On December 19, 2022, the United States Federal Trade Commission (“FTC”) announced two separate record-breaking settlements with Epic Games, Inc. (“Epic”), the video game publisher behind the popular online multiplayer game “Fortnite,” totaling over $520 million for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and use of “dark patterns” to deceive players into making unwanted in-game purchases.
For those following data privacy and consumer data protection trends, it should come as no surprise that enacting comprehensive legislation to regulate companies’ use of personal data has continued to be a focal point both internationally and in the U.S., at the federal, state and local levels. …
Continue Reading Navigating the Complex Regulation of Privacy and Data Protection
On January 4, 2022, the Federal Trade Commission (FTC) issued a clear warning to companies to remediate any software vulnerabilities associated with the Java-based Log4j software. This past December, a critical security flaw was identified in Log4j, which is embedded in major software applications and is widely used by businesses in all sectors of the economy. The security flaw potentially allows bad actors to gain unfettered access to affected computer systems and to any sensitive information they contain.
The FTC, which increasingly prioritizes privacy and data security enforcement, stressed that companies have a legal duty to mitigate known software vulnerabilities—including Log4j—that risk harm to consumers and may face legal action from the FTC if they fail to do so.…
On April 28, 2021, the U.S. Federal Trade Commission (“FTC”) published a blog post reminding corporate boards of directors of their responsibility to oversee data security issues and ensure that consumer and employee data are protected. The FTC’s post is a continuation of its efforts to “elevate data security considerations to the C-Suite and Board level.”
By way of background, the FTC noted that it has continued to challenge companies’ data security practices on the grounds of allegedly deceptive or unfair conduct. The Commission is also actively reviewing certain data security rules targeted at safeguarding health records and consumer information held by financial institutions.…
On Monday, November 9, 2020, the U.S. Federal Trade Commission announced a proposed settlement with Zoom Video Communications, Inc. (“Zoom”), a video conferencing provider, regarding allegations that Zoom misrepresented its data security practices to users and designed its product to circumvent certain embedded security features of third-party software. The proposed settlement requires Zoom to undertake a range of specific remedial measures related to its data security practices. It also imposes multiple layers of reporting and certification requirements.
Continue Reading FTC Announces Settlement with Zoom Regarding Data Security Practices
Since the end of 2018, the Federal Trade Commission has reportedly been considering how to strengthen the injunctive relief imposed in orders in data security cases. The FTC began its evaluation with a public hearing in December 2018 on data breaches and data breach assessments. Several months later, in March 2019, the Commission issued a statement explaining that it was examining the obligations in its orders in data security cases and mandating “new requirements” while “anticipat[ing] further refinements.” Thereafter, the FTC ultimately issued seven data security orders with specific data security practices and obligations that differed markedly from past orders.
Continue Reading FTC Summarizes a Year of Change in its Data Security Orders
On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures. As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network. This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon the failure to maintain reasonable security measures by a third-party service provider. The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term.
Continue Reading Latest FTC Data Privacy Settlement May Signal More Direct Approach to Regulating Data Security
On May 8, 2019, Commissioners from the Federal Trade Commission repeated their calls for federal data privacy legislation enforceable by the FTC at a hearing by the House Committee on Energy & Commerce titled “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.”…
Continue Reading FTC Commissioners Continue Calls for National Data Privacy and Security Legislation
A recent FTC settlement highlights the need for companies to oversee their service providers, with respect to both collection of personal information and data security practices.
Continue Reading FTC Settlement Signals the Importance of Service Provider Oversight
On April 12, 2018, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced an agreement with Uber Technologies, Inc., to expand an August 2017 settlement regarding a 2014 data breach to include new violations arising from a second data breach that Uber discovered in 2016 but did not publicly disclose for over one year. The revised settlement order imposes new notification, reporting, and records retention obligations on Uber for up to 20 years regarding third-party audits of its privacy program, future data breaches involving personal data, and its bug bounty program. The proposed settlement order will be open for public comment for 30 days, after which time the Commission is likely to make the order final.
In August 2017, Uber entered into a consent agreement with the FTC related to a data breach that occurred three years before. The complaint resolved by the 2017 settlement order alleged that, in May 2014, an intruder used an access key publicly posted on the website GitHub to access sensitive personal information of Uber drivers (who the FTC treats as consumers) that Uber stored with a cloud provider. This information allegedly included unencrypted names, driver’s license numbers, bank account and routing numbers, and Social Security numbers. The FTC alleged that Uber had failed to (1) “implement reasonable access controls” to safeguard personal data of drivers and riders stored in the cloud, (2) implement reasonable security training and guidance, (3) maintain a written security program, and (4) encrypt certain information stored with the cloud provider. The complaint charged that Uber’s representations about the security of, and internal monitoring and auditing regarding access to, consumers’ personal information were false or misleading in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
In the 2018 complaint, the FTC alleges that Uber contemporaneously discovered a second data breach that had occurred in the fall of 2016—during the midst of the FTC’s nonpublic investigation into the 2014 breach. According to the complaint, intruders used an access key that had been posted to a private repository associated with GitHub to download unencrypted files containing personal data of U.S. riders and drivers, including approximately “25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers.”…
Continue Reading Revised FTC-Uber data breach settlement to include second breach, criticize ‘bug bounty’ payment