Joseph Molosky

Subscribe to Joseph Molosky's Posts

Despite reaching settlements with more than 50 organizations on data security issues since the late 1990s, no organization seriously challenged the Federal Trade Commission’s (FTC’s) authority to bring such cases until FTC v. Wyndham Worldwide Corp. made headlines in 20121 The case brought rampant speculation from the privacy and data security community on the likely outcome and potential impact on a number of issues, ranging from the FTC’s enforcement authority to national and state data security laws. Recent rulings rejecting Wyndham’s motions to dismiss may not break new ground for the FTC, but the commission’s ability to overcome the first challenges to its data security enforcement authority are significant and continue the agency’s trajectory as the country’s leading data security enforcer.2
Continue Reading The Wyndham Rulings and the FTC’s Leadership on Data Security Enforcement

On March 27, 2014, the Federal Communications Commission (FCC) addressed an outstanding petition1 seeking guidance for compliance with the “prior express consent” requirement of the Telephone Consumer Protection Act (TCPA) for informational text messages.2 In a declaratory ruling, the FCC provided clarification of this requirement, and specifically addressed whether an intermediary may provide such consent. The FCC agreed with group texting service GroupMe, Inc. that, consistent with the TCPA, intermediaries may convey consent provided by others to receive informational text messages.3 However, the FCC made clear that companies ultimately remain liable where intermediaries fail to obtain the required consent. The ruling demonstrates a current trend at the FCC to allow businesses communicating with consumers by text message some flexibility while navigating the TCPA’s increasingly complex requirements.
Continue Reading FCC Clarifies That Consent May Be Provided by Intermediary for Informational Text Messages

The Federal Trade Commission’s (FTC’s) enforcement actions for claims of compliance with Safe Harbor privacy frameworks by U.S. companies have increased significantly over the past few months. In the first two months of 2014 alone, the FTC announced settlements with 13 U.S. companies over allegations that the companies falsely claimed they held current certifications under the U.S.-EU Safe Harbor Privacy Framework.1 The FTC’s focus has not been limited to the EU framework, as three of the settlements include claims that the companies falsely represented holding current certifications under the U.S.-Swiss Safe Harbor Privacy Framework.
Continue Reading FTC Steps Up Enforcement of Safe Harbor Compliance Claims

A data security incident can be daunting for an organization, quickly spurring it into full-blown crisis mode. Once an incident is discovered, IT and security personnel may work around the clock to attempt to identify and fix security vulnerabilities, assess and mitigate any damage from the incident, and report their findings and efforts to senior management. The organization’s attorneys may review the incident from a legal risk perspective and engage experienced outside counsel and forensics firms to better assess how the organization should respond to the incident in light of its legal and contractual obligations. The communications and customer service teams may need to respond to customer inquiries about system performance and strange system behavior, while IT personnel are following emergency protocols to attempt to strengthen system security and investigate the incident. In addition, the communications team may be involved in any required data breach notifications. Finally, senior management will need to analyze technical details and legal advice to make organizational decisions that may significantly affect the organization’s customers, reputation, and bottom line.
Continue Reading Breach Notification: Timing Is Everything