Cybersecurity

Subscribe to Cybersecurity via RSS

On March 15, 2022, the Federal Trade Commission (FTC) announced it had filed a complaint against Residual Pumpkin Entity, LLC, formerly doing business as CafePress, and PlanetArt LLC, which bought CafePress in 2020 (collectively, CafePress). The FTC alleged that CafePress, an online platform used by consumers who bought or sold customized t-shirts, mugs, and other merchandise, had, among other things, failed to implement reasonable security measures, and misrepresented that it would use email addresses for order notification and receipt, when in fact it used email addresses for marketing purposes. As part of the proposed settlements with Residual Pumpkin and Planet Art, each is required, among other things, to implement, annually assess, test, and monitor a comprehensive written information security program. Residual Pumpkin also would be required to pay a $500,000 penalty.
Continue Reading FTC Issues Complaint and Proposed Settlement with Online Retailer for Deceptive and Unfair Security and Privacy Practices

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require current and periodic reporting of material cybersecurity incidents as well as more detailed disclosure of cybersecurity risk management, expertise, and governance. This alert summarizes the proposed changes, which are subject to public comment until the later of May 9, 2022 or 30 days after publication in the Federal Register.
Continue Reading SEC Proposes New Cybersecurity Reporting and Enhanced Standardized Disclosure

On February 16, 2022, the Federal Trade Commission (FTC) filed a proposed settlement order in federal court in its case against WW International, Inc (formerly known as Weight Watchers International, Inc.) and its subsidiary Kurbo, Inc. (Kurbo) to resolve allegations that the defendants violated the Children’s Online Privacy Protection Act and its implementing rules (COPPA).1 The FTC alleged that the defendants violated COPPA by failing to provide required notices and obtain verifiable parental consent prior to collecting, using, and disclosing personal information from children using their weight loss app. As part of the proposed settlement, the defendants are required to, among other things: 1) update their procedures to ensure that they obtain verifiable parental consent before collecting personal information from children, 2) destroy all of the personal information they obtained in violation of COPPA as well as any models or algorithms based on that information, and 3) pay a civil penalty of $1.5 million.
Continue Reading FTC Settles with Weight Watchers in First Children’s Privacy Case Requiring Deletion of Algorithms

On February 2, 2022, the UK privacy regulator (i.e., the Information Commissioner’s Office or the ICO) issued new model clauses to support data transfers from the UK. Subject to approval by the UK Parliament, the new model clauses will become effective March 21, 2022. Companies transferring personal data outside the UK will have until March 21, 2024 to update existing contracts, but should use the new model clauses for any new contracts they sign as of September 21, 2022.

Background
Continue Reading New Model Clauses for Personal Data Transfers Outside the UK

So you’re a fintech startup, buying a fintech company, or expanding the technical capabilities of your financial business. Or you’re a tech company that is getting into the payments space. Where do you start when it comes to figuring out what consumer protection laws apply to you? You should be aware that, for the past several years, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have been actively enforcing consumer protection laws in the fintech space. For example, the FTC has recently brought cases involving an online lender that allegedly charged undisclosed fees, a mobile banking app that falsely promised high interest rates and 24/7 access to funds, promoters of cryptocurrency money-making schemes, and tech platforms offering in-app purchases. The CFPB most recently shuttered a VC-backed online lender for false advertising related to interest rates and loan amounts. Earlier last year, the CFPB had obtained refunds and a civil penalty against a fintech company for enabling merchants to obtain loans for consumers without their authorization.
Continue Reading Fintech and Financial Privacy: Regulatory Developments on the Use of Financial Data

On December 6, 2021, the Belgian Data Protection Authority (Belgian DPA) issued its recommendation on biometric data processing (Recommendation).[1] The Recommendation provides guidance on how to comply with the General Data Protection Regulation (GDPR) when processing biometric data.
Continue Reading Belgian Data Protection Authority Clarifies Key Rules on Biometric Data Processing