Privacy Shield Update: Ahead of First Joint Review, Europeans Remain Skeptical as FTC Announces Enforcement Actions

On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of uncertainty surrounding the Framework’s future as EU officials and privacy advocates have questioned its efficacy and validity in the run-up to the first annual joint review set to begin next week.

FTC Enforcement Actions

According to the FTC’s complaints, the three companies claimed on their websites to have self-certified to the EU-U.S. Privacy Shield Framework – and in one instance, also the Swiss-U.S. Privacy Shield Framework – whereas allegedly they had not completed the certification process.

The Commission’s allegations in these cases did not concern substantive violations of the Privacy Shield Principles; rather, they focused on misrepresentations regarding certification status. This should come as no surprise: in an April 13 blog post, the FTC issued a direct warning that it “will pursue enforcement if companies mislead consumers about their participation in Privacy Shield.”

These enforcement actions are likely to be a topic of conversation during the upcoming first annual joint review of the Privacy Shield Framework, which is scheduled to begin next week and will involve representatives from the U.S. Department of Commerce, the European Commission, the Article 29 Working Party and the FTC.

Industry Watchdog Reminds Digital Advertisers of the Importance of Providing Consumers With Transparency and Choice in Latest Enforcement Actions

Two digital advertising companies, Adbrain and Exponential Interactive, were cited in recent decisions by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for not complying with the online advertising industry’s requirements for interest-based advertising (IBA). IBA is the practice of tracking users across time and across services in order to build interest profiles on them and serve more relevant ads.

The latest in a series of enforcement actions by the OIBAAP for noncompliance with the Digital Advertising Alliance (DAA) Self-Regulatory Principles (Principles), these two cases provide important takeaways for digital advertisers.


Uber Settles With FTC Over Allegedly Deceptive Privacy And Data Security Practices

Uber, the ride-hailing giant, agreed this week to implement a comprehensive privacy program and to undergo 20 years of privacy and data security audits in order to settle allegations by the Federal Trade Commission (FTC) that Uber did not keep its promises to protect customer data. The FTC had alleged two separate failures by Uber: first, misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second, misrepresenting that it deployed reasonable measures to secure personal information it stored on a third-party cloud provider’s servers. This week’s settlement made clear the FTC’s view that being an early-phase company is no excuse for weak data protection measures or misleading statements regarding consumer data privacy.

The settlement resolved an investigation that began in November 2014, after a series of media reports alleging improper access and use of customer personal information by Uber employees caused an outcry among consumers. One article reported that an Uber executive (now former) had suggested that the company hire “opposition researchers” to look into the “personal lives” of journalists who had raised questions regarding Uber’s business practices. A second article described an internal tracking tool, known as “God View,” that displayed the personal information of riders using Uber’s services.

Delaware Revamps Its State Data Breach Notification Statute

On Aug. 17, 2017, Delaware revamped its existing data breach notification statute. In doing so, Delaware became the second state (joining Connecticut) to mandate offering individuals affected by a breach of security involving Social Security numbers at least one year of complimentary credit monitoring services. The new law takes effect on April 14, 2018, and includes some minor reworking of definitions to make the entire statute more cohesive, as well as several major new components.

First, the new law expands the definition of “personal information” to include a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual: (1) Social Security number; (2) driver’s license number or state or federal identification card number; (3) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) passport number; (5) a username or email address, in combination with a password or a security question and an answer that would permit access to an online account; (6) medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or DNA profile; (7) health insurance policy number, subscriber identification number or any other unique identifier used by a health insurer to identify the person; (8) unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and (9) an individual taxpayer identification number.

FTC Blog Post Series Makes Common Sense Of Data Security

Recently, data security experts and regulators have said that “businesses should use a common sense approach” when addressing data security. However, rarely do I hear clients or other business professionals speak in those terms. Many organizations find data security to be daunting. It does not have to be. In fact, it can be a matter of common sense.

In 2015, the Federal Trade Commission (FTC) published a business guide called “Start with Security.” The guide is a compilation of lessons learned from cases brought by the FTC incorporated into 10 fundamentals that are applicable to any organization.

On July 21, 2017, the FTC announced that it would start a new initiative, Stick with Security, which is a weekly Business Blog post that tackles one of the 10 Start with Security principles.

