FTC Announces Series of Hearings on Competition and Consumer Protection

Earlier today, the Federal Trade Commission (“FTC”) announced that it will host a series of public hearings on whether “broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy.”

FTC Chairman Joe Simons noted that “important and significant questions recently have been raised about whether we should rethink our approach to some of these issues,” and expressed that “[w]e are excited about this new hearings project, and anticipate and look forward to substantial participation from our stakeholders.”

The FTC’s press release noted that the “multi-day, multi-part hearings” will be similar to the FTC’s “Global Competition and Innovation Hearings,” which took place in 1995 at the direction of then-Chairman Robert Pitofsky.  Those hearings were held to address “whether there have been broad-based changes in the contemporary competitive environment that require any adjustments in antitrust and consumer protection enforcement in order to keep pace with those changes.”  The 1995 hearings resulted in a two-volume report, released in May 1996, articulating the FTC’s analysis and recommendations on competition and consumer protection policy.

FS-ISAC Launches Information Sharing Forum for Government Entities

On June 11, 2018, the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) announced the launch of the CERES Forum, an information sharing initiative for central banks, regulators, and supervisors designed to strengthen responses to cyber and physical threats.  The new forum will become operational on July 1, 2018.

Although FS-ISAC primarily comprises private financial institutions and over three dozen government entities, membership in the CERES Forum will be limited to government participants.  To protect the confidentiality of existing FS-ISAC members and ensure information shared within the CERES Forum is kept separate, government participants will be required to follow different processes and access the new forum through a secure standalone portal.

In addition to serving as a trusted medium for central banks, regulators, and supervisors, the CERES Forum’s stated mission is to:

  • Gather and share best practices related to regulatory and compliance controls;
  • Collect feedback about which controls are most effective; and
  • Distribute timely threat intelligence about cyber threats, vulnerabilities, and incidents that could affect CERES Forum members and the wider global financial system.

The launch of FS-ISAC’s CERES Forum reflects the growing trend of sophisticated cyberattacks and data breaches targeting financial institutions, including central banks, around the world.  It is the first information sharing forum tailored to address the needs of central banks, regulators, and supervisors.

Eleventh Circuit LabMD Decision Potentially Limits FTC’s Remedial Powers

The Eleventh Circuit has issued its decision in LabMD v. FTC, a closely watched case in which LabMD challenged the Federal Trade Commission’s authority to regulate the data security practices of private companies. The Court of Appeals declined to decide that issue, instead finding that the FTC’s order requiring LabMD to implement certain data security reforms was unenforceable because it lacked specificity. The court’s decision may nevertheless impact many of the FTC’s consent orders—even those not having to do with data security.

Colorado, Louisiana, and Vermont Add to Recent Trend of Changes to State Data Breach Notification Laws

This spring has seen significant legislative activity with regard to state data breach notification laws, ranging from new laws in Alabama and South Dakota to amendments to existing laws in Oregon, Arizona, and elsewhere.  Continuing this trend, three states recently passed legislation to amend their existing data breach notification laws.  Legislation recently passed in Colorado will require notification of affected individuals and the state Attorney General within 30 days, while recent amendments to Louisiana’s data breach notification law will expand the scope of personally identifiable information (“PII”) covered by the law.  In addition, Vermont recently passed legislation that will create specific data breach notification requirements for “data brokers.”  This post examines each state’s amendments in greater detail below.

Colorado

Through the passage of H.B. 1128, which takes effect on September 1, 2018, Colorado has broadened the definition of PII under its existing data breach notification law, in addition to requiring notification of the state Attorney General and imposing strict notification timelines.  Once the new provisions enter into force, covered entities will be required to notify affected individuals within 30 days of the determination that a breach has occurred.  Colorado joins Florida as the only states that have imposed a 30-day notification deadline for notice to individuals, although Colorado’s law, unlike Florida’s, will not include a provision that allows for an extension of this deadline under certain limited conditions.  In addition, Colorado’s amendments will require notification of the state Attorney General if a covered entity believes that more than 500 state residents have been affected by a breach.  As with individual notifications, the notification to the state Attorney General must be provided within 30 days after the date of determination of a breach.

NTIA Requests Comments Regarding International Internet Policy

Earlier this week, the National Telecommunications and Information Administration (NTIA), the executive branch agency responsible for telecommunications and information policy, released a Notice of Inquiry requesting that any interested party—including the private sector, technical experts, academics, and civil society—help the agency determine its international internet policy priorities. In particular, NTIA is seeking comments and recommendations regarding four topics: (1) the free flow of information and jurisdiction, (2) the multistakeholder approach to Internet governance, (3) privacy and security, and (4) emerging technologies and trends.

