Companies have been pressing the Federal Trade Commission (FTC) for additional guidance on data security, and the agency recently delivered. On August 10, 2015, the FTC issued a public closing letter to Morgan Stanley Smith Barney LLC (Morgan Stanley) regarding the agency’s investigation into concerns that the company “fail[ed] to secure, in a reasonable and appropriate manner, account information related to Morgan Stanley’s Wealth Management clients.”1 In the context of data security investigations, closing letters—which explain why FTC staff opted to close an investigation—have the potential to offer helpful insights on what security measures the FTC considers to be reasonably designed to protect the privacy and security of personal information. Knowing what factors influenced the FTC staff’s decision to close an investigation in one instance is as instructive as knowing why the staff decided to pursue an enforcement action in another.
Continue Reading FTC Closing Letter Confirms the Importance of Implementing Employee Access Controls

Beginning January 1, 2016, the recently enacted “Delaware Online Privacy and Protection Act”1 (DOPPA) will take effect and will impact all companies with online services used by Delaware residents. DOPPA consists of three separate online privacy laws: (1) a law prohibiting certain types of online marketing or advertising to minors;2 (2) a law requiring commercial websites and online services to post privacy policies;3 and (3) a law restricting government access to user records kept by online book service providers.4 The laws are substantively similar to online privacy laws already in effect in other states, and are particularly similar to laws in effect in California. The Consumer Protection Unit of the Delaware Department of Justice can enforce DOPPA’s three laws under the same provisions that it enforces other state consumer protection laws.5 DOPPA does not create a private right of action for any of the three laws.6
Continue Reading Delaware Enacts New Online Privacy Laws

Cyber attacks can result in significant monetary and reputational damage to a wide range of businesses. Recently, the U.S. Department of Justice (DOJ) increased its efforts to engage businesses on cybersecurity issues. Earlier this year, as part of that effort, the department published a new resource for companies victimized by a cyber attack. The guidance, “Best Practices for Victim Response and Reporting of Cyber Incidents,” is targeted at smaller organizations, but it provides beneficial insights for companies of all sizes, including best practices for preparing for, responding to, and recovering from cyber incidents that are applicable to all organizations.1
Continue Reading DOJ Issues Guidance for Responding to Cyber Attacks

The Federal Communications Commission’s (FCC’s) newly promulgated Open Internet rules (2015 rules)—also known as the net neutrality rules—went into effect on June 12, 2015.1 The new rules apply specifically to broadband Internet access service providers, and not to Internet content, application, and device providers (edge providers). Nonetheless, by design, the rules will have a potentially far-reaching impact on edge providers’ and consumers’ rights and the avenues for redress in the face of harm inflicted by broadband providers. To date, the FCC has yet to receive any formal complaints from companies, though those may well be in the offing, according to some media reports and public statements.2
Continue Reading FCC Open Internet Rules Contain Important New Privacy, Data Security, and Transparency Measures

On July 10, 2015, the Federal Communications Commission (FCC) released its long-anticipated Declaratory Ruling and Order1 addressing twenty-one petitions and requests seeking clarification of, and relief from, various provisions of the Telephone Consumer Protection Act (TCPA) and the FCC’s implementing regulations.2 The order provides some much-needed clarity in certain areas, but commentators have generally concluded that the order has broadened the reach of the TCPA and inserted uncertainty in other areas, making calling or texting consumers an increasingly risky business practice.
Continue Reading FCC Issues Omnibus TCPA Declaratory Ruling and Order Addressing Numerous Issues Regarding Calling and Texting Consumers

The Canadian Anti-Spam Legislation (CASL) is now showing that it has strong teeth. CASL requires companies operating in Canada to obtain affirmative opt-in consent prior to sending commercial electronic messages (CEMs), such as emails or text messages, within Canada. In addition, any CEM sent must contain certain identification information and provide recipients with a means of opting out or unsubscribing from future messages. These requirements were enacted in December 2010, and CASL provided a grace period that ended on July 1, 2014. Now that CASL is subject to enforcement, the Canadian Radio-television and Telecommunications Commission (CRTC), which is charged with enforcing CASL, has announced two enforcement actions that should place organizations operating in Canada on notice that violations of the law may result in significant penalties.
Continue Reading Canadian Anti-Spam Legislation Shows Its Teeth with First Enforcement Actions