Consumer Protection Connection

Consumer Protection

NIST Issues New Update to Cybersecurity Framework

Posted in Cybersecurity

On January 10, 2017, the National Institute of Standards and Technology (NIST) released an update to its Cybersecurity Framework, first issued in 2014. The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The new draft provides details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. According to NIST, the new Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 incorporates feedback and suggestions received since 2014, including responses from a December 2015 request for information and comments from attendees of a workshop held in April 2016.

The changes in the latest Framework include a new section on cybersecurity measurement; a more detailed explanation of how to use the Framework for Cyber Supply Chain Risk Management purposes; refinements to better account for authentication, authorization, and identity proofing; and a more thorough explanation of the relationship between Implementation Tiers and Profiles.

NIST is a branch of the U.S. Department of Commerce which provides measurement standards. On February 12, 2013, President Obama issued an Executive Order that called for the development of a risk-based, voluntary set of industry standards and best practices to help organizations manage cybersecurity risks. The Cybersecurity Framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia and government agencies. The Cybersecurity Enhancement Act of 2014 calls for NIST to continue its work on the framework.

Details of the changes can be found in Appendix A of the draft Framework. Comments on the draft will be accepted until April 10, 2017, and should be sent to From ransomware attacks to data breaches at major retailers, health care facilities and others, cybercrime continues to present serious threats to businesses across the supply chain. With these growing risks, it is important for businesses in all sectors to monitor best practices and assess, implement, and re-assess security solutions periodically.

Turn, Inc. Settles with FTC Over Deceptive Consumer Tracking

Posted in Privacy

In 2015, Verizon found itself in hot water over charges it was using a “super cookie” that continued to operate even when users believed they had opted out of mobile phone data tracking. Verizon allegedly then sent the data obtained to a third party for targeted advertising purposes without its customers’ consent. Verizon settled with the FTC in 2015, and now, the third party at the heart of the FTC’s complaint, Turn Inc., has followed suit, agreeing to the terms of a consent order with the FTC on December 20, 2016.

Turn’s demand side platform and data management platform enables sellers to target consumers with digital advertisements. According to the FTC, Turn’s privacy policy indicated that Verizon wireless customers could set their web browser to block targeted advertising or limit cookies, but that web data tracking continued even after customers had taken the appropriate steps to turn it off.

The proposed consent order requires Turn to provide an effective opt-out for consumers who do not want their data used for targeted advertising; place a hyperlink on its homepage to an explanation of what information is collected and used for targeted advertising; and provide an accurate representation of its privacy policy.

Public comments on the proposed agreement will be accepted through January 19, 2017, and interested parties can submit comments here.

California Department of Toxic Substances Control Releases Draft Alternatives Analysis Guide

Posted in Product Safety

On December 12, 2016, the California Department of Toxic Substances Control (DTSC) released a draft Alternatives Analysis (AA) Guide under the state’s green chemistry program, Safer Consumer Products (SCP). Under the SCP program, product designers and manufacturers are encouraged to reduce or eliminate the use of certain targeted chemicals in their products, and the Guide is intended to help businesses navigate the SCP Alternatives Analysis process.  It also provides useful approaches, methods, resources, tools, and examples of best practices.

A webinar to discuss the draft Guide will be held on January 10, 2017; registration information is available here.  The comment period is open now and runs until January 20, 2017.

Clocking in at over 200 pages, the draft Guide is far from light reading, but businesses and trade associations that use chemicals currently or that are potentially targeted in the SCP process should keep close tabs on AA developments  and consider submitting comments. AAs will impose substantial expense on companies and industries, in part because the California SCP legislation establishes proscriptive requirements that no currently available AA tool will meet.

Avoid Being Held Hostage: FTC Releases Ransomware Guidance

Posted in Cybersecurity

New research from security company Kaspersky Labs suggests that the use of ransomware is now so widespread that nearly every moment, a ransomware attack is being launched somewhere in the world on businesses and consumers.

Ransomware, or malicious software that infiltrates computer systems and uses tools like encryption to deny access or hold data “hostage” for a ransom, is becoming an epidemic. According to Kaspersky’s data, ransomware attacks increased threefold between January and September 2016. Forty-two percent of small and medium-sized businesses were hit with ransomware attacks, while individual consumer attacks escalated from one every twenty seconds to one every ten. Ransoms demanded typically range from $500 to $1,000, but some criminals have demanded as much as $30,000, and only one in five small- to medium-sized companies have been able to retrieve their data after payment.