The Notice includes various questions regarding each topic that NTIA would like commenters to address (although commenters are free to address issues not specifically raised in the Notice), several of which are notable. For example, the agency states that foreign governments are increasingly imposing restrictions on the free movement of data—sometimes for “legitimate” reasons such as privacy but sometimes for “less valid” reasons such as the stifling of political speech. In light of this trend, NTIA asks commenters to help it identify the most pressing challenges to the free flow of information and expression on the internet. The agency also asks commenters to identify foreign laws and policies that restrict information or expression online (such as court orders to globally remove online information) and the impact that those laws and policies have on U.S. companies.

NTIA also notes that it has historically supported a multistakeholder process to internet governance through organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN) or the International Telecommunications Union (ITU). However, the Notice invites comments on whether this existing multistakeholder process is working effectively. NTIA specifically asks what its priorities should be with respect to ICANN, including whether the agency should unwind the IANA Stewardship Transition, which resulted in management of the internet’s domain name system transitioning from the U.S. government to the private sector.

Finally, the Notice asks commenters the extent to which cybersecurity threats are harming international commerce and what emerging technologies or trends should be the focus of the agency’s international policy discussion.

NTIA’s request for input on international internet policy follows the EU’s GDPR going into effect on May 25, 2018. It appears that the debate around GDPR—and in particular the impact GDPR may have on U.S. internet companies—might have informed some of the questions posed in the Notice. This policy debate has recently made news as GDPR has resulted in changes to internet governance and commerce. For example, ICANN, which is the subject of various questions in the Notice, had to overhaul the WHOIS database that contains contact information of internet domain owners.

Comments are due by July 2, 2018.

Updates to California Auto-Renewal Law Take Effect on July 1, 2018

Companies that offer or are considering subscription-based plans should take note that new requirements for automatic renewal offers (“auto-renewals”) take effect in California on July 1, 2018.  California Senate Bill No. 313 (“SB 313”) amends existing law to extend additional protections to consumers where an auto-renewal offer includes a free gift or trial or where promotional pricing will change once the promotional period ends.  It also requires that certain consumers have the ability to opt-out exclusively online.

Mary Meeker’s Annual Internet Report Includes Insights Into Privacy

This past week, Mary Meeker presented her annual Internet Trends report for 2018 at the Code Conference.  A copy of the slide deck is available here.  The report is widely respected by industry experts, and this year’s presentation included a number of insights that industry stakeholders will find relevant regarding data privacy and technology more broadly.

One of Meeker’s key insights in her report was what she termed the privacy paradox.  Technology companies are increasingly using consumer data to provide consumers with better experiences and lower prices.  However, by collecting more consumer data those same companies need to work to avoid betraying consumers’ trust or running afoul of consumer data protection laws.

Consumers see real value in technology products, as shown by the increasing amount of time people spend online, which Meeker highlighted.  U.S. adults spent an average of 5.9 hours per day with digital media in 2017, an increase from the 5.6 hours per day in 2016.  Of those 5.9 hours, approximately 3.3 were spent on mobile devices, 2.1 on desktops or laptops, and 0.6 on other connected devices.

Federal Appeals Courts Split on Forensic Searches of Devices Seized at Border

Two federal appellate courts are taking sharply different views on whether—and why—government agents must have some amount of suspicion to conduct forensic searches of electronic devices seized at the border.

The Fourth Circuit on May 9, 2018, held that government agents must have reasonable suspicion to conduct forensic searches of cell phones seized at the border.  It said that decision was based on the Supreme Court’s recognition in Riley v. California that phones contain information with a “uniquely sensitive nature.”  The Fourth Circuit and Ninth Circuit are the only two federal appellate courts to require reasonable suspicion for forensic border searches.

In contrast, the Eleventh Circuit on May 23, 2018, rejected that position—and held that no suspicion is required for forensic border searches of electronic devices.  According to the Eleventh Circuit, even after Riley, “it does not make sense to say that electronic devices should receive special treatment because so many people now own them or because they can store vast quantities of records or effects.”

The decisions evince a split in how far courts are willing to apply Riley, including whether that decision has any bearing on border searches, which are a narrow exception to the Fourth Amendment’s warrant requirement.

Fourth Circuit: Riley Applies to Border Searches

In United States v. Kolsuz, the Fourth Circuit analyzed the reasonableness of a forensic search of the cell phone of a Turkish national traveling out of Dulles International Airport who was detained after agents located unlicensed firearms in his luggage.

Kolsuz’s phone was seized at the airport and driven to an off-site facility, where agents used an extraction program that took “a full month, and yielded an 896-page report” about the phone’s contents, according to the court.  That report included Kolsuz’s personal contact lists, emails, messenger conversations, photographs, videos, calendar, web browsing history, and call logs, along with a history of Kolsuz’s physical location down to precise GPS coordinates, the court said.  Notably, the phone remained in airplane mode during the extraction, so that the forensic program obtained only data stored on the phone itself and not data stored remotely in the cloud.

The Fourth Circuit held this was a “border” search, even though it was conducted several miles from the airport after Kolsuz was in custody.  Because the government invoked the border exception in investigating the “transnational offense” of firearms trafficking, the court held there was a “direct link” to the border search rationale, unlike cases in which the government seeks to invoke the border exception “on behalf of its generalized interest in law enforcement and combatting crime.”

