On September 27th, the Senate Committee on Commerce, Science, and Transportation held a general oversight hearing of the FTC, which covered a multitude of major policy issues and included testimony from Chairwoman Edith Ramirez, Commissioner Maureen Ohlhausen, and Commissioner Terrell McSweeny. Chairman John Thune (R-SD) convened the hearing, joined by Senator Richard Blumenthal (D-CT), who sat in for Ranking Member Bill Nelson (D-FL) in his absence. Several other Committee members also participated in the hearing, cycling through as schedules permitted on what appeared to be a jam-packed day. Members in attendance included: Senators Dean Heller (R-NV), Amy Klobuchar (D-MN), Brian Schatz (D-HI), Jerry Moran (R-KS), Steve Daines (R-MT), Dan Sullivan (R-AK), Edward Markey (D-MA), Tom Udall (D-NM), Kelly Ayotte (R-NH), Maria Cantwell (D-WA), and Deb Fischer (R-NE).
The Commissioners’ opening statements focused on key issues related to the agency’s mandate, including enforcement, policy development, business education, and competition promotion. But for members and Commissioners alike, privacy and data security were the clear headline issues of the day. A variety of related topics were also raised, including protecting children online, the Internet of Things (IoT), tourism, credit reports, telecommunications, and deceptive claims. A brief summary of these issues follows.
Five months ago, Kelley Drye’s Communications practice group launched the Full Spectrum podcast. Since then, they have recorded and posted ten episodes, featuring several different attorneys speaking on the most timely trends and issues in the Communications industry. While the podcast is still new, it has gained a substantial following through iTunes, SoundCloud, their podcast website, and blog posts.
Episodes are posted twice monthly and include topics such as the monthly FCC Enforcement update. Take a moment to check out the podcast for legal discussions related to the technology, media and telecommunications industries. Kelley Drye’s Full Spectrum is also available on iTunes.
This inquiry follows a week after Senator Mark Warner’s (D-VA) request to FTC Chairwoman Edith Ramirez that the FTC work with members of Congress to identify ways to better protect children in the era of connected toys. Warner writes that the Children’s Online Privacy Protection Act was enacted in 1998 and may not have contemplated today’s evolving market of smart toys, for example, those connected devices that record children’s conversations and upload them to the cloud for all to hear and for hackers to exploit. The recent proliferation of these connected toys, Warner states, makes congressional efforts to protect children’s data “even more imperative.”
These congressional inquiries underscore potentially serious privacy concerns in the evolving market of connected toys and augmented reality. Since the publication of its January 2015 IoT Report, the FTC has encouraged companies to take three key steps in order to build consumer trust in IoT devices: (i) adopt “security by design”; (ii) engage in data minimization; and (iii) increase transparency and provide consumers with notice and choice for unexpected data uses. The FTC recently stated its belief that IoT-specific federal legislation is not warranted at this time, and the FTC will continue to rely on its Section 5 authority to ensure companies do not engage in unfair or deceptive privacy and data security practices.
For more guidance, see our Mashable article, “Navigating the Legal Pitfalls of Augmented Reality.”
On June 14, 2016, from 2-3pm (ET), please join the NAI, Kelley Drye, and Federal Trade Commission Chief Technologist Lorrie Faith Cranor in exploring effective notice and consent options as industry moves toward data collection and use across the Internet of Things.
Dr. Cranor will present a taxonomy of notice options based on her research, including various forms of visual, audio and haptic notices. She will discuss the selection of effective notice and consent mechanisms suitable for a given system or device, particularly as companies are constrained by interfaces on mobile devices, wearables, and smart home devices. She will also describe ways to evaluate the effectiveness of a notice in the context in which it is used.
This event may be attended either live at the offices of Kelley Drye in Washington, D.C., or via webinar.
Connected devices have existed in the marketplace in one form or another for decades (think vending machines or weather sensors). Yet a confluence of forces in recent years has helped spur a mass proliferation of technology in the “Internet of Things,” and with it, the collection and analytics of big data. Demand is high to connect nearly everything to the Internet — from smart home platforms and connected cars, to wearable devices and even smart yoga mats. Analysts predict that the number of IoT devices will reach between 25 and 200 billion by 2020.
For such a ubiquitous topic, the IoT can be surprisingly difficult to describe. At a basic level, the IoT is an ecosystem of physical objects connected to the Internet, generally featuring small, embedded sensors that rely on wired and wireless technologies to collect and transmit data either passively or actively. The Federal Trade Commission, the nation’s top consumer protection cop, defines the IoT as “the ability of everyday objects to connect to the Internet and to send and receive data,” which includes both consumer- and non-consumer-facing devices. As the IoT has continued to grow into new and emerging areas, so too has FTC scrutiny.
In the Law360 article “‘Smart’ Ways To Avoid FTC Internet Of Things Scrutiny,” partner Alysa Hutnik and associate Crystal Skelton address recent enforcement matters and lessons learned from the FTC’s report, “Internet of Things: Privacy and Security in a Connected World.” They also provide a list of several key issues to consider when developing and marketing a connected or “smart” device.
