Alysa Zeltzer Hutnik

43 State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide. The data breach, discovered in 2014, resulted in access to over 370,000 Neiman Marcus credit cards, at least 9,200 of which the states alleged were used fraudulently.

In addition to a monetary settlement of $1.5 million, Neiman Marcus has agreed to implement a number of security-related injunctive terms, including:

  • Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
  • Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
  • Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
  • Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
  • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
  • Devaluing payment card information, using technologies like encryption and tokenization, to obscure payment card data.

Neiman Marcus must also obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. The full settlement report is available here.

This settlement follows another multistate resolution with Adobe (here), highlighting State Attorneys General’s interest in, and monitoring of, companies’ data security programs and the steps taken to prevent, detect, and remediate data breaches. This most recent case is a good reminder to make sure you have an appropriate data security program in place, and that your records meaningfully reflect the comprehensive steps taken to address cyber incidents that may arise.

California Attorney General Xavier Becerra announced yesterday that the California Department of Justice will hold a series of six public forums on the California Consumer Privacy Act (CCPA).  The hearings will take place during January and February of this year and will give the public an initial opportunity to comment on the requirements set forth by the CCPA and the regulations the Attorney General must adopt on or before July 1, 2020.

The CCPA was passed in June of this year, and gives California residents specific privacy rights related to their online activities. Starting January 1, 2020, businesses will be required to comply with a number of provisions including requirements to disclose data collection and sharing practices to consumers, grant consumers a right to request deletion of their data, grant consumers a right to opt out of the sale of their personal information, and a prohibition on selling personal information of consumers under the age of 16 without explicit consent.

The CCPA requires the Attorney General to “solicit broad public participation” and adopt regulations regarding issues such as the definition of personal information, considering changes in technology and data collection practices, procedures for how a consumer can submit a request to opt out of the sale of his or her personal information, and procedures for businesses to determine whether a consumer’s request for information is verifiable.

The Attorney General’s announcement is particularly important because CCPA enforcement will not begin until six months after the promulgation of these regulations, or July 1, 2020, whichever is sooner.  These public forums indicate that Attorney General Becerra’s office is taking steps to adopt these rules, meaning CCPA enforcement may come sooner rather than later.

These hearings will serve as the first public forum in which businesses and members of the public can voice their thoughts or concerns about the required regulations. Members of the public who would like to speak at the forums can, but are not required to, register online. Comments may also be submitted via mail or email. A full schedule of the forums can be found here.

Kelley Drye is happy to assist if your business is considering whether to submit comments concerning the CCPA regulations or enforcement.  These forums present a critical opportunity for any stakeholder interested in California privacy law and enforcement to have their voices heard.  For more information on the CCPA and how it may affect your business, please visit our past blog posts here and here.

In June of this year, California passed the California Consumer Privacy Act (CCPA), giving California residents specific rights related to their online privacy, similar to those prescribed by the GDPR. The law was passed hastily to avoid a stricter ballot measure on the subject, but Governor Brown recently signed a bill amending the law.

Many of the amendments clarify some of the CCPA’s “technical” errors, such as solidifying that the Act should not be enforced to contradict the California Constitution. The most significant change, however, deals with the enforcement of the Act. Although Section 1798.198 makes the Act operative on January 1, 2020, the newly-added Section 1798.185(7)(c) prevents the Attorney General from bringing an enforcement action under the Act until July 1, 2020, or six months after the final regulations made pursuant to the Act are published, whichever is sooner. Thus, although the effective date is January of 2020, the California Attorney General may not be able to bring enforcement actions until up to six months after the enactment date, depending on when the office promulgates regulations. The amendments also extend the date by which the Attorney General must promulgate regulations from January 1, 2020 to July 1, 2020.

Another point worth noting is that the amendments remove the requirement for a private plaintiff to inform the Attorney General of a claim he or she has brought to enforce his or her private cause of action under the Act. This eliminates the ability of the Attorney General to bring its own action in lieu of a private one.

Additional changes include specifying additional laws to which the Act does not apply, including: (1) the Confidentiality of Medical Information Act or regulations promulgated in response to HIPAA, or the Health Information Technology for Economic and Clinical Health Act; (2) the Federal Policy for Protection of Human Subjects; and (3) the California Financial Information Privacy Act. The amendments also limit the civil penalty to $2,500 per violation, or $7,500 for each intentional violation.

Although this bill has clarified some issues with the original law, this will likely not be the last set of amendments to the CCPA before it goes into effect. We will keep you posted.


Yesterday, the California legislature passed SB-327, a bill intended to regulate the security of internet-connected devices.  Unlike the California Consumer Privacy Act (CCPA), SB-327 is significantly narrower.  As enacted, the bill is a “lighter” version of what was first introduced and amended in 2017 (which, at that time, would have included certain disclosure and consent requirements for connected devices).

At its core, SB-327 requires connected devices to be equipped with “reasonable security features” that are:

  1. appropriate to the nature and function of the device;
  2. appropriate to the information it may collect, contain, or transmit; and
  3. designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

Subject to the above, if a connected device is equipped with a means for authentication outside a local area network, this is considered a “reasonable security feature” if either: (a) the preprogrammed password is unique to each device manufactured; or (b) the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. These requirements, of course, are in addition to any duties or obligations imposed under other laws (i.e., CCPA).
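The two acceptable approaches in the paragraph above, (a) a per-unit factory password or (b) a forced credential change before first remote access, can be checked mechanically in firmware. The model below is an added example written for this post, not code from any manufacturer or from the statute; the `Device` class, its field names and the 12-character minimum for a new credential are assumptions. It stores only a salted PBKDF2 hash of the credential and shows the one case that fails the test: a fleet-wide default password with no forced rotation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

# Hypothetical device model for illustration; names and structure are assumptions.


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a dumped flash image does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Device:
    serial: str
    salt: bytes
    credential_hash: bytes
    # True when every unit left the factory with the same password.
    shared_default: bool
    # True when firmware refuses remote access until the first user replaces
    # the factory credential (SB-327 path (b)).
    rotate_before_first_access: bool
    rotated: bool = False

    @classmethod
    def unique_factory_password(cls, serial: str) -> Tuple["Device", str]:
        """Path (a): a distinct random factory password for each unit; the
        plaintext is returned once so it can be printed on the unit's label."""
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        return cls(serial, salt, _derive(password, salt), False, False), password

    @classmethod
    def fleet_default(cls, serial: str, default_password: str,
                      rotate_before_first_access: bool) -> "Device":
        """A unit shipped with a password shared across the product line."""
        salt = secrets.token_bytes(16)
        return cls(serial, salt, _derive(default_password, salt), True,
                   rotate_before_first_access)

    def _check(self, password: str) -> bool:
        # Constant-time comparison of the derived hash.
        return hmac.compare_digest(_derive(password, self.salt), self.credential_hash)

    def remote_login(self, password: str) -> str:
        """Authentication attempt from outside the local network.
        Returns 'ok', 'denied', or 'rotation_required'."""
        if not self._check(password):
            return "denied"
        if self.shared_default and self.rotate_before_first_access and not self.rotated:
            # Path (b): the shared default unlocks nothing but the change-credential step.
            return "rotation_required"
        return "ok"

    def set_credential(self, current: str, new: str) -> bool:
        """Replace the credential; rejects a wrong current password, a short
        replacement, or re-using the factory default."""
        if not self._check(current) or len(new) < 12 or new == current:
            return False
        self.salt = secrets.token_bytes(16)
        self.credential_hash = _derive(new, self.salt)
        self.rotated = True
        self.shared_default = False
        return True


def meets_sb327_password_test(dev: Device) -> bool:
    """Either (a) the preprogrammed password is unique to the unit, or
    (b) the device forces a new credential before first access."""
    return (not dev.shared_default) or dev.rotate_before_first_access
```

The distinction the statute draws is visible in the third case a reviewer would run: a unit built with `Device.fleet_default(..., rotate_before_first_access=False)` accepts the shared default from the internet indefinitely and fails `meets_sb327_password_test`, while the same unit with the rotation flag set answers `rotation_required` until the owner picks a credential of their own.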

The term “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Pretty much every device connected to the Internet is assigned either an IP address or Bluetooth address when it is connected. This can include, for example, anything from computers, tablets, and mobile devices, to smart watches, smart home hubs, or app-controlled toys.

The bill does not provide a private right of action. Only the Attorney General, a city attorney, a county counsel, or a district attorney can enforce the law, and the bill does not address (either directly or by implication) any specific penalties or remedies that may be sought by these entities. However, it’s possible that we will see the requirement to implement reasonable security measures asserted as a basis for a legal duty in conjunction with other claims (either by the AG or consumers).

The bill was ordered to engrossing and enrolling. If signed by Governor Brown, the law would become effective on January 1, 2020 (same day as the CCPA).

The Northern District of California recently ruled on DIRECTV’s motion for judgment on partial findings in a case where the FTC is seeking $3.95 billion in damages. The FTC’s case alleges that DIRECTV engaged in misleading advertising over a span of more than a decade and across a variety of media channels ranging from television to the company’s website, violating Section 5 of the FTC Act and the Restore Online Shoppers’ Confidence Act (ROSCA).

Specifically, the FTC alleges that the company failed to prominently display certain key provisions, such as the 24-month contract requirement and that advertised prices would increase after 12 months, on over 40,000 advertisements. The agency did not allege that the advertising in question was false, but that the details were not displayed sufficiently.

In partially granting DIRECTV’s motion, the court found that the FTC failed to prove a Section 5 violation as to the company’s banner, print, or TV ads because the agency did not establish that there was a misleading net impression among consumers, and because the Commission did not sufficiently identify the alleged net impression. The proffered evidence did not establish that the advertisements were likely to mislead a reasonable consumer.

The FTC provided evidence for fewer than 1,000 of the 40,000 advertisements challenged in the case. The court determined that this, along with the additional evidence that the FTC did provide, such as expert testimony regarding three specific ads, was not enough for the agency to meet its burden. The court noted that the agency was not required to introduce all 40,000 ads into evidence, but it did need to explain why the conclusions made about a few ads could be generalized to a large number of others that varied in format, content, and emphasis. The court also highlighted that DIRECTV’s print ads displayed the necessary disclosures in text that was in all caps, bolded, and in a dark font against a light background, which the court determined was likely sufficiently prominent and in compliance with the FTC’s .com Disclosures guidance.

Notably, the court declined to make a similar conclusion about DIRECTV’s website advertisements. The court found that the FTC’s evidence, although “far from overwhelming” was enough to defer a determination about the Section 5 and ROSCA claims associated with the website advertising at issue. Specifically, the court focused on the fact that the challenged advertising required consumers to hover over or click on a link or icon to learn about the pertinent terms of the offer. In theory, therefore, a consumer could have flowed through the entirety of the online order process without confronting important details about the offer.

The court also discussed the FTC’s nearly $4 billion potential remedy, suggesting that the agency would be unlikely to meet its burden to prove an adequate basis for relief due to the court’s partially granting DIRECTV’s motion. The court had issues with the FTC expert’s calculation of unjust gains because he presumed that all of the defendant’s subscribers for the time period at issue were misled in the same way, without a sufficient basis for that presumption other than the FTC’s instruction. This presumption was especially problematic because there were so many iterations of the advertisements. However, the court deferred the issue to see if the FTC would be able to prove liability with the remaining claims.

In a case that is historic for the breadth of advertising at issue and the amount of damages the FTC seeks, the court’s order creates significant challenges for the agency as to the remaining claims in the case. We will continue to monitor this case for any updates as it proceeds.

In the meantime, the case continues to be notable in highlighting the scrutiny that a company may face when it fails to sufficiently disclose post-introductory prices and term commitments for subscription-type plans. Following best practices and regulatory guidance on disclosing material terms is a helpful step toward avoiding such scrutiny in the first instance.

Last week, the House Committee on Energy and Commerce held a Committee Hearing on the Oversight of the Federal Trade Commission. All five Commissioners attended and their message was largely the same: the FTC needs additional rulemaking and civil penalty authority to better protect consumers, especially as it applies to privacy and data security enforcement.

Privacy and data security were a focus of the Chairman’s opening statements, during which he noted that both were a top priority for the agency. Chairman Simons also discussed the need for the FTC to have jurisdiction over nonprofits and common carriers, imploring Congress to pass legislation giving the agency such authority, along with comprehensive data security legislation. Simons noted that the FTC was watching and assessing the EU’s implementation of its comprehensive privacy law, the General Data Protection Regulation (GDPR), to see how it may apply to the U.S., and he reaffirmed enforcement of the EU-U.S. Privacy Shield, which the FTC has enforced in the past.

Chairman Simons also referenced the hearings that the Commission will be holding in the fall, emphasizing that he anticipated the agency would benefit from participant input on a number of topics—from merger guidelines to privacy and data security. Simons, a former student of Chairman Pitofsky, noted that the agency held similar hearings during the Pitofsky era that resulted in agency action, such as amendments to the merger guidelines. The Chairman noted that he wanted this year’s hearings to be similarly effective in setting the agency’s future agenda. Continue Reading Big Government? FTC Advocates for More Authority in Congressional Hearing

California recently passed the California Consumer Privacy Act (CCPA), providing new rights for California consumers (broadly defined as California residents) regarding their personal data. The CCPA is modeled after the EU’s General Data Protection Regulation (GDPR), which provides EU citizens with a number of rights related to data processing and imposes specific requirements on companies that process EU citizen data. The new California law provides similar requirements for businesses that collect data from California consumers. The following are some key points of comparison. Continue Reading GDPR Sidebar: Comparing the California Consumer Privacy Act to the GDPR

On June 28, 2018, Governor Brown signed into law the “California Consumer Privacy Act of 2018.” The legislation was a compromise to avoid a ballot initiative that was more closely modeled after the European Union’s General Data Protection Regulation (GDPR). This Act is scheduled to go into effect on January 1, 2020.

The Act enumerates a number of rights for consumers regarding the privacy of their personal information. Some rights, such as the right to be forgotten or the right to request information disclosure, are reminiscent of those seen in the GDPR, while others, such as the right to opt out of the sale of a consumer’s personal information, are specific to the new law.

Along with identifying consumer rights, the law also imposes requirements on businesses, including those that collect or have collected consumers’ personal information, to make specific disclosures about their personal information practices and to respond to consumer requests. Importantly, the definition of “personal information” is broadly defined to include common information, such as a name or email address, as well as more specific information, such as biometric information and geolocation data, although publicly available information is not included. Continue Reading California Enacts Sweeping Privacy Law; Will Other States Follow?

Kelley Drye introduces a new Full Spectrum series, “Inside the TCPA,” which will offer a deeper focus on TCPA issues and petitions pending before the FCC. Each episode will tackle a single TCPA topic or petition that is in the news or affecting cases around the country. In this inaugural episode, partner Steve Augustino and associate Jenny Wainwright discuss the definition of an autodialer or ATDS. This episode addresses the 2018 D.C. Circuit decision in ACA International and the FCC’s new proceeding to examine the definition. With initial comments filed on June 13th, Steve and Jenny analyze the principal arguments made by commenters and discuss whether Congress will weigh in on the matter. To listen to this episode, please click here.*

Future episodes of “Inside the TCPA” will tackle reassigned numbers, consent, and other topics raised before the FCC. This is a companion to Kelley Drye’s comprehensive list of petitions before the Commission available in our monthly TCPA Tracker newsletter. Please contact us if we can assist you with any of the FCC proceedings.

Kelley Drye’s Full Spectrum is available on iTunes. To subscribe, and keep up to date on the latest trends and topics in communications, simply find the built-in and undeletable podcast app, search “Kelley Drye Full Spectrum,” look for our logo, and hit “subscribe.”

You can also access the podcast through our website, Soundcloud, and Stitcher.

*Audio files may load faster through Google Chrome

The FTC announced yesterday that it will accept comments and hold a series of public hearings on consumer protection, privacy, and competition policy and enforcement.  The hearings will take place during fall and winter of this year and will evaluate whether recent changes in the economy, technology, or international landscape require adjustments to how the Commission approaches consumer protection, privacy, and competition issues.

The hearings are modeled on hearings held in 1995 under then-Chair Robert Pitofsky.  Those hearings took place amidst the early growth of the internet and e-commerce, featuring panels such as “The Newest Medium for Marketing: Cyberspace,” “Privacy in Cyberspace,” and “The Changing Role of the Telephone in Marketing.”  The 1995 hearings featured panelists from large companies including Walt Disney, General Electric, and Coca-Cola, along with consumer group representatives, regulators, academics, and attorneys from private law firms.  The hearings culminated in a two-volume report on the state of consumer protection and competition policy.

In announcing the 2018 hearings, FTC Chair Joe Simons noted that “the FTC has always been committed to self-examination and critical thinking, to ensure that our enforcement and policy efforts keep pace with changes in the economy.”  Simons served as Director of the Bureau of Competition immediately after Pitofsky’s tenure as Chair, under then-Chair Tim Muris, and alluded to Pitofsky, Muris and former Chair Kovacic in his statement announcing the hearings.  Simons’ statement also expressed his view that “[t]his project reflects the spirit, style, and, most importantly, broad scope of that effort,” and characterized the effort as an “all-agency” project that will entail significant work from the Bureaus of Consumer Protection, Competition, and Economics, the Office of the General Counsel, the Office of International Affairs, and the Office of Policy Planning. Continue Reading FTC Examining How Consumer Protection and Privacy May Be Affecting Innovation and Competition; Seeking Input and Will Hold Policy Hearings to Address