The court next addressed the level of suspicion required to conduct a forensic search of an electronic device seized at the border.  It held that “[a]fter Riley, . . . a forensic search of a digital phone must be treated as nonroutine border search, requiring some form of individualized suspicion.”  According to the Fourth Circuit, the “key to Riley’s reasoning is its express refusal to treat such phones as just another form of container, like the wallets, bags, address books, and diaries covered by the search incident [to arrest] exception.”  Given that refusal, the court held that “cell phones are fundamentally different . . . from other objects subject to government searches.”

Eleventh Circuit:  Riley Does Not Apply to Border Searches

In United States v. Touset, the Eleventh Circuit rejected this reasoning.  Touset involved the forensic search of two laptops, two hard drives, and two tablets seized at the border after a U.S. citizen arrived at Atlanta’s Hartsfield-Jackson International Airport.  The forensic searches revealed child pornography on two laptops and the two hard drives—although the court does not explain how those forensic searches were conducted.

According to the Eleventh Circuit, “the Fourth Amendment does not require any suspicion for forensic searches of electronic devices at the border.”  That is because the Supreme Court has afforded greater protection to persons than to property and does not distinguish between searches of “different types of property,” the court said.  It held there was “no reason why the Fourth Amendment would require suspicion for a forensic search of electronic device when it imposes no such requirement for a search of other personal property.”

To reach that conclusion, the Eleventh Circuit relied on its March 2018 decision in United States v. Vergara, which held that Riley does not apply to border searches because that decision was limited to the search-incident-to-arrest doctrine.  (Vergara did not address the issue of what level of suspicion was required, because the defendant in that case only argued a warrant was needed—and the court held it was not.)  It also distinguished Riley by finding that the rationales supporting the border exception still had force when applied to digital information—unlike the rationales supporting the search-incident-to-arrest exception.

Indeed, the Eleventh Circuit suggested that “if we were to require reasonable suspicion for searches of electronic devices, we would create special protection for the property most often used to store and disseminate child pornography.”  It found “no reason” to “create a special rule that will benefit offenders who now conceal contraband in a new type of property.”

Effect Unclear Given CBP Guidance

The practical implications of these cases are not yet clear—particularly because U.S. Customs and Border Protection in January issued guidance requiring reasonable suspicion for forensic searches of electronic devices seized at the border.  Given that guidance (summarized in our prior post), it is possible that agents may conduct fewer forensic searches without reasonable suspicion, reducing the frequency with which this issue is litigated.  Still, because the guidance contains an exception allowing for suspicionless forensic searches in cases of “national security concern,” the issue may arise more frequently in that particular context.

Lawsuit Alleges That Self-Checkout Videos Violate the Song-Beverly Act

A class-action lawsuit filed last month alleges that Wal-Mart’s video recording technology at its self-service checkout kiosks collects “personal identification information” in violation of the California Song-Beverly Credit Card Act of 1971 (“Song-Beverly Act”).  The Song-Beverly Act, like analogous statutes in several other states, generally prohibits businesses from recording customers’ “personal identification information” as a condition of accepting a credit card payment.

The Complaint alleges that video recordings of a person’s eye color, hair color, and facial features constitute “personal identification information” under the Song-Beverly Act, and that clearer recordings of these features require different treatment than those made using ordinary security cameras.  The Complaint further alleges that because this information allegedly is captured “throughout the entire duration of the customer’s credit card transaction,” the recording violates the statute.  The Complaint characterizes the recordings as “valuable biometric data” that allegedly is collected for Wal-Mart’s “prospective business purposes, including but not limited to targeted marketing campaigns.”

Wal-Mart has removed the lawsuit to federal district court.  It remains to be seen whether these novel allegations prove accurate or gain traction under the Song-Beverly Act, which to this point has not been applied to video recording technologies like those used at self-checkout kiosks.

GDPR Applies From Today

The much discussed and long-awaited General Data Protection Regulation (“GDPR”) applies from today, May 25, 2018.  It will update and harmonize data protection laws across the EU, and sets out comprehensive rules in relation to personal data handling, as well as the rights of individuals over their personal data.

It is unclear how aggressive the data protection authorities (“DPAs”) will seek to be in the near future when it comes to using their new powers under the GDPR, and how quickly investigations will get underway and fines be imposed.  Many DPAs have suggested they are simply not ready to carry out the extra responsibilities given to them, which may lead to an ‘informal grace period’ for many companies that have themselves struggled to ensure they are fully GDPR-compliant by today.

Information Commissioner for the UK, Elizabeth Denham, stressed two days ago that becoming compliant is “an evolutionary process for organisations” and that “organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018.”  These echo sentiments from a blog post she wrote in December 2017, in which she also set out that if companies can demonstrate that they “have the appropriate systems and thinking in place” then they will “find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.”

As ever, we will continue to monitor key developments in relation to the GDPR, and will provide further updates.