Earlier this week, U.S. District Court Judge Esther Salas directed the Federal Trade Commission (“FTC”) and Wyndham Hotels and Resorts to seek mediation to resolve their landmark dispute over whether the FTC has the authority to regulate companies’ data-security practices. As we’ve previously reported, the FTC alleged that Wyndham violated Section 5 of the FTC Act’s prohibition against “unfair practices” by failing to provide “reasonable” security for the personal information of its customers. Although the FTC has settled complaints relying on this broad interpretation of its unfairness authority, this case was closely watched because it was the first time a court had the opportunity to weigh in on the scope of that authority in the privacy and data-security context.
Although not necessarily unprecedented, the mediation order has been cited by some as unusual because the case presents a legal question underpinning a major enforcement and policy priority for the FTC. To the extent, however, that parties traditionally are required to mediate in order to “conserve [judicial] resources,” as was stated in Judge Salas’s order, mediation may help narrow or further focus the dispute.
Following Judge Salas’s earlier denial of Wyndham’s motion to dismiss, in which she rejected each of Wyndham’s challenges to the FTC’s authority, the U.S. Court of Appeals for the Third Circuit agreed to consider the issue on interlocutory review. Therefore, while the order for mediation stays the proceedings in district court, the legal question at issue remains pending before the circuit court.
Researchers at Carnegie Mellon University have designed a website that doles out grades to Android apps based on their privacy practices. The website, privacygrade.org, assigns grades based on a model that measures the gap between people’s expectations of an app’s behavior and how the app actually behaves. The grades range from A+, representing no privacy concerns, to D, representing many concerns.
To determine its grades, the Carnegie Mellon model relies on both static analysis and crowdsourcing. In the static analysis component, Carnegie Mellon’s software analyzes what data an app uses, why it uses such data, and how that data is used. For example, the software assessed whether an app used location data, whether that location data was used to provide location features (such as a map app), or whether that location data was used to provide the user with targeted advertising (or for other purposes). In the crowdsourcing component, Carnegie Mellon solicited user privacy expectations for certain apps. For example, researchers asked whether users were comfortable with or expected a certain app to collect geolocation information. Where an app collected certain information and users were surprised by that collection, the surprise was represented in the model as a penalty to the app’s overall privacy grade.
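To make the expectation-gap idea concrete, the following is an added, illustrative grader written for this page (it is not privacygrade.org’s code, and the penalty formula, grade thresholds, data types, purposes and survey numbers are all assumed): static-analysis findings of what data an app uses and why are scored against crowdsourced comfort levels, and every unexpected use adds a penalty that pulls the grade from A+ toward D.

```python
"""Illustrative expectation-gap privacy grader (assumed model, not the
privacygrade.org implementation). Inputs: static-analysis findings (data
type + purpose) and crowdsourced expectations (fraction of surveyed users
comfortable with that data type being used for that purpose)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataUse:
    data_type: str   # what the app accesses, e.g. "location", "contacts"
    purpose: str     # why, as inferred by static analysis, e.g. "advertising"


@dataclass(frozen=True)
class Expectation:
    data_type: str
    purpose: str
    comfortable: float   # share of surveyed users comfortable with this use, 0.0-1.0


def surprise_penalty(use, expectations):
    """Penalty for one data use = share of users NOT comfortable with it.
    A use that was never surveyed is treated as fully unexpected (assumption)."""
    for e in expectations:
        if e.data_type == use.data_type and e.purpose == use.purpose:
            return 1.0 - e.comfortable
    return 1.0


def privacy_grade(uses, expectations):
    """Sum per-use penalties and bucket into A+ (no concerns) .. D (many).
    The thresholds are assumed for illustration."""
    total = sum(surprise_penalty(u, expectations) for u in uses)
    if total == 0.0:
        return "A+"
    if total < 0.25:
        return "A"
    if total < 0.75:
        return "B"
    if total < 1.5:
        return "C"
    return "D"


# Constructed sample survey and two constructed apps: a map app that uses
# location for its core feature, and an ad-funded flashlight app that sends
# location and contacts to advertisers.
SURVEY = [
    Expectation("location", "map_feature", 0.95),
    Expectation("location", "advertising", 0.20),
    Expectation("contacts", "social_feature", 0.70),
]
MAP_APP = [DataUse("location", "map_feature")]
FLASHLIGHT_APP = [DataUse("location", "advertising"), DataUse("contacts", "advertising")]

if __name__ == "__main__":
    print("map app:", privacy_grade(MAP_APP, SURVEY))            # A
    print("flashlight app:", privacy_grade(FLASHLIGHT_APP, SURVEY))  # D
```

The same location access earns a small penalty when used for the map feature and a large one when used for advertising, which is exactly the purpose-sensitive gap the model is measuring.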
By Randall Friedland
Yesterday, the USA Freedom Act (S. 2685), a bill aimed at curbing the National Security Agency’s (“NSA”) data collection practices, fell two votes short of the 60 votes necessary for cloture in the Senate. The bill was largely blocked by Senate Republicans who expressed concern that the legislation would harm the government’s ability to fight terrorism. Referring to the ongoing terrorist efforts in Iraq and Syria, Senator McConnell commented that it was “the worst possible time to be tying our hands behind our backs.” This is a similar argument that was advanced by Michael Hayden (former director of the CIA and the NSA) and Michael Mukasey (former attorney general) in an op-ed published on Monday in advance of the vote. Senator Leahy, the sponsor of the bill, expressed dismay over the block, stating that “fomenting fear stifles serious debate and constructive solutions.”
This issue will not disappear for long, however, because the NSA’s data collection authority will expire on June 20 of next year if it is not reauthorized in some manner. Notably, the USA Freedom Act has the support of the Obama administration and a coalition of technology companies including Apple, Google, Microsoft, and Yahoo.
By Phil Bradley-Schmieg
The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps.
The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance and incident response processes, and an “end of life” policy for defunct/decommissioned devices.
It also asks high-level questions about the technology being used, such as whether the devices can connect to the Internet, and about the use of medical apps, mobile phones, tablets and dictaphones.
Earlier this week, the FTC notified Verizon by letter that it has closed its investigation into whether Verizon violated Section 5 of the FTC Act by failing to secure certain routers supplied to the company’s broadband subscribers. The FTC’s investigation centered on Verizon’s practice of supplying routers that incorporated an outdated default security setting, an encryption standard known as Wired Equivalent Privacy (“WEP”). According to the FTC, flaws in WEP were identified by researchers in 2004, but Verizon continued until recently to ship some WEP router models. According to the FTC, this left some Verizon subscribers vulnerable to hackers.
In its letter, the FTC explained that the following factors led it to close its investigation:
- Verizon’s overall data-security practices related to its routers.
- Verizon’s efforts to mitigate the risk that subscribers using WEP-model routers would be vulnerable to hackers, including:
  - removing the WEP-model routers from distribution centers and setting them to Wi-Fi Protected Access 2 (“WPA2”), ensuring that routers distributed in the future would be set by default to WPA2;
  - implementing an outreach campaign to subscribers currently using WEP or no encryption, and requesting that those subscribers change their security settings to WPA2; and
  - offering upgrades to WPA2-compatible units for subscribers in possession of older, incompatible routers.
The Ninth Circuit recently issued two opinions addressing whether companies should require customers to explicitly agree to key provisions of user terms and other policies.
On Monday, a unanimous three-judge panel issued an opinion in Knutson v. Sirius XM Radio. In this case, the plaintiff purchased a Toyota that included a trial subscription to Sirius. About a month after his trial subscription began, he received a Welcome Kit that included a customer agreement with an arbitration clause.
When Republicans take over the Senate in January, new leaders will control key committees that oversee privacy and data security issues, and their priorities will differ significantly from those of their predecessors. Privacy issues, however, generally tend not to break neatly along party lines, and there will remain bipartisan support for – and bipartisan opposition to – most initiatives.
But you shouldn’t expect an immediate sea-change in privacy laws, leaders of Covington’s privacy and data security practice said on a post-election conference call on Monday. Although Republicans will have a majority of votes in the Senate next year, they will be short of the 60 votes necessary to bring a bill to the floor. That said, the Republicans will control the agenda.
Below are 10 of the key privacy and data security trends to watch in the next Congress, as identified on the conference call by Covington’s Aaron Cooper, David Fagan, Lindsey Tonsager, Gerry Waldron, and Kurt Wimmer:
By Caleb Skeath
At a recent IAPP privacy event, officials from the FTC and CFPB offered insight into their respective agencies’ future enforcement plans, as well as the shifting landscape of privacy enforcement actions. Although such enforcement actions have historically been the domain of the FTC, the FCC recently entered the privacy enforcement arena, announcing a $10 million fine against two telecommunications carriers on October 24 for failing to protect customer data. While the FTC has broad authority under Section 5 to police unfair and deceptive acts and practices, the FCC relied on its authority under Section 201(b) to prohibit “unjust or unreasonable” practices to support its recent enforcement action. The FCC also announced on October 28 that it joined the Global Privacy Enforcement Network, an organization dedicated to fostering cross-border cooperation among privacy authorities. Prior to the FCC’s joining the Network, the FTC was the only U.S. member.
By David Fagan and Sumon Dantiki
Recently several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks, regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.” The letter requested financial institutions to disclose “any policies and procedures governing relationships with third-party services providers,” and “any due diligence processes used to evaluate” such providers, including law and accounting firms.
On October 23, the Trans-Atlantic Business Dialogue held a briefing session on the EU-U.S. Safe Harbor Agreement. Ted Dean, Deputy Assistant Secretary at the U.S. Department of Commerce, gave an update on the negotiations with the European Commission. Following the Snowden revelations and a resolution of the European Parliament, the European Commission on November 17, 2013, issued a report on Safe Harbor highlighting 13 areas in which the Safe Harbor Agreement should be improved.
Mr. Dean reported that the Department of Commerce and the Commission are close to an agreement on the first 11 points of the Commission report. While he did not explain how these points will be addressed, he confirmed that the negotiations respect the horizontal scope of the Agreement and do not address specific technological developments or, for example, data breaches. The last two items on the Commission list, however, are much more difficult to resolve because they relate to the activities of intelligence agencies, over which Commerce has no competence. Commerce hopes this matter can be resolved through U.S. government commitments outside the Safe Harbor Agreement itself.
Mr. Dean explained that, in the mind of the U.S. negotiators at least, the discussions on Safe Harbor are quite separate from the discussions on an Umbrella Agreement for the exchange of data among law-enforcement agencies. He could not provide a precise timeline for the conclusion of the negotiations, but hopes to reach agreement on Safe Harbor well within six months. Once they have a deal, they expect to apply the result also to the Swiss-U.S. Safe Harbor Agreement.