Section 5

The Federal Trade Commission (FTC) issued a unanimous opinion and order today, vacating the Administrative Law Judge’s (ALJ) initial decision and finding that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act.  In August 2013, the FTC issued a complaint against LabMD, alleging that its failure to implement adequate data security measures led to the disclosure of patient information from LabMD’s networks.  As we previously reported, FTC staff appealed the ALJ’s November 2015 initial decision dismissing the FTC’s complaint against LabMD for allegedly “unfair” data security practices.  The Commission’s Chief ALJ had dismissed the complaint on the ground that there was no injury or likelihood of injury to consumers because there was no evidence of misuse of any of the personal information at issue.  The Commission Opinion reverses that finding and holds that injury, for purposes of the FTC Act, was established on a record of insufficient data security protections.

The Commission’s opinion in LabMD further bolsters the FTC’s authority to regulate corporate data security practices, which was affirmed last year by the Third Circuit in Wyndham.  It also clarifies and expands upon the Commission’s interpretation of the unfairness test under Section 5 of the FTC Act as it relates to data security. 
Continue Reading FTC: LabMD’s Data Security Practices Violated the FTC Act

Earlier this week, the Ninth Circuit heard oral argument in AT&T’s appeal of a lower court decision to not dismiss the Federal Trade Commission’s (FTC’s) complaint alleging that AT&T misled consumers by limiting its “unlimited” data plan for mobile customers.

As we previously reported, in October 2014 the FTC
Continue Reading Ninth Circuit Hears FTC’s Throttling Case Against AT&T

On Friday, March 27, 2015, the Federal Trade Commission and Wyndham Worldwide Corp. filed supplemental briefing in the Third Circuit regarding whether the FTC had made an adjudicative decision that the FTC Act prohibits unreasonable cybersecurity practices and, if not, whether a federal court could hear a case charging a
Continue Reading FTC and Wyndham Present Arguments on Whether FTC has Declared Unreasonable Cybersecurity Practices Unfair

Last week AT&T filed a Reply in support of its Motion to Dismiss challenging the Federal Trade Commission’s (FTC’s) attempt to exercise jurisdiction over the company pursuant to Section 5 of the FTC Act.

As we previously reported, the FTC filed a complaint against AT&T alleging that the company misled consumers by reducing the data speeds for its unlimited mobile data plan customers (i.e., the alleged “throttling program”).  AT&T filed a Motion to Dismiss the complaint in January, arguing that the FTC lacked jurisdiction over the company because its “status” as a common carrier places it squarely within the common carrier exemption to Section 5 of the FTC Act.  The FTC responded that the common carrier exception is a narrow, “activity-based” exception that excludes an entity “only to the degree it is engaged in common carrier activities and not because of its general ‘status’ as a common carrier.”
Continue Reading AT&T: FTC Lacks Jurisdiction Even Under “Activity-Based” Interpretation of the Common Carrier Exemption

Last week the Federal Trade Commission (FTC) opposed a Motion to Dismiss filed by AT&T that challenged the FTC’s attempt to exercise jurisdiction over the company in connection with certain of its mobile broadband service activities.

As we previously reported, the FTC filed a complaint against AT&T in late 2014 alleging that AT&T engaged in unfair and deceptive conduct in violation of Section 5 of the FTC Act when it “throttled” mobile broadband subscribers who were “grandfathered” into the company’s unlimited mobile data plan.  AT&T filed a Motion to Dismiss the complaint in January, arguing that its overall status as a common carrier subject to the Communications Act exempts it from Section 5 of the FTC Act.  The FTC, in turn, last week responded to AT&T by arguing that AT&T’s “status-based” position did not exclude it from the FTC’s jurisdiction on the theory that “the common carrier exemption applies only to the extent AT&T engages in common carrier services.”
Continue Reading FTC Says Common Carrier Exemption to Section 5 Jurisdiction is Activity-Based, Not Status-Based

Earlier this week, U.S. District Court Judge Esther Salas directed the Federal Trade Commission (“FTC”) and Wyndham Hotels and Resorts to seek mediation to resolve their landmark dispute over whether the FTC has the authority to regulate companies’ data-security practices.  As we’ve previously reported, the FTC alleged that Wyndham
Continue Reading FTC and Wyndham to Mediate Dispute Over FTC Data-Security Authority

Last week, a federal judge in the District of New Jersey denied Wyndham Hotels and Resorts’ motion to dismiss the FTC’s complaint alleging Wyndham violated the FTC Act by failing to provide reasonable security for its customers’ personal information.  This Covington E-Alert provides a detailed look at the parties’ arguments

Continue Reading Breaking Down the Court’s Decision in FTC v. Wyndham Worldwide Corp.

Earlier today, in a long-awaited decision, Judge Salas of the District of New Jersey denied Wyndham Hotels and Resorts’ motion to dismiss a Federal Trade Commission (“FTC”) lawsuit alleging Wyndham violated Section 5 of the FTC Act by failing to provide “reasonable” security for the personal information of its customers. 

Continue Reading Judge Denies Wyndham’s Motion to Dismiss, Allowing FTC’s Case to Proceed

Today, the Federal Trade Commission announced settlements with two mobile app makers that allegedly failed to provide reasonable security for the personal information collected in connection with their apps.  In complaints against Credit Karma, Inc. and Fandango LLC, the FTC alleged that both companies’ apps failed to validate SSL certificates, a security shortcoming that could have allowed an attacker to connect to the app—and collect unencrypted sensitive information—by presenting an invalid certificate.  (This type of attack is sometimes called a “man-in-the-middle attack.”)  Both respondents agreed to 20-year consent orders requiring, among other things, that they establish comprehensive information security programs. 

These cases are important for a number of reasons:  they reinforce past FTC guidance on the importance of performing security reviews and testing, overseeing service providers, and providing channels whereby security researchers can report vulnerabilities.  But what might be most notable is that in neither case does the FTC specifically allege that the respondent’s practices were “unfair” within the meaning of Section 5 of the FTC Act.  Instead, both cases appear predicated upon the FTC’s authority to take actions against companies engaged in “deceptive” practices.
Continue Reading FTC Announces Settlements with Two Mobile App Providers

Today, the Federal Trade Commission is defending its authority to enforce Section 5 of the FTC Act against Wyndham Hotels in connection with alleged lax data security procedures.  Following several publicized data security breaches, the FTC investigated Wyndham and concluded that the hotel company failed to employ “reasonable and appropriate”

Continue Reading The Wyndham Case is Being Argued Today: Why You Should Care