Eleventh Circuit LabMD Decision Significantly Restrains FTC’s Remedial Powers in Data Security and Privacy Actions

The U.S. Court of Appeals for the Eleventh Circuit recently released its highly anticipated decision in the long-running case pitting the now-defunct medical laboratory LabMD against the Federal Trade Commission (FTC), vacating the FTC’s data security order. In reaching its conclusion, the court held that the order’s requirement that LabMD establish a comprehensive information security program was unenforceable. This holding has broad implications for the FTC’s remedial powers in data security and privacy actions going forward, as requirements to establish a comprehensive security or privacy program have become common in FTC security and privacy settlements over the past 16 years. If the court’s decision stands, the FTC will likely need to enjoin specific acts or practices in its security and privacy orders, rather than relying on broad requirements that companies implement comprehensive security or privacy programs.

Click here to read our complete WSGR Alert on the Eleventh Circuit’s LabMD decision.

What’s Old Is New Again: FTC Takes Rare Step of Withdrawing and Reissuing Expanded Data Security Settlement with Uber in Light of 2016 Data Breach

On April 12, 2018, the Federal Trade Commission (FTC) announced that it was withdrawing its proposed August 2017 privacy and data security settlement with Uber Technologies and issuing a new and expanded proposed settlement.1 According to the FTC, the reason for this extraordinary step was to address additional allegations of misconduct by the ride-sharing company in connection with a data breach it suffered in 2016. The revised complaint includes new factual allegations regarding that breach,2 and the revised consent order includes significant new reporting obligations for the company regarding future breaches, new obligations for the order’s mandated privacy program, and additional reporting and recordkeeping obligations that will last for longer periods of time.3

Those that closely follow the FTC know that any modifications to consumer protection settlements after they have been proposed by the FTC are extremely rare, so it’s worth taking a closer look at what triggered this unusual action and the important new insight it provides into the FTC’s current thinking on what it considers unreasonable security practices. Additionally, the FTC’s revised complaint provides, for the first time, concrete guidance on what it considers “legitimate” uses of a bug bounty program. Continue Reading

Federal Judge Allows Researchers’ First Amendment Challenge to CFAA’s “Access” Provision to Move Forward

On March 30, 2018, in Sandvig v. Sessions,1 the U.S. District Court for the District of Columbia held that a group of academic researchers can move forward with their First Amendment challenge to the Computer Fraud and Abuse Act (CFAA),2 a federal law that criminalizes, among other things, accessing a computer in a manner that “exceeds authorized access.”

The CFAA was enacted in the early 1980s in response to concerns that there were not enough criminal laws on the books to address emerging computer crimes.3 In its early days, the statute narrowly prohibited harmful computer misuse such as malicious hacking and attempts to break into government computers. In 1986, however, Congress began passing a series of amendments that significantly expanded the statute’s reach. Today, many view the CFAA as an overbroad, vague law that criminalizes standard computer conduct in the digital age. Others view it as a pragmatic tool to deter unwanted computer misuse that harms businesses and consumers alike. As a result, the outcome of this case will have implications for individuals who seek to obtain data through means like scraping, and websites that seek to deter unwanted conduct through contract-based restrictions on access to their services. Continue Reading

Federal Court Challenges FTC’s Litigation Authority in FTC v Shire ViroPharma

In a novel interpretation of the Federal Trade Commission (FTC) Act, the U.S. District Court for the District of Delaware recently held in FTC v. Shire ViroPharma that the FTC had failed to plead the facts necessary to invoke its authority to sue for permanent injunction in federal court because it did not allege an ongoing or imminent violation of the FTC Act. This ruling could broadly impact the FTC’s authority to litigate cases in federal court for past violations of the FTC Act and prevent the FTC from seeking permanent injunctive relief in federal court unless the defendant is currently violating, or is about to violate, the act.

Factual Background

The FTC had brought suit against Shire for anti-competitive use of the U.S. Food and Drug Administration’s (FDA’s) citizen petition process to delay generic competition. The FTC alleged that the company exploited the FDA’s petition process to an extraordinary degree, submitting more than 46 regulatory and court filings. The company’s attempts to delay competition were ultimately unsuccessful, as Shire lost its legal challenges to the FDA, and the company was no longer engaged in the practice at the time the FTC’s complaint was filed. Nevertheless, the FTC’s complaint alleged that Shire had succeeded in delaying generic entry at great cost to consumers and demanded relief. Continue Reading

Congress Enacts the CLOUD Act, Granting Law Enforcement Access to Information Stored Abroad, and Mooting U.S. v. Microsoft

On March 23, 2018, President Trump signed into law the Consolidated Appropriations Act, 2018, which contained a section entitled the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act significantly revises the rules underlying law enforcement requests for access to communications information stored abroad, and may have far-reaching implications for companies that collect, transmit, and store such communications.

The CLOUD Act resolves an ambiguity in federal law that increasingly served as a flashpoint between tech companies and law enforcement. Most prominently, this question was posed to the U.S. Supreme Court in United States v. Microsoft Corp, a case originating in 2013 that the Court heard on February 27, 2018. In Microsoft, the United States argued that U.S.-based service providers could be compelled to turn over responsive data when served with a warrant, whether held in America or abroad. Microsoft argued that the government’s warrant authority only reached data held in the U.S. itself. Before the Court handed down a decision, however, the CLOUD Act was passed, and with the case moot, the Court remanded and dismissed it at the request of both sides. Continue Reading

New FTC Report Recommends Steps to Improve Mobile Security Updates

In February 2018, the Federal Trade Commission (FTC) released a report that explores the complexities of the mobile ecosystem and makes recommendations for industry to improve the mobile security update process for consumers.

The report is part of the FTC’s effort to address concerns that mobile devices are not receiving the operating system patches they need to defend against attacks. It begins by highlighting that even though three-quarters of Americans own smartphones and increasingly rely on them to store and transfer sensitive information, many devices are not receiving the updates they need to protect against critical security vulnerabilities. As a result, many consumers’ devices are vulnerable to malicious software attacks like spyware, phishing, and ransomware, all of which put consumers at risk of identity theft, fraudulent charges, and similar financial or other risk. As characterized by former Acting Director of the FTC’s Bureau of Consumer Protection Tom Pahl, “[c]onsumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure,” but “significant differences in how the industry deploys security updates” must be addressed to “make it easier to ensure their devices are secure.”1
Continue Reading

LexBlog