FTC Releases Cybersecurity Resources for Small Businesses

Small businesses face the same cybersecurity risks as large multinationals but lack a large IT infrastructure to help protect themselves. At the direction of former Federal Trade Commission (FTC) Acting Chairman Maureen Ohlhausen, the FTC launched a new cybersecurity campaign aimed at helping small businesses navigate the ever-evolving cyber landscape, coordinated with the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA). More information about the program and upcoming events is available at the FTC’s website.

Earlier this year, FTC staff published a report detailing the resources available to help small organizations. FTC staff also held several workshops and a result of feedback, the agency developed a series of modules that cover the following topics: Cybersecurity Basics, Understanding the NIST Cybersecurity Framework, Physical Security, Ransomware, Phishing, Business Email Imposters, Tech Support Scams, Vendor Security, Cyber Insurance, Email Authentication, Hiring a Web Host, and Secure Remote Access.

Implementing security mechanisms that are tailored to an organization’s size and risk exposure can be complex. However, the FTC modules and report provide a useful starting point for smaller businesses looking for practical guidance on handling a range of cybersecurity and data protection matters.

National Privacy Legislation May be on the Horizon

By Sheila Millar and Tracy Marshall on October 1, 2018 Posted in Privacy

The recent passage of the California Consumer Privacy Act (CCPR) earlier this summer and the entry into force of the General Data Protection Regulation (GDPR) last May has put consumer privacy squarely on the national agenda. Now there are signs that government is responding. While a number of privacy bills have been introduced in Congress that never made it out of committee, Senator John Thune (R-SD), the ranking Republican on the Senate Commerce Committee, recently indicated this may be changing. Thune opened a recent hearing of the Committee at which Google, Amazon, Twitter and AT&T commented that both Republicans and Democrats support a national privacy law, but noted: “the question is what shape that law should take.” The companies testifying expressed support for preemptive federal legislation that gives consumers more control over their data and stresses transparency, but avoids a one-size-fits-all approach that might stifle innovation.

In the wake of the hearing, the U.S. Department of Commerce National Telecommunications and Information Administration (NTIA) is now seeking comments on several high-level goals that are intended to protect consumer privacy while encouraging innovation. The strategy outlined in the Request for Comments is “outcome-based” rather than prescriptive and offers seven key objectives:

The collection, use, sharing and storage of personal data should be transparent;
Users should be able to exercise reasonable control over the collection, use, storage, and disclosure of their personal data;
Data minimization principles should apply;
Organizations should ensure safeguards are in place to protect personal data from loss and unauthorized use;
Consumers should have the right to rectify and delete their personal data;
Privacy tools should be flexible enough to encourage innovation while also protecting consumer data;
Organizations should be accountable for data processing activities.

Comments are due to NTIA by October 26, 2018.

A number of trade associations, fearing unduly prescriptive federal legislation or a patchwork of state privacy laws, have also weighed in. The Chamber of Commerce, The Internet Association and other organizations recently published privacy proposals that call for preemptive, process-driven rules, themes that were echoed during the recent Commerce committee hearing. Senator Thune stated that a second hearing will take place starting in early October at which Alastair Mactaggart, the driving force behind the California ballot initiative whose withdrawal resulted in enactment of the CCPA, and European Data Protection Board (EDPB) Chairwoman Andrea Jelinek will testify.

Privacy legislation will likely continue to be a hot topic for the rest of the year, and for the new Congress in January, and we anticipate that state legislatures will also be looking at privacy and data security in 2019.

Agency Comings and Goings

By Sheila Millar, Tracy Marshall and Boaz Green on September 27, 2018 Posted in Data Security, Privacy, Product Safety

This week has seen several significant changes at the Commission level at both the Consumer Product Safety Commission (CPSC) and the Federal Trade Commission (FTC).

CPSC

After several months of stasis, the Senate voted to confirm Peter Feldman as a Commissioner on the CPSC, with a term expiring October 26, 2019. Feldman takes the place of Joseph Mohorovic, who resigned in October 2017. The Senate is also expected to approve Feldman’s nomination for a second term of 7 years shortly, which would expire in 2026.

Feldman, a Republican, will fill out the slate of commissioners at CPSC, giving the Republicans a 3-2 majority at the Commission for the first time since 2006. Acting Chair Ann Marie Buerkle still awaits confirmation as permanent Chair and for another seven-year term since her renomination to both posts by President Trump in January. Buerkle’s term formally ends in October, although she can hold over for one year.

FTC

At the FTC, Christine Wilson was sworn in as commissioner on September 26, 2018, replacing former Acting Chair and Commissioner Maureen Ohlhausen, whose term ended September 25. Ohlhausen worked for the FTC for the better part of 20 years, first as a staffer from 1998-2008 and then as director of the Office of Policy Planning. She was nominated by President Obama in 2012 and confirmed as a commissioner. Ohlhausen became Acting Chair in January 2017 when Edith Ramirez resigned her Chairmanship following the 2016 presidential election. Under Ohlhausen’s leadership, the FTC brought 20 privacy-related actions, including its first case relating to smart toys. In addition, the agency brought or settled over 138 cases that resulted in $300 million in compensation paid to 3.7 million people and refunds to consumers amounting to $6 million.

Wilson, a Republican, previously served at the FTC as Chief of Staff to Chairman Tim Muris during the George W. Bush administration. Prior to her tenure at the FTC, Wilson practiced as an attorney specializing in consumer protection and competition at law firms Kirkland & Ellis LLP and O’Melveny & Myers LLP. Phillips’ term will run until September 2023.

NIST Launches Development of Voluntary Privacy Risk Management Framework

By Sheila Millar and Tracy Marshall on September 13, 2018 Posted in Cybersecurity, Data Security, Privacy

The National Institute of Standards and Technology (NIST) has launched a collaborative effort to develop a voluntary framework that will help organizations manage privacy risks and protect consumer privacy when developing and using innovative technologies. According to NIST, a robust cybersecurity program can help manage risks, but organizations need customizable tools for addressing the challenges posed by an increasingly connected environment. The intent is to “bridge the gaps between privacy professionals and senior executives so that organizations can respond effectively to these challenges without stifling innovation.”

The privacy framework, which will be designed through an open process of stakeholder engagement to provide solutions for a wide range of organizations, is modeled on NIST’s Cybersecurity Framework. Alongside NIST, the National Telecommunications and Information Administration is leading the development of a set of privacy principles in coordination with the International Trade Administration.

Starting in October, NIST will convene a series of workshops to gather input from stakeholders. Organizations that wish to weigh on the direction of the framework can find events here.

FTC Approves ESRB’s Updated COPPA Safe Harbor Program

By Sheila Millar and Tracy Marshall on August 17, 2018 Posted in Data Security, Privacy

The Federal Trade Commission (FTC) approved modifications to the video game industry’s Children’s Online Privacy Protection Act (COPPA) program. Earlier this year, the Entertainment Software Ratings Board (ESRB) proposed several substantive changes intended to take account of recent FTC COPPA rules and guidance.

To receive FTC approval, COPPA safe harbor programs must “implement substantially similar requirements that provide the same or greater protections for children as those contained in the Rule; (2) an effective mandatory mechanism for the independent assessment of the safe harbor program participants’ compliance with the guidelines; and (3) disciplinary actions for noncompliance by safe harbor participants.”

Five NGOs and individuals submitted comments during a public comment period on a number of ESRB’s proposed changes, including amending the definition of “personal information and data,” ensuring that links to privacy statements be prominent and clearly labeled, and clarifying the program’s data minimization requirements. ESRB also revised the program to incorporate FTC enforcement guidance on how voice data was handled. The FTC approval letter noted that ESRB made revisions to address certain objections raised by three of the NGOs.

