At the end of March, Washington, D.C. signed the Security Breach Protection Amendment Act of 2019, which adds some significant changes to D.C.’s existing data breach law, first enacted in 2007. The law is projected to take effect by June 13, 2020. Some of the major changes are summarized below.
Continue Reading D.C. Amends Data Breach Notification Law, Adds Security Requirements
The FTC recently issued comments on how companies can use artificial intelligence tools without engaging in deceptive or unfair trade practices or running afoul of the Fair Credit Reporting Act. The FTC pointed to enforcement it has brought in this area, and recommended that companies keep in mind four key principles when using AI tools. While much of their advice draws on requirements for those that are subject to the Fair Credit Reporting Act (FCRA), there are lessons that may be useful for many.
Continue Reading FTC Provides Direction on AI Technology
The FTC recently settled with smart lock maker Tapplock, Inc., a Canadian company, over allegations that it deceived consumers with false claims about its product’s security practices. These allegations arose based on vulnerabilities that a security researcher demonstrated – not in the aftermath of a data security breach where these complaints often originate.
Continue Reading FTC Settles with Company Over Alleged Deceptive Security Practices
The FTC recently released its annual privacy and security report, providing a snapshot of the issues focused on in the previous year. These reports are often looked at as a signal for insights into the agency’s upcoming priorities. Generally, the report contains a summary of the FTC’s enforcement, advocacy, and rulemaking actions from 2019, a year where we saw several record-setting fines. The report also discusses privacy/security workshops, consumer education, and international engagement. Some of the highlights from 2019 discussed in the report include:
Continue Reading FTC Releases 2019 Privacy and Security Year in Review
The FTC recently summarized three major changes it made to its orders in data security cases. In a blog signaling these changes, the FTC Indicated that some of the things it has been requiring of companies in 2019 are here to stay.
Continue Reading New Trends Emerge in FTC Data Security Orders, Including Emphasis on C-Suite Involvement
The FTC recently settled with LightYear Dealer Technologies, maker of DealerBuilt software, over allegations that the company failed to provide adequate protection for the personal data it houses. The companies’ clients include many car dealers across the country, and allows those dealerships to house consumer information that is collected during the car purchase process. This information includes sensitive personal (Social Security numbers) and financial (payroll information and credit card numbers) information. According to the FTC complaint, a company employee without “guidance or . . . steps to ensure the . . . device was securely configured” attached a new storage device to the company servers. This device created an open connection port during an 18 month period. During that time, no vulnerability scanning, penetration testing, or other diagnostics were conducted, according to the FTC. Instead, the vulnerability went undetected until a hacker exploited it and accessed the backup server for DealerBuilt. As a result, the hacker accessed millions of consumers’ information, including downloading five clients’ information. This information included almost 70,000 Social Security numbers, drivers’ license numbers, and payroll details. The company was, the FTC said, unaware of the breach until it was contacted by an impacted client.
Continue Reading FTC and Car Dealership Software Company Reach Security Settlement
As we enter into the second quarter of the year, the FTC has released its annual report on privacy and data security, and the steps it took in those areas over the course of 2018. The report includes summaries of its actions against companies for alleged violations of the FTC Act, CAN-SPAM, and COPPA, among others. The total cases brought by the FTC in the privacy area by the end of 2018 numbered 75 (with an additional 130 spam and spyware cases), and 65 in the data security and identity theft realm.
Continue Reading FTC Looks Back at 2018
Over the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program. The program, which as we have reported on previously gives participating US companies a mechanism to receive personal information from EU entities. The program is reviewed annually by the EU to determine if, from an EU perspective, it continues to provide “adequate levels of privacy protection.” In December the EU concluded in its report (and accompanying working document) that the program continues to provide sufficient protection levels. The EU commission noted in reaching its conclusion that the Department of Commerce has increased its scrutiny of privacy policies (looking to see if companies are posting correct complaint forms), and pursuing companies who were mentioning their adherence to the program before the certification had been finalized by the Department of Commerce.
Continue Reading A Look Back at 2018 Privacy Shield Enforcement
The Federal Trade Commission recently issued a cyber guide that, while intended for small businesses, can be of help for all businesses. The purpose of the guide, which includes various modules, is to help smaller businesses address data security threats. These modules follow guidance the FTC issued in April, stressing the importance of cyber security preparedness and the help the FTC intended to give to small businesses on that front.
Continue Reading FTC Cyber Guidance for Small Business has Tips Helpful to All
On August 6, the FTC announced that it is seeking comment on a number of topics that are fundamental to its work, including on privacy. These topics will form the basis of its hearings on “Competition and Consumer Protection in the 21st Century”, which it will hold from September through January 2019, as we recently mentioned on this blog. The hearings will cover a variety of topics critical to the FTC, a few of which relate directly to privacy issues. These include:
• The intersection of privacy, big data, and competition, including the benefits and costs of privacy laws, and the benefits, costs and conflicts of such laws existing at different levels of government (federal, state, local, etc.);
• The Commission’s remedial authority to deter unfair and deceptive conduct. This is probably the most significant topic, because it touches on the expansiveness of the Commission’s authority to regulate privacy issues. It follows on Commission Chairman Simons’s recent testimony in the House of Representatives that the Commission may need more and better authority in the privacy realm than its current reliance on Section 5 of the Federal Trade Commission Act’s focus on unfair and deceptive practices;
• The welfare effects and privacy implications of using algorithmic decision tools and predictive analytics; and
• The efficacy of the FTC’s current investigation and remedial processes.
Continue Reading FTC Seeks Comment on Fundamental Privacy Enforcement Issues