SEC Cybersecurity Risk Alert Emphasizes Proactive Compliance and Ongoing Vigilance

On August 7, 2017, the Securities and Exchange Commission (SEC) released its latest cybersecurity risk alert, detailing findings from the examination of 75 broker-dealers, investment advisers and investment companies carried out by its Office of Compliance Inspections and Examinations (OCIE) pursuant to its 2015 cybersecurity examination initiative. In contrast with the previous round of examinations, the Cybersecurity 2 Initiative focused more on validating and testing cybersecurity procedures and controls, with the alert highlighting improvements, deficiencies and best practices for registered firms.

Although OCIE noted improvements across the board (with all or “nearly all” firms showing progress, and broker-dealers generally leading advisers and investment companies in a number of areas), it also identified a number of deficiencies.

FINRA Video Series Highlights Broker-Dealers’ Common Cybersecurity Deficiencies

In a series of three video programs published on the FINRA website in recent weeks, FINRA provided guidance on common deficiencies it has been seeing in its cybersecurity examinations of member firms, and recommended a number of measures to address these issues. Firms should heed these warnings both so that they are prepared for when FINRA (or SEC or state) examiners come calling and, perhaps more importantly, so that they are as protected as they reasonably can be from the variety of cyberattacks facing the financial industry.

Are Industrial Control Systems the Linchpin for Critical Infrastructure Cybersecurity?

Over the past few months, news headlines around the globe have been littered with reports of cyberthreats to the critical infrastructure of countries of all sizes. What were once just ominous theories of catastrophic cyberattacks crippling the nation’s critical infrastructure are now deemed credible threats that critical infrastructure enterprises must consider in their cybersecurity, business continuity and incident response planning.

While the U.S. has not experienced a disruptive critical infrastructure cyberattack to date, such as the 2015 attack on Ukraine’s power grid that left more than 700,000 people without power for several hours, the frequency of cyberattacks on critical infrastructure enterprises is on the rise. This becomes an even greater concern with events such as the reported Russian intrusions into the computer networks of numerous U.S. nuclear plant operators, which occurred just last month. As is becoming more and more common in attacks targeting critical infrastructure enterprises, the attackers targeted industrial control engineers, who had access to critical industrial control systems (ICS).

FTC Announces Internal Process Reforms in Connection with Civil Investigative Demands

Has your company or client been served with a Civil Investigative Demand (CID)? Overwhelmed? Don’t despair – the future may be brighter, as the Federal Trade Commission (FTC) is now offering more clarity regarding its CID document requests process. On July 17, 2017, FTC Acting Chairman Maureen K. Ohlhausen issued a new internal process reform aimed at promoting clarity, efficiency and transparency, and designed to “reduce unnecessary and undue burdens” associated with FTC investigations.

The reform specifically addresses CIDs in consumer protection cases, and includes a plain-language explanation of the CID process and a more elaborate description of the purpose, scope and types of information sought by the FTC, so recipients can better comply and respond. The FTC will also work to lighten the burden on companies by limiting relevant time periods, expanding the response time and revising existing CID instructions for the production of electronically stored information. The FTC will adhere to its current practice and will follow up on the status of investigations “at least every six months” after companies comply with CIDs.

Oregon Expands Deceptive Trade Practices Act to Include Misrepresentations About PI Usage

Effective January 1, 2018, Oregon will join Pennsylvania and Nebraska in expanding its definition of deceptive trade practices to explicitly include a material misstatement regarding the use of personal information. House Bill 2090 applies to statements “publishe[d] on a website … or in a consumer agreement related to a consumer transaction.” Like the other states’ laws, Oregon’s law does not include a private right of action. However, the Oregon law is significantly broader than Pennsylvania’s and Nebraska’s laws in the following respects:

  • Oregon’s law does not include a mental state requirement. Both Pennsylvania’s and Nebraska’s laws require that the misrepresentation be made “knowingly.”
  • Oregon’s law applies to any “information that the person requests, requires or receives from a consumer” as opposed to limiting coverage to “personal information.”
  • Oregon’s law applies to representations regarding how a person will “use, disclose, collect, maintain, delete or dispose of information,” whereas the Pennsylvania and Nebraska laws apply only to “use.”

The following chart provides additional details regarding the similarities and differences between the three laws: