Consumer Protection Connection

Cybersecurity Update

Posted in Cybersecurity

As connected products are increasingly integrated into everyday life, measures to address the security of Internet of Things (IoT) devices continue to evolve. Some of the latest initiatives include the following.

NTIA issues guidance on cybersecurity communications
Last month, as part of an ongoing multi-stakeholder initiative, a working group of the National Telecommunications and Information Administration (NTIA) issued guidance to help IoT manufacturers more effectively communicate cybersecurity and privacy information to consumers. The working group considered guidance from other agencies, including the Federal Trade Commission and Department of Homeland Security, nonprofits, and industry.

The NTIA document, Communicating IoT Device Security Update Capability to Improve Transparency for Consumers, focuses on “key elements” for manufacturers to consider communicating to consumers prior to purchase, which are crucial for transparency and informed choice. They include informing consumers upfront whether their devices will receive security updates, how updates will be communicated (e.g., will they update automatically?), and when updates will end. NTIA also recommends addressing how users are notified about security updates; what happens when a device no longer receives update support; how the manufacturer secures updates; any costs for consumers to keep their devices current once updates end; and when or whether a device ceases to operate or loses functionality when security support ends, or whether users bear the risk of operating the device once security updates end.

The guidance emphasizes that updates and patches do not offer complete device protection and are not the sole security measures that IoT manufacturers and consumers should take. Thus, while the guidance provides a useful roadmap for IoT manufacturers, companies may wish to consider advising on additional security practices and policies that apply to the device and prudent steps for consumers to take to maintain device security, such as password management. The recent focus on communicating about IoT updates and patches appears to stem from the recognition that IoT devices are powered by software, and that software is updated and replaced, sometimes frequently.

Internet of Things (IoT) Cybersecurity Improvement Act of 2017
On August 1, Senate Cybersecurity Caucus co-chairs Mark Warner (D-VA) and Cory Gardner (R-CO) introduced a bill to provide minimum cybersecurity operational standards for connected products purchased by federal agencies. Per Senator Gardner, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.” The bill would require agencies to include a clause in procurement contracts requiring suppliers of connected products to meet basic industry-wide cybersecurity standards. Suppliers would be obliged to provide written certification that devices do not contain any known security vulnerabilities or defects, and allow for patching of security updates. In addition, connected devices would be prohibited from including hard-coded passwords, which can provide a back door for malware.

Although this bill would apply only to connected products purchased by the federal government, federal procurement standards are often mirrored by state procurement officials and can find their way into other specifications as well.

ANSI introduces first independent cybersecurity standard
Another development affecting cybersecurity of connected products is the finalization of the first independent standard for IoT device cybersecurity. The American National Standards Institute (ANSI) introduced UL 2900-1, General Requirements for Software Cybersecurity for Network-Connectable Products, on July 5. Developed as part of UL’s Cybersecurity Assurance Program, the UL 2900 series applies established security design principles to measurable criteria to assess vulnerabilities of connected products. UL 2900 has been recognized by the Food and Drug Administration, which is expected to formally announce its adoption in the next Federal Register notice.

As cybersecurity standards, guidelines, and proposed regulations for IoT devices proliferate, it is important to remember that the specific security measures adopted must be relevant to the type of information collected by a particular IoT device, including the potential sensitivity of that data.

Internal Reforms Announced for FTC’s Bureau of Consumer Protection

Posted in Privacy

The Federal Trade Commission’s Bureau of Consumer Protection is about to undergo reform, according to FTC Acting Chairman Maureen Ohlhausen. In a press release issued on July 17, the FTC stated that the changes are part of an ongoing initiative to simplify information requests and improve transparency that began last April, when Ohlhausen announced new internal working groups on agency reform and efficiency.

“It is our duty to carry out our vital mission in the most effective and efficient way possible. The changes announced today will reduce unnecessary and undue burdens of FTC investigations without compromising our ability to protect American consumers,” Ohlhausen stated.

The current round of reforms concerns Civil Investigative Demands (CIDs) in consumer protection cases. According to the FTC, the changes include:

  • Plain language descriptions of the CID process and business education materials;
  • More detailed descriptions of the scope and purpose of investigations to provide a better understanding of the information requested;
  • Reduced time periods for investigations to minimize the burden on companies;
  • Streamlined instructions for providing electronically stored data; and
  • Where appropriate, longer response times for CIDs to improve quality and timeliness.

