On September 9, FTC Chairwoman Edith Ramirez delivered remarks at the Start For Security workshop, an FTC initiative intended to provide start-ups and developers with the resources and information necessary to integrate effective data security strategies into their products. In her remarks, Ramirez advised companies to establish a “culture of security” by: (i) embedding privacy and security into the development process of apps and other products; (ii) testing the product to ensure that security defaults work properly and controls are secure; and (iii) establishing a “bug bounty” program or a contact point for when flaws, bugs, and vulnerabilities in software are discovered.
Special Alert: Cross-Border Data Transfers Significantly Impacted by EU Court Decision Invalidating Adequacy of U.S.-EU Data Protection Safe Harbor Framework
On October 6, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.
The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities retain the power to assess the sufficiency of national data protection regimes outside the EU to which personal data will be transferred.
On August 28, the FTC announced that it will hold a public event, PrivacyCon, to examine current research and trends in protecting consumer privacy and security. Several “whitehat” researchers, academics, industry representatives, consumer advocates, and a range of government regulators are scheduled to address, among other things, how companies can protect against new security vulnerabilities. PrivacyCon will take place in Washington, D.C. on January 14, 2016.
On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” The unanimous ruling found that “deficient cybersecurity” practices, which “fail to protect consumer data against hackers,” may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers.
In affirming that the FTC has authority under Section 5 to pursue claims of inadequate data security, the Third Circuit explained that a company’s inadequate data security in the face of foreseeable intrusions falls within the plain meaning of “unfair.” The Third Circuit assured Wyndham that this authority does not enable the agency to dictate the type of locks on hotel room doors or the placement of guards on corporate premises. Nor does the agency have the authority to sue for every perceived deficiency, just as it would not have the authority to sue supermarkets simply for failing to consistently “sweep up banana peels.” However, the court pointed out that it matters how – and how many – consumers are affected by a company’s practice: “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).”
On August 25, a three-judge panel of the U.S. Court of Appeals for the Eighth Circuit affirmed a lower court’s decision to deny consumers’ motion to intervene in the FTC’s suit against BF Labs, Inc. d/b/a Butterfly Labs (“Butterfly”). Alexander v. Fed. Trade Comm’n, No. 14-3286 (8th Cir. Aug. 25, 2015). Butterfly marketed and sold bitcoin mining computers. In April 2014, two consumers filed a class action suit against Butterfly, alleging “deceptive and unconscionable business practices.” In September 2014, the FTC also filed suit against Butterfly, alleging “deceptive acts or practices.” The FTC sought preliminary injunctive relief, including staying all suits against Butterfly, which the district court granted. The consumers moved to intervene permissively and of right, but the district court denied their motion; the consumers appealed the denial of their motion to intervene of right. In order to have standing to intervene, a party must establish injury, causation, and redressability. The Court of Appeals found the consumers failed to show injury because their alleged injury (risk of financial harm) is contingent on various factors, including the FTC winning its case and precluding their recovery. Even if the consumers had standing to intervene, they would still have to meet the requirements of Rule 24(a) of the Federal Rules of Civil Procedure: the intervenor must (i) have a recognized interest in the subject matter of the litigation; (ii) show that the interest might be impaired by the disposition of the case; and (iii) show that the interest will not be adequately protected by the existing parties. Any government entity, such as the FTC, is presumed to be representing the interests of the public. Thus, the consumers had to meet a very high burden to show the FTC was not adequately protecting their interests in the case, which they did not.
Third Circuit Affirms District Court’s Decision Asserting FTC’s Authority over Companies’ Data Security Practices
On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015). The unanimous ruling found that deficient cybersecurity practices that fail to protect consumer data against hackers may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers. Wyndham argued that it lacked fair notice that the FTC had the authority to police data security practices under Section 5, but the Third Circuit disagreed, pointing out that the FTC has offered specific public guidance on data security over the years, and has filed multiple complaints and consent decrees raising unfairness claims based on inadequate cybersecurity that put companies on notice of its enforcement authority in this space.
On August 17, the FTC announced the resignation of Joshua D. Wright, who had served as one of the agency’s five commissioners since January 2013. Prior to being appointed as a Commissioner, Wright served at the FTC as an inaugural Scholar in Residence in the Bureau of Competition from 2007 to 2008. Wright’s term was set to expire in September 2019, but his resignation will become effective on August 24. Chairwoman Edith Ramirez noted that, “[t]he agency has benefited greatly from his perspective as a lawyer and economist.” Wright will return to his prior position as a professor at George Mason University School of Law.
On August 12, the FTC announced an action against a data broker enterprise for violations of the FTC Act. The FTC’s complaint alleges that, from at least 2011 to 2013, the data broker enterprise (i) sold payday loan applications to Ideal Financial Solutions and other non-lender third party companies for less than market value; and (ii) knew or had reason to know that Ideal Financial used the information to make unauthorized debits from consumers’ bank accounts. The complaint further alleges that the financial information of over 500,000 consumers was provided to Ideal Financial, which resulted in over $7.1 million of unauthorized debits to consumers’ accounts. Three of the defendants have agreed to settle the FTC’s allegations. The proposed settlement orders prohibit all three defendants from selling or otherwise benefitting from consumers’ personal information, and impose a $7.1 million judgment against two defendants and a $3.7 million judgment against the third. The settlement orders are subject to approval by the U.S. District Court for the District of Nevada.