The Commission vote to approve the changes to ESRB’s COPPA safe harbor program was unanimous.

23 California DAs Obtain $1.5 Million Settlement for Deceptive Biodegradable Claims

By Sheila Millar and JC Walker on August 9, 2018 Posted in Litigation

Environmentally conscious consumers often look for products advertised as “green.” But labeling plastic products as “biodegradable” may land you on the legal compost heap if you can’t meet federal and state regulations governing green marketing. Amazon was just the latest company to find itself in the crosshairs when 23 California district attorneys charged that it violated state law when it marketed and sold products labeled “biodegradable” or “compostable.” Amazon settled the lawsuit for $1.5 million.

Most advertisers interested in degradability and similar claims should be familiar with the requirements in the FTC’s Guides for the Use of Environmental Marketing Claims. Advertisers also need to be aware of 2011 amendments to the California Public Resources Code restricting green claims for plastic products. The California law prohibits businesses from selling plastic goods that are labeled “compostable,” “biodegradable,” “degradable,” or other wording that implies the product will break down in a landfill or other environment, unless the product meets specific standards set forth in the law. There are differences, however, in how the FTC and the state of California view available standards from a substantiation standpoint.

Under the settlement, Amazon is prohibited from selling plastic products labeled as “biodegradable” or “compostable” if the product has not been certified as such in accordance with California’s requirements. In addition, the company will pay CalRecycle, the state agency responsible for recycling, $50,000 to test plastic products that are advertised as compostable or degradable.

California has shown itself to be an aggressive enforcer against misleading green marketing claims. In the last few years, the state has pursed legal action against several companies for alleged deceptive green labeling, settling claims against ENSO Plastics in 2013 with an $18,000 fine, and obtaining agreed-to penalties of $27,000 and $940,000 against Overstock.com and Walmart, respectively, in 2017. It is worth noting that any penalties received under the California law go directly to the jurisdiction that brings suit, providing DAs with an incentive to pursue degradable and compostable claims.

Any advertiser interested in developing and marketing products that are degradable or compostable should pay special attention to the requirements of both federal and state laws since they do not always align. In particular, it is essential for businesses to fully understand the nuances of FTC guidance and California law in assessing how they substantiate their claims.

California Company Settles with FTC over Alleged Privacy Shield Misrepresentations

By Sheila Millar and Tracy Marshall on July 16, 2018 Posted in Data Security, Privacy

If a company claims to be certified under the EU-U.S. Privacy Shield framework when it hasn’t even completed the paperwork, the Federal Trade Commission (FTC) isn’t likely to let it slide. ReadyTech, a California-based online training services company, made such a claim on its website, in violation of the FTC Act’s prohibition against deceptive acts or practices, according to the FTC’s complaint against the company.

The Privacy Shield is one of the approved mechanisms through which U.S. companies can lawfully transfer personal data from the EU to the U.S. in compliance with the EU General Data Protection Regulation (GDPR). ReadyTech stated on its website that it was “in the process of certifying that we comply with the U.S. – E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.” However, according to the FTC, while the company initiated the process of self-certifying to the U.S. Department of Commerce in 2016, it was never completed.

As part of the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government agency or any self-regulatory or standard-setting organization. It also must comply with standard reporting and compliance requirements.

This is the FTC’s fourth case enforcing misrepresentations regarding participation in the Privacy Shield since the framework became operational two years ago, and the FTC brought similar enforcement actions under the old U.S.-EU Safe Harbor Framework (the Privacy Shield’s predecessor). The action against ReadyTech serves as a reminder to businesses to not only avoid misrepresenting their participation in privacy and data security frameworks, but also to take steps to ensure more generally that their practices are aligned with their privacy commitments.