At last week’s Strata + Hadoop Worldwide Big Data Conference, those “in the know” about all things Silicon Valley prophesied that “data is the new bacon.” Witty comparisons aside, there is no question that big data has matured. Companies across all industry types are clamoring to leverage every possible gigabyte of available consumer data. As the industry has grown up, the list of FTC settlements involving privacy and data security has grown along with it – totaling more than 100 cases presently.
As Kelley Drye partner Alysa Hutnik and special counsel Kristi Wolff explained in their conference panel (It’s a brave new world: Avoiding legal privacy and security snafus with big data and the IoT), the FTC has made it clear that it is not just interested in mature companies when it comes to privacy and data security issues. The agency is closely monitoring practices by both startups and “grown up” companies.
So what is the FTC interested in presently? Last week, the FTC announced that it will host a fall seminar series to examine three emerging consumer technology issues that, according to the FTC, are raising critical consumer protection issues. These workshops will address ransomware and related data security issues, privacy and other considerations associated with the use of drones, and tracking consumer habits through their Smart TVs. This week, the FTC also announced that it will hold its second PrivacyCon event, seeking to explore new and evolving technologies, such as targeted advertising, cross-device tracking, smart homes, health and fitness wearables, voice-controlled technologies, connected cars, and commercial drones. And, as those of you who follow this area know, the most common pattern is workshops, followed by guidance, followed by enforcement. Smart companies of all ages should pay close attention.
The Commission could be even more effective in deterring unfair and deceptive practices, she asserted, if Congress would pass legislation that would strengthen the Commission’s existing data security authority and expand the breach notification requirements to include a broader range of entities, such as health websites or online newsletters, which are not covered by current rules. In addition, Bureau Director Rich called for Congress to expand the FTC’s civil penalty authority, its jurisdiction over non-profits, and its rulemaking authority under the Administrative Procedure Act.
All in all, Bureau Director Rich’s testimony was consistent with the Commission’s approach of continually assessing new developments and emerging trends and threats in the privacy area and with the soon-departing Commissioner Brill’s remarks from February 2016 when she stated that “Neither new technologies nor small companies get a pass under the FTC Act. So, trying to ‘fly under the radar’ as a small company is not a strategy that I recommend.”
This week, a dozen mobile app developers received warning letters from the FTC concerning audio monitoring software used in their apps, but not clearly disclosed to consumers.
The app developers allegedly used software development kits created by a company called SilverPush. The warning letters explain that SilverPush makes a “Unique Audio Beacon” technology available for app developers, enabling the apps to “listen” for unique codes embedded into television or advertising content to determine what television shows or advertisements are playing nearby. The beacon is configured to access the device’s microphone to collect audio information, even while the app is not actively in use. Using this technology, SilverPush can generate a detailed log of the television or advertising content that the user views for targeted advertising and analytics.
Take heed: after the FTC warns, enforcement for ignoring such warnings can come later for the same or similar practices. It is a good reminder to assess what consumer data is being collected by the business (and its mobile apps, websites, devices, etc.), and whether those practices are sufficiently disclosed. The more surprising (or personal) the data collection, the greater the company’s obligation to make clear disclosures in a timely manner.
Yesterday, the FTC announced that it had entered into a settlement agreement with Taiwan-based computer hardware manufacturer ASUSTeK Computer Inc., resolving allegations that the company failed to take reasonable steps to secure its routers and cloud services. Such failure, the FTC claims, constitutes an unfair practice, in violation of Section 5 of the FTC Act.
Additionally, the complaint alleges that ASUS misrepresented the security of its routers to consumers, through claims such as “the most complete, accessible, and secure cloud platform” and “safely secure and access your router.” In reality, however, multiple vulnerabilities – including the failure to encrypt consumer files in transit – allegedly allowed unauthorized access to consumer files and router login credentials. According to the FTC, ASUS was aware of these vulnerabilities as early as June 2013, but did not notify consumers of firmware updates until February 2014.
Under the terms of the settlement, ASUS has agreed to clearly and conspicuously notify consumers of available software updates, and to implement a comprehensive security program that (1) addresses security risks related to the development and management of its routers and router software, and (2) protects the privacy, security, confidentiality, and integrity of customer personal information transmitted via the routers. Specifically, the program must:
- Designate an employee to coordinate and be accountable for the program;
- Identify material internal and external risks to security, and assess the sufficiency of any safeguards in place to control those risks;
- Design and implement reasonable safeguards to control the identified risks, including through reasonable and appropriate software security testing techniques;
- Regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
- Develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order, and require by contract that service providers implement and maintain appropriate safeguards consistent with the order; and
- Evaluate and adjust the program in light of the results of testing and monitoring, any material changes to ASUS’s operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the program.
Importantly, ASUS’s compliance with this requirement for a comprehensive security program is subject to independent audits for the next 20 years. This settlement serves as yet another reminder that the FTC remains focused on cyber security, and that it is important for all businesses that handle or have access to customer information to ensure that they have implemented reasonable security practices. Failure to do so could result in a lengthy and expensive investigation, followed by a 20-year order.