In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning a Federal Trade Commission (FTC) cybersecurity enforcement action. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019). There, the Eleventh Circuit held that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. In this regard, Chairman Simons and Commissioner Rebecca Kelly Slaughter announced that the FTC is examining whether it can “further maximize its enforcement reach, in all areas, through strategic use of additional remedies” such as “monetary relief.” READ MORE
Jon Direnfeld is a litigation partner in the Washington, D.C. office focused on defending tech and data-driven companies against enforcement actions involving critical online and offline sales & marketing activities.
Jon’s enforcement work informs his counseling practice, where he regularly helps clients navigate the patchwork of federal and state “consumer protection” rules and regulations, including statutes and regulations enforced by the Federal Trade Commission (FTC), Consumer Finance Protection Bureau (CFPB), U.S. Department of Justice (DOJ), state AGs, and local district attorneys.
Jon also has substantial expertise in other government enforcement matters, including defending global criminal cartel investigations and antitrust merger investigations. He has also developed an innovative approach to assisting clients maximize recoveries in affirmative price-fixing litigation.
Posts by: Jonathan Direnfeld
As new legislation aimed at facilitating greater cybersecurity information sharing between private industry and government takes effect (i.e., Cybersecurity Information Sharing Act), FinCEN Director Jennifer Shasky Calvery recently called for “financial institutions to include cyber-derived information (such as IP addresses on bitcoin wallet addresses) in suspicious activity reports.” Director Shasky Calvery’s statement dovetails with the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) launched last year that we discussed previously, which lists “threat intelligence and collaboration” through information-sharing forums as one of five key “domains” for assessing cybersecurity preparedness. Regulated entities should take stock of this shifting risk management and compliance landscape, and evaluate the need for changes (and investments) to existing cybersecurity tools necessary for information collection, analysis and sharing.