
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC Approves Modifications to COPPA Safe Harbor Program

    Privacy, Cyber Risk & Data Security

    On July 31, the FTC announced it has approved TRUSTe’s proposed modifications to its Children’s Online Privacy Protection Rule (COPPA) safe harbor program. As previously covered in InfoBytes, COPPA regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. The safe harbor program allows the FTC to review and approve “self-regulatory guidelines” submitted by industry groups that implement “the same or greater protections for children” as those contained in the COPPA Rule, and subjects approved groups to safe harbor review and disciplinary procedures instead of formal enforcement action. Among the approved modifications is a change that requires all participants to conduct a comprehensive annual internal assessment of any third-party or service provider that collects personal information from children on their websites or through online services.

    Privacy/Cyber Risk & Data Security Agency Rule-Making & Guidance FTC Compliance Vendor Management

  • FTC Announces Weekly Blog on Reasonable Data Security Practices

    Privacy, Cyber Risk & Data Security

    On July 21, the FTC announced a new initiative as part of ongoing efforts to provide guidance to businesses on protecting and securing consumer data. Each Friday, the FTC will post a new blog that will build on the FTC’s Start with Security principles, and will showcase hypothetical examples using material from closed investigations, FTC law enforcement actions, and questions from businesses. The first blog post, “Stick with Security: Insights into FTC Investigations,” highlights practical approaches for businesses to take in securing consumer data based on examples gleaned from FTC complaints and orders. The post also examines emerging themes from closed FTC data security investigations that did not necessarily result in FTC law enforcement.

    Privacy/Cyber Risk & Data Security FTC Small Business

  • FTC to Host Small Business Roundtables Focusing on Cybersecurity

    Privacy, Cyber Risk & Data Security

    On July 20, the FTC announced it will host a series of public roundtables to discuss pressing challenges facing small businesses when protecting the security of their computers and networks. The feedback will be used to assist the FTC and its partners in creating additional cybersecurity education resources. The Engage, Connect, and Protect Initiative: Small Business and Data Security Roundtables are part of Acting FTC Chairman Maureen K. Ohlhausen’s initiative to help small businesses protect against cyberattacks. Earlier this year, Ohlhausen launched a website designed to provide guidance on scams and cyberattacks for small businesses, many of which lack the resources larger companies have to spend on cybersecurity. (See previous InfoBytes post here.)

    The first roundtable will be on July 25 in Portland, Oregon, in partnership with the National Cyber Security Alliance (NCSA), the SBA, and other organizations. On September 6, a second roundtable discussion will convene in Cleveland in collaboration with the SBA and the Council of Smaller Enterprises. The third roundtable in the series, sponsored by the NCSA, will occur later in September in Des Moines, Iowa.

    Privacy/Cyber Risk & Data Security Agency Rule-Making & Guidance FTC Small Business

  • FTC Staff Supports FCC’s Proposal to Reverse Broadband Enforcement Authority

    Privacy, Cyber Risk & Data Security

    On July 17, FTC staff submitted its comments to the FCC in response to the FCC’s Notice of Proposed Rulemaking on Restoring Internet Freedom (NPRM), in favor of returning broadband enforcement authority to the FTC. (See previous InfoBytes coverage here.) The NPRM would reverse a 2015 FCC decision, which changed the classification of broadband internet access service from an “information service to a common carrier service,” and resulted in a loss of the FTC’s authority. Currently, the FTC cannot regulate common carrier activities. FTC staff argued that with the exception of broadband providers, FTC jurisdiction covers virtually all other internet entities. Having one agency with enforcement authority over all internet entities would allow for “consistent standards and consistent application of those standards.” The result, the staff encouraged, would be the creation of a “level playing field for all companies operating in the Internet ecosystem.”

    Acting FTC Chairman Maureen K. Ohlhausen endorsed the staff comments and offered support for the NPRM to reverse the 2015 Title II classification of broadband internet access service as a way to “restore the FTC’s ability to protect broadband consumers under its general consumer protection and competition authority.” However, FTC Commissioner Terrell McSweeny dissented, stating that “[u]nless Congress repeals the common carrier exemption in the FTC Act, the FTC could continue to face challenges to its authority over common carriers.” Consequently, “[r]epealing these rules would be harmful for consumers and the marketplace . . . . Rather than roll[ing] back protections, we should augment them with renewed FCC vigor and a change to anachronistic barriers to FTC enforcement.”

    Privacy/Cyber Risk & Data Security FTC FCC Federal Issues Agency Rule-Making & Guidance Enforcement

  • FTC Announces Settlement of More Than $104 Million with Company for Selling Sensitive Financial Information

    Privacy, Cyber Risk & Data Security

    On July 5, the FTC issued a press release announcing a settlement of more than $104 million with a lead generation company for allegedly misleading loan applicants with promises of matching consumers with lenders that could offer the best loan terms. Actually, the FTC asserts, defendants were selling the applications, including sensitive personal information such as Social Security numbers and bank account numbers, to anyone who would pay for them “without regard for how the information would be used or whether it would remain secure.”

