By Sheila A. Millar and Tracy P. Marshall

Following the U.S. Supreme Court’s April 22, 2021 decision in AMG Capital Management, LLC v. Federal Trade Commission, which put the brakes on the ability of the Federal Trade Commission (FTC or Commission) to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the Commission has sought another route to possibly recover civil penalties: it revived the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act (15 U.S.C. § 45(m)(1)(B)). Section 5(m)(1)(B) allows the Commission to pursue civil penalties in federal court if it satisfies two requirements. First, the FTC must prove that a company knew its conduct violated the FTC Act. To establish actual knowledge, the Commission sends a business a Notice of Penalty Offenses (also referred to as a “Section 205 Synopsis”) that outlines conduct the FTC has determined violates the FTC Act. Second, the FTC must have issued a previous administrative order (other than a consent order) that determined certain specific conduct was unfair or deceptive. If, after receiving notice, a business engages in practices deemed violative, the FTC can pursue civil penalties of up to $43,792 per violation in federal court.

The FTC has flexed this new muscle twice in the past week, sending a Notice of Penalty Offenses to more than 700 businesses regarding fake reviews and misleading endorsements and a Notice of Penalty Offenses to 70 for-profit higher educational organizations regarding false promises made about graduates’ job and earnings prospects. Notably, while other FTC policy statements and initiatives have garnered dissents, the Commission voted 5-0 to authorize and distribute the notices.

Penalty Offenses Concerning Education. The FTC’s Notices of Penalty Offenses to the educational organizations warned them not to misrepresent, directly or indirectly, the employment prospects of graduates, the demand for particular coursework, a graduate’s potential remuneration, and the extent of the institution’s job placement assistance program. In an accompanying letter, the FTC warned the companies that failure to cease deceptive conduct could result in significant fines. The notices state that receipt of the letter does not reflect an assessment that the recipient has engaged in conduct that might be deemed deceptive or unfair. Rather, it includes the following statement:

Receipt of this Notice puts your company on notice that engaging in conduct described therein could subject the company to civil penalties of up to $43,792 per violation. See 15 U.S.C. § 45(m)(1)(B).

In late 2020, Commissioner Rohit Chopra and FTC attorney Samuel Levine (now Director of the FTC’s Bureau of Consumer Protection) jointly published an article in which they advocated for the FTC to restore its Penalty Offense Authority, which the Commission ceased using in the 1980s. Chopra and Levine argued the Commission could “substantially increase deterrence and reduce litigation risk by noticing whole industries of Penalty Offenses, exposing violators to significant civil penalties, while helping to ensure fairness for honest firms.” While the FTC has gone after for-profit educational organizations for deceptive practices multiple times, this is the first time it has issued Section 5(m)(1)(B) notices to do so.

The FTC created a webpage listing the educational organizations that received Notices, a sample Notice and letter, and links to the administrative orders cited in the Notice (which date from 1980, 1971, and 1952).

Penalty Offenses Concerning Endorsements. The FTC sent another, even larger, batch of Notices of Penalty Offenses on October 13, this time to over 700 companies in diverse industries. The Commission warned the companies that certain conduct related to the use of endorsers and testimonials, such as misrepresenting that an endorser is an actual or recent customer, misrepresenting that an endorsement represents the experience or opinions of ordinary customers, or using an endorsement to make deceptive performance claims, violates Section 5 of the FTC Act. The Commission informed the companies they are on notice that engaging in prohibited conduct could subject them to civil penalties of up to $43,792 per violation.

As with the Notice of Penalty Offenses directed to for-profit educational institutions, the Penalty Offenses Concerning Endorsements website lists the cases the FTC relied on, which date from 1941 to 1984, and includes a sample Notice and letter and a list of recipients.

Many companies have internal policies governing endorsements and testimonials, but the FTC’s recent actions emphasize the importance of reviewing those policies to make sure they are up to date or implementing internal policies if they are not already in place.

By Sheila A. Millar, Jean-Cyril Walker, and Anushka N. Rahman

On October 5, 2021, California Governor Gavin Newsom signed a package of environmental legislation into law, including two bills aimed at environmental marketing claims. SB 343, Truth in Labeling for Recyclable Materials, which we previously wrote about here, will significantly affect how recyclability claims can be made. Under AB 1201, compostable and degradable claim restrictions, which previously existed only for plastic products, will apply to all products.

SB 343: Recyclable, recycled content and use of the chasing arrows symbol. SB 343 is designed to restrict recyclability claims for both plastic and non-plastic products and packaging in the state, potentially as early as January 1, 2024, with some exceptions or defenses. The bill declares use of the chasing arrows symbol, the arrow design surrounding the plastic resin identification code (RIC) (which does not incorporate the Mobius loop design), or any other symbol or statement indicating recyclability, to be deceptive or misleading unless the product or packaging is considered recyclable pursuant to statewide recyclability criteria set out in the bill. Equally importantly, the law builds on previously existing requirements under Cal. Bus. & Prof. Code § 17580 that anyone representing in labeling or advertising that a product is not harmful or is beneficial to the environment must document and maintain written records supporting the validity of the representation. While these requirements previously applied to broad environmental claims such as “earth friendly” and “green product,” and while all non-puffery marketing claims should be substantiated, companies do not always maintain a substantiation file with all of the information required under Cal. Bus. & Prof. Code § 17580. By extending the documentation requirements to recyclable claims, the new law may make recyclable claims more difficult and put a larger spotlight on other claims.

A significant issue with the law is that it appears to be in conflict with both guidance from global self-regulatory bodies and the U.S. Federal Trade Commission’s (FTC) Guides for the Use of Environmental Marketing Claims (“Green Guides”). The Green Guides specifically address the use of the RIC, which is required by law in 39 states, noting that inconspicuous use of the RIC (for example, molded into the bottom of a rigid plastic container) does not constitute an unqualified recyclable claim. Conversely, a prominent depiction of the RIC, including in conjunction with a “recyclable” claim, would have to be qualified if the product made of the referenced plastic resin does not meet the criteria for an unqualified recyclable claim under the FTC’s existing guidance. Adding to the confusion, SB 343 recognizes compliance with the Guides for some claims as an affirmative defense.

An ASTM committee now oversees the RIC and recommends a solid triangle design. While state laws still reference the original RIC design with the arrow, it seems unlikely that adopting the solid triangle design would generate enforcement attention by state regulators.

Notably, the law’s restrictions on use of the chasing arrow symbol may affect not only the RIC, but also use of the Mobius loop to convey recycled content. The Green Guides already suggest qualifiers to convey recycled content and recyclable messaging, so using the Mobius loop’s chasing arrows to denote recycled material with an express statement of the percentage involved should not be a violation.

AB 1201: Compostable and degradable claims for products. Previously existing California law included some specific restrictions on the sale of plastic products advertised as compostable and degradable. The requirements were updated only a year ago to, among other changes, remove a reference to a test method for marine degradability, as we noted previously. AB 1201 replaces the term “plastic product” in California’s law restricting compostable and degradable claims with “product,” giving the law broader reach. A “product” is defined to include, but is not limited to:

  • A consumer product;
  • A package or a packaging component;
  • A bag, sack, wrap, or other thin plastic sheet film product; and
  • A food or beverage container or a container component, including, but not limited to, a straw, lid, or utensil.

Fiber products that do not contain any plastics or polymers are exempt from the requirement to comply with an applicable standard specification; the legislation does not appear to distinguish between traditional plastics and bioplastics. The law does not change the requirement that biodegradable claims must meet a standard specified by the state, but the latest iteration still does not adopt a reference standard to determine degradability in soil, various landfill or marine conditions. Thus, AB 1201 effectively extends the prior practical ban on degradability claims for plastics to all products that meet the relevant definitions. Some national marketers that meet FTC criteria for degradability claims may include statements explaining that the product is not considered degradable in California.

AB 1201 also tightens requirements for a product labeled “compostable” or “home compostable,” which must:

  • Be certified as meeting the applicable standard specification by an approved third-party certification entity. This requirement will apply after January 1, 2024, if an approved third-party certification entity has existed for at least one year prior to the product being sold or offered for sale;
  • After January 1, 2026 (unless conditions for an extension apply), be “an allowable agricultural organic input under the requirements of the United States Department of Agriculture National Organic Program,” unless California’s Department of Resources Recycling and Recovery (“CalRecycle”) determines that it is possible to recover organic waste for use in agricultural applications from the collection of products that are not suitable for such application. In such case, products that are not collected for the purpose of recovering waste for agricultural applications are not subject to this requirement;
  • Not exceed 100 parts per million of total organic fluorine;
  • Be labeled to distinguish the product from a non-compostable product; and
  • Be “designed to be associated with the recovery of desirable organic wastes” unless CalRecycle determines that it is possible to recover organic waste for use in agricultural applications from the collection of products that are not suitable for such application.

This is the first example of a law that mandates third-party certification of an environmental claim or that legislatively incorporates chemical restrictions into the making of such a claim.

While it remains to be seen how the state will enforce these new legislative requirements, opponents have raised concerns. For example, it is feared that the restrictions in SB 343 will suppress recycling rates and actually result in more waste. The possibility of a First Amendment challenge exists for both laws, and SB 343’s restriction on importing a product into the state that does not comply also raises questions about whether such restriction is an unconstitutional burden on interstate commerce. Assuring that all claims, including environmental claims, are truthful and non-deceptive is a core value for responsible businesses, but national guidance, through instruments like the FTC Green Guides (which are slated for review in 2022), not a proliferation of conflicting state laws, is better for consumers and businesses alike.

By Sheila A. Millar and Mike Gentine

Alexander Hoehn-Saric, nominated by President Biden for both a seat on the U.S. Consumer Product Safety Commission (CPSC) and the chairmanship of that body, was confirmed late Thursday night by a unanimous voice vote. When he takes his oath of office, Hoehn-Saric will be CPSC’s first permanent chair in more than four years.

Fellow Democrat and current Acting Chair Bob Adler’s term expires October 27, but he can hold over for up to a year or until his nominated replacement, Richard Trumka, Jr., is confirmed. Trumka’s nomination cleared the Senate Commerce, Science, and Transportation Committee and is available for a floor vote, but it’s not clear when that will occur (Hoehn-Saric’s vote came without prior notice, so Trumka’s could likewise happen suddenly). Mary Boyle, currently the agency’s Executive Director and a longtime CPSC staffer, has also been nominated for a currently vacant seat, but her nomination has not yet cleared the Senate Commerce Committee.

Republican Commissioners Dana Baiocco and Peter Feldman last week collaborated to use their then-majority to significantly amend the Fiscal Year 2022 Operating Plan. It’s not clear if this maneuver, which brought fierce dissent from Adler and drew the attention of both Republicans and Democrats on the Hill, spurred Hoehn-Saric’s confirmation, but for the time being the Commission will operate with two Republicans and two Democrats when he takes the chairmanship.

By Sheila A. Millar and Mike Gentine

The U.S. Consumer Product Safety Commission (CPSC) has approved its Operating Plan (Op Plan) for the 2022 Fiscal Year (FY 22) that begins October 1, 2021, according to a joint statement from its two Republican members, Dana Baiocco and Peter Feldman. The Op Plan is the central governing document for CPSC, outlining the projects and priorities the agency will focus on through a fiscal year. It identifies the objectives for every agency office, the rules and standards the agency intends to issue or advance, and the resources the agency is committing to its many activities.

As outlined in the joint statement, the approved FY 22 Op Plan:

  • Increases CPSC’s presence at the nation’s ports by adding 27 new inspectors;
  • Adds resources to the Field Operations team within CPSC’s Office of Compliance;
  • Reinstates the specialized Children’s Product Defect Team within Compliance;
  • Expands the agency’s laboratory facilities;
  • Directs CPSC staff to pursue mandatory rulemaking regarding “Support Pillows and Nursing Support Products;”
  • Increases the budget of the Office of Communications by nearly 25 percent; and
  • Works to address data security recommendations of the CPSC Inspector General (IG), including those the IG made in response to the massive unauthorized disclosure of sensitive company and consumer data the agency revealed in 2019.

However, the approval of the FY 22 Op Plan is not without controversy. As the joint statement notes, the Commission voted 2-1 to approve the plan. A separate statement by Acting Chairman Robert Adler notes that the approved plan reflects “over 50 amendments [Baiocco and Feldman offered] with no advance notice” in what Adler describes as “Government by Ambush.” Later, CPSC’s Secretary released the Record of Commission Action (RCA) for the vote – the official document stating the outcome of the decision – stating that “[U]pon request for review by the Acting Chairman, the Acting General Counsel determined that the vote . . . is null and void because the Decision Making Procedures were not followed.” Adler subsequently issued a further statement, highlighting the RCA and raising both procedural and substantive objections.

As the basis of the Acting General Counsel’s position was not reflected in the RCA, and the Decision Making Procedures are a “For Official Use Only” internal document, there are two possible options. If the Acting General Counsel’s determination is based on procedural and not substantive concerns, a vote could presumably be re-taken in accordance with the Decision Making Procedures. If the basis of the determination is both substantive and procedural, CPSC would be left without an Op Plan until some consensus emerges.

As of this writing, it is not clear what legal effect the 2-1 vote to approve the plan has, if any, or whether CPSC actually has a plan for its 2022 Fiscal Year. Assuming the vote stands (if, for example, Baiocco and Feldman vote to overrule the Acting General Counsel), the Baiocco and Feldman amendments address a variety of subjects. Many are institutional topics, such as a direction to the agency to adopt the Inspector General’s (IG’s) recommendations along with provisions to strictly limit CPSC’s ability to use paid spokespersons or influencers, to ban all CPSC staff from using TikTok on any CPSC-issued device, and to prohibit the agency from distributing any of its messaging through the app (presumably based on security concerns). Some amendments narrow, expand, or shift CPSC’s FY 22 safety priorities. Among these is a direction to the Office of Import Surveillance to place more emphasis on high-volume ports instead of the greater focus on de minimis (e.g., direct-to-consumer) imports that the staff draft Op Plan had proposed. Commissioners Baiocco and Feldman describe this alignment as “consistent with . . . Congressional mandates.”

Of note to manufacturers of e-cigarettes, the amended Op Plan directs staff “to increase enforcement activity of the Child Nicotine Poisoning Prevention Act [CNPPA] . . . including removal of noncompliant liquid nicotine containers from commerce.” Field agents have already prioritized CNPPA compliance, generally focused on removal and destruction of non-compliant inventory from retail and distribution outlets. To date, consumer-level recalls have not been conducted.

The internal disagreement over the Op Plan is another sign of an agency in flux. As Adler’s statement notes, three Democratic nominees await confirmation by the Senate. However, only two of those three – Alexander Hoehn-Saric, nominated for Chairman, and Richard Trumka, Jr. – have cleared the Commerce Committee. The Committee vote on the third nominee, current CPSC Executive Director Mary Boyle, was pulled from the agenda of the most recent hearing. As Trumka is nominated for the seat Adler currently holds, if he and Hoehn-Saric are confirmed but Boyle is not, CPSC would face a 2-2 party split, albeit with a confirmed chair for the first time in more than four years. Regardless, the business community wants and needs an effective, fair, and appropriately focused national product safety agency, so will need to continue to monitor CPSC developments closely.

UPDATE:

The dispute over the purported procedural issues in the FY 22 Op Plan vote saw two remarkable developments after we posted this article.

First, Acting Chairman Adler’s assertion that the Acting General Counsel had – and even could – determine that the 2-1 vote that had passed the Op Plan as amended was “null and void” stirred the ire of Senator Roger Wicker (R-MS), Ranking Member of the Senate Committee on Commerce, Science & Transportation, which oversees CPSC. Urging Adler to reverse his course, Wicker wrote on September 29:

There is no way to interpret this action except as a brazen act of sabotage by an acting Chairman who found himself on the losing side of a vote. During my tenure as Ranking Member and formerly as Chairman of the Senate Commerce Committee . . . I have never seen a vote by the Senate-confirmed commissioners of an independent agency nullified by an Acting General Counsel.

The Commerce Committee Chair, Maria Cantwell (D-WA), has not weighed in on the dispute among the Commissioners.

Second, without further delay, the Commission voted on October 1 – again 2-1, with Adler in the minority – that “[t]he General Counsel has no authority . . . to nullify a vote of the Commission,” adding that, even if such authority existed, the vote approving the amended FY 22 Op Plan was proper and thus the plan, as amended, was approved on September 24, 2021.

At this writing, it is not clear if there will again be an effort to challenge this second vote.

By Sheila A. Millar, Tracy P. Marshall, and Anushka N. Rahman

With millions of Internet of Things (IoT) devices from phones to smart home sensors flooding the market every year, effective cybersecurity to help mitigate risks to devices is vital. New guidance from the National Institute of Standards and Technology (NIST), IoT Non-Technical Supporting Capability Core Baseline (NISTIR 8259B), is intended to help manufacturers identify the non-technical capabilities they need to support device and system cybersecurity controls and to communicate with customers and third parties effectively. NISTIR 8259B is one of four documents recently released by NIST to help manufacturers and federal agencies manage cybersecurity, which include IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (SP 800-213), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (NISTIR 8259C), and Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (NISTIR 8259D).

The guidance notes that “both device cybersecurity capabilities and non-technical supporting capabilities are vital to customers’ abilities to achieve their needs and goals.” While IoT devices are typically secured through technological capabilities, NISTIR 8259B focuses on the non-technical supporting capabilities, the actions “that manufacturers or third parties take in support of the initial and ongoing security of IoT devices.” The guidance identifies four primary non-technical areas of cybersecurity:

  • Documentation, which ensures that customers and third parties have the information they need to ensure their device and its data are secure;
  • Information and query reception, which helps businesses respond to questions customers and others may have about a device’s security and operation;
  • Information dissemination, which ensures that customers are kept in the loop about any newly discovered security issues or device or related systems updates; and
  • Education and awareness, to assist customers and others in understanding how to secure and protect IoT software, hardware, and systems.

The guidance contains several tables that lay out detailed steps of common actions for organizations to consider taking and encourages organizations to add other non-technical capabilities where needed. NIST also updated its IoT catalog for device technical cybersecurity capabilities and supporting non-technical capabilities.

As IoT devices continue to rise in popularity, it is vital for manufacturers to ensure that their products come designed not only with effective cybersecurity technology but also with a plan for communicating with customers and third parties, keeping detailed records, and efficient methods for responding to questions. NISTIR 8259B gives organizations a helpful place to start, and this and other NIST guidance on IoT security may be relevant to the ongoing NIST cybersecurity labeling initiative.


By Sheila A. Millar and Anushka N. Rahman

On August 31, 2021, the National Institute of Standards and Technology (NIST) released its draft white paper, DRAFT Baseline Security Criteria for Consumer IoT Devices. The draft white paper is in response to Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” which requires NIST, in collaboration with other agencies, to educate the public on Internet-of-Things (IoT) security. The draft white paper proposes baseline security criteria for consumer IoT products as part of a cybersecurity labeling program and builds on NIST’s Secure Software Development Framework (SSDF) and other NIST documents. NIST is not establishing its own labeling program but instead seeks to identify minimum requirements for programs, which it must do by February 6, 2022.

NIST’s summary sets out the timelines and objectives, along with some general principles. Labeling should:

  • Encourage innovation in manufacturers’ IoT security efforts, leaving room for changes in technologies and the security landscape.
  • Be practical and not be burdensome to manufacturers and distributors.
  • Factor in usability as a key consideration.
  • Build on national and international experience.
  • Allow for diversity of approaches and solutions across industries, verticals, and use cases – so long as they are deemed useful and effective for consumers.

The proposed labeling criteria set out in the draft white paper build on NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline, and NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline. NISTIR 8259B itself is new guidance released last month, and is intended to help manufacturers identify the non-technical capabilities they need to support device and system cybersecurity controls and to communicate with customers and third parties effectively. NISTIR 8259B is one of four documents recently released by NIST to help manufacturers and federal agencies manage cybersecurity, which include IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (SP 800-213), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (NISTIR 8259C), and Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (NISTIR 8259D).

NIST hosted an informative workshop on the proposed labeling criteria and related issues on September 14–15, as previously announced. The workshop featured a variety of stakeholders, including representatives from federal agencies with experience in labeling programs, such as the Environmental Protection Agency (EPA), Federal Trade Commission (FTC) and Consumer Product Safety Commission (CPSC), as well as international experts. The workshop included discussions on how to define a “consumer,” what should be in scope for a labeling program, limits of a labeling program, and achieving global harmonization, among many other topics. Recurring themes included assuring that a cybersecurity label avoids conveying a false sense of security and the need to keep labels simple.

Comments on the draft white paper are due October 17, 2021, and can be submitted to labeling-eo@nist.gov. NIST has already received feedback on important details, which were discussed during the workshop. With the growth of IoT devices, an IoT labeling scheme will likely have significant impact on many industry sectors, so interested stakeholders may wish to consider submitting comments.

By Sheila A. Millar and Tracy P. Marshall

On September 13, 2021, President Biden nominated Alvaro Bedoya for Commissioner of the Federal Trade Commission (FTC) to replace outgoing FTC Commissioner Rohit Chopra. Earlier this year, President Biden nominated Chopra to head the Consumer Financial Protection Bureau (CFPB). If confirmed, Bedoya would round out the slate of FTC commissioners and solidify the agency’s Democratic majority.

Bedoya is the founding director of the Center on Privacy and Technology at Georgetown University Law Center, where he is a visiting professor of law. He has a background in privacy law and policy, with a special interest in facial recognition technology. Bedoya’s work on facial recognition technology led the National Institute of Standards and Technology (NIST) to conduct the first comprehensive bias audit of face recognition algorithms and paved the way for a federal law that requires bias testing in airport face recognition systems, Section 1919 of the FAA Reauthorization Act of 2018. Previously, Bedoya served as the first chief counsel to the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law.

Naming a nominee with a strong background in privacy to serve on the FTC is consistent with the Administration’s support for strengthening privacy and cybersecurity. This commitment is reflected in the Build Back Better Act, which earmarks $1 billion to create a new privacy bureau within the FTC dedicated to stopping unfair and deceptive acts and practices related to privacy violations, data security incidents, identity theft, and other data abuses.

By Sheila A. Millar and Tracy P. Marshall

As the Labor Day weekend approaches, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are warning U.S. entities to remain alert and protect against the rising incidence of ransomware attacks over holidays and weekends. A joint cybersecurity advisory issued on August 31, 2021 reviews recent ransomware attacks that occurred over holiday weekends, describes some of the tactics, techniques, and procedures commonly used by ransomware attackers, and offers some best practices and mitigation strategies for entities that experience a ransomware or other data security incident. As ransomware and other types of cyberattacks become more frequent and sophisticated, and as U.S. and international data security and breach notification laws and reporting requirements become more stringent, it is important for all organizations to implement security programs and incident response plans, continuously assess their programs and plans, and monitor for threats.

According to the advisory, criminal cyberattacks have escalated dramatically in the last year. The number of ransomware attacks in particular increased by 20%, and ransom demands increased by 225%. And these numbers are continuing to rise. Most frequently, ransomware attackers use phishing or brute force on unsecured remote desktop protocol (RDP) endpoints to gain network access. Other common techniques identified in the advisory include precursor or dropper malware, exploitation of software or operating system vulnerabilities, exploitation of service providers with access to networks, and use of stolen credentials.

When cybercriminals infiltrate networks and databases, they often gain unauthorized access to personal information, including sensitive personal information like Social Security numbers, banking or credit card account information, and health information. Responding to ransomware and other attacks necessarily triggers a company’s data breach response plan.

Responding to any data breach, whether or not it is associated with a ransomware demand, requires good planning so that the organization is positioned to understand and comply with the myriad federal, state, and international notification and reporting requirements. For example, companies that are publicly traded must identify material risks to the business in their periodic reports to the U.S. Securities and Exchange Commission, and the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act impose notification and reporting requirements that may apply depending on the types of information compromised. In addition, many states have adopted a data security law, and all 50 states have enacted a data breach notification law (for an overview of U.S. data breach notification laws, click here).

Minimize Risk

The joint cybersecurity advisory offers the following guidance to minimize attacks:

  • Establish a baseline understanding of the network architecture and routine activity;
  • Review data logs to compare standard performance to suspicious or anomalous activity;
  • Watch out for unusual inbound and outbound network traffic, compromised administrator privileges or escalation of permissions on an account, theft of login and password credentials, a substantial increase in database read volume, geographical irregularities in access and login patterns, attempted user activity during anomalous logon times, attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and baseline deviations in the type of outbound encrypted traffic;
  • Use intrusion prevention systems and automated security alerting systems;
  • Employ honeytokens to track data outside the network; and
  • Use cyber hygiene services.
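As an added illustration of the "review data logs" and "watch out for" items above (this script is not part of the advisory or this post), the following Python builds a per-user baseline from a constructed audit log and then flags three of the listed indicators in a review window: activity at anomalous logon times, geographical irregularities in logins, and a substantial jump in database read volume. The CSV layout, the 07:00-19:59 working window and the tenfold read-volume threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample audit records, hypothetical CSV layout: timestamp,user,country,event,rows.
# BASELINE_LOG is the known-good period; REVIEW_LOG is the period being checked against it.
BASELINE_LOG = """\
2021-08-30T09:15:00,alice,US,login,0
2021-08-30T09:20:00,alice,US,db_read,1200
2021-08-31T10:05:00,alice,US,db_read,1500
2021-09-01T11:00:00,alice,US,db_read,1100
"""
REVIEW_LOG = """\
2021-09-04T03:12:00,alice,RU,login,0
2021-09-04T03:15:00,alice,RU,db_read,48000
2021-09-03T14:00:00,alice,US,db_read,1300
"""
BUSINESS_HOURS = range(7, 20)  # assumed normal working window, 07:00-19:59

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, country, event, rows = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "event": event, "rows": int(rows)})
    return events

def build_baseline(events):
    """Per-user baseline: countries seen during the baseline and average rows per db_read."""
    countries, reads = defaultdict(set), defaultdict(list)
    for e in events:
        countries[e["user"]].add(e["country"])
        if e["event"] == "db_read":
            reads[e["user"]].append(e["rows"])
    return countries, {u: sum(r) / len(r) for u, r in reads.items()}

def detect(events, countries, avg_reads, read_multiplier=10):
    """Return one (timestamp, user, reason) tuple per baseline deviation found."""
    findings = []
    for e in events:
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((e["ts"], e["user"], "activity outside normal logon hours"))
        if e["country"] not in countries.get(e["user"], set()):
            findings.append((e["ts"], e["user"], f"login geography not in baseline: {e['country']}"))
        if e["event"] == "db_read" and e["rows"] > read_multiplier * avg_reads.get(e["user"], float("inf")):
            findings.append((e["ts"], e["user"], f"database read volume {e['rows']} far above baseline"))
    return findings

def run():
    countries, avg = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(REVIEW_LOG), countries, avg)
```

The daytime, in-country read of 1,300 rows produces no finding, while the two 03:00 events from a country absent from the baseline each trigger the time and geography checks, and the 48,000-row read also trips the volume check.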

Mitigation

The FBI and CISA also advise that organizations implement mitigation strategies to reduce the likelihood of compromise and loss in the event of an attack, such as the following:

  • Continuously and actively monitor for ransomware threats over holidays and weekends, and assign IT security employees who will be “on call” during these times;
  • Make an offline data backup;
  • Advise individuals to not click on suspicious links;
  • Secure and monitor RDP or other potentially risky services;
  • Update the organization’s operating system (OS) and software;
  • Scan for vulnerabilities;
  • Require strong passwords;
  • Use multifactor authentication;
  • Secure network(s): implement segmentation, filter traffic, and scan ports;
  • Secure user accounts; and
  • Implement an incident response plan.

In the event of a ransomware attack, the FBI and CISA recommend turning off all networked devices and isolating the infected system from all networks and any other potential networking capabilities.

The pre-Labor Day joint cybersecurity advisory is a timely reminder that because cybercriminals increasingly target organizations over holidays and weekends when staffing may be reduced, it is important that organizations never drop their guard and continue to monitor for and defend against attacks. Ensuring that strong preventative and mitigation strategies are in place will help businesses avoid missteps that make their networks vulnerable to attack. As the saying goes, an ounce of prevention is worth a pound of cure.


The Federal Trade Commission (FTC) took the unprecedented step of removing one of the approved Safe Harbor organizations under the Children’s Online Privacy Protection Act (COPPA) for failing to provide effective monitoring and assessment of its member companies’ websites, as required under the COPPA Rule. Earlier this year, Commission staff warned Aristotle International, Inc., whose Safe Harbor program was approved in 2012, that it was concerned about Aristotle’s monitoring practices and was considering withdrawing approval. On June 1, Aristotle informed the FTC that it was leaving the COPPA Safe Harbor program, and on August 4, the FTC announced that it had removed the company from the list.

Pursuant to Section 312.11(a) of the COPPA Rule, industry groups or other persons can apply to the FTC for approval of self-regulatory program guidelines. Approved programs must provide substantially the same or greater protections for children as those outlined in the COPPA Rule. Businesses that fully adhere to an approved COPPA Safe Harbor program will be deemed in compliance with the COPPA Rule for enforcement purposes under § 312.11(g), which provides incentives to businesses to support self-regulatory programs.

The August 4 press release announcing Aristotle’s removal from the COPPA Safe Harbor list included a troubling comment by the FTC’s Bureau of Consumer Protection’s Acting Director, Sam Levine, that may spell changes ahead for Safe Harbor programs: “There is a clear conflict of interest when self-regulatory organizations are funded by the website operators and app developers they are supposed to police, so we will be closely scrutinizing other children’s privacy oversight outfits to determine whether they are living up to their obligations.”

While the Acting Director’s statement reflects a concern over conflicts of interest as it pertains to Aristotle, it also appears to question the role, nature, and purpose of self-regulatory programs, as reflected in COPPA and the COPPA Rule. Antipathy towards the notion of industry self-regulation is reflected also in recent proposed legislation introduced by Rep. Castor (D-FL). But self-regulatory advertising and privacy programs, which are commonly funded by the “industry groups” authorized to apply for recognition under COPPA, provide enormous benefits to consumers, businesses, and regulators, as the FTC has recognized for decades.

Businesses play an essential role in the success and effectiveness of self-regulatory programs. Their financial support and input help to ensure that the organizations that serve them meet their respective legal compliance responsibilities. Self-regulatory programs not only help check on a participant’s compliance but also serve as a vehicle for businesses to air practical concerns about compliance burdens, assess implications of technological advancements and consumer interfaces, and put forward innovative ideas that can make compliance easier and less expensive. The Safe Harbor provisions of COPPA and other self-regulatory frameworks are intended to promote flexibility and efficiency by allowing businesses to tailor their compliance programs and to reward participants’ good faith efforts to comply with the law.

As the FTC continues to discuss potential changes to the COPPA Rule in its ongoing review, initiated in 2019, FTC oversight of COPPA Safe Harbor organizations is sure to be discussed. In his statement on a 2020 notice accepting a proposed consent agreement with Miniclip for falsely representing it participated in a COPPA Safe Harbor organization, Commissioner Rohit Chopra suggested a number of possible changes to the Safe Harbor framework. Some of these suggestions are already reflected in the COPPA Rule. For example, the Rule requires that Safe Harbor organizations monitor and assess members’ adherence to COPPA and their own privacy notices and provides for revocation of approval.

If a COPPA Safe Harbor organization fails to adhere to applicable rules, or neglects to exercise proper oversight of its members, it can and should be sanctioned by the FTC as a violation of the Rule. However, the assumption underlying the criticism that industry funding of self-regulatory programs necessarily removes their independence is contradicted by more than twenty years of largely successful COPPA Safe Harbors and has implications for other longstanding privacy and advertising self-regulatory programs and dispute resolution mechanisms. Foreclosing industry-led Safe Harbor organizations from exploring other revenue options or programs, as some have suggested, or forcing public disclosure of all documents and interactions with participants, will undermine the usefulness and value of the Safe Harbor process. Careful thought should be given to how to best assure that COPPA Safe Harbor organizations fully comply with their oversight responsibilities under COPPA while maintaining appropriate incentives to attract business participants and maintain the financial viability and independence of the Safe Harbor organization.


The Children’s Advertising Review Unit (CARU), a division of BBB National Programs, recently updated its Self-Regulatory Guidelines for Children’s Advertising. Important updates include:

  • To align with the Children’s Online Privacy Protection Act (COPPA), the Guidelines now apply to national advertising primarily directed to children under the age of 13 instead of under 12, regardless of the medium involved.
  • The Guidelines outline criteria used to assess whether a national ad is primarily directed to children.
  • The Guidelines confirm that placement or integration of a product, service, character, or brand in editorial, educational, entertainment, or other non-commercial content is not within scope unless it constitutes an endorsement.
  • The Guidelines respond to the rise of influencer marketing by incorporating principles of the FTC Guidelines on Endorsements and Testimonials.
  • A new section specifies that in-app and in-game advertising may not use unfair, deceptive, or other manipulative tactics to encourage such purchases, and requires that methods for exiting an ad are “clear and conspicuous.” Games and apps with in-game purchases must make clear that such transactions involve real currency.
  • Reflecting the growing societal focus on diversity and inclusion, another new provision of the Guidelines urges advertisers to refrain from depicting or encouraging negative social stereotyping, prejudice, or discrimination.
  • The privacy section of the previous version of the Guidelines has been removed and published separately.

The new Guidelines take effect January 1, 2022.