The reforms are intended to make investigatory/information gathering requests less burdensome to businesses and more efficient generally. If effective, they will narrow the scope of information requested to specific pertinent information. As in many areas of legal and regulatory compliance, responding to CIDs—even in the absence of any wrongdoing or evidence thereof—can be time consuming and costly to businesses.

Other regulatory reform initiatives have been announced by the FTC in recent months, so it is reasonable to expect that more changes will be on the horizon. Most recently, the FTC announced that it is seeking public comments on the Picture Tube, Textile, Energy Labeling, and CAN-SPAM Rules to inform the agency’s decision on whether to update them. More information is available in Keller and Heckman LLP’s Consumer Protection Connection blog post Regulatory Reforms Afoot at FTC: Now’s Your Chance to Weigh In.

Regulatory Reforms Afoot at the FTC: Now’s Your Chance to Weigh in

Posted in Regulations

As part of Acting Chair Maureen K. Ohlhausen’s regulatory reform initiative, the Federal Trade Commission (FTC) is asking for the public’s input on the Picture Tube, Textile, Energy Labeling, and CAN-SPAM Rules. The comments will inform the Commission’s decision on whether to update these rules.

  • The Textile Rule obliges marketers of textiles to label their goods properly for identification purposes. The FTC seeks comments on a proposal to eliminate the obsolete labelling provisions, “which require marketers to attach a label to a textile product disclosing the manufacturer or marketer name, the country where the product was processed or manufactured, and the generic names and percentages by weight of the fibers in the product.”
  • The Picture Tube Rule requires manufacturers to adopt uniform measurement of television screen sizes and requires advertisers to base any representation of the screen size on the horizontal dimension of the actual, viewable area so that consumers know exactly what to expect. The FTC is looking for particular feedback regarding whether the rule is still needed at all as well as opinions on its “efficiency, costs, benefits and impact.” The commission will consider new television technology “including plasma, LED, OLED, and other similar materials in flat display screens” as it deliberates possible changes.
  • Under the Energy Labeling Rule, EnergyGuide labels are required on certain appliances “to help consumers compare similar models.” The Commission is proposing to update this rule “to eliminate provisions that are obsolete and unnecessarily burdensome and to account for new products in the marketplace.” The FTC’s proposed changes are informed by feedback it received in an earlier call for comments that ended in September 2016.
  • The CAN-SPAM Rule implements the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act and sets forth requirements for commercial email messages. The FTC is seeking comment on the benefits of the Rule, the costs of compliance, and whether it should be amended, for example, to account for technological or economic changes.

Comments on the Textile Rule must be submitted by July 31, 2017. Feedback on the Picture Tube Rule and the CAN-SPAM Rules must be submitted by August 31, 2017. All comments should be submitted at

Acting Chair Ohlhausen stated: “Regulations can be important tools in protecting consumers, but when they are outdated, excessive, or unnecessary, they can create significant burdens on the U.S. economy, with little benefit. Private firms face constant market pressure to innovate and improve, and I see no reason why government should operate any differently. American taxpayers should expect nothing less from us.”

As the reform process continues, the FTC may update or repeal other rules. Stay tuned.

What’s Happening at the CPSC

Posted in Product Safety

Acting Consumer Product Safety Commission (CPSC) Chair Ann-Marie Buerkle recently released an update regarding CPSC’s current projects, some of which involve stakeholder participation.

Mid-Year Adjustments

The Commission has approved its FY 2017 Mid-Year Review and Proposed Operations Plan Adjustments. Top priority has been given to a project concerning improving the safety of lithium ion batteries. In addition, the Regulatory Robot project, which provides information to the regulated community about CPSC regulations, will be updated and improved. The CPSC’s e-filing study – which aims to discover the value of different types of information for assisting the Office of Import Surveillance in targeting products and shipments at import – is also moving forward.

CPSC will also be holding a public hearing on its priorities for Fiscal Year 2018 and Fiscal Year 2019. The hearing will begin at 10 a.m. on Wednesday, July 26, 2017.

