InfoBytes Blog

Financial Services Law Insights and Observations

  • TRO issued against VoIP service provider in card interest reduction scam

    Federal Issues

    On December 5, the FTC and the Ohio attorney general announced that the U.S. District Court for the Western District of Texas issued a temporary restraining order (TRO) against a VoIP service provider and its foreign counterpart for facilitating (or consciously avoiding knowledge of) a “phony” credit card interest rate reduction scheme run by one of its client companies, the company at the center of a joint FTC/Ohio AG action. As previously covered by InfoBytes, the original complaint alleged that a group of individuals and companies, working in concert and claiming they could reduce interest rates on credit cards, had violated the FTC Act, the Telemarketing Sales Rule, and various Ohio consumer protection laws. In addition to obtaining a TRO against the most recent alleged participants, the FTC and Ohio AG amended their July complaint to add the telecom companies as defendants, alleging the companies “played a key role in robocalling consumers to promote a credit card interest reductions scheme.”

    Federal Issues FTC State Attorney General Consumer Finance Robocalls Credit Cards TRO Courts FTC Act Telemarketing Sales Rule

  • Buckley Insights: Leveraging open source intelligence for cyber threat modeling

    Privacy, Cyber Risk & Data Security

    The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CTI) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. Indeed, to successfully implement a risk-based information security program, an organization must be aware of general cybersecurity risks that cut across all industries, of the risks specific to its business sector, and of the risks unique to the organization itself. Furthermore, proposed revisions to the FTC Safeguards Rule (previously covered by InfoBytes here) emphasize the need for a “thorough and complete risk assessment” that is informed by “possible vectors through which the security, confidentiality, and integrity of that information could be threatened.”

    Threat modeling is generally understood as a formal process by which an organization identifies specific cyber threats to its information systems and sensitive information. The process gives management insight into the defenses needed; the critical risk areas within and across an information system, network, or business process; and the best allocation of scarce resources to address the critical risks. Even today, a generally accepted threat modeling process involves comprehensive system, application, and network mapping and data flow diagrams. Many threat modeling tools are available free to the public, such as Microsoft’s Threat Modeling Tool, which provides diagramming and analytical resources for network and data flow diagrams and uses the STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, and escalation of privilege) to inform the user of general cyber-attack vectors that each organization should consider. Generally, by combining a cybersecurity framework, such as the NIST Cybersecurity Framework (for a risk-based analytical approach), with a threat modeling tool that identifies generic cyber threats, such as STRIDE (for general or sector-specific cyber risks), an organization can achieve a risk-informed information security program.

    However, with the increasing number of large-scale data breaches and the evolving complexity of cybersecurity threats, many regulatory agencies and industry standards bodies have called for organizations to go one step further and use CTI to understand the techniques, tactics, and procedures (TTPs) employed by attackers. By using CTI and other threat-based models, organizations can gain insight into potential attack vectors through red-teaming and penetration testing, simulating each phase of a hypothetical attack on the organization’s information system and determining the countermeasures that can be employed at each step of the kill chain. For instance, Lockheed Martin’s formal kill chain model involves seven steps (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective) and proposes six potential defensive measures at each step (detect, deny, disrupt, degrade, deceive, and contain). Consequently, an organization can layer its defenses along each step in the kill chain to increase the probability of detecting or preventing the attack. The kill chain model was used as part of a U.S. Senate investigation into the 2013 data breach of a major corporation, identifying several stages along the chain at which the attack could have been prevented or detected.

    This threat identification process requires greater detail on adversarial TTPs. Fortunately, MITRE has provided for public consumption its ATT&CK (adversarial tactics, techniques, and common knowledge) platform. ATT&CK collects and organizes adversarial TTPs in specific detail and provides information on each technique and potential mitigating procedures, including commonly used attack patterns for each. For instance, one tactic identified by ATT&CK is to encrypt data being exfiltrated to avoid detection by data loss prevention (DLP) tools or other network anomaly detection tools; ATT&CK identifies more than forty known techniques and tools that have been used to achieve encrypted transmission. ATT&CK also identifies potential detection and mitigation options, such as scanning unencrypted channels for encrypted files using DLP or intrusion detection software. Thus, instead of relying on a generic data breach risk analysis, organizations can understand the specific TTPs that may make data breach detection and analysis more difficult, and possibly take measures to prevent them.

    By leveraging open-source CTI from tools such as ATT&CK and from third-party reports such as government and industry alerts, organizations can begin the process of designing proactive defenses against cyber threats. It is important to note, however, that ATT&CK can only inform an organization’s threat modeling and is not a threat model itself; additionally, ATT&CK focuses on penetration and hacking TTPs and, therefore, does not examine other threats that organizations may face, including distributed denial of service (DDoS) attacks that threaten the availability of their systems. Such threats will still need to be accounted for in any financial organization’s risk assessment, particularly when a DDoS attack would prevent its clients from accessing their financial accounts and, ultimately, their money.
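As an added illustration of the detection option ATT&CK describes above (scanning unencrypted channels for encrypted files), the following Python script is written here for this post and is not code from MITRE, the Buckley authors, or any DLP product. It flags payloads on unencrypted channels whose byte entropy looks like ciphertext, while setting aside small samples and known compressed formats that would otherwise produce false positives; the entropy threshold, channel labels and sample transfers are constructed assumptions.

```python
import gzip
import math
import random
from collections import Counter

# Assumed tuning values for this illustration; a real DLP/IDS deployment would
# calibrate them against its own traffic baseline.
ENTROPY_THRESHOLD = 7.2   # bits per byte; random/encrypted data approaches 8.0
MIN_SIZE = 256            # entropy estimates on shorter samples are unreliable
UNENCRYPTED_CHANNELS = {"http", "ftp", "smtp"}   # constructed channel labels

# Compressed and media formats are also high-entropy but carry a recognisable
# header, so they are classified before the entropy test to limit false positives.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes) -> str:
    """Return 'too_small', 'compressed:<fmt>', 'likely_encrypted' or 'plaintext'."""
    if len(data) < MIN_SIZE:
        return "too_small"
    for magic, fmt in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return f"compressed:{fmt}"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely_encrypted"
    return "plaintext"


def scan_transfers(transfers):
    """Alert on likely-encrypted payloads observed on unencrypted channels.

    transfers: iterable of (filename, channel, payload_bytes).
    Returns a list of (filename, channel, entropy) tuples for analyst review.
    """
    alerts = []
    for name, channel, payload in transfers:
        if channel not in UNENCRYPTED_CHANNELS:
            continue   # TLS/SSH sessions need a different control (e.g. proxy inspection)
        if classify_payload(payload) == "likely_encrypted":
            alerts.append((name, channel, round(shannon_entropy(payload), 2)))
    return alerts


def _pseudo_random_bytes(seed: int, size: int) -> bytes:
    # Seeded stand-in for ciphertext: good encryption output is indistinguishable
    # from uniform random bytes, which is exactly what the entropy test keys on.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed sample transfers (not captured traffic).
_records = "".join(f"user{i},{(i * 7919) % 10007},active\n" for i in range(400)).encode()
SAMPLE_TRANSFERS = [
    ("export.csv", "http", _records),                        # ordinary text
    ("export.csv.gz", "http", gzip.compress(_records)),      # compressed, header recognised
    ("report.bin", "http", _pseudo_random_bytes(7, 4096)),   # ciphertext-like on clear channel
    ("backup.bin", "sftp", _pseudo_random_bytes(8, 4096)),   # encrypted channel: out of scope
    ("note.txt", "smtp", b"short"),                          # too small to judge
]

if __name__ == "__main__":
    for name, channel, payload in SAMPLE_TRANSFERS:
        print(f"{name:16} {channel:5} {classify_payload(payload)}")
    print("alerts:", scan_transfers(SAMPLE_TRANSFERS))
```

Only report.bin is raised for review: the compressed export and the transfer over an encrypted channel are deliberately not alerted, which is the false-positive trade-off a DLP tuning exercise has to make explicit.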

    Privacy/Cyber Risk & Data Security Data Breach FTC OCC FFIEC

  • Washington AG settles deceptive practices allegations with office supply company

    State Issues

    On November 13, the Washington attorney general announced that an office supply company has agreed to pay $900,000 to resolve an investigation into deceptive computer repair services. According to the AG’s office, the company allegedly used a software program, called “PC Health Check” or similar names, to facilitate the sale of diagnostic and repair services to retail customers that cost up to $200, regardless of whether their computer was actually infected with viruses or malware. The program, which the company claimed detected malware symptoms on consumers’ computers, allegedly based its results on answers to four questions that a company employee asked consumers at the beginning of the service: whether the computer had slowed down, had issues with frequent pop-up ads, received virus warnings, or crashed often. After the questions were asked, the responses were entered into the program and a simple scan of the computer was run. The AG’s office claims that the scan had no connection to the malware symptoms results because an affirmative answer by the consumer to any of the four questions always led to a report of actual or potential malware symptoms. The release also states that in 2012, a company employee informed management that “the software reported malware symptoms on a computer that ‘didn’t have anything wrong with it,’” but that the company continued to sell the repair services until 2016 to an estimated 14,000 Washington consumers. According to the AG’s release, Washington is the only state to reach an agreement with the company over the alleged practices, in addition to the $35 million national settlement the company and its software vendor reached with the FTC in March for similar conduct. (Previous InfoBytes coverage here.)

    State Issues State Attorney General Deceptive FTC Enforcement Consumer Protection Settlement

  • FTC settles with technology service provider on data security issues

    Federal Issues

    On November 12, the FTC announced a proposed settlement that requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures that allegedly allowed a hacker to access the sensitive personal information of about one million consumers. According to the complaint, the FTC asserts that the service provider and its former CEO violated the FTC Act by engaging in unreasonable data security practices, including failing to (i) have a systematic process for inventorying and deleting consumers’ sensitive personal information that was no longer necessary to store on its network; (ii) adequately assess the cybersecurity risk posed to consumers’ personal information stored on its network by performing adequate code review of its software and penetration testing; (iii) detect malicious file uploads by implementing protections such as adequate input validation; (iv) adequately limit the locations to which third parties could upload unknown files on its network and segment the network to ensure that one client’s distributors could not access another client’s data on the network; and (v) implement safeguards to detect abnormal activity and/or cybersecurity events. The FTC further alleges in its complaint that the provider could have addressed each of the failures described above “by implementing readily available and relatively low-cost security measures.”

    The FTC alleges more particularly that, between May 2014 and March 2016, an unauthorized intruder accessed the service provider’s server over 20 times, and in March 2016, “accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords.” Because the information obtained can be used to commit identity theft and fraud, the FTC alleged that the service provider’s failure to implement reasonable security measures violated the FTC’s prohibition against unfair practices.

    The proposed settlement requires the service provider to, among other things, create certain records and obtain third-party assessments of its information security program every two years for the 20 years following the issuance of the related order that would result from the settlement.

    Federal Issues FTC Settlement Privacy/Cyber Risk & Data Security Data Breach Enforcement FTC Act

  • FTC, Utah file action against real estate seminar company

    Federal Issues

    On November 5, the FTC and the Utah Division of Consumer Protection filed a complaint in the U.S. District Court for the District of Utah against a Utah-based company and its affiliates (collectively, “defendants”) for allegedly using deceptive marketing to persuade consumers to purchase real estate training packages costing thousands of dollars. According to the complaint, the defendants violated the FTC Act, the Telemarketing Sales Rule, and Utah state law by marketing real estate training packages with false claims through the use of celebrity endorsements. The defendants’ marketing materials allegedly told consumers, among other things, that they would (i) receive strategies for making profitable real estate deals during seminars included in the packages; and (ii) learn how to access wholesale or deeply discounted properties. The complaint argues, however, that the promises were false and misleading, as, among other things, the seminars promoted additional workshops costing more than $1,100 to attend where consumers largely received general information about real estate investing, along with promotions for “advanced training” costing tens of thousands of dollars. In addition, the discounted properties were typically sold or brokered to consumers by the defendants at inflated prices with concealed markups, the complaint alleges. Among other things, the FTC and Utah Division of Consumer Protection seek monetary and injunctive relief against the defendants.

    Federal Issues FTC Enforcement Consumer Protection State Regulators UDAP Deceptive Courts

  • FTC offers guidance for social media influencer disclosures

    Federal Issues

    On November 5, the FTC released advertising disclosure guidance for online influencers, titled “Disclosures 101 for Social Media Influencers,” which outlines the FTC’s rules for disclosure of sponsored endorsements and provides influencers with tips and guidance covering effective and ineffective disclosures. The guidance reminds influencers that (i) they should disclose any financial, employment, personal, or family relationship with the brand; (ii) disclosures should be “hard to miss,” by being placed on pictures, stated in videos, and repeated throughout livestreams; and (iii) language in disclosures should be simple and clear, and in the same language as the endorsement itself.

    For more information on the FTC’s activity covering testimonials and social media influencers, review the recent Buckley Insight, which summarizes several FTC enforcement actions involving online reviews and social media and provides key takeaways for companies considering online advertising and social media campaigns.

    Federal Issues FTC Marketing Advertisement UDAP Deceptive Enforcement Agency Rule-Making & Guidance

  • Buckley Insights: FTC focusing on testimonials and social media influencers

    Federal Issues

    The FTC has stepped up its advertising-related enforcement activity in recent months, particularly focusing on companies that fail to clearly and conspicuously disclose underlying connections between testimonial providers and product sellers. Summarized below are several recent FTC enforcement actions involving online reviews and social media, as well as some key takeaways for companies considering online advertising and social media campaigns.

    Recent FTC Enforcement Actions

    First, in its complaint against a skincare company, the FTC alleged that the company misled consumers by posting reviews written by company employees. Specifically, the FTC’s allegations included assertions that (i) product reviews posted on a retailer’s website were not “independent experiences or opinions of impartial ordinary users of the products” and therefore were false or misleading under Section 5 of the FTC Act; and (ii) the failure to disclose that the reviews were written by the owner or employees constitutes a deceptive act or practice under Section 5 of the FTC Act, because the information would “be material to consumers in evaluating the reviews of [the company] brand products in connection with a purchase or use decision.”

    In a 3-2 vote, the Commission approved an administrative consent order, which notably does not include any monetary relief for consumers. The order prohibits the company from misrepresenting the status of an endorser, including misrepresentations that the endorser or reviewer is an “independent or ordinary user of the product,” and requires the company and owner to disclose “clearly and conspicuously, and in close proximity to that representation, any unexpected material connection between such endorser and (1) any Respondent; or (2) any other individual or entity affiliated with the product.”

    In dissent, two Commissioners objected to the lack of monetary relief, stating, “[t]hat monetary relief can be difficult to calculate should not deter the FTC from seeking it. When the agency’s estimates are uncertain, the Commission sometimes demands no monetary relief whatsoever, which leads to under-deterrence of blatant fraud and dishonesty. This needs to change.”

    Second, the FTC also charged a now-defunct company and its owner with selling social media followers and subscribers to motivational speakers, law firm partners, investment professionals, and others who wanted to boost their credibility to potential clients, as well as to actors, athletes, and others who wanted to increase their social media appeal. According to the FTC, the company “provided such users of social media platforms with the means and instrumentalities for the commission of deceptive acts or practices,” in violation of Section 5(a) of the FTC Act.

    The Commission unanimously voted to file the proposed court order, which bans the company from selling or assisting others in selling “social media influence.” The order, which was later approved by a federal district court, imposes a $2.5 million monetary judgment against the company owner, but suspends the majority upon the payment of $250,000.

    In a business-focused blog post released in conjunction with the enforcement actions noted above, the FTC:

    • Reminds marketers that when “people at the helm” are “calling the illegal shots,” the FTC will name them in their individual capacities in actions;
    • Emphasizes that companies must instruct their employees and agents to clearly disclose in reviews any material connection to the product; and
    • States that the truth-in-advertising provisions of the FTC Act apply to companies that claim to be “strictly B2B,” if they are providing others with the means and instrumentalities for deception.

    Relatedly, in February 2019, the FTC approved final consent orders with two marketing companies for, among other things, misrepresenting paid endorsements as independent consumer opinions. The companies allegedly hired Olympic athletes to endorse a mosquito repellent on social media and formatted advertisements to appear as independent statements of impartial publications. The FTC argued that the companies failed to disclose, or to disclose adequately, that (i) the Olympians were paid to endorse the mosquito repellent; and (ii) the online consumer reviews were by individuals who were reimbursed for buying the product and included statements by the owner and employees of the public relations firm hired to promote the product.

    The final consent orders (here and here) require each company to cease the misrepresentations and to notify future endorsers of their responsibility “to disclose clearly and conspicuously, and in close proximity to the endorsement, in any print, radio, television, online, or digital advertisement or communication, the endorser’s unexpected material connection to any Respondent or any other individual or entity affiliated with the product or service.”

    Key Takeaways for Online Advertising and Social Media Campaigns:

    • These complaints and consent orders incorporate the basic concepts of the FTC’s Endorsement Guides, which address how the prohibition against deceptive practices in Section 5 of the FTC Act applies to endorsements and testimonials in advertising. As an FTC blog post puts it:

    Suppose you meet someone who tells you about a great new product. She tells you it performs wonderfully and offers fantastic new features that nobody else has. Would that recommendation factor into your decision to buy the product? Probably.

    Now suppose the person works for the company that sells the product – or has been paid by the company to tout the product. Would you want to know that when you’re evaluating the endorser’s glowing recommendation? You bet. That common-sense premise is at the heart of the Federal Trade Commission’s (FTC) Endorsement Guides.

    • The dissenting commissioners in the skincare product case suggested that the FTC should have obtained “monetary relief” for consumers rather than simply ordering the company to comply with the law in the future, implying that the company should have been required to make refunds to consumers. The FTC doesn’t have the power to obtain civil penalties for deceptive practices unless the practice violates a specific regulation or order, but many states do have that power.
    • The FTC Endorsement Guides don’t have the force of law of a formal regulation, but they influence the enforcement decisions not only of the FTC but also of other federal, state, and local agencies. Some of the principles in the Guides have very wide application. For example:
    • An endorsement “relating the experience” of one or more people is considered to be a representation that their experience is typical of what most people can achieve with a product or service.
      • For example, an ad in which a consumer says “I saved $100 a month on my mortgage by going through XYZ Mortgage” is deemed to be a claim that most consumers will experience the same result.
      • A statement that “results not typical,” or even “based on the experiences of a few people—you probably won’t have similar results” usually won’t cure the deceptive impact of a claim by an endorser that he or she achieved certain results, unless the advertiser can provide empirical testing “demonstrating that the net impression of its advertisement with such a disclaimer is non-deceptive.”
    • As with any advertising claim, the implied claim of typicality in an endorsement must be substantiated, i.e., the advertiser must have data showing that the results actually are typical.

    ***

    If you have any questions about the enforcement actions noted above or marketing and advertising related issues, please contact a Buckley attorney with whom you have worked in the past.

    Federal Issues FTC Marketing Advertisement Deceptive UDAP Enforcement

  • FTC announces two actions involving fraudulent social media activity and online reviews

    Federal Issues

    On October 21, the FTC announced two separate actions involving social media and online reviews. In its complaint against a skincare company, the FTC alleged that the company misled consumers by posting fake reviews on a retailer’s website and failed to disclose company employees wrote the reviews. The FTC asserted that the retailer’s customer review section is “a forum for sharing authentic feedback about products,” and the company and owner “represented, directly or indirectly, expressly or by implication, that certain reviews of [the company] brand products on the [retailer’s] website reflected the experiences or opinions of users of the products.” The FTC argued that the failure to disclose that the owner or employees wrote the reviews constitutes a deceptive act or practice under Section 5 of the FTC Act because the information would “be material to consumers in evaluating the reviews of [the company] brand products in connection with a purchase or use decision.” In a 3-2 vote, the Commission approved the administrative consent order, which notably does not include any monetary penalties. The order prohibits the company from misrepresenting the status of an endorser and requires the company and owner to disclose the material connection between the reviewer and the product in the future.

    The FTC also entered into a proposed settlement with a now-defunct company and its owner for allegedly selling fake social media followers and subscribers to motivational speakers, law firm partners, investment professionals, and others who wanted to boost their credibility to potential clients; as well as to actors, athletes, and others who wanted to increase their social media appeal. According to the FTC, the company “provided such users of social media platforms with the means and instrumentalities for the commission of deceptive acts or practices,” in violation of Section 5(a) of the FTC Act. The Commission unanimously voted to approve the proposed court order, which bans the company from selling or assisting others in selling “social media influence.” The proposed order imposes a $2.5 million monetary judgment against the company owner, but suspends the majority upon the payment of $250,000.

    Federal Issues FTC Act Deceptive UDAP Disclosures Fraud FTC

  • 22 AGs and FTC Commissioner Chopra oppose HUD’s disparate impact proposal

    Federal Issues

    On October 18, 22 state attorneys general submitted comments opposing HUD’s proposed rule amending the agency’s interpretation of the Fair Housing Act’s disparate impact standard (also known as the “2013 Disparate Impact Regulation”), arguing the proposal would “render disparate impact liability a dead letter under the Fair Housing Act (FHA).” As previously covered by InfoBytes, in August HUD issued the proposed rule to bring the rule “into closer alignment with the analysis and guidance” provided in the 2015 Supreme Court ruling in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc. (covered by a Buckley Special Alert) and to codify HUD’s position that its rule is not intended to infringe on the states’ regulation of insurance. Specifically, the proposal codifies the burden-shifting framework outlined in Inclusive Communities, adding five elements that a plaintiff must plead to support allegations that a specific, identifiable policy or practice has a discriminatory effect. Moreover, the proposal provides methods for defendants to rebut a disparate impact claim.

    In the comment letter, the attorneys general argue that the proposal ignores “the Supreme Court’s binding interpretation of the FHA” in Inclusive Communities, stating that the Court “emphasiz[ed] the continued importance of the FHA’s disparate impact theory of liability in advancing the nation’s efforts to advance justice and equality.” Additionally, the attorneys general suggest that the proposal ignores HUD’s statutory mandate and is “arbitrary and capricious in light of its numerous substantive defects.” The attorneys general assert that no changes to the rule are necessary, as there are no revisions “that would add clarity, reduce uncertainty, decrease unwarranted regulatory burdens, or otherwise assist in determining lawful conduct.” The letter concludes with a threat of a “meritorious legal challenge” should HUD approve the changes.

    Similarly, on October 16, FTC Commissioner Rohit Chopra voiced his concerns with the proposal in a comment letter, stating that it “appears to fundamentally misunderstand how algorithms, big data, and machine learning work in practice,” and that “it would provide safe harbors to the same technologies at issue in HUD’s own action against [a social media company].” Chopra opposes HUD’s proposal for three reasons: (i) algorithms can produce discriminatory results because they are not neutral; (ii) safe harbors should not be created “around technologies that are proprietary, opaque, and rapidly evolving”; and (iii) incentives are distorted by “outsourcing [the] liability for algorithmic discrimination to third parties.” Chopra concludes that the proposal should not be finalized because it “moves enforcement against discrimination backwards.”

    Federal Issues Agency Rule-Making & Guidance HUD Fair Housing Act Disparate Impact Fair Lending FTC State Attorney General

  • CFPB Private Education Loan Ombudsman's annual report focuses on debt relief scams

    Federal Issues

    On October 15, the CFPB Private Education Loan Ombudsman published its annual report on consumer complaints submitted between September 1, 2017 and August 31, 2019. The report, titled Annual Report of the CFPB Student Loan Ombudsman, is based on approximately 20,600 complaints received by the Bureau relating to federal and private student loan servicing, debt collection, and debt relief services. The report focuses primarily on complaints and student loan debt relief scams, which are, according to Private Education Loan Ombudsman Robert G. Cameron, “two subjects that, if promptly addressed, may have the greatest immediate impact in preventing potential harm to borrowers.” Of the 20,600 complaints, roughly 13,900 pertained to federal student loans and approximately 6,700 related to private student loans. Both categories reflect a decrease in total complaints from previous years. The report also notes that the Bureau handled roughly 4,600 complaints related to student loan debt collection.

    The report goes on to discuss collaborative efforts between federal and state law enforcement agencies, including the CFPB, FTC, Department of Education, and state attorneys general, to address student loan debt relief scams. According to the report, the FTC’s Operation Game of Loans (previous InfoBytes coverage here) has yielded settlements and judgments totaling over $131 million for the past two years, while Bureau actions (taken on its own and with state agencies) have resulted in judgments exceeding $17 million.

    The report provides several recommendations, including that policymakers, the Department of Education, and the Bureau “assess and consider the sharing of information, analytical tools, education outreach, and expertise” to prevent borrower harm, and that when harm occurs, “reduce the window in which harm is occurring through timely identification and remediation.” With regard to student loan debt relief scams, the report recommends, among other things, that enforcement should be expanded “beyond civil enforcement actions to criminal enforcement actions at all levels.”

    Federal Issues CFPB Student Lending Debt Collection Debt Relief Consumer Complaints FTC
