On Tuesday, the FTC simultaneously released a “Mobile Health App Interactive Tool” and “Best Practices” to help mobile health app developers navigate the maze of federal regulation, including data privacy regulation.  The tool walks developers through a series of high-level questions about the nature of their app, and uses the

Wyndham-FTC Settlement Looks to PCI; Target Consumer Appeals Settlement; Leaders Propose Encryption Commission; Ashley Madison MDL in St. Louis; FTC Commissioner Warns of FCC ISP Overreach; Moms Sue Over Doll’s IoT Capability

Wyndham to Implement PCI-Focused Information Security Program in Settlement with FTC

On Wednesday, the FTC and Wyndham settled a long-standing dispute regarding the hospitality company’s alleged “unfair and deceptive” data security practices, a suit that confirmed the FTC’s authority to regulate in the space.  Wyndham agreed to establish a comprehensive information security program designed to protect payment cardholder data and to conduct regular structural audits of its information security systems – taking cues from the Payment Card Industry Data Security Standard.

Target Consumer Appeals $10M Data Breach Settlement

Californian James Sciaroni has appealed the $10 million consumer class action settlement approved in November by Judge Paul Magnuson.  When Sciaroni objected to the settlement in July, he argued that it “does not adequately compensate the class,” totaling only about 9 cents per class member in compensatory damages, in addition to the information security standards Target accepted.

Continue Reading Privacy-Cybersecurity Weekly News Update December 6-11, 2015

U.S.-EU Data Sharing Pact Invalidated; Two Lawsuits Based on October Breaches; Dow Jones & Co. Breached; California’s New Comprehensive Privacy Law; California Revises Breach Notification Requirements; California Smart TV Notice Requirements; California Targets “Hackers for Hire”; Cybercrime Costs Increase

Top EU Court Invalidates U.S.-EU Safe Harbor

On October 6, 2015, the European Court of Justice (ECJ) invalidated the safe harbor agreement that governed the transfer of digital information between the U.S. and the European Union.  The ECJ found U.S. data protection policies offer inadequate protection to EU citizens’ privacy rights, a result of the broad data access practices for U.S. national security and law enforcement purposes.  The European Commission announced its intent to provide guidance on transatlantic sharing policies in light of the decision, and also identified other mechanisms for data sharing in the absence of the safe harbor agreement.  For more coverage of this decision and its impact, see our recent alert here.

California Class Action Suits Filed Based on October 2015 Data Breaches

Two proposed class action suits have been filed in California federal courts in connection with recent breaches announced by T-Mobile and Scottrade.  One suit alleges that T-Mobile and Experian’s negligence and breaches of contract led to the exposure of more than 15 million T-Mobile subscribers’ information.  The compromised information includes encrypted Social Security numbers and driver’s license information.  The complaint also alleges that Experian’s failure to secure customer information recklessly violated the Fair Credit Reporting Act. The second suit seeks relief from Scottrade for a breach affecting 4.6 million users of the brokerage firm’s services.  Scottrade confirmed that customer mailing information was compromised, but could not rule out exposure of more sensitive data. In addition to the California class action against Experian, a coalition of more than 20 consumer advocacy organizations has asked both the CFPB and the FTC to investigate Experian’s privacy and data security practices in light of the T-Mobile breach.

Continue Reading Key Privacy & Cybersecurity Developments: October 5, 2015 – October 11, 2015

As part of the FTC’s ongoing initiative to promote collaboration “among whitehat researchers, academics, industry representatives, consumer advocates, and regulators regarding the privacy and security implications of emerging technology,” its first-ever PrivacyCon will include presentations on research and trends in consumer privacy and data security, discussions about the interplay between regulators and technology, identification of

The Federal Trade Commission (FTC) has struck again in the data privacy world, this time at 13 companies that allegedly misrepresented in their privacy statements that they were U.S.-EU or U.S.-Swiss Safe Harbor certified. This latest enforcement sweep demonstrates the FTC’s privacy focus and reinforces the need for companies to make accurate public representations.

The FTC charged the 13 companies with misleading consumers and has proposed placing them under a familiar 20-year consent order. The consent order requires the companies to refrain from misrepresenting privacy or security program adherence and to keep strict records for the FTC’s overview. For the next 20 years, any companies that disobey the consent order will be subject to a $16,000 civil penalty per violation.

Continue Reading Recent FTC Safe Harbor Enforcement Takeaways