Help for CPSC on Reducing Regulatory Burdens

The CPSC put out a request for information on ways to reduce burdens and costs of existing rules, regulations, or practices. CPSC is interested in hearing any and all ideas, big or small, that might help ease regulatory burdens, including comments on third party testing, eliminating or updating a rule, changing a practice, and providing guidance.

Comments on how to reduce regulatory burdens may be submitted electronically here. The deadline is September 30, 2017.

Recall Effectiveness Workshop

On Tuesday, July 25, CPSC will hold a workshop to explore and develop proactive measures that CPSC and stakeholders can take to improve recall effectiveness. The workshop will be held in the Hearing Room at CPSC’s headquarters in Bethesda, MD from 9 a.m. to 3 p.m.

Register to attend here.

11 States Sue Department of Energy over Inaction on Efficiency Standards

Posted in Uncategorized

Eleven states, led by New York Attorney General Eric Schneiderman and California Attorney General Xavier Becerra, together with the city of New York, a Pennsylvania regulator, and three nonprofit groups, have jointly filed suit in federal court against the Department of Energy (DOE). The lawsuit seeks to compel implementation of new and updated energy efficiency standards for air compressors, commercial boilers, portable air conditioners, power supplies, and walk-in coolers and freezers.

The rules subject to the lawsuit were finalized in 2016. The coalition argues that federal law required the rules to go into effect in March 2017, after the mandatory 45-day error correction review had passed. But in late January, the White House directed agency heads to impose a freeze on new regulations until they had an opportunity to review them, and newly appointed DOE Secretary Rick Perry left the status of the rules in limbo.

According to estimates, the new energy efficiency standards would collectively save U.S. consumers between $11 and $12 billion on electricity bills annually, and would reduce greenhouse gas emissions by more than 159 million tons over 30 years.

In the new environment where the federal government is taking an increasingly deregulatory stance, states, municipalities, and NGOs may become increasingly willing to take legal action to compel rulemaking. In April, the same coalition (less Maryland) brought suit in New York circuit court to compel the DOE to implement ceiling fan efficiency standards, but the DOE relented before the case was heard. DOE confirmed the ceiling fan regulations will go into effect in September 2017.

CPSC Issues Safety Warning for LayZBoard Hoverboards

Posted in Product Safety

It is no secret that hoverboards – two-wheeled, battery-powered, self-balancing scooters – have proved enormously popular with kids and teenagers. But allegations regarding defective battery packs have triggered recalls. The latest hoverboard incident was associated with a fatal fire in Harrisburg, Pennsylvania last March.

The U.S. Consumer Product Safety Commission (CPSC) started an investigation into the Harrisburg incident after fire officials blamed the accident on a charging hoverboard. Now, the CPSC has asked consumers to immediately stop using the brand of hoverboard used, LayZ Board. The CPSC made clear that the warning does not apply to Lazyboard scooters, which are a separate brand made by a different manufacturer.

Some 3,000 LayZ Board hoverboards have been imported into the U.S. Among the incidents the CPSC investigated were reports of burns and property damage across 20 states, allegedly causing in excess of $2 million in property damage. In September 2016, the CPSC recalled 501,000 hoverboards from eight manufacturers after documenting 99 incidents stemming from the scooters’ lithium-ion battery packs overheating and, in some instances, catching fire or exploding. Since then, the CPSC added another 500 scooters from a ninth manufacturer to the recall.

Lithium ion batteries offer manufacturers the ability to design and produce devices that can run for long periods of time without recharging. But, after a series of high-profile accidents, the dangers posed by cheaper makes of the batteries have been widely publicized. In June 2016, CPSC’s then-Chair Elliot Kaye stated: “Unless the manufacturer can show that the device has been certified as safe by Underwriters Laboratories (UL), it should be considered ‘a fire hazard waiting to happen.’” He urged consumers to return any non-certified hoverboard to the manufacturer for a refund.

The first hoverboard certification was granted by UL in May 2016, meaning that earlier models would have been manufactured before the UL hoverboard standards were in place. That does not automatically mean that earlier models are unsafe if the manufacturer used a high degree of due diligence when choosing batteries for use in its products, but it is likely that manufacturers will have to demonstrate that level of diligence if investigated. It is unlikely that retailers will now accept new models of hoverboards that are not certified.

