Federal Trade Commission

FTC’s Report on Mobile-Device-Security-Update Practices — Summary and Recommendations

Johannes HsuPosted on April 12, 2018

Noting the “astounding” statistics on the use of smartphones and other mobile devices to “shop, bank, play, read, post, watch, date, record, and go” across consumer populations, the FTC has recently re-focused its attention on mobile security issues.^[1] As the amount of information collected on mobile devices, and through applications on those devices, continues to rise exponentially, unsurprisingly, mobile devices have become increasingly fertile grounds for cyberattacks. Against this backdrop, in February 2018 the FTC issued a 134-page report titled Mobile Security Updates: Understanding the Issues (the “Report”). Not long afterward, on April 2, 2018, the FTC appointed a new Acting General Counsel, Alden Abbot, who has substantial experience in the mobile-communication industry, including serving in key legal roles at Blackberry Corporation and the National Telecommunications and Information Administration in the Department of Commerce. Although the Report is narrowly focused on processes for patching vulnerabilities and software updates, the FTC notes that the Report is “part of an on-going dialogue” and that it intends to work with industry, consumer groups, and lawmakers to further the “goals of reasonable security and greater transparency” in its efforts to improve mobile-device security. READ MORE →

No Harm, But Foul? FTC Sues Internet of Things Maker D-Link for Security “Vulnerabilities” Despite No Allegations of Breach

Antony P. Kim, Aravind Swaminathan and Emily TabatabaiPosted on February 6, 2017

Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software used in consumer electronics (such as baby monitors). The complaint alleges that D-Link failed to reasonably secure its products from hackers. Notably, the FTC has not alleged that D‑Link products were exploited by hackers or that a data breach or cyberattack resulted from any alleged security vulnerabilities. Rather, the action is based squarely on security vulnerabilities that “potentially compromis[ed] sensitive consumer information, including live video and audio feeds from D-Link IP cameras” and marketing statements made by D-Link that touted the products’ security features.

CFPB Jumps Into Cyber Enforcement Pool

Aravind Swaminathan and Antony P. KimPosted on March 10, 2016

In a much anticipated move, on March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity foray with its first enforcement action against Dwolla, Inc., an online payment processing start-up. Pursuant to its authority under Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, the CFPB fined Dwolla $100,000 and secured a five-year consent order imposing strict requirements on management and the Board of Directors. This CFPB enforcement action offers important insights into the contours of “reasonable cybersecurity” for certain financial services entities, and important lessons for conducting cybersecurity risk assessments. These issues dovetail with significant activity we recently reported on in the cybersecurity arena by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Federal Trade Commission (FTC), the Department of Health and Human Services’ Office of Civil Rights (HHS-OCR), and a host of other state and federal regulators.

EU-U.S. Privacy Shield is Go…nearly

Christian Schröder, Kolvin Stone, Antony P. Kim and Aravind SwaminathanPosted on March 2, 2016

On 29 February 2016 the European Commission issued the legal texts of the EU-U.S Privacy Shield which aims to replace the defunct EU-U.S Safe Harbor Framework as a legitimate mechanism for transferring personal data from the EU to the U.S.

In contrast to its predecessor, the Privacy Shield contains commitments from US government in relation to controls on access to personal data by public authorities. This is an aspect of the new scheme which aims to address the jurisprudence of the Court of Justice of the European Union and criticisms of the previous Safe Harbor Framework.

Safe Harbor 2.0: Political Agreement Reached – The EU-US Privacy Shield

Kolvin Stone, Christian Schröder, Paul Hansford, Emily Tabatabai, Aravind Swaminathan and Antony P. KimPosted on February 3, 2016

The European Commission has announced that it has reached a deal to replace the EU-US Safe Harbor framework that was declared invalid last year by the Court of Justice of the European Union (“ECJ”). Heralded as the EU-US Privacy Shield (and colloquially referred to as, “Safe Harbor 2.0”), the framework should provide companies with clearer direction on safe transatlantic data transfer.

FTC Enforcement in Schein: Misleading Statements about Encryption and Cybersecurity

Aravind Swaminathan, Antony P. Kim and Emily TabatabaiPosted on January 27, 2016

On January 5, 2015, the Federal Trade Commission (FTC) entered into a consent order with dental software manufacturer Henry Schein Practice Solutions, Inc. (“Schein”) in connection with allegations that Schein had made misleading security-related representations about its software. The consent order underscores that while security-enhanced product features are in high demand, companies must be careful to avoid unfair or deceptive marketing of such features.

FTC/FCC MOU: Even the Justice League Needs It In Writing

Antony P. Kim and Aravind SwaminathanPosted on November 30, 2015

On November 13, 2015, the Federal Trade Commission and the Federal Communications Commission entered into a Memorandum of Understanding to address coordination of consumer protection actions by each agency. Following a wave of what observers perceive as a turf battle between the FTC and FCC (namely the reclassification of broadband internet access services as a common carrier service outside the FTC’s jurisdiction), and a dramatic increase in FCC data security regulatory enforcement actions, the MOU suggests that the FTC and FCC are in fact serious about cooperation and collaboration, especially on data security issues. Although organizations have better transparency and predictability in the enforcement landscape, they should also anticipate more sophisticated investigations based on richer data and improved investigative techniques.

PRIVACY POLICIES AND THE SALE OF CORPORATE ASSETS: It pays to plan ahead to preserve the value of your data assets

Emily Tabatabai, Amy Pasacreta and Matthew FechikPosted on October 20, 2015

Personal data is a valuable corporate asset. At times, the personal information collected from customers (such as email address, mailing address, phone number, etc.) can be a company’s most valuable asset. Unfortunately, when a company attempts to sell this asset, it can find the value of the data significantly diminished due to promises made in a privacy policy the company implemented years before it ever contemplated such a sale.

Trust Anchor