    The proposed order accompanying the settlement states that defendants used deceptive and unfair acts or practices in the course of their lead generation activities, and permanently prohibits defendants from misrepresenting financial products or services to consumers. It also enjoins defendants from selling or transferring a consumer’s personal information unless the consumer has provided consent and provides that defendants may not benefit from any consumer information collected before the entry of the order. Further, defendants must destroy all personal consumer information in any form within 30 days after the order.

    In addition to the above settlement terms, the defendants agreed to (i) compliance monitoring, (ii) creating certain records for ten years after the date of entry of the order, and (iii) compliance reporting.

    Although defendants have filed for bankruptcy, they agreed that the amount owed to the FTC in the settlement will not be dischargeable.

    Privacy/Cyber Risk & Data Security Courts Consumer Lending Internet Lending FTC

  • Data Breach Lawsuit Settled for $115 Million

    Privacy, Cyber Risk & Data Security

    On June 23, one of the nation’s largest health insurers agreed to pay $115 million to settle a data breach class action suit pending in the U.S. District Court for the Northern District of California. In 2015, the insurer announced that it had been hacked and that customer information had been compromised. On June 23, Plaintiffs submitted to the court a memorandum in support of the settlement. The settlement, if approved by the court, will provide almost 80,000 proposed class members with extended credit monitoring for at least two years. Additionally, the settlement will require the insurer to “implement or maintain meaningful, specific changes to its data security practices that directly address the security elements that Plaintiffs believe contributed to the breach,” including hiring independent consultants to perform annual IT risk assessments and compliance reviews, and providing the results of those audits to Plaintiffs’ counsel.

    Privacy/Cyber Risk & Data Security Fintech Data Breach Consumer Finance

  • FCC Proposes $120 Million Fine for Spoofed Robocalls

    Privacy, Cyber Risk & Data Security

    On June 22, the Federal Communications Commission (FCC) announced a proposed fine of $120 million against a telemarketer for violating the Truth in Caller ID Act. The agency claims that the individual made nearly 100 million calls in which he falsified caller ID information in order to display incorrectly the same area code and first three digits as the consumer he was calling. “Neighbor spoofing,” according to the FCC, is an illegal technique used to appear to be calling from the recipient’s own area. If the recipient answered the call, the caller would then offer travel packages falsely claiming to represent well-known hotel and travel companies. The citation and order provides the telemarketer with 30 days to respond to the FCC.

    Privacy/Cyber Risk & Data Security FCC

  • 15 State Attorneys General Clarify Data Breach Notification Laws

    Privacy, Cyber Risk & Data Security

    On June 5, 15 state attorneys general issued a joint letter to an e-commerce hosting company refuting the company’s assertion in its FAQ provided to online retailers that they are not obligated to notify customers of a data breach in situations where credit card CVV numbers were not disclosed. According to claims made by the attorneys general, the company erroneously stated that, pursuant to the identified states’ data breach notification laws, “there is no obligation to notify in those states . . . if your customers’ CVV data was not exposed.” The attorneys general argued that this is incorrect and stated, “[t]he CVV number does not have to be disclosed to trigger our states’ notification obligations.” The letter noted as an example, New York General Business Law § 899-aa(1)(b)(3), which stipulates that companies must provide notification of a data breach to affected customers when a credit or debit card number plus “any required security code, access code, or password” that would permit access to the account is obtained by an unauthorized party. The attorneys general stated that a CVV code is not a required access code because the card can be used without it. The company is required to provide clarification regarding its FAQ to affected client retailers.

    Privacy/Cyber Risk & Data Security State Attorney General Data Breach Credit Cards Consumer Finance

  • FTC Announces Settlement with Operators of Tech Support Scam

    Privacy, Cyber Risk & Data Security

    On June 7, the FTC announced two settlements in a pending action brought against defendants who allegedly used pop-up internet ads to deceive consumers into believing their computers were infected and then sold unnecessary technical support services to fix the issues. Under the terms of the settlements (available here and here), the defendants (i) will relinquish assets with a combined value of nearly $6 million to provide restitution to victims, and (ii) are banned from marketing, promoting, or misrepresenting technical support products or services in the future. The settlement is part of the FTC’s ongoing efforts to pursue tech support scams through its Operation Tech Trap initiative. (See previous InfoBytes coverage here.)

    Privacy/Cyber Risk & Data Security FTC Enforcement Settlement Securities Litigation

  • FTC to Host Third PrivacyCon Event, Issues Call for Presentations

    Privacy, Cyber Risk & Data Security

    On June 8, the FTC announced it will hold its third PrivacyCon, which will “expand collaboration among leading privacy and security researchers, academics, industry representatives, consumer advocates, and the government” to explore “the privacy and security implications of emerging technologies, such as the Internet of Things, artificial intelligence and virtual reality.” Specific topics will cover ways to quantify the harm when companies fail to secure consumer information, and how to “balance the costs and benefits of privacy-protective technologies and practices.” Additionally, the FTC issued a call for presentations to receive research and input on several areas such as (i) the “nature and evolution of privacy and security risks”; (ii) “quantifying costs and benefits of privacy from a consumer perspective” and business perspective; and (iii) “incentives, market failures, and interventions.” Presentation submissions must be made by November 17, 2017. The event will take place on February 28, 2018 in Washington, DC.

    Privacy/Cyber Risk & Data Security FTC Fintech