The threat is so great that Federal Trade Commission (FTC) held a workshop on ransomware on September 7, 2016. In her opening remarks, FTC Chairwoman Edith Ramirez cautioned businesses to be aware of the dangers of ransomware, and to adhere to FTC recommendations.

As a follow-up to the workshop, the FTC released ransomware guidelines on November 10, 2016, including a video outlining the dangers. The guidance offers four important steps that the FTC believes businesses should adopt to minimize the risk of ransomware threats:

  • Training and education. Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
  • Cyber hygiene. Practice good security by implementing basic cyber hygiene principles. Cyberhygiene initiatives include important steps:
    • Assess the computers and devices connected to networks to proactively identify the scope of potential exposure to malware.
    • Identify technical measures that can mitigate risk, including endpoint security products, email authentication, intrusion prevention software, and web browser protection.
    • Implement procedures to keep security current. Update and patch third-party software to eliminate known vulnerabilities.
  • Back up your data early and often.
    • Identify business-critical data in advance and establish regular and routine backups.
    • Keep backups disconnected from your network so that you can rely on them in the event of an attack.
  • Prepare for an attack. Develop and test incident response and business continuity plans.

The FTC also advises victims of ransomware on three steps they should adopt in response to attacks:

  • Contain the attack. Disconnect infected devices from your network to keep ransomware from spreading.
  • Restore your computer. If you’ve backed up your files, and removed any malware, you may be able to restore your computer. Follow the instructions from your operating system to re-boot your computer, if possible.
  • Contact law enforcement. Report ransomware attacks to the Internet Crime Complaint Center or an FBI field office. Include any contact information (like the criminals’ email address) or payment information (like a Bitcoin wallet number). This may help with investigations.

Generally, authorities do not recommend that businesses pay the ransom. Too often they simply get higher demands, become targets again, or don’t get the data back.

It is also important for businesses to remember that ransomware attacks often constitute data breaches that may be reportable under federal or state data breach notification laws. Conducting tabletop exercises to educate staff and test preparedness is helpful.

The FTC’s recommendations are consistent with overall steps that the Commission and other experts have recommended to address data breaches. It’s important for business to pay attention to this sort of FTC guidance. The only thing worse than being held hostage by ransomware perpetrators is being held hostage and then also facing an FTC inquiry for alleged failure to adequately safeguard data.

Best Buy Agrees to Pay $3.8 Million for Selling Recalled Products

Posted in Product Safety, Regulations

Mega-retailer Best Buy agreed to pay $3.8 million to settle allegations that the company distributed and sold recalled products, a violation of the Consumer Product Safety Act (CPSA) after the 2008 amendments. U.S. Consumer Product Safety Commission (CPSC) staff alleged that the retailer sold more than 600 recalled units, including over 400 Canon cameras, to consumers, as well as items such as electric ranges (subject to a 2012 recall) and dishwashers (subject to a 2012 recall). Overall, the retailer sold 16 separate products subject to recalls announced between September 2010 and July 2015. CPSC and the retailer jointly reannounced 10 of the recalls in July 2014. In addition to the $3.8 million civil penalty, Best Buy agrees to maintain a compliance program designed to ensure compliance with the CPSA, including program for the appropriate disposal of recalled products. The CPSC asserted that the Company’s prior system failed to accurately identify, quarantine, and prevent the sales of recalled products. In some case, the company apparently failed to permanently block specific product codes, or even reactivated those codes or had them overridden. This occurred even after the company had assured CPSC the measures were adopted to prevent the sale of recalled products.

This settlement is notable for two reasons. First, this announcement is one of several in recent years involving the sale of recalled products, and in this case (as in some previous cases) it involves a retailer that was not the initiator of the recall. The CPSC has increasingly sought to obtain settlements from companies for the further sale of recalled products. In these settlements, the CPSC has generally imposed requirements to implement two separate but related systems: (1) a system for ensuring compliance with the CPSA, and in particular for the reporting of information about substantial product hazards to the CPSC and for the appropriate disposal of recalled products; and (2) a system of internal controls and procedures. The settlement in this case serves notice on all members of the supply chain that they are under an obligation not to sell recalled products.

