Since the end of 2018, the Federal Trade Commission has reportedly been considering how to strengthen the injunctive relief imposed in orders in data security cases.  The FTC began its evaluation with a public hearing in December 2018 on data breaches and data breach assessments.  Several months later, in March 2019, the Commission issued a statement explaining that it was examining the obligations in its orders in data security cases and mandating “new requirements” while “anticipat[ing] further refinements.”  Thereafter, the FTC ultimately issued seven data security orders with specific data security practices and obligations that differed markedly from past orders.
Continue Reading FTC Summarizes a Year of Change in its Data Security Orders

On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures.  As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network.  This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon the failure to maintain reasonable security measures by a third-party service provider.  The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term.
Continue Reading Latest FTC Data Privacy Settlement May Signal More Direct Approach to Regulating Data Security

On May 8, 2019, Commissioners from Federal Trade Commission repeated their calls for federal data privacy legislation enforceable by the FTC at a hearing by the House Committee on Energy & Commerce titled “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.”
Continue Reading FTC Commissioners Continue Calls for National Data Privacy and Security Legislation

A recent FTC settlement highlights the need for companies to oversee their service providers, with respect to both collection of personal information and data security practices.

On April 30, 2018, the U.S. Federal Trade Commission (“FTC”) announced a settlement with BLU Products, Inc. (“BLU”), a Florida-based mobile device manufacturer, resolving allegations that BLU shared sensitive consumer data with a third-party service provider in violation of BLU’s privacy policy and the FTC Act.  
Continue Reading FTC Settlement Signals the Importance of Service Provider Oversight

On April 12, 2018, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced an agreement with Uber Technologies, Inc., to expand an August 2017 settlement regarding a 2014 data breach to include new violations arising from a second data breach that Uber discovered in 2016 but did not publicly disclose for over one year.  The revised settlement order imposes new notification, reporting, and records retention obligations on Uber for up to 20 years regarding third-party audits of its privacy program, future data breaches involving personal data, and its bug bounty program.  The proposed settlement order will be open for public comment for 30 days, after which time the Commission is likely to make the order final.

In August 2017, Uber entered into a consent agreement with the FTC related to a data breach that occurred three years before.  The complaint resolved by the 2017 settlement order alleged that, in May 2014, an intruder used an access key publicly posted on the website GitHub to access sensitive personal information of Uber drivers (who the FTC treats as consumers) that Uber stored with a cloud provider.  This information allegedly included unencrypted names, driver’s license numbers, bank account and routing numbers, and Social Security numbers.  The FTC alleged that Uber had failed to (1) “implement reasonable access controls” to safeguard personal data of drivers and riders stored in the cloud, (2) implement reasonable security training and guidance, (3) maintain a written security program, and (4) encrypt certain information stored with the cloud provider.  The complaint charged that Uber’s representations about the security of, and internal monitoring and auditing regarding access to, consumers’ personal information were false or misleading in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

In the 2018 complaint, the FTC alleges that Uber contemporaneously discovered a second data breach that had occurred in the fall of 2016—during the midst of the FTC’s nonpublic investigation into the 2014 breach.  According to the complaint, intruders used an access key that had been posted to a private repository associated with GitHub to download unencrypted files containing personal data of U.S. riders and drivers, including approximately “25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers.”
Continue Reading Revised FTC-Uber data breach settlement to include second breach, criticize ‘bug bounty’ payment

On January 18, the Federal Trade Commission (“FTC”) released its Privacy & Data Security Update: 2017, describing its activities in the areas of consumer privacy and data security during the past year.

The report highlights the breadth of the FTC’s enforcement actions, both under Section 5 of the FTC Act, which prohibits unfair or deceptive