It is worth noting that while the CPSC has issued a warning notice about LayZ Board rather than a recall, the Commission can still initiate a recall down the road.

Kawasaki Settles with CPSC for $5.2 Million for Alleged Failure to Report Defects

Posted in Product Safety

Kawasaki Heavy Industries, Ltd., of Japan; Kawasaki Motors Corp., U.S.A., of Foothill Ranch, California; and Kawasaki Motors Manufacturing Corp., U.S.A., of Lincoln, Nebraska, agreed to pay a $5.2 million civil penalty over allegations that Kawasaki failed to report floorboards cracking during normal operation of various Teryx4 recreational off-highway vehicles (ROVs) during two separate periods, which the CPSC alleged amounted to defects that could create substantial product hazards.

  • April 2012–July 2014: Kawasaki allegedly received over 400 reports of certain models’ floorboards cracking or breaking during normal operation due to debris impacts/penetration. Three incidents resulted in injuries to consumers, including one serious injury.
  • July 2013–August 2015: Kawasaki allegedly received over 150 reports of certain models’ floorboards cracking or breaking during normal operation, with three of these incidents resulting in consumer injuries, including two serious injuries.

Federal law requires that manufacturers, distributors, and retailers report potential product safety hazards to the CPSC within 24 hours of discovering evidence of a problem. Despite having received numerous reports of incidents caused by problems with the floorboards of thousands of recreational off-highway vehicles (ROVs), Kawasaki allegedly detailed only one incident and an unspecified number of injuries, which the Commission believed amounted to a material misrepresentation of the extent of the problem. The CPSC asserted that the company impeded the CPSC’s investigation, and hampered the agency’s ability to accurately communicate the prevalence of the hazard to the public, creating an unreasonable safety risk.

The civil penalty relates to a recall initially announced in 2014 and subsequently expanded in 2015.

In addition to paying a civil penalty, the company also agreed to maintain a program to ensure compliance with CPSC-administered laws, and also to maintain a related system of internal controls and procedures to assure that it adheres to reporting obligations.

Making determinations about substantial product hazards for purposes of reporting to CPSC necessarily involves subjective judgments. It can be difficult to sort through complex facts and information. The CPSC, however, continues to urge companies to report promptly and fully, and this civil penalty settlement follows several multimillion dollar agreements in recent years.

The settlement was provisionally approved by the CPSC by a 4-to-1 vote, with the three Democrats and one Republican voting to approve the settlement, and Acting Chairman Ann-Marie Buerkle voting to reject the provisional settlement. While it is possible that ultimately a change in the makeup of the Commission will result in the agency taking a new look at its approach to civil penalties, it remains essential for manufacturers to maintain accurate records of product defects, analyze them carefully, and do their best to assure that agency communications are accurate.

CPSC Staff Recommends Rejecting Organohalogen Petition

Posted in Product Safety, Regulations

In 2015, a group of non-government organizations (NGOs) filed a petition with the U.S. Consumer Product Safety Commission (CPSC), asking CPSC to categorically ban additive organohalogen flame retardants (OFRs) from the market in the U.S. in many significant consumer product categories. OFRs include a very broad set of diverse chemical compounds added to consumer products to retard the spread of flames, often to comply with regulatory requirements or voluntary safety standards. OFRs have been used in a large variety of consumer and household products available in the U.S. and other countries over the years.

The petitioners sought to prohibit the use of OFRs in children’s products, furniture, mattresses, and electronics casings. They claim that OFRs as a class are toxic, leading to widespread human exposure, and present a serious public health concern. Their claims were challenged by a number of groups, some of whom argued that the individual chemicals within the broad class of “organohalogens” described by petitioners were too distinct to treat as a class. Additionally, opponents asserted that the petition failed to establish that OFRs as a class pose a hazard based on the criteria the Commission must consider under the FHSA.