Second, this settlement is yet another data point showing a trend of the increasing high stakes for settling CPSC civil penalty actions. The Best Buy announcement is the first settlement announced in fiscal year 2017 (which began October 1, 2017), but the table below shows the civil penalty trends for the last three federal fiscal years:

CPSC Civil Penalty Settlements: The Numbers

Fiscal Year

No. of Settlements

Total Amount

Average Amount

FY 2014 5 $7.175 million $1.435 million
FY 2015 9 $24.4 million $2.711 million
FY 2016 5 $31.25 million $6.25 million
FY 2017 (as of Oct. 6, 2016) 1 $3.8 million $3.8 million


Given the increasing penalty amounts and the increasing focus by CPSC on actions by all members of the supply chain, careful attention to internal compliance processes and procedures is a must.

Another State AG Weighs in on Children’s Privacy

Posted in Privacy

Texas Attorney General (AG) Ken Paxton announced a settlement with an app developer over concerns that the developer’s apps infringed children’s privacy.

The developer, Juxta Labs, Inc., offers a range of mobile apps and games.  According to the AG’s press release, the company’s apps and social media were easy for children of any age to access.  Some of the apps offered free children’s games that used advertisements and in-app purchases, and transmitted personal information (including internet protocol addresses and geolocation information).  One app in particular – Jott – has apparently become popular among teens because it allows message exchange without resorting to either Wi-Fi or cellular networks (instead, it can operate via a Bluetooth mesh network).

The settlement resolves alleged violations of the Texas Deceptive Trade Practices Act and includes specific commitments to comply with the federal Children’s Online Privacy Protection Act (COPPA).  The Company agreed to implement age-screening and pay a penalty of $30,000.

Following on the heels of a recent settlement by the New York Attorney General, it is clear that state regulators, as well as the Federal Trade Commission (FTC), are closely reviewing children’s privacy practices.

NTIA Announces Multistakeholder Workshop on IoT Security Patching

Posted in Cybersecurity, Data Security

The National Telecommunications and Information Administration (NTIA) has announced it is convening a series of multistakeholder meetings concerning Internet of Things (IoT) Security Upgradability and Patching. The initial meeting will be held in Austin, Texas, on October 19, 2016. An associated Federal Register notice (expected to be published September 19, 2016) describes the short-term goal of this new multistakeholder process as to “develop a broad, shared definition or set of definitions around security upgradability for consumer IoT, as well as strategies for communicating the security of IoT devices to consumers.”

This workshop is an outgrowth of two earlier NTIA initiatives. The first is its March 2015 request for comment to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.” The second is NTIA’s April 2016 request for comment on the benefits, challenges, and potential roles for the government in fostering the advancement of the IoT. Many comments in response to the April request did raise the issue of security.

NTIA notes that, to realize the full potential of IoT, users need reasonable assurance that connected devices, embedded systems, and their applications will be secure. In so noting, NTIA describes the ultimate goal of this multistakeholder initiative as fostering a market that offers more devices and more systems that support security upgrades. This will be accomplished, in part, through increased consumer awareness and understanding. Given the enormous complexity of the IoT environment, this first workshop is expected to focus on the scope and organization of the work.

With the Federal Trade Commission’s (FTC) enforcement agenda focusing on security vulnerabilities and expectations for business practices, and the explosive growth of IoT devices in the marketplace, both security and privacy implications of their use are expected to remain important topics for policy development and for enforcement. To read an article on these and other issues raised by IoT that Keller and Heckman LLP published earlier this year, click here.

FCC Grants TCPA Relief to Energy Utilities and Schools

Posted in Data Security, Privacy

On August 4, 2016, the Federal Communications Commission (FCC) released a Declaratory Ruling granting in part two separate petitions that were filed last year – one by the Edison Electric Institute and American Gas Association, and another by Blackboard, Inc. – regarding application of the Telephone Consumer Protection Act of 1991 (TCPA) to certain types of non-telemarketing, informational “robocalls” placed by energy utilities and schools, respectively.  The TCPA prohibits, among other things, robocalls (calls and texts that are placed using an autodialer or a prerecorded or artificial voice) to mobile numbers unless they are made for an “emergency purpose” or with “prior express consent.”

