Federal Trade Commission

Over the last several years, the Federal Trade Commission (FTC) has regularly used its authority under Section 5 of the FTC Act to bring cases against companies due to their allegedly unreasonable data security measures. The FTC has paid particular attention to the safeguards that manufacturers have implemented in electronic devices sold to consumers.  Recently, D-Link Systems Inc., a router manufacturer, successfully challenged the FTC’s position that a Section 5 claim can be supported based solely on the existence of a data security vulnerability without any evidence that the vulnerability was actually exploited resulting in consumer harm.

The FTC’s Authority. Under Section 5 of the FTC Act, the FTC can investigate and obtain injunctive and equitable relief against companies that engage in unfair or deceptive acts or practices.  To establish that a company’s practices are unfair, the FTC must show that the practices cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by them, and that is not outweighed by countervailing benefits to them.

The FTC’s Position is that “Unreasonable” Data Security Is an “Unfair” Practice. In its complaints, the FTC commonly alleges that a company’s unreasonable data security measures are an unfair act or practice that violates Section 5.  Typically, to support its position that consumers were harmed, the FTC points to evidence of both (a) a vulnerability created by the allegedly unreasonable data security practices, and (b) exploitation of such vulnerability to gain unauthorized access to data or systems.  It would seem that exploitation is necessary to create a nexus between a vulnerability and any consumer harm.  But, to the surprise of many, the FTC has also filed complaints against companies alleging only the existence of a vulnerability, without evidence that such vulnerability actually was exploited.  In at least two cases, the FTC has alleged that the risk of cyber attack from a vulnerability was alone enough to satisfy the Section 5 requirement that the practice “causes or is likely to cause substantial consumer injury.”
Continue Reading Court Deals Blow to FTC’s Position on Unfair Data Security Practices

With the election of current California Attorney General Kamala Harris to the U.S. Senate, Governor Jerry Brown was tasked with appointing her replacement. On December 1, he announced that his pick is U.S. Representative Xavier Becerra, head of the House Democratic caucus.

Becerra was first elected to the House in 1992 and has also served

Wages may be stagnant in the United States, but one thing on the rise is the price of getting on the wrong side of the Federal Trade Commission.

Effective August 1, 2016, the maximum civil penalty dollar amount  for violating section 5 of the Federal Trade Commission Act, or failing to comply with COPPA or

This post was written by Timothy J. Nagle.

Yesterday, the Office of the Comptroller of the Currency issued OCC Bulletin 2013-29 on Third-Party Relationships. The document rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, both of which had served as the basis for supplier management practices and inspections for many years. It is much

In June 2013, the Federal Trade Commission (FTC) and Ireland’s Office of the Data Protection Commissioner signed a memorandum of understanding establishing a mutual assistance and information exchange program to secure compliance with data protection and privacy laws on both sides of the Atlantic.

The privacy and data protection laws between Ireland and the United

Today, the Federal Trade Commission released detailed guidance on privacy in the mobile environment – at the same time it announced its largest-ever settlement with an app developer for alleged privacy violations. Combined with aggressive action on mobile privacy issues by the California attorney general’s office, Mobile Privacy Disclosures provides every company associated with

This post was also written by Amy S. Mushahwar.

This morning the FTC released a supplemental notice of proposed rulemaking on the Children’s Online Privacy Protection Act (COPPA) Rule. This is not a final rule. The notice suggests further modifications to proposed definitions released in the September 2011 Notice of Proposed Rulemaking on the

This post was also written by Christopher G. Cwalina and Amy S. Mushahwar.

Today, in a ceremony with much fanfare, Secretary of Commerce John Bryson and Federal Trade Commission Chairman John Liebowitz outlined the Obama administration’s privacy blueprint for a “consumer bill of rights.” Shortly thereafter, the Department of Commerce released its long-awaited consumer privacy

This post was written by Amy S. Mushahwar.

The Federal Communications Commission (FCC) acted today to tighten its rules under the Telephone Consumer Protection Act (TCPA) and conform them, to the extent possible, with the more stringent rules already in place at the Federal Trade Commission (FTC) under the Telephone Sales Rule (TSR). This change

On September 15, Barnes & Noble (“B&N”) acquired several of Borders’ intellectual property assets, including a database of customer information, as part of Borders’ bankruptcy auction.  The sale of those assets hit a potential roadblock on Thursday, though, when a New York bankruptcy judge refused to approve the transaction, saying that he needed more time