FTC Announces Internal Process Reforms in Connection with Civil Investigative Demands

Has your company or client been served with a Civil Investigative Demand (CID)? Overwhelmed? Don’t despair – the future may be brighter, as the Federal Trade Commission (FTC) is now offering more clarity regarding its CID document requests process. On July 17, 2017 FTC Acting Chairman Maureen K. Ohlhausen issued a new internal process reform aimed at promoting clarity, efficiency and transparency, and designed to “reduce unnecessary and undue burdens” associated with FTC investigations.

The reform specifically addresses CIDs in consumer protection cases, and includes a plain-language explanation of the CID process and a more elaborate description of the purpose, scope and types of information sought by the FTC, so recipients can better comply and respond. The FTC will also work to lighten the burden on companies by limiting relevant time periods, expanding the response time and revising existing CID instructions for the production of electronically stored information. The FTC will adhere to its current practice and will follow up on the status of investigations “at least every six months” after companies comply with CIDs.

Oregon Expands Deceptive Trade Practices Act to Include Misrepresentations About PI Usage

Effective January 1, 2018, Oregon will join Pennsylvania and Nebraska in expanding its definition of deceptive trade practices to explicitly include a material misstatement regarding the use of personal information. House Bill 2090 applies to statements “publishe[d] on a website … or in a consumer agreement related to a consumer transaction.” Like the other states’ laws, Oregon’s law does not include a private right of action. However, the Oregon law is significantly broader than Pennsylvania’s and Nebraska’s laws in the following respects:

  • Oregon’s law does not include a mental state requirement. Both Pennsylvania’s and Nebraska’s laws require that the misrepresentation be made “knowingly.”
  • Oregon’s law applies to any “information that the person requests, requires or receives from a consumer” as opposed to limiting coverage to “personal information.”
  • Oregon’s law applies to representations regarding how a person will “use, disclose, collect, maintain, delete or dispose of information,” whereas the Pennsylvania and Nebraska laws apply only to “use.”

The following chart provides additional details regarding the similarities and differences between the three laws:


Nevada Enacts Online Privacy Policy Law; Illinois ‘Right to Know’ Bill Carried Over

Nevada recently became the latest state to pass a law requiring operators of websites and online services to post a public notice regarding their privacy practices. California was the first state to do so, with a law that took effect in 2004, and Delaware enacted a similar law effective January 1, 2016. Similar to its predecessors, the new Nevada legislation specifies that the posted notice must:

  • Identify the categories of personally identifiable information (PII) collected through the site;
  • Identify the categories of third parties with whom such PII may be shared;
  • Disclose whether third parties may collect information about a consumer’s online activities over time and across different websites when the consumer uses the site;
  • Provide information about the process for reviewing and requesting changes to PII collected through the site; and
  • List an effective date.


Revocation of Consent Under the TCPA

The Telephone Consumer Protection Act (TCPA) was enacted as a consumer protection measure against companies that engage in telemarketing practices. The basic principle of the TCPA is that it prohibits a company from making “any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party.” 47 U.S.C. § 227(b)(1)(B). The deterrent is statutory damages of $500 per violation, which a court may treble to $1,500 per violation where the violation was willful or knowing (per call in this case, a number that can quickly add up).

But what happens if an individual gives a company “express written consent” and later seeks to revoke that consent? Prior case law, and a 2015 Federal Communications Commission (FCC) ruling, had stated that a consumer who freely gives informed consent may revoke it by “any reasonable means.” In various cases, plaintiffs have successfully claimed that they revoked their initial consent and were therefore entitled to damages under the TCPA. The Second Circuit, in Reyes v. Lincoln Automotive Financial Services, No. 16-2104-cv, however, draws a clear distinction from those rulings and holds that express consent can, in certain cases, be irrevocable.

Deeper Dive: Application of Work-Product Doctrine to Forensic Investigations

In a recent post, we addressed the role a forensic investigation plays in a company’s response to a data security incident. We noted that to maximize the likelihood that a forensic firm’s work will be covered by the work-product doctrine or attorney-client privilege, the engagement letter should include outside counsel and the forensic firm should conduct its investigation at the direction of counsel. At a minimum, the engagement letter should specify that the forensic firm has been engaged to assist counsel in providing legal advice and, when appropriate, should specify that the forensic firm is assisting counsel in anticipation of litigation. Since that post, a new court decision has shed additional light on the factors affecting whether the work-product doctrine will protect a forensic firm’s work from discovery.

In In re Experian Data Breach Litigation, Case No. 8:15-cv-01592-AG-DFM (C.D. Cal. May 18, 2017), the court denied a motion to compel discovery of a forensic firm’s report and related documents, holding that the materials were protected by the work-product doctrine. In Experian, the defendant retained outside counsel shortly after learning of an incident (but before any litigation commenced), and the outside counsel then retained the forensic firm to investigate the incident.

The court considered several facts to be significant in determining that the work-product doctrine applied. As already noted, the forensic firm was retained by outside counsel at a time when it was reasonable to anticipate litigation over the data breach. Additionally, the forensic firm’s report was shared only with outside and in-house counsel, not with the company’s broader incident response team. The company also submitted declarations establishing that the scope of the forensic firm’s engagement was limited to assisting the company’s counsel.

New York DFS Updates FAQs to Clarify Applicability of Cybersecurity Regulation

With the first compliance deadline now less than two months away, the New York Department of Financial Services (NYDFS) has provided additional clarity concerning its new Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulation”) by publishing an update to previously issued Frequently Asked Questions.

We reported on the forthcoming Cybersecurity Regulation in January and February.

The new FAQs address the applicability of the Cybersecurity Regulation to three different types of entities. [1]

  • New York Branches of Out-of-State Banks. Pursuant to a 1997 Nationwide Cooperative Agreement among state banking regulators, NYDFS “will defer to the home state supervisor for supervision of New York branches.” However, NYDFS “maintains the right to examine branches located in New York” as they still must comply with New York law. Accordingly, NYDFS “strongly encourages all financial institutions, including New York branches of out-of-state domestic banks” to adopt safeguards and protections consistent with the Cybersecurity Regulation.
  • Subsidiaries and Other Affiliates. A Covered Entity must include Affiliates in its Risk Assessment to determine whether they present risks to the Covered Entity’s Information Systems or Nonpublic Information. If so, those risks must be addressed in the Covered Entity’s cybersecurity program and written cybersecurity policy.
  • Exempt Covered Entities. Because the exemptions set forth in Section 500.19 of the Cybersecurity Regulation are “limited in scope,” exempt Covered Entities must still comply with certain provisions of the Cybersecurity Regulation. For example (not listed in the FAQs), a Covered Entity that is exempt under Section 500.19(a) must still conduct a Risk Assessment that informs its cybersecurity program, written cybersecurity policy, access privileges, Third Party Service Provider security policy and data retention practices. Such an exempt Covered Entity also would be required to notify NYDFS of covered Cybersecurity Events and annually certify its compliance to the Superintendent.

We will continue to monitor and provide updates regarding additional NYDFS guidance or interpretations relevant to implementation of the Cybersecurity Regulation.

[1] Note: capitalized terms not defined below are defined in the Cybersecurity Regulation.


Countdown Begins for Cybersecurity Compliance

This month marks an important waypoint for defense contractors subject to the new cybersecurity requirements imposed by the Department of Defense. For contractors subject to the requirements of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (the clause), the deadline for compliance with the clause’s cybersecurity requirements is Dec. 31, 2017, giving covered defense contractors just six months to ensure compliance with the standards prescribed by the clause.

As covered contractors push to meet this deadline, they should keep in mind a few important features of the clause. The clause is required to be included in all Department of Defense contracts ‒ other than contracts for commercially available, off-the-shelf items ‒ but the obligations it imposes on individual contractors can vary considerably.

Ways to Prevent & Prepare for Ransomware Attacks

Ransomware was involved in 10 percent of the 450 breaches handled by our Privacy and Data Protection team in 2016. This week’s news about a global ransomware attack is another example that this trend is on the rise.

Companies, governments and organizations around the world are grappling with what steps they should take to minimize their risks and prepare to respond.

We are currently advising clients who have been affected by this attack and have set out the key preventive measures in the full post.

US Companies Create Principles for Cybersecurity Risk Ratings

On June 20, 2017, the U.S. Chamber of Commerce announced that a consortium of more than two dozen chamber member companies, including prominent big banks, big-box retailers, and technology giants released a set of principles designed to promote fair and accurate cybersecurity ratings. The creation of the “Principles for Fair and Accurate Security Ratings” comes in response to the recent emergence of several companies, such as BitSight Technologies, CyberGRX, RiskRecon and SecurityScorecard, that collect and analyze publicly accessible data to develop a rating of a company’s cybersecurity risk posture. The data is typically collected without the target company’s knowledge and comes from a variety of sources, such as:

  • Hackers’ forums and data available on the darknet indicating that a company’s data is for sale or its systems have been compromised.
  • Sinkhole infrastructure that captures connections from infected machines to seized or redirected command-and-control domains, revealing which company IP ranges contain hosts beaconing to malware or botnet controllers.
  • Port-scanning tools that identify open ports on a company’s internet-facing systems.
  • Open-source malware intelligence sources intended for companies to use to strengthen their cybersecurity defenses, which ratings companies analyze to identify compromised companies.
  • Scanning a company’s public-facing systems for indications of vulnerabilities, such as out-of-date operating systems, the absence of multifactor authentication and poor patching practices.
  • Public data breach feeds for indicators of compromise.
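Because a rating is derived only from what is visible from outside, a company can reproduce the core of the exercise itself before a ratings vendor does. The following added example (not code from the Chamber principles or from any ratings vendor) applies a small set of posture rules to service banners in the one-line-per-port form a version scan produces. The banner lines, the list of administrative ports that should never be internet-reachable, the minimum-version thresholds and the end-of-life product strings are all constructed for illustration and are not a vendor's actual scoring model.

```python
"""Outside-in exposure check: infer posture signals from public service banners.

Added example. SAMPLE_BANNERS, EXPOSED_ADMIN_PORTS, MIN_VERSIONS and END_OF_LIFE
are constructed for illustration, not taken from any ratings vendor.
"""
import re
from dataclasses import dataclass

# Constructed scan output: "<host> <port> <service> <banner>" per line, in the
# shape a version scan (e.g. nmap -sV) yields once flattened. Hosts are RFC 5737
# documentation addresses.
SAMPLE_BANNERS = """\
203.0.113.10 22 ssh OpenSSH 7.4
203.0.113.10 443 https nginx 1.18.0
203.0.113.11 3389 ms-wbt-server Microsoft Terminal Services
203.0.113.11 445 microsoft-ds Windows Server 2008 R2
203.0.113.12 23 telnet Linux telnetd
203.0.113.12 80 http Apache httpd 2.2.15
"""

# Administrative or file-sharing services that should not face the internet.
EXPOSED_ADMIN_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}

# Hypothetical patch baselines: a banner older than these counts as unpatched.
MIN_VERSIONS = {"OpenSSH": (7, 4), "nginx": (1, 18, 0), "Apache httpd": (2, 4, 0)}

# Product strings treated as end-of-life for this example.
END_OF_LIFE = ("Windows Server 2003", "Windows Server 2008")

# Points deducted per finding by severity (1 = low, 2 = medium, 3 = high).
WEIGHTS = {1: 5, 2: 10, 3: 20}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: int
    reason: str


def parse_version(banner):
    """Extract the first dotted numeric version as a comparable tuple, or None."""
    m = re.search(r"(\d+(?:\.\d+)+)", banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def assess_banner(line):
    """Apply the posture rules to one banner line and return its findings."""
    host, port, _service, banner = line.split(" ", 3)
    port = int(port)
    findings = []
    if port in EXPOSED_ADMIN_PORTS:
        findings.append(Finding(host, port, 3,
                                f"{EXPOSED_ADMIN_PORTS[port]} reachable from the internet"))
    for product, minimum in MIN_VERSIONS.items():
        if banner.startswith(product):
            version = parse_version(banner)
            if version is not None and version < minimum:
                baseline = ".".join(str(n) for n in minimum)
                findings.append(Finding(host, port, 2, f"{banner} older than {baseline}"))
    if any(banner.startswith(eol) for eol in END_OF_LIFE):
        findings.append(Finding(host, port, 3, f"end-of-life platform: {banner}"))
    return findings


def assess(scan_text):
    """Run assess_banner over every non-empty line of a flattened scan."""
    return [f for line in scan_text.splitlines() if line.strip()
            for f in assess_banner(line)]


def score(findings):
    """Rough 0-100 posture score: 100 minus the weighted finding count, floored at 0."""
    return max(0, 100 - sum(WEIGHTS[f.severity] for f in findings))


if __name__ == "__main__":
    results = assess(SAMPLE_BANNERS)
    for f in sorted(results, key=lambda f: (-f.severity, f.host, f.port)):
        print(f"[sev {f.severity}] {f.host}:{f.port}  {f.reason}")
    print("score:", score(results))
```

Run against the constructed sample, the patched SSH and nginx hosts produce no findings, while the exposed RDP, SMB and telnet listeners, the end-of-life Windows build and the old Apache release pull the score down to 10. The rules are deliberately simple; the point is that every input here is something an outside party can collect without the company's knowledge, so anything this check flags is already visible to a ratings vendor.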


When is a Chair not a Chair? Big Data Algorithms, Disparate Impact, and Considerations of Modular Programming

The DESI VII Workshop titled “Using Advanced Data Analysis in eDiscovery & Related Disciplines to Identify and Protect Sensitive Information in Large Collections” was held on the Strand Campus of King’s College in London on June 12, 2017. DESI VII was particularly focused on privacy, and presented numerous papers that examined emerging protocols and novel techniques for identifying and protecting sensitive information in large collections of data, with specific references to the following four areas:

  • E-Discovery.
  • EU Privacy Policies and the “right to be forgotten.”
  • Audits and Investigations.
  • Public Access Requests.

As part of the proceedings, a presentation and supporting article titled “When is a Chair not a Chair? Big Data Algorithms, Disparate Impact, and Considerations of Modular Programming” focused on the rapid growth in predictive algorithms based on “real world experience” data. The article and its associated presentation also examined a number of challenges associated with algorithms that worked as intended but, in doing so, also demonstrated the law of unintended (and unwanted) consequences. These unintended consequences had very serious legal, regulatory and court-of-public-opinion repercussions, which the workshop then discussed in detail.