The Declaratory Ruling confirms that:

(1) Energy utilities are deemed to have the requisite “prior express consent” to place robocalls regarding matters “closely related to the utility service” (namely, calls regarding planned or unplanned service outages or service restoration, calls regarding meter work, tree trimming, or other field work, calls regarding payment or other problems that threaten service curtailment, and calls about potential brown-outs due to heavy energy use) if placed to numbers provided by customers; and

(2) Schools can lawfully place certain types of robocalls to members of the school communities pursuant to the “emergency purpose” exception in the TCPA (namely, calls concerning weather closures, incidents of threats and/or imminent danger due to fires, dangerous persons, or health risks, and unexcused absences), and schools are deemed to have the requisite “prior express consent” to place other types of robocalls that are “closely related to the school’s mission” (namely, notifications of upcoming teacher conferences and general school activities) if placed to numbers provided by the recipients.

For a more detailed summary of the Declaratory Ruling, click here.

While the FCC largely granted the relief requested by the petitioners regarding the type of consent that is required to place “robocalls,” the agency reminded businesses of their obligation to comply with other TCPA requirements when placing robocalls, such as the opt-out requirements and ceasing robocalls to numbers that have been reassigned to new subscribers.  TCPA litigation is on the rise, and the FCC has adopted stringent requirements for automated calls and texts, so all businesses should ensure that they understand their obligations when using these technologies to communicate with current and former customers, employees, and others.

Shielded: EU Approves Privacy Pact with the U.S., Fee Schedule Proposed

Posted in Cybersecurity, Privacy

The European Commission (EC) approved the EU–U.S. Privacy Shield on Tuesday, July 12, after European Union member states, through the Article 31 committee, approved the pact the previous week (more on the draft adequacy decision back in March here and the earlier agreement laying out the Privacy Shield here). The decision will allow U.S. companies that have self-certified to process the data of European citizens, while giving EU citizens greater privacy protections and the ability to file suit in U.S. courts to redress alleged privacy invasions. The Privacy Shield took immediate effect upon notification to Member States on July 12, and will be published in the Federal Register within 30 days of the Article 31 committee approval. Companies who want to self-certify compliance with the Privacy Shield can do so starting August 1, 2016, and will be required to pay a cost recovery fee according to a fee schedule dependent on annual revenues (the fee ranges from $250 to $3,250, for companies from $0 to over $5 billion in annual revenues).

The EC’s approval is the culmination of months of negotiations between EU and U.S. authorities on data transfer mechanisms in the wake of the European Court of Justice’s (ECJ) Schrems v. Data Protection Commissioner decision in October 2015 (Case C-362/14) invalidating the EU–U.S. Safe Harbor Agreement. The Schrems decision deemed the previous Safe Harbor Framework inadequate and concluded that Data Protection Authorities (DPAs) could independently evaluate whether EU citizens’ right to privacy would be protected by the Safe Harbor.

The Privacy Shield imposes more robust obligations on participating U.S. companies to protect the personal data of Europeans than the prior Safe Harbor as the basis to continue to transfer data between the U.S. and the EU. New requirements include the following:

  • Companies handling employee data must commit to comply with EC and DPAs’ decisions in their privacy policies;
  • Companies processing individuals’ data must commit to following the Privacy Shield Principles in privacy policies, making the commitment enforceable under U.S. law;
  • Companies must include a link to the U.S. Department of Commerce’s (DOC) Privacy Shield website;
  • Companies must inform individuals of:
    • their rights to access their own personal data,
    • the requirement that the company must disclose information in response to lawful requests from government authorities, and
    • the company’s liability where data is transferred onward to third parties; and
  • Companies must respond promptly to requests and inquiries from the DOC, and must make public any Privacy Shield–related Federal Trade Commission (FTC) or court orders based on non-compliance with the Privacy Shield.

European citizens will also have redress for alleged misuse of their data through new obligations of companies to respond to complaints and through no-charge alternative dispute resolution, among other routes. They will also be able to enforce privacy rights against U.S. government entities in U.S. courts based on the Judicial Redress Act, passed earlier this year and signed by President Obama on February 24, 2016. Adoption of a law recognizing this right was a key element in the negotiation process.

The deal also requires the DOC and FTC to engage in more robust monitoring and enforcement. U.S. law enforcement and national security access to EU citizens’ personal data will have to be the exception, and “must be used only to the extent necessary and proportionate.” An annual joint review of the Privacy Shield will also be conducted.