The FTC actively enforces privacy and data security violations through its authority under Section 5 of the FTC Act, such as a failure to disclose certain practices in online privacy statements, a failure to follow stated practices, or materially and retroactively changing how personal data is handled without consent from affected consumers. The FTC pays special attention to possible violations of the Privacy Shield. The Privacy Shield, like the Safe Harbor before it, is viewed by businesses as a critical vehicle for companies to comply with cross-border data transfer obligations under EU privacy laws. Because privacy advocates and some regulators continue to criticize the Privacy Shield’s self-regulatory approach for meeting EU requirements, it is especially important that the FTC polices compliance to maintain the integrity of the program.

Companies that operate globally must be mindful of their obligations to meet their privacy commitments to comply with the FTC Act as well as with the new EU GDPR and other international data protection laws.

State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach – Updated July 2018

By Sheila Millar and Tracy Marshall on July 10, 2018 Posted in Data Security, Privacy

With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues. This summary provides an overview of the similarities and differences in data breach laws adopted in the 50 United States and the District of Columbia and includes laws enacted since our last update. Alabama and South Dakota became the last states to adopt breach notification laws, which took effect on May 1, 2018 and July 1, 2018, respectively. As a practical matter, most companies that experience a breach will be required to comply with all or several state laws depending on where the data subjects reside, and international data breach notification laws may also apply.

Because privacy is a politically popular topic for legislators, laws continue to evolve and change. It is important to confirm that no changes have been made to relevant laws whenever you experience a data breach. While this summary focuses on data breach notification obligations, many state laws also impose specific data security requirements for companies that handle personal information, which should also be consulted.

This summary is intended to provide general information about applicable laws, and does not constitute legal advice regarding specific facts or circumstances.

To download a copy, click here.

For more information on privacy and data security matters, please contact us:

Sheila Millar (+1 202.434.4143, millar@khlaw.com)

Tracy Marshall (+1 202.434.4234, marshall@khlaw.com)

CPSC Releases Revised Draft Age Appropriate Guidelines for Consumer Products

By Sheila Millar on April 2, 2018 Posted in Product Safety, Regulations

The U.S. Consumer Product Safety Commission (CPSC) announced potential changes to its 2002 Age Determination Guidelines Relating Children’s Ages to Toy Characteristics and Play Behavior (2002 Guidelines). The new draft guidance, titled Guidelines for Determining Age Appropriateness of Toys (Draft 2018 Guidelines), “addresses toys that have come onto the market since the last update and provides changes to the recommended age group for certain classic toys.” The plan to issue a Federal Register notice was announced at the International Consumer Product Health and Safety Organization (ICHPSO) conference in February 2018, and the updated draft was formally published on March 27, 2018. Congress specifically made the 2002 version of the guidelines one of four key factors for determining whether a consumer product is a children’s product, so this proposed set of changes will affect the children’s product industry.

The Draft 2018 Guidelines have been updated to take account of new toys that have come onto the market since 2002, changes in consumer purchasing behavior, and children’s access to toys. The Draft also reassesses the 2002 Guidelines’ age determinations based on a broad literature review, parent toy survey, and observational study of 243 children, ages 1 to 8 years old, and their parents across four age brackets: 1 to 1.5 years old; 1.6 to 2 years old; 3 to 5 years old; and 6 to 8 years old. The guidelines contain four levels, each representing an increasing level of detail: play categories; toy subcategories; age groups; and toy characteristics. The agency staff’s draft revisions were developed with input from the Child and Family Research Section staff at the National Institute of Child Health and Human Development (NICHD) within the National Institutes of Health (NIH).

The 2018 Draft Guidelines make age-grade recommendations for new products, such as play touchscreen phones, suction cup building pieces, wooden trains with magnetic pieces, and magnetic puzzles. The 2018 Draft Guidelines also recommend changes for a variety of toys, including microscopes, colorful wooden blocks, large basketball hoops, and toy cameras with viewfinder function. Other revisions include recommended testing changes, such as shifting existing small parts or use-and-abuse testing requirements based on age grades that are different from the 2002 Guidelines.