On August 4, the FTC announced a settlement with a California-based company and its employees for allegedly violating the FTC Act and the Credit Repair Organizations Act. According to the associated complaint filed by the FTC in March 2015, the defendants operated a bogus credit repair scheme targeting Spanish-speaking consumers. The FTC alleged that the company and the four named employees deceived consumers with false representations that the company was affiliated with the FTC and false promises that they could repair consumers’ credit reports and guarantee that the consumer would have a credit score of 700 or higher within six months or less for a fee of approximately $2,000. The FTC’s final orders against the individuals and the company (i) hold the defendants jointly and severally liable for a $2.4 million monetary judgment; (ii) prohibit the defendants from selling or advertising credit repair services to consumers, and from deceiving consumers about any good or service they are selling; and (iii) bar the defendants from benefiting, through sale or otherwise, from having customers’ personal information. The final orders were approved by the Commission in a 5-0 vote and filed in the U.S. District Court for the Central District of California, Western Division on July 30 and August 3.
On July 7, the FTC entered into settlement agreements with two individuals and the entities they operate, seeking to permanently restrict them from doing business in the consumer lending industry. According to the FTC’s complaint filed in September 2014, the defendants allegedly operated an online payday lending scheme using personal financial information purchased from third-party lead generators or data brokers to make unauthorized deposits into, and withdrawals from, consumers’ bank accounts, regardless of whether the consumer had applied for a payday loan. Once the loan proceeds were placed into the consumers’ accounts, the defendants would withdraw “finance charges” from the accounts on a recurring basis, but would not credit the loans’ principal balances for those payments. Collectively, the defendants issued $28 million in payday loans, and extracted over $46.5 million from consumers’ bank accounts over an 11-month period. In addition to being banned from the consumer lending industry, the proposed agreements also order the defendants to pay approximately $52 million in restitution (subject to certain conditions), dismiss any consumer debt that may be owed, and prohibit the defendants from reporting such debts to any credit reporting agency or benefiting from the collection of customers’ personal information.
On June 29, the FTC filed two administrative complaints and issued proposed orders against two Las Vegas auto dealers to resolve allegations that they engaged in misleading advertising practices that misrepresented the purchase price or leasing offers of their vehicles, as well as the amount actually due at signing. The FTC also contends that the auto dealers failed to disclose other key information in their advertisements, such as the need for a security deposit, whether a down payment was required, and the terms of repayment. Under the proposed consent orders, the FTC will require both dealerships to refrain from misrepresenting the actual cost to purchase or lease a vehicle, and to comply with the requirements of the Consumer Leasing Act and the Truth in Lending Act. No monetary judgment is proposed for either auto dealership.
On June 29, a mobile app developer entered into an agreement with the FTC and the New Jersey AG to settle allegations that the developer engaged in deceptive and unfair practices by marketing its rewards app, called “Prized,” as being free of malicious software, also known as “malware.” However, according to the FTC, the true purpose of the mobile app was to upload malware onto consumers’ mobile devices capable of mining virtual currencies for the software developer. This process allegedly reduced the battery life of consumers’ devices and caused consumers to burn through their monthly data plans. Under the terms of the settlement, the developer and the accompanying mobile app are (i) prohibited from creating and distributing malicious software, and (ii) required to pay $50,000 to the state of New Jersey, with $5,200 due immediately, and the remaining $44,800 payable if the developer fails to comply with the terms of the consent order or the New Jersey Consumer Fraud Act within three years of the order.
On June 9, the FTC announced that it has provided to the CFPB its 2014 Annual Financial Acts Enforcement Report. The report highlights the FTC’s enforcement, research, rulemaking, and policy development activities with respect to the Truth in Lending Act (Regulation Z), the Consumer Leasing Act (Regulation M), and the Electronic Funds Transfer Act (Regulation E). Areas detailed within the report include enforcement actions related to non-mortgage credit, including auto finance and payday lending, mortgage loan advertising, and forensic audit scams; and consumer and business outreach related to truth in lending requirements. The report, submitted on May 29, will be used to prepare the CFPB’s Annual Report to Congress. The FTC also submitted a copy of the report to the Federal Reserve Board.
FTC Lobbies Michigan Legislature to Repeal Ban On Direct-to-Consumer Sale of Motor Vehicles by Auto Manufacturers
On May 11, the FTC released a statement regarding the agency staff’s May 7 letter to Michigan Senator Booher, which concerns pending SB 268 – an act to regulate the sale and servicing of automobiles. The proposed legislation seeks to create an “exception to current law that prohibits automobile manufacturers from selling new vehicles directly to consumers.” While the letter states that the bill likely will encourage competition and benefit consumers, the staff’s view is that the legislation’s scope is too narrow and “would largely perpetuate the current law’s protectionism for independent franchised dealers, to the detriment of Michigan car buyers.” The focal point of the FTC staff’s letter is that, “absent some legitimate public purpose, consumers would be better served if the choice of distribution method were left to motor vehicle manufacturers and the consumers to whom they sell their products.”
On April 21, the CFPB and the FTC announced a joint enforcement action against a national mortgage servicing company, ordering the company to pay roughly $63 million in relief and penalties for allegedly mishandling home loans for borrowers who were trying to avoid foreclosure. Both regulators allege that from 2010 to 2014, the servicing company failed to honor modifications made to loans it acquired from other firms. According to the complaint, the company allegedly insisted that homeowners make the higher monthly payments and also make payments before providing loss mitigation options. Moreover, the CFPB and FTC claim the company illegally harassed borrowers who fell behind, made false threats, and revealed debts to the borrowers’ employers. The servicing company will pay $48 million in relief to eligible homeowners and a $15 million civil money penalty to the CFPB.