Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers. The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber … Continue Reading
The FTC announced today that it will hold a joint workshop on June 28, 2017 with the National Highway Traffic Safety Administration (NHTSA) to “examine the consumer privacy and security issues posed by automated and connected motor vehicles.” The announcement lists several discussion topics for the upcoming workshop: the types of data vehicles with wireless … Continue Reading
The FTC released public comments yesterday on the National Telecommunications and Information Administration’s (NTIA) draft “Early Stage” Coordinated Vulnerability Disclosure Template released in December 2016. The draft template was released by the NTIA Safety Working Group as part of a multistakeholder process that convened security researchers and software and system developers and owners to address … Continue Reading
The Federal Trade Commission yesterday released its report on cross-device tracking. The report, which follows the Commission’s November 2015 Cross-Device Tracking Workshop, describes some of the current approaches to track consumers across multiple connected devices, discusses industry self-regulatory approaches to protect consumer privacy, and offers recommendations for how to apply longstanding FTC principles like transparency, … Continue Reading
On January 12, 2017, the U.S. Federal Trade Commission announced the adoption of a Swiss-U.S. Privacy Shield, to replace the existing Swiss-U.S. Safe Harbor Agreement. Companies have a three month grace period to switch from the old to the new regime. The Swiss version of the Privacy Shield had to be negotiated following the invalidation … Continue Reading
The FTC announced today that it has reached a settlement with the operators of AshleyMadison.com (Ashley Madison) for alleged data security deficiencies and deceptive trade practices. According to the FTC, Ashley Madison, a dating website for married individuals, was hacked in July 2015, leading to the release of 36 million users’ account and profile information. … Continue Reading
Aura Labs, Inc. (Aura) has settled the FTC’s charges that it deceived consumers in relation to its mobile blood pressure app. The FTC’s complaint alleged that Aura deceptively claimed the app was as accurate as traditional blood pressure cuffs, and also that Aura’s owner posted a 5-star review of the app without disclosing his connection … Continue Reading
In an order released last week, the Eleventh Circuit temporarily delayed enforcement of the Federal Trade Commission’s (FTC) order in the LabMD case. As we reported earlier, the FTC ruled in July that LabMD’s data security practices violated the FTC Act, clarifying and expanding upon the FTC’s authority to regulate corporate data security practices. After … Continue Reading
On Tuesday, the FTC issued new guidance for businesses on responding to data breaches, along with an accompanying blog post and video. The data breach response guidance follows the issuance of the FTC’s “Start with Security” data security guidance last year and builds upon recent FTC education and outreach initiatives on data security and cybersecurity … Continue Reading
On September 16, 2016, the Federal Trade Commission (“FTC”) hosted a workshop on the factors that may contribute to the effect disclosures have on consumer behavior. The workshop, “Putting Disclosures to the Test,” included speakers from a wide range of disciplines and industries, who remarked on aspects of disclosure such as consumer cognition, recognition, and … Continue Reading
The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware. Ransomware is a malicious software … Continue Reading
By Catlin Meade and Jenny Martin On August 31, 2016 the FTC posted a blog addressing whether compliance with the NIST Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) necessarily constitutes compliance with FTC cybersecurity practices. The FTC answers this question with a resounding “No” and specifically states: “there’s really no such thing as ‘complying … Continue Reading
The Federal Trade Commission (“FTC” or “Commission”) is soliciting public comments on its Standards for Safeguarding Customer Information (“Safeguards Rule”) as part of the systematic review of all FTC rules and guides on a 10-year schedule. The Safeguards Rule was promulgated by the Commission pursuant to the Gramm-Leach-Bliley Act’s (“GLBA”) directive for federal agencies to … Continue Reading
In an opinion released today, the Ninth Circuit dismissed the Federal Trade Commission’s (“FTC”) lawsuit against AT&T for violating Section 5 of the FTC Act due to its throttling practices. AT&T’s practice of throttling the speed of customers with unlimited data plans once they reached a certain data usage threshold had been challenged by the … Continue Reading
The Federal Trade Commission (FTC) issued a unanimous opinion and order today, vacating the Administrative Law Judge’s (ALJ) initial decision and finding that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act. In August 2013, the FTC issued a complaint against LabMD, alleging that its failure to implement adequate data security … Continue Reading
In a blog post published on the Federal Trade Commission (FTC) website, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, recently stated that: “we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device … Continue Reading
A new post on the Covington eHealth blog discusses the new web-based interactive tool released by the FTC, in conjunction with HHS and the FDA, to assist mobile health app developers in navigating applicable federal laws and regulations in the areas of advertising and marketing, medical devices, and data security and privacy. As part of … Continue Reading
By Megan Rodgers The FTC today announced that it reached a settlement with Lord & Taylor over a native advertisement and promotion that relied on social media “influencers” to promote a particular product. This was the first native advertising settlement reached by the FTC since it issued its Policy Statement on Native Advertising in December … Continue Reading
On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with online payment systems operator Dwolla, Inc., based on allegations that Dwolla deceived consumers about its data security practices and the safety of its online payment system. The CFPB brought this action under its authority in Sections 1031(a) and 1036(a)(1) … Continue Reading
As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce. Commerce’s release coincided with the release of a draft adequacy decision by the European Commission. A … Continue Reading
The FTC has cautioned that a recent settlement holds lessons for companies involved in the Internet of Things. The settlement, announced on Tuesday, was reached with hardware manufacturer ASUS over concerns that its router products carried certain security vulnerabilities. Notably, in addition to alleging that ASUS’s actions violated promises to consumers, the FTC alleged that … Continue Reading
Today (February 2nd, 2016), the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows. The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe … Continue Reading
On January 6, 2016, the Federal Trade Commission issued its staff report on big data, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, following up on the FTC’s workshop on big data in September 2014 and seminar on alternative scoring products in March 2014. The report provides an overview of the characteristics and … Continue Reading
According to a recent analysis by the Congressional Research Service (“CRS”), the extent of state law preemption in recent federal legislative proposals relating to data security is unclear. Several bills introduced in the 114th Congress would impose federal data security or breach notification requirements on covered entities, similar to existing requirements in nearly every state. … Continue Reading