CPSC staff explains that “many toy-related injuries could be prevented by age-labeling products for the age group for whom they are intended. Providing the consumer product toy industry with better age-grading guidance, and describing how these principles can be applied to their products, can help reduce product-related incidents and reduce costly compliance and enforcement actions.”

The CPSC’s Age Determination Guidelines play an important role in determining not just the suitability of toys for children in different age ranges, but also which safety requirements apply to a particular toy. Interested stakeholders should carefully review the updated Draft 2018 Guidelines with a view to identifying whether the CPSC and NIH staff’s assessments, evaluations, and test results match their information and experience. Focus group testing and evaluations from manufacturers, industry groups, or other outside groups could help improve and inform CPSC staff’s conclusions.

Comments on the Draft 2018 Guidelines may be submitted here until June 11, 2018.

CPSC Sues to Force Jogging-Stroller Recall

By Sheila Millar on March 6, 2018 Posted in Product Safety

The U.S. Consumer Product Safety Commission’s (CPSC) first lawsuit of 2018 is against the maker of popular lines of jogging strollers, Britax Child Safety, Inc. The complaint, to be heard in administrative proceedings, concern’s Britax’s B.O.B. jogging strollers. The company and its 2011 merger partner, B.O.B. Trailers, Inc., have been importing and distributing the strollers since 1997. At issue are about 493,000 jogging strollers imported and distributed between December 2011 and September 2015. They include a range of single- and double-seated models.

Detaching front wheels are the central issue of the case. CPSC takes the view that the three-wheeled stroller models can operate when the front wheel is not properly secured, leading to the front wheel detaching when the stroller is moving, which in turn causes the stroller to stop and tip over. The CPSC’s position is that the detachment issue reflects a design defect. The company argues that improper use, rather than any design flaw, is the cause of the problem, saying: “the[ detachments] involve an improperly secured quick[-]release mechanism … or jogging with the swivel wheel unlocked.”

According to the agency’s press release, it has received about 200 complaints about wheels coming off the stroller since 2012, with reports of 50 injuries to children and 40 to adults, including head and teeth injuries, bruises, torn ligaments, and cuts.

When CPSC asked the company to conduct a recall, the company refused, arguing that misuse rather than any defect in the product was the cause. By a 3-to-1 vote, a majority of CPSC Commissioners approved filing an administrative complaint seeking to compel Britax to recall the strollers, inform the public of the defect, and offer a remedy in the form of repair, replacement, or refund.

Britax has been willing to conduct recalls with CPSC before. In 2011, for example, the company jointly recalled its B-Nimble strollers over a risk of brake failure. It conducted other recalls with CPSC in 2014, 2016, and 2017. Notably, although CPSC has been receiving complaints about wheel detachment since 2012, only now has the agency attempted to force a recall. The company’s refusal to conduct a recall in this situation suggests its conviction that user error is to blame, a point emphasized in the company’s statement: “While we respect the CPSC and its mission, we cannot agree to recall a product that is not defective.”

Questions of safety and user misuse are complicated and necessarily involve subjective judgments. Additionally, hazards that appear clear in hindsight are often hazy at the outset. It is common for reasonable people, including safety experts inside and outside government, to disagree about what constitutes a safety hazard, the scope of a company’s responsibility for improper installation or misuse of a product by consumers, and about what constitutes an acceptable degree of risk.

Although administrative and judicial lawsuits to force recalls have been exceedingly rare for CPSC, the agency has initiated several in recent years. These include suits to force recalls and to recover civil penalties from companies who were allegedly late in reporting substantial product hazards. The Britax suit represents a continuation of this hard-charging enforcement effort. Further, it suggests the willingness of a majority of commissioners to support pursuing administrative remedies when companies disagree with agency conclusions. Companies working with CPSC on potential safety issues should bear this in mind as they work on joint solutions, just as they should remember that the agency’s jurisdiction extends to products that fail to comply with a regulatory requirement, pose an unreasonable risk of serious injury or death, or contains a defect that poses a substantial risk of harm.