What’s Old Is New Again: FTC Takes Rare Step of Withdrawing and Reissuing Expanded Data Security Settlement with Uber in Light of 2016 Data Breach

Christopher OlsenEdward HolmanBy Christopher Olsen and Edward Holman on Posted in Cybersecurity, Privacy, Regulatory

On April 12, 2018, the Federal Trade Commission (FTC) announced that it was withdrawing its proposed August 2017 privacy and data security settlement with Uber Technologies and issuing a new and expanded proposed settlement.1 According to the FTC, the reason for this extraordinary step was to address additional allegations of misconduct by the ride-sharing company in connection with a data breach it suffered in 2016. The revised complaint includes new factual allegations regarding that breach,2 and the revised consent order includes significant new reporting obligations for the company regarding future breaches, new obligations for the order’s mandated privacy program, and additional reporting and recordkeeping obligations that will last for longer periods of time.3

Those that closely follow the FTC know that any modifications to consumer protection settlements after they have been proposed by the FTC are extremely rare, so it’s worth taking a closer look at what triggered this unusual action and the important new insight it provides into the FTC’s current thinking on what it considers unreasonable security practices. Additionally, the FTC’s revised complaint provides, for the first time, concrete guidance on what it considers “legitimate” uses of a bug bounty program. Continue Reading

Federal Judge Allows Researchers’ First Amendment Challenge to CFAA’s “Access” Provision to Move Forward

Kelly SingletonBy Kelly Singleton on Posted in Litigation, Privacy

On March 30, 2018, in Sandvig v. Sessions,1 the U.S. District Court for the District of Columbia held that a group of academic researchers can move forward with their First Amendment challenge to the Computer Fraud and Abuse Act (CFAA),2 a federal law that criminalizes, among other things, accessing a computer in a manner that “exceeds authorized access.”

The CFAA was enacted in the early 1980s in response to concerns that there were not enough criminal laws on the books to address emerging computer crimes.3 In its early days, the statute narrowly prohibited harmful computer misuse such as malicious hacking and attempts to break into government computers. In 1986, however, Congress began passing a series of amendments that significantly expanded the statute’s reach. Today, many view the CFAA as an overbroad, vague law that criminalizes standard computer conduct in the digital age. Others view it as a pragmatic tool to deter unwanted computer misuse that harms businesses and consumers alike. As a result, the outcome of this case will have implications for individuals who seek to obtain data through means like scraping, and websites that seek to deter unwanted conduct through contract-based restrictions on access to their services. Continue Reading

Federal Court Challenges FTC’s Litigation Authority in FTC v Shire ViroPharma

Libby WeingartenBy Libby Weingarten on Posted in Litigation, Regulatory

In a novel interpretation of the Federal Trade Commission (FTC) Act, the U.S. District Court for the District of Delaware recently held in FTC v. Shire ViroPharma that the FTC had failed to plead the facts necessary to invoke its authority to sue for permanent injunction in federal court because it did not allege an ongoing or imminent violation of the FTC Act. This ruling could broadly impact the FTC’s authority to litigate cases in federal court for past violations of the FTC Act and prevent the FTC from seeking permanent injunctive relief in federal court unless the defendant is currently violating, or is about to violate, the act.

Factual Background

The FTC had brought suit against Shire for anti-competitive use of the U.S. Food and Drug Administration’s (FDA’s) citizen petition process to delay generic competition. The FTC alleged that the company exploited the FDA’s petition process to an extraordinary degree, submitting more than 46 regulatory and court filings. The company’s attempts to delay competition were ultimately unsuccessful, as Shire lost its legal challenges to the FDA, and the company was no longer engaged in the practice at the time the FTC’s complaint was filed. Nevertheless, the FTC’s complaint alleged that Shire had succeeded in delaying generic entry at great cost to consumers and demanded relief. Continue Reading

Congress Enacts the CLOUD Act, Granting Law Enforcement Access to Information Stored Abroad, and Mooting U.S. v. Microsoft

Beth GeorgeBrett WeinsteinBy Beth George and Brett Weinstein on Posted in Cybersecurity, Privacy, Regulatory

On March 23, 2018, President Trump signed into law the Consolidated Appropriations Act, 2018, which contained a section entitled the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act significantly revises the rules underlying law enforcement requests for access to communications information stored abroad, and may have far-reaching implications for companies that collect, transmit, and store such communications.

The CLOUD Act resolves an ambiguity in federal law that increasingly served as a flashpoint between tech companies and law enforcement. Most prominently, this question was posed to the U.S. Supreme Court in United States v. Microsoft Corp, a case originating in 2013 that the Court heard on February 27, 2018. In Microsoft, the United States argued that U.S.-based service providers could be compelled to turn over responsive data when served with a warrant, whether held in America or abroad. Microsoft argued that the government’s warrant authority only reached data held in the U.S. itself. Before the Court handed down a decision, however, the CLOUD Act was passed, and with the case moot, the Court remanded and dismissed it at the request of both sides. Continue Reading

New FTC Report Recommends Steps to Improve Mobile Security Updates

Matthew StaplesKelly SingletonBy Matthew Staples and Kelly Singleton on Posted in Cybersecurity, Regulatory

In February 2018, the Federal Trade Commission (FTC) released a report that explores the complexities of the mobile ecosystem and makes recommendations for industry to improve the mobile security update process for consumers.

The report is part of the FTC’s effort to address concerns that mobile devices are not receiving the operating system patches they need to defend against attacks. It begins by highlighting that even though three-quarters of Americans own smartphones and increasingly rely on them to store and transfer sensitive information, many devices are not receiving the updates they need to protect against critical security vulnerabilities. As a result, many consumers’ devices are vulnerable to malicious software attacks like spyware, phishing, and ransomware, all of which put consumers at risk of identity theft, fraudulent charges, and similar financial or other risk. As characterized by former Acting Director of the FTC’s Bureau of Consumer Protection Tom Pahl, “[c]onsumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure,” but “significant differences in how the industry deploys security updates” must be addressed to “make it easier to ensure their devices are secure.”1
Continue Reading

FTC Grants Sears’ Petition to Reopen and Modify 2009 Order Concerning Online Browsing Tracking

Tracy ShapiroLibby WeingartenBy Tracy Shapiro and Libby Weingarten on Posted in Cybersecurity, Regulatory

The Federal Trade Commission (FTC) recently granted a petition by Sears Holding Management requesting that the FTC reopen and modify a 2009 FTC order settling charges that Sears failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software app.

Sears’ 2009 Order

On August 31, 2009, the FTC entered a final order in In the Matter of Sears Holdings Management Corporation after determining that from approximately April 2007 to January 2008, Sears disseminated a desktop software application through its websites that collected sensitive information, such as online bank statements, drug prescription records, and video rental records, yet Sears failed to disclose the scope of the application’s data collection. Among other things, the order required Sears to disseminate all future “tracking applications” in a specified manner, including by making certain disclosures and obtaining express opt-in consent using processes stipulated by the order, for a 20-year term. Continue Reading

LexBlog