On March 23, 2018, President Trump signed into law the Consolidated Appropriations Act, 2018, which contained a section entitled the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act significantly revises the rules underlying law enforcement requests for access to communications information stored abroad, and may have far-reaching implications for companies that collect, transmit, and store such communications.

The CLOUD Act resolves an ambiguity in federal law that increasingly served as a flashpoint between tech companies and law enforcement. Most prominently, this question was posed to the U.S. Supreme Court in United States v. Microsoft Corp., a case originating in 2013 that the Court heard on February 27, 2018. In Microsoft, the United States argued that U.S.-based service providers could be compelled to turn over responsive data when served with a warrant, whether the data was held in America or abroad. Microsoft argued that the government’s warrant authority reached only data held in the U.S. itself. Before the Court handed down a decision, however, the CLOUD Act was passed, and with the case moot, the Court remanded and dismissed it at the request of both sides.

Post: Congress Enacts the CLOUD Act, Granting Law Enforcement Access to Information Stored Abroad, and Mooting U.S. v. Microsoft

In February 2018, the Federal Trade Commission (FTC) released a report that explores the complexities of the mobile ecosystem and makes recommendations for industry to improve the mobile security update process for consumers.

The report is part of the FTC’s effort to address concerns that mobile devices are not receiving the operating system patches they need to defend against attacks. It begins by highlighting that even though three-quarters of Americans own smartphones and increasingly rely on them to store and transfer sensitive information, many devices are not receiving the updates they need to protect against critical security vulnerabilities. As a result, many consumers’ devices are vulnerable to malicious software attacks like spyware, phishing, and ransomware, all of which put consumers at risk of identity theft, fraudulent charges, and similar financial or other risk. As characterized by former Acting Director of the FTC’s Bureau of Consumer Protection Tom Pahl, “[c]onsumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure,” but “significant differences in how the industry deploys security updates” must be addressed to “make it easier to ensure their devices are secure.”[1]

Post: New FTC Report Recommends Steps to Improve Mobile Security Updates

The Federal Trade Commission (FTC) recently granted a petition by Sears Holdings Management Corporation requesting that the FTC reopen and modify a 2009 FTC order settling charges that Sears failed to adequately disclose the scope of the consumers’ personal information it collected via a downloadable software application.

Sears’ 2009 Order

On August 31, 2009, the FTC entered a final order in In the Matter of Sears Holdings Management Corporation after determining that from approximately April 2007 to January 2008, Sears disseminated a desktop software application through its websites that collected sensitive information, such as online bank statements, drug prescription records, and video rental records, yet Sears failed to disclose the scope of the application’s data collection. Among other things, the order required Sears to disseminate all future “tracking applications” in a specified manner, including by making certain disclosures and obtaining express opt-in consent using processes stipulated by the order, for a 20-year term.
Post: FTC Grants Sears’ Petition to Reopen and Modify 2009 Order Concerning Online Browsing Tracking

On June 1, 2018, the Alabama Data Breach Notification Act of 2018 will take effect. Alabama is the last state to enact a breach notification law, and its new law also distinguishes itself from other states’ laws in a variety of unique ways.

Consistent with other state breach notification laws, the new law broadly defines “sensitive personally identifying information” maintained in electronic form (covered information). In addition to government-issued forms of identification and financial account numbers, covered information includes an individual’s medical history, mental or physical condition, or medical treatment or diagnostic information when combined with the resident’s name. Usernames or email addresses, in combination with a password or security question and answer, are also classified as covered information, but only if the account is affiliated with the entity that experienced the breach, and only if such credentials would permit access to an online account that is “reasonably likely to contain or is used to obtain” sensitive personally identifying information (i.e., the notification requirement is triggered when the username or email address and password grant access to covered information). These important caveats limit the circumstances in which entities that maintain covered information (covered entities) must notify Alabama residents of breaches involving usernames or email addresses and passwords.

Post: Alabama Becomes Final State to Enact Data Breach Notification Law

On February 26, 2018, the U.S. Court of Appeals for the Ninth Circuit issued an en banc decision in FTC v. AT&T holding that the Federal Trade Commission (FTC) Act’s “common carrier” exemption is activity-based, reversing the panel’s decision that the exemption is status-based, which would have opened a large enforcement gap for telecommunications companies like AT&T. This is an important decision in terms of FTC jurisdiction: it means that the FTC can and will continue to regulate common carriers to the extent that they provide non-common-carrier services, such as mobile internet services.

Section 5 of the FTC Act gives the Commission enforcement authority over unfair and deceptive acts or practices, but exempts “common carriers subject to the Acts to regulate commerce.” Unsurprisingly, the question of whether a company qualifies as a “common carrier” under the exemption is a loaded and complicated one. If an entity falls within the exemption, the FTC cannot bring an enforcement action against it for conduct the FTC considers harmful to consumers. Conversely, companies that fall outside the exemption are subject to FTC regulation, leaving them open to liability for unfair or deceptive conduct and requiring that they comply with a long list of FTC rules.

Post: “Two Cops on the Beat is Nothing Unusual”: Ninth Circuit Reverses Panel Decision, Rules FTC Act’s “Common Carrier” Exemption is Activity-Based