The FTC with a cavalier attitude is weighing in on areas that are outside its authority and deciding issues on subjective means…. I can’t support a massive increase for the Commission’s budget, especially given the FTC’s recent track record and given the nation’s current fiscal outlook. Steve Womack (R-AR)

When a Chairman opens

For anyone planning to attend the ABA Antitrust Spring Meeting in Washington DC this week (March 29-31), please look for your friends from Kelley Drye Ad Law on multiple panels on Wednesday and Thursday:

ABBY STEMPSON (Special Counsel in the Ad Law and State AG practices) will be speaking on a panel entitled Fundamentals –

On February 16, 2023, the Attorneys General of Ohio and Pennsylvania announced a settlement with Ohio-based DNA Diagnostics Center (“DDC”) for a 2021 data breach which involved 2.1 million residents nationwide, including the social security numbers of over 45,000 Ohio and Pennsylvania residents. As a part of the settlement, which resolves alleged violations of Ohio and Pennsylvania consumer protection laws, DDC will pay $400,000 in fines and will be required to implement improved security practices.

DDC, one of the world’s largest private DNA testing companies, suffered the breach in November 2021. The breach involved databases that were not used for any active business purpose, but had been acquired by DDC as a part of a 2012 acquisition of Orchid Cellmark.  These databases contained the personal information of over 2 million individuals who received DNA testing services between 2004 and 2012, including names, payment information, and social security numbers. DDC claims it was unaware that this data was transferred as a part of its acquisition of Orchid. 

DDC allegedly received indications of suspicious activity in the database from a security vendor as early as May 2021, but did not activate its incident response plan until August 2021 after the vendor identified signs of malware. The malware was loaded onto DDC’s network by threat actors that ultimately facilitated the extraction of patient data, which was subsequently used to extort a payment from DDC in exchange for its promised deletion. In its internal investigation of the incident, DDC found that an unauthorized third party had logged in via VPN on May 24 using a DDC account, having harvested credentials from a domain controller that provided password information for each account in the network. The Assurance of Voluntary Compliance (“AOC”) noted that at the time the hacker accessed the VPN, DDC had recently migrated to a different VPN, meaning no one should have been using the VPN that the hackers used.  Furthermore, the AOD notes that the threat actor used a decommissioned server to exfiltrate the data.

Continue Reading DNA Diagnostics Center Settles Data Breach with Ohio and Pennsylvania Attorneys General

Our State AG webinar series continues, this time with Consumer Protection Division Director Kevin Anderson and Deputy General Counsel Daniel Mosteller of the North Carolina Attorney General’s Office (NC AGO). During our webinar, we learned about the office’s structure, consumer protection work as it relates to public health issues, and the tools they have pursuant to the consumer protection laws of North Carolina. In case you missed it, here is a recording of the webinar. We have also recapped what we learned below.

General Office Information

North Carolina elects its attorney general (AG) during the same cycle as the US presidential election. The AG oversees the Consumer Protection Division, which also handles antitrust and charities matters. The division has approximately 20 attorneys, plus other staff members. The NC AGO promotes a “two-way dialogue” between the attorneys in the division and the front office to determine the office’s consumer protection priorities. The AG will set an agenda based on constituent needs. In parallel, the division continually works to spot new consumer protection issues to bring to the AG’s attention.

The NC AGO receives consumer complaints about a range of unfair or deceptive acts conducted within the state. Consumers can file complaints with the office, which, in turn, sends the complaints to the businesses at issue, asking for their voluntary response, with the ultimate goal of resolving disputes. Complaint specialists handle these complaints, assisting consumers and businesses with the process, and logging complaints into a database so that the office can keep an eye on trends and issues that need investigating. Last year, the office received over 20,000 written consumer complaints—a large increase compared to ten years ago.

Continue Reading State AGs and Consumer Protection: What We Learned from ….North Carolina

While seventeen new state attorneys general are now sworn in and getting settled into their offices across the country, consumer protection continues to be at the top of their agendas. Enforcement continues to take shape in different forms including individual actions, multistate investigations, and partnering with the Federal Trade Commission (FTC). This year we expect states to target particularly salient issues such as dark patterns, autorenewal concerns, and/or data security and privacy, but those priorities will continue to evolve through discussions at the forums of their main national organizations.

For our first State AG webinar of the year, we dove into consumer protection in the Tennessee attorney general office with our guests, Chief Deputy Lacey Mase and Executive Counsel Jeff Hill. If you missed it, we’ve recapped what we learned.

Background of the Office

Tennessee is the only state where the AG is appointed by the state Supreme Court, with the AG serving an eight-year term. Qualified attorneys submit applications to the Supreme Court and are interviewed publicly before being selected to serve as AG.

Within the AG’s office, the Consumer Protection Division handles both consumer protection and antitrust work. The AG’s consumer protection priorities are constantly shifting in order to respond to consumer needs. The office evaluates whether resources should be allocated to large scale litigation needs such as multistate actions or whether there are smaller consumer concerns that need to be addressed within the state.

The Consumer Protection Division now houses the Division of Consumer Affairs which serves as the point of contact for consumer complaints about unfair or deceptive acts conducted within the state (until a few years ago, the Division was a separate agency). Tennessee does provide complaint mediation for consumers, where the office will routinely ask businesses for a response.

Continue Reading State AGs and Consumer Protection: What We Learned from….Tennessee

Earlier this month at the 2022 NAAG Consumer Protection Fall Conference, panelists, including current and former AG personnel, discussed recent consumer protection legislation and rulemakings that have been implemented or proposed, as well as recent court actions affecting consumer protection laws, to provide AGs and staff a year in review.

In the wake of the

In late September, we blogged about a lawsuit that the Chamber of Commerce and other business groups filed against the CFPB, challenging the CFPB’s update to its Supervision and Examinations Manual. As updated, the manual now states that discrimination is an “unfair” practice under the Dodd-Frank Act, and that the agency plans to scrutinize it

Most people would generally agree that discriminating on the basis of race, color, religion, disability, or similar factors is a bad thing to do – indeed, that it’s “unfair” within the common meaning of the word.  It’s also illegal in various circumstances – e.g., the Equal Credit Opportunity Act prohibits certain forms of discrimination in

Join us on Thursday for a webinar discussing how to operationalize adtech privacy compliance, and learn about other ways you can stay informed.

Operationalizing Adtech Privacy Compliance: Understanding the IAB Multi-State Privacy Agreement

State privacy laws that go into effect in 2023 will significantly change the digital advertising landscape.  These privacy laws require companies to

How To Protect Employee/HR Data and Comply with Data Privacy Laws
Wednesday, July 20

As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor