions and litigations are instructive for companies seeking to fortify their internal information security and data privacy efforts and guard against the risk of liability in the event of a breach. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    In the Wyndham Case, the Third Circuit Gives the FTC a Green Light to Regulate Cybersecurity Practices

    The Wyndham decision makes clear that there is a “‘top cop’ regulatory agency looking over privacy and security practices of private business: the Federal Trade Commission,” Cynthia Larose, a member of Mintz Levin, told The Cybersecurity Law Report. On August 24, 2015, the Third Circuit denied Wyndham’s motion to dismiss an FTC complaint against it and held that the FTC can pursue Wyndham for allegedly weak data security practices that led to three breaches. “The FTC is here to stay in the data privacy and security space,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, said. We examine the decision and its implications. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity,” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    FTC Weighs In on the Security of Health Care Data on the Cloud

    Like many industries, the health care sector is relying more heavily on new technology to provide digital medical records that are often stored on cloud-based servers and transmitted electronically. With the technological advances come privacy and security concerns that the FTC is watching closely. Cora Han, a senior attorney in the Division of Privacy and Identity Protection at the FTC, recently spoke at a meeting of the Health Care Cloud Coalition, a not-for-profit representing cloud computing, telecommunication, digital health, and healthcare companies in the health care sector. Han addressed the FTC’s expectations and enforcement efforts for privacy and security related to cloud-based mobile technology companies in the health care industry. See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity

    In its new guidance, “Start with Security,” the Federal Trade Commission is “stating its case why it should be recognized as the preeminent authority in this area,” Stephen Newman, a partner at Stroock, told The Cybersecurity Law Report. The FTC makes clear in the guidance that it expects companies to put strong cybersecurity practices in place and will hold the companies responsible for lax security measures if a breach does occur. The guidance also provides valuable compliance advice – it articulates the FTC’s thoughts on how to reduce risk with “fundamentals of sound security” based on “the lessons learned from the more than 50 law enforcement actions the FTC has announced so far.” We discuss the ten steps the FTC has put forward to enhance cyber compliance, with input from experts. See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).