Federal Trade Commission

No Harm, But Foul? FTC Sues Internet of Things Maker D-Link for Security “Vulnerabilities” Despite No Allegations of Breach

Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software used in consumer electronics (such as baby monitors). The complaint alleges that D-Link failed to reasonably secure its products from hackers. Notably, the FTC has not alleged that D-Link products were exploited by hackers or that a data breach or cyberattack resulted from any alleged security vulnerabilities. Rather, the action is based squarely on security vulnerabilities that “potentially compromis[ed] sensitive consumer information, including live video and audio feeds from D-Link IP cameras” and marketing statements made by D-Link that touted the products’ security features.

CFPB Jumps Into Cyber Enforcement Pool

Financial Institutions

In a much-anticipated move, on March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity fray with its first enforcement action against Dwolla, Inc., an online payment processing start-up. Pursuant to its authority under Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, the CFPB fined Dwolla $100,000 and secured a five-year consent order imposing strict requirements on management and the Board of Directors. This CFPB enforcement action offers important insights into the contours of “reasonable cybersecurity” for certain financial services entities, and important lessons for conducting cybersecurity risk assessments. These issues dovetail with significant activity we recently reported on in the cybersecurity arena by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Federal Trade Commission (FTC), the Department of Health and Human Services’ Office of Civil Rights (HHS-OCR), and a host of other state and federal regulators.

EU-U.S. Privacy Shield is Go…nearly

Privacy Shield

On 29 February 2016 the European Commission issued the legal texts of the EU-U.S. Privacy Shield, which aims to replace the defunct EU-U.S. Safe Harbor Framework as a legitimate mechanism for transferring personal data from the EU to the U.S.

In contrast to its predecessor, the Privacy Shield contains commitments from the US government in relation to controls on access to personal data by public authorities. This is an aspect of the new scheme which aims to address the jurisprudence of the Court of Justice of the European Union and criticisms of the previous Safe Harbor Framework.

Safe Harbor 2.0: Political Agreement Reached – The EU-US Privacy Shield

Safe Harbor

The European Commission has announced that it has reached a deal to replace the EU-US Safe Harbor framework that was declared invalid last year by the Court of Justice of the European Union (“ECJ”).  Heralded as the EU-US Privacy Shield (and colloquially referred to as, “Safe Harbor 2.0”), the framework should provide companies with clearer direction on safe transatlantic data transfer.

FTC Enforcement in Schein: Misleading Statements about Encryption and Cybersecurity

encryption

On January 5, 2015, the Federal Trade Commission (FTC) entered into a consent order with dental software manufacturer Henry Schein Practice Solutions, Inc. (“Schein”) in connection with allegations that Schein had made misleading security-related representations about its software.  The consent order underscores that while security-enhanced product features are in high demand, companies must be careful to avoid unfair or deceptive marketing of such features.

FTC/FCC MOU: Even the Justice League Needs It In Writing

data security

On November 13, 2015, the Federal Trade Commission and the Federal Communications Commission entered into a Memorandum of Understanding to address coordination of consumer protection actions by each agency.  Following a wave of what observers perceive as a turf battle between the FTC and FCC (namely the reclassification of broadband internet access services as a common carrier service outside the FTC’s jurisdiction), and a dramatic increase in FCC data security regulatory enforcement actions, the MOU suggests that the FTC and FCC are in fact serious about cooperation and collaboration, especially on data security issues.  Although organizations have better transparency and predictability in the enforcement landscape, they should also anticipate more sophisticated investigations based on richer data and improved investigative techniques.

PRIVACY POLICIES AND THE SALE OF CORPORATE ASSETS: It pays to plan ahead to preserve the value of your data assets

privacy policy

Personal data is a valuable corporate asset.  At times, the personal information collected from customers (such as email address, mailing address, phone number, etc.) can be a company’s most valuable asset.  Unfortunately, when a company attempts to sell this asset, it can find the value of the data significantly diminished due to promises made in a privacy policy the company implemented years before it ever contemplated such a sale.