After nearly two years, CPSC staff submitted a 537-page briefing package to the Commission describing staff’s conclusion that insufficient evidence supported the petitioners’ claims. Accordingly, CPSC staff recommended that the Commission reject the petition for lack of evidence, as required under the Federal Hazardous Substances Act (FHSA). Chief among the reasons staff cited were:

  • The data on the hazards of OFR toxicity is insufficient “to conclude that all products defined by the petitioners with OFRs are hazardous substances under the FHSA.” Further, data indicates “that not all chemicals in this class have the same toxicity under the FHSA or the same exposure potential.”
  • The mere presence of OFRs in household dust does not establish a link to the four product categories in the petition.
  • The FHSA requires consideration of the connection between the toxicity of a substance, exposure to that substance through customary and reasonably foreseeable use of a product, and resulting substantial personal injury or substantial illness associated with the exposure. Given the varying properties of OFRs and lack of a connection between OFR measurements in environmental media and use in products in the petition, the petition does not support a conclusion that products containing any OFR are all hazardous substances under the FHSA.

The recommendations conclude with a statement that staff will continue to monitor flame retardants in children’s products and mattresses, and will work closely with voluntary standard setting organizations as well as with EPA “to coordinate activities on FR chemicals, including OFRs.”

A briefing package of this magnitude not only requires time for Commissioners and their personal staffs to review, but is often decided in an open hearing. Given the summer holidays, it will likely take several months before a decisional meeting is scheduled.

FTC Announces Date for PrivacyCon 2018 and Call for Presentations

Posted in Privacy

The Federal Trade Commission (FTC) has announced that its third annual PrivacyCon will take place in Washington, D.C., on February 28, 2018. The conference will bring together researchers, academics, industry representatives, consumer advocates, and government representatives to explore an array of consumer privacy and data security issues, with a particular focus on emerging technologies, such as the Internet of Things and artificial intelligence.

Acting FTC Chairman Maureen Ohlhausen, in line with other recent public statements, said she wants the conference to draw attention to research on how the economics of privacy are implicated in the larger discussion about privacy:

“Deepening the FTC’s understanding of the economics of privacy and consumer harm in the context of information exposure is integral to the FTC’s enforcement and educational efforts. I have made studying the economics of privacy a centerpiece of my consumer protection agenda, and I hope that PrivacyCon 2018 will highlight important research in this area.”

The call for presentations asks for research into a wide array of issues, including:

  • Privacy and security risks associated with emerging technologies and threats to consumer privacy, such as phishing, business email account takeovers, unpatched software, Internet of Things vulnerabilities, ransomware, distributed denial of service attacks, and identity theft.
  • Quantifying the costs and benefits of privacy from consumer and business perspectives.
  • Incentives for manufacturers and software developers to implement privacy and security by design.
  • Market failures in the area of privacy and data security, and available tools for overcoming or mitigating such failures.
  • What interventions would most appropriately address any consumer injury resulting from market failures (e.g., ex ante regulation vs. ex post enforcement).

Despite the fast pace of technological change, the FTC has announced the upcoming workshop well in advance; the deadline for submissions for PrivacyCon is November 17, 2017.

White House Issues New Cybersecurity Executive Order

Posted in Cybersecurity

On May 11, President Trump issued Executive Order Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which centers on federal networks, critical infrastructure, and the nation’s overall cybersecurity. The order largely expands on cybersecurity recommendations developed during the Obama administration. The order calls for a review of vulnerabilities and preparedness by the Secretary of Homeland Security and the Director of the White House Office of Management and Budget (OMB), who are directed to “jointly assess each agency’s risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch.” Key provisions include:

  • Federal agency heads will now be held accountable for cybersecurity in their agencies. They are required to review their computer security measures and submit a risk management report to the Secretary of Homeland Security and the Director of OMB within 90 days.
  • The head of the Department of Homeland Security is responsible for oversight of the cybersecurity measures of companies that DHS has determined are “at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” and must report on the adequacy of the security protocols of such businesses to the President within 6 months.
  • Federal agencies are instructed to implement the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The NIST Cybersecurity Framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia, and government agencies.

Many analysts are calling the executive order a good first step but note there is considerable work still to be done, including details of how expanded cybersecurity infrastructure will be funded and how the new regime will be implemented.

The recent, destabilizing “Wanna Cry” ransomware attacks made all too apparent how important it is to have a strong cybersecurity regime in place. As predicted, the government is looking to the NIST Cybersecurity Framework as a guide for managing cybersecurity risks for government agencies and critical infrastructure businesses. Whether or not your business is part of a critical infrastructure industry, the Framework can be a useful tool in understanding and managing security risks.