Sheila Millar

“Made in the USA” is an attractive selling point for many consumers who want to support homegrown industry, so it is the topic of many advertising claims for a variety of products. But to establish that a product is American-made, manufacturers have to show all its key parts were made here. And if steel tags which proudly state “Made in the USA” were, in fact, manufactured overseas, that’s false advertising.

This is the situation faced by Texas-based Block Division, Inc., a manufacturer of metal pulleys. According to the FTC complaint released on March 8, 2017, Block’s advertising used images as well as explicit wording to reinforce its “Made in the USA” message. Yet, according to the FTC, the company imported integral components of its pulleys from other countries, including, ironically, the imported steel plates that were stamped with the words “Made in USA.”

Under a settlement with the FTC, Block Division is banned from advertising its products as USA-made unless the company can establish “the final assembly or processing of the product occurs in the United States, all significant processing that goes into the product occurs in the United States, and all or virtually all ingredients or components of the product are made and sourced in the United States.” The company can make “qualified” U.S. origin claims only if it clearly and conspicuously “conveys the extent to which the product contains foreign parts, ingredients, and/or processing.”

Acting FTC Chairman Maureen Ohlhausen commented “Consumers have the right to know that they can trust companies to be truthful when it comes to ‘Made in USA’ claims. This is an important issue for American business and their customers, and the FTC will remain vigilant in this area.”

Two FTC documents, Complying with the Made in USA Standard and Enforcement Policy Statement on U.S. Origin Claims, outline fundamental requirements to comply with FTC enforcement guidelines and to substantiate “Made in the USA” claims:

  • All significant parts and processing that go into the product are of U.S. origin (the “virtually all” standard);
  • Competent and reliable evidence exists to back up the claim that the product in question is made in the U.S.

Block Division and the iSpring Water Systems settlement last month are the latest in a line of complaints the FTC has brought in recent years against companies that deceptively promote “Made in the USA” advertising. These cases indicate the ongoing seriousness with which the Commission will treat such claims in the future.

Comments on the proposed settlement will be accepted online until April 7, 2017.

Sheila Millar and Tracy Marshall

On March 1, the Federal Communications Commission (FCC) granted a temporary stay of one of the broadband privacy rules adopted in October of last year. That rule, which pertains to data security, would otherwise take effect on March 2. Newly installed FCC Chairman Ajit Pai and Federal Trade Commission (FTC) Acting Chair Maureen Ohlhausen issued a joint statement in support of the stay, which will allow the FCC to consider petitions for reconsideration of the October 2016 Report and Order before the data security and other new requirements for broadband internet service providers (ISPs) take effect. The Chairmen expressed their goal of “harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy.”

The FCC’s 2016 Report and Order established a comprehensive set of rules for protecting the confidentiality and security of information that ISPs acquire from their customers. Pai was one of two FCC Commissioners who issued a strong dissent. The recent stay, approved by the FCC in a 2-to-1 vote along party lines, follows Pai’s statement on February 24, 2017 that he would seek to reconsider elements of the Obama-era FCC’s privacy rules that were inconsistent with the FTC’s rules.

The moves by the FCC presage the likely withdrawal of the prescriptive broadband privacy rules, which rely on a determination by the FCC that ISPs are common carriers under its jurisdiction. This would return ISPs’ treatment of consumer privacy to the FTC, which has more experience enforcing privacy and data security laws in a technology-neutral manner.

Sheila Millar and Tracy Marshall

If a business advertises it is a member of a privacy program, even a voluntary one, it had better be, according to the Federal Trade Commission (FTC). In separate but related complaints, the FTC alleged that three businesses – software provider Sentinel Labs Inc., private messaging app developer SpyChatter Inc., and cybersecurity software company Vir2us Inc. – represented that they were members of the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) when they were not.

The CBPR is a voluntary, cross-border privacy regime designed “to protect data that flows between the regions.” Its system is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access, correction, and accountability.

Although membership is voluntary, false representations about participation are enforceable. Furthermore, participation isn’t simply a matter of saying you support the principles; participants must undergo a review by an APEC-recognized accountability agent, which certifies companies that meet CBPR standards. Despite assertions in their online privacy policies that they were CBPR members, Sentinel, SpyChatter, and Vir2us Inc. had never been certified by an APEC agent.

FTC Acting Chair Maureen Ohlhausen commented that “Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable U.S. companies to compete around the world. Companies, however, must live up to the promises they make to protect consumer data.” Ohlhausen’s comments indicate the seriousness with which the FTC continues to approach deceptive advertising related to privacy.

Under their settlement with the FTC, the three companies are barred from making any misleading assertions about their “participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.”

Public comments may be submitted electronically on the Sentinel Labs, Inc., SpyChatter, Inc., and Vir2us, Inc. agreements through March 24, 2017.

It is important to note that there are a growing number of privacy “seal” programs, and some organizations offer a variety of such programs. Whether ads involve compliance with the EU-U.S. Privacy Shield, APEC, or programs under the Health Insurance Portability and Accountability Act (HIPAA) or the Children’s Online Privacy Protection Act (COPPA), to minimize risk, businesses need to ensure that claims accurately reflect the specific program they joined. And, of course, they should only advertise participation while their membership or seal status is current and their policies and practices remain in compliance.

Sheila Millar

In line with the chairs of other U.S. government agencies and commissions, U.S. Consumer Product Safety Commission (CPSC) Chairman Elliot F. Kaye has resigned his seat as chairman, according to internal sources. Pursuant to the commissioners’ unanimous vote on January 19, 2017, Vice Chair Ann Marie Buerkle assumes the role of Acting Chair until a permanent replacement is appointed by President Trump and confirmed by the Senate.

Acting Chair Buerkle is a proponent of reducing testing burdens faced by manufacturers and working closely with the stakeholder community. She has opposed the recent increase in CPSC’s civil penalty settlements and criticized a lack of transparency in the civil penalty process.

Kaye was nominated by President Barack Obama on March 31, 2014, and was confirmed by the U.S. Senate on July 28, 2014, to a term set to run until 2020. He had two separate commissions—one as commissioner and one as chairman—and resigning the chairman’s seat does not automatically affect his seat as commissioner.

Sheila Millar and Jean-Cyril Walker

The push to “Buy American” aims to encourage consumers and businesses to support homegrown industry. So, when a water filter maker’s claims of “buil[t] in the U.S.” didn’t hold water, the company quickly found itself in a sea of trouble with the FTC.

Georgia-based iSpring advertised and sold its water filter to consumers on its website as well as via major retailers such as Amazon, Overstock, Sears, Home Depot, and Walmart. The FTC complaint alleged that iSpring Water Systems misled consumers with “false, misleading, or unsupported claims” that its water filtration systems are “Built in USA.” The problem, the FTC alleged, was that the company used substantial components produced overseas.

Under the standard terms of its settlement with the FTC, iSpring is prohibited from making any representation regarding country of origin unless such representation is demonstrably true and cannot describe its products as “Made in USA” unless it can establish that virtually all of its components are sourced and manufactured in the United States. Qualified “Made in USA” claims are, of course, permissible so long as iSpring makes them “include a clear and conspicuous disclosure about the extent to which the product contains foreign parts, ingredients, [or] processing.”

“Supporting American manufacturing is important to many consumers. If a product is advertised or labelled as ‘made’ or ‘built’ in the USA, consumers rightly expect that to be the case when they part with their hard-earned money,” said Acting FTC Chairman Maureen Ohlhausen. “This is an important issue for American business and their customers, and the FTC will remain vigilant in this area.”

Many consumers do look for products made in America. The decision confirms that the FTC, which has been very active in enforcing against similar products over the past couple of years, will continue to take a close look at such claims. Public comments on the proposed agreement will be accepted until March 3, 2017, and interested parties can submit comments here.

Sheila Millar and Tracy Marshall

Have you ever had the niggling suspicion your television was watching you? Apparently, if it was made by smart technology manufacturer VIZIO, it very well may have been. In a $2.2 million settlement with the Federal Trade Commission (FTC) and the New Jersey Attorney General, VIZIO acknowledged that it collected and sold data from 11 million televisions without viewers’ knowledge.

According to the FTC complaint, beginning in February 2014, VIZIO smart televisions covertly recorded continuous data of what viewers watched without their knowledge or consent. The television’s Smart Interactivity feature was advertised simply as a way to get program recommendations. But when the feature was activated, rather than make viewing suggestions, it collected data from cable, on-air broadcasts, DVDs, broadband, and streaming devices and sent it back to VIZIO via the company’s embedded, proprietary automatic content recognition (ACR) software. The data, including a persistent identifier for each television, the program and commercial viewed, when it was viewed, how long it was viewed, and what channel it was on, was then sold to third parties for audience measurement, analyzing advertising effectiveness, and behavioral advertising purposes. The complaint asserts that these actions violated Section 5 of the FTC Act and New Jersey consumer protection laws.

Under a stipulated federal court order, VIZIO is required to obtain express consent for its data collection and sharing practices, and must institute a comprehensive data privacy program. The company is also barred from misrepresenting the privacy, security, and confidentiality of consumer information it collects.

FTC Acting Chairman Maureen K. Ohlhausen issued a concurring statement in which she noted that “[e]vidence shows that consumers do not expect televisions to collect and share information about what they watch.” She went on, however, to caution:

We must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers. This case demonstrates the need for the FTC to examine more rigorously what constitutes “substantial injury” in the context of information about consumers. In the coming weeks I will launch an effort to examine this important issue further.

Ohlhausen’s statement is consistent with earlier dissenting and concurring statements in other cases suggesting that FTC privacy and data security enforcement actions should focus on instances where business actions resulted in actual harm to consumers. The type of review Ohlhausen describes may result in affirming the importance of all three factors under the Commission’s 1980 Unfairness Policy Statement. With the Internet of Things exploding, manufacturers of smart products should stay tuned.


Sheila Millar and Tracy Marshall

On January 10, 2017, the National Institute of Standards and Technology (NIST) released an update to its Cybersecurity Framework, first issued in 2014. The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The new draft provides details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. According to NIST, the new Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 incorporates feedback and suggestions received since 2014, including responses from a December 2015 request for information and comments from attendees of a workshop held in April 2016.

The changes in the latest Framework include a new section on cybersecurity measurement; a more detailed explanation of how to use the Framework for Cyber Supply Chain Risk Management purposes; refinements to better account for authentication, authorization, and identity proofing; and a more thorough explanation of the relationship between Implementation Tiers and Profiles.

NIST is a branch of the U.S. Department of Commerce which provides measurement standards. On February 12, 2013, President Obama issued an Executive Order that called for the development of a risk-based, voluntary set of industry standards and best practices to help organizations manage cybersecurity risks. The Cybersecurity Framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia and government agencies. The Cybersecurity Enhancement Act of 2014 calls for NIST to continue its work on the framework.

Details of the changes can be found in Appendix A of the draft Framework. Comments on the draft will be accepted until April 10, 2017, and should be sent to cyberframework@nist.gov. From ransomware attacks to data breaches at major retailers, health care facilities and others, cybercrime continues to present serious threats to businesses across the supply chain. With these growing risks, it is important for businesses in all sectors to monitor best practices and assess, implement, and re-assess security solutions periodically.

Sheila Millar and Tracy Marshall

In 2015, Verizon found itself in hot water over charges it was using a “super cookie” that continued to operate even when users believed they had opted out of mobile phone data tracking. Verizon allegedly then sent the data obtained to a third party for targeted advertising purposes without its customers’ consent. Verizon settled with the FTC in 2015, and now, the third party at the heart of the FTC’s complaint, Turn Inc., has followed suit, agreeing to the terms of a consent order with the FTC on December 20, 2016.

Turn’s demand-side platform and data management platform enable sellers to target consumers with digital advertisements. According to the FTC, Turn’s privacy policy indicated that Verizon Wireless customers could set their web browser to block targeted advertising or limit cookies, but web data tracking continued even after customers had taken the appropriate steps to turn it off.

The proposed consent order requires Turn to provide an effective opt-out for consumers who do not want their data used for targeted advertising; place a hyperlink on its homepage to an explanation of what information is collected and used for targeted advertising; and provide an accurate representation of its privacy policy.

Public comments on the proposed agreement will be accepted through January 19, 2017, and interested parties can submit comments here.

Sheila Millar

On December 12, 2016, the California Department of Toxic Substances Control (DTSC) released a draft Alternatives Analysis (AA) Guide under the state’s green chemistry program, Safer Consumer Products (SCP). Under the SCP program, product designers and manufacturers are encouraged to reduce or eliminate the use of certain targeted chemicals in their products, and the Guide is intended to help businesses navigate the SCP Alternatives Analysis process. It also provides useful approaches, methods, resources, tools, and examples of best practices.

A webinar to discuss the draft Guide will be held on January 10, 2017; registration information is available here. The comment period is open now and runs until January 20, 2017.

Clocking in at over 200 pages, the draft Guide is far from light reading, but businesses and trade associations that use chemicals currently or that are potentially targeted in the SCP process should keep close tabs on AA developments and consider submitting comments. AAs will impose substantial expense on companies and industries, in part because the California SCP legislation establishes proscriptive requirements that no currently available AA tool will meet.

Sheila Millar and Tracy Marshall

New research from security company Kaspersky Labs suggests that the use of ransomware is now so widespread that nearly every moment, a ransomware attack is being launched somewhere in the world on businesses and consumers.

Ransomware, or malicious software that infiltrates computer systems and uses tools like encryption to deny access or hold data “hostage” for a ransom, is becoming an epidemic. According to Kaspersky’s data, ransomware attacks increased threefold between January and September 2016. Forty-two percent of small and medium-sized businesses were hit with ransomware attacks, while individual consumer attacks escalated from one every twenty seconds to one every ten. Ransoms demanded typically range from $500 to $1,000, but some criminals have demanded as much as $30,000, and only one in five small- to medium-sized companies have been able to retrieve their data after payment.

The threat is so great that the Federal Trade Commission (FTC) held a workshop on ransomware on September 7, 2016. In her opening remarks, FTC Chairwoman Edith Ramirez cautioned businesses to be aware of the dangers of ransomware and to adhere to FTC recommendations.

As a follow-up to the workshop, the FTC released ransomware guidelines on November 10, 2016, including a video outlining the dangers. The guidance offers four important steps that the FTC believes businesses should adopt to minimize the risk of ransomware threats:

  • Training and education. Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
  • Cyber hygiene. Practice good security by implementing basic cyber hygiene principles. Cyber hygiene initiatives include important steps:
    • Assess the computers and devices connected to networks to proactively identify the scope of potential exposure to malware.
    • Identify technical measures that can mitigate risk, including endpoint security products, email authentication, intrusion prevention software, and web browser protection.
    • Implement procedures to keep security current. Update and patch third-party software to eliminate known vulnerabilities.
  • Back up your data early and often.
    • Identify business-critical data in advance and establish regular and routine backups.
    • Keep backups disconnected from your network so that you can rely on them in the event of an attack.
  • Prepare for an attack. Develop and test incident response and business continuity plans.

The FTC also advises victims of ransomware on three steps they should adopt in response to attacks:

  • Contain the attack. Disconnect infected devices from your network to keep ransomware from spreading.
  • Restore your computer. If you’ve backed up your files, and removed any malware, you may be able to restore your computer. Follow the instructions from your operating system to re-boot your computer, if possible.
  • Contact law enforcement. Report ransomware attacks to the Internet Crime Complaint Center or an FBI field office. Include any contact information (like the criminals’ email address) or payment information (like a Bitcoin wallet number). This may help with investigations.
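The backup and restore steps above (identify critical data, back it up regularly, keep the copy where an attack cannot reach it, then restore only once the malware is gone) hinge on one question: can you prove the backup is intact before you trust it? The following Python script is an added illustration, not code from the FTC guidance or from any product named on this page. It writes a SHA-256 manifest beside each backup, uses that manifest to spot live files that were rewritten after the backup was taken, and refuses to restore any backup copy whose hash no longer matches. The manifest file name, directory layout and sample files are all constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"  # assumed name for the hash list stored beside the backup copies

def sha256_of(path):
    """Hash a file in chunks so large business-critical files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_backup(src_dir, backup_dir):
    """Copy every file under src_dir to backup_dir and record each copy's SHA-256 in a manifest."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), src_dir)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(root, name), dst)
            manifest[rel] = sha256_of(dst)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest

def changed_files(live_dir, manifest):
    """Paths whose live copy is missing or no longer matches the manifest (e.g. rewritten in place)."""
    return sorted(rel for rel, digest in manifest.items()
                  if not os.path.isfile(os.path.join(live_dir, rel))
                  or sha256_of(os.path.join(live_dir, rel)) != digest)

def restore_from_backup(backup_dir, dest_dir):
    """Restore only files whose backup copy still matches the manifest; reject the rest."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    restored, rejected = [], []
    for rel, digest in manifest.items():
        src = os.path.join(backup_dir, rel)
        if os.path.isfile(src) and sha256_of(src) == digest:
            os.makedirs(os.path.dirname(os.path.join(dest_dir, rel)), exist_ok=True)
            shutil.copy2(src, os.path.join(dest_dir, rel))
            restored.append(rel)
        else:
            rejected.append(rel)  # a backup copy that was itself altered is never trusted
    return sorted(restored), sorted(rejected)

def demo():
    """Constructed walk-through: back up two files, lose one live copy, detect it, restore, re-check."""
    work = tempfile.mkdtemp()
    live, backup = os.path.join(work, "live"), os.path.join(work, "backup")
    os.makedirs(os.path.join(live, "finance"))
    with open(os.path.join(live, "finance", "ledger.csv"), "w") as f:
        f.write("2016-11-10,invoice,1250.00\n")  # constructed sample data
    with open(os.path.join(live, "contracts.txt"), "w") as f:
        f.write("constructed contract text\n")
    manifest = build_backup(live, backup)
    with open(os.path.join(live, "finance", "ledger.csv"), "wb") as f:
        f.write(b"\x00unreadable\x00")  # stands in for a live file rewritten after the backup
    changed = changed_files(live, manifest)
    restored, rejected = restore_from_backup(backup, live)
    after = changed_files(live, manifest)
    shutil.rmtree(work)
    return changed, restored, rejected, after
```

In practice the backup directory would live on detached media or an offline share, as the guidance recommends, and the manifest check would run as part of the tabletop exercise before any restore.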

Generally, authorities do not recommend that businesses pay the ransom. Too often they simply get higher demands, become targets again, or don’t get the data back.

It is also important for businesses to remember that ransomware attacks often constitute data breaches that may be reportable under federal or state data breach notification laws. Conducting tabletop exercises to educate staff and test preparedness is helpful.

The FTC’s recommendations are consistent with the overall steps that the Commission and other experts have recommended to address data breaches. It’s important for businesses to pay attention to this sort of FTC guidance. The only thing worse than being held hostage by ransomware perpetrators is being held hostage and then also facing an FTC inquiry for alleged failure to adequately safeguard data.