The FTC remains committed to enforcing representations about compliance with public privacy promises and privacy self-regulatory or certification programs. The FTC announced late last week (on July 14, 2016), for example, that it sent warning letters to 28 companies that claimed to be participating in the certification program under the Asia-Pacific Economic Cooperative’s (APEC) Cross-Border Privacy Rules (CBPR) system. Companies can be certified as compliant with the CBPR program if they comply with nine data privacy protection principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability.

The FTC’s actions to enforce U.S. companies’ promises about adhering to the APEC CBPR align with its obligation to take enforcement actions under the Privacy Shield. Regulatory scrutiny of representations about cross-border privacy practices are likely to increase in coming months and years as both the FTC and EU regulators have every reason to establish the Privacy Shield as a reliable and safe way to that personal data transferred to the U.S. is handled appropriately.

Proliferating laws and regulations governing privacy and data security make the compliance challenge ever more complex for global businesses. The new regime under the EU General Data Protection Regulation (GDPR) coming into force in 2018 adds an extra-territorial twist, requiring all companies doing business internationally to become familiar with the new requirements and begin now to implement new compliance measures. (See our GDPR compliance checklist here as a starting point.) Staying on top of privacy is more important than ever in an ever-changing landscape.

The Scrutiny Continues: Social Media Activities Continue to Draw Consumers and Consumer Protection Enforcement Alike

Posted in Advertising, Enforcement

Since we last wrote about how marketers can craft social media policies to offer engaging promotions while meeting the scrutiny of regulators, social media has continued to be a popular venue for marketers to reach consumers. The Federal Trade Commission (FTC) has also kept the spotlight on compliance with the FTC Guides Concerning Use of Endorsements and Testimonials in Advertising, targeting companies that fail to meet obligations to disclose “material connections” when working with influencers to promote products in social media. Some recent FTC actions are summarized below.

  • In July 2016, Warner Bros. Home Entertainment, Inc., settled with the FTC over charges that the company deceived consumers by running a marketing campaign for the video game Middle Earth: Shadow of Mordor in 2014 without properly disclosing that online influencers, including the prominent PewDiePie, were allegedly paid from hundreds to tens of thousands of dollars to generate “buzz” for the game. These influencers posted gameplay videos on social media sites including YouTube without, according to the FTC, incorporating clear statements that the videos were sponsored. Although Warner Bros. did require some disclaimers about sponsorship, this information was generally only visible if consumers clicked on a button to reveal more details in a description about the video. The company allegedly also pre-approved at least one video without adequate sponsorship disclosure.
  • In June 2016, the FTC settled claims with SmartClick Media LLC, doing business as “Doctor Trusted,” relating to a certification program that allegedly represented to consumers that products sold on websites were independently evaluated by doctors using their medical expertise, when in fact they were not. The company used seals on websites that appeared to operate independently from SmartClick, including health-product review sites, but which were in fact operated by SmartClick. Although SmartClick had hired freelance doctors to conduct some reviews, these reviews were allegedly cursory, and the seals were sold to—and appeared on—800 websites. The FTC’s order imposed a judgment of $603,588 on the defendants, which was to be suspended upon their payment of $35,000.
  • In March 2016, the FTC finalized an order settling charges that Machinima, Inc. engaged in deceptive advertising by failing to disclose that it paid “influencers” to post YouTube videos that endorsed Microsoft Xbox One games as well as the platform. The FTC first announced the proposed order in September 2015, alleging that the company paid endorsers $15,000 and $30,000 for posting videos on the popular video playing platform that resulted in 250,000 views and 730,000 views, respectively. The settlement did not involve a financial payment by Machinima, but the company agreed not to violate the FTC’s deception policy in the future. Microsoft and its advertising agency both received closing letters in 2015 that found them partially responsible, but the FTC concluded that these companies’ failures were “one-offs.”

*          *          *          *          *

The social media landscape is no longer new. Companies are expanding social media initiatives with good reason – because it’s where the eyeballs are. But all companies, large and small, must take care to assure that their social media initiatives, particularly those involving influencers, comply with the FTC’s guidelines on endorsements.  A word to the wise: The FTC staff, just like consumers, is looking at social media sites like YouTube, Pinterest and others. The difference is that the FTC is on the lookout for violations of its rules and guidelines.

Consumer Protection Connection