MediaTech Law

By MIRSKY & COMPANY, PLLC

Appellate Court Upholds FTC’s Authority to Fine and Regulate Companies Shirking Cybersecurity

In a case determining the scope of the Federal Trade Commission’s (FTC) ability to govern data security, the 3rd U.S. Circuit Court of Appeals in Philadelphia upheld a 2014 ruling allowing the FTC to pursue a lawsuit against Wyndham Worldwide Corp. for failing to protect customer information after three data breaches that occurred in 2008 and 2009. The theft of credit card and personal details from over 600,000 consumers resulted in $10.6 million in fraudulent charges and the transfer of consumer account information to a website registered in Russia.

In 2012, the FTC sued Wyndham, whose brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge. The claim alleged that Wyndham’s conduct was an unfair practice and its privacy policy deceptive. The suit further alleged the company “engaged in unfair cybersecurity practices that unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

The appellate court’s decision is of importance because it declares the FTC has the authority to regulate cybersecurity under the unfairness doctrine within §45 of the FTC Act. This doctrine allows the FTC to declare a business practice unfair if it is oppressive or harmful to consumers even though the practice is not an antitrust violation. Under this decision, the FTC has the authority to level civil penalties against companies convicted of engaging in unfair practices.

What exactly did Wyndham do to possibly merit the claim of unfair practices?

According to the FTC’s original complaint, the company:

  • allowed for the storing of payment card information in clear readable text;
  • allowed for the use of easily guessed passwords to access property management systems;
  • failed to use commonly available security measures, like firewalls, to limit access between hotel property management systems, corporate networks and the internet; and
  • failed to adequately restrict and measure unauthorized access to its network.

Furthermore, the FTC alleged the company’s privacy policy was deceptive, stating:

“a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of the business.”

Wyndham requested the suit be dismissed, arguing the FTC did not have the authority to regulate cybersecurity. The appellate court found otherwise, however, stating that Wyndham failed to show that its alleged conduct fell outside the plain meaning of unfair.

The appellate court’s ruling highlights the need for companies to take special care in crafting a privacy policy to ensure it reflects the company’s cybersecurity standards and practices. This includes staying up-to-date on the latest best practices, and being familiar with the ever-changing industry standard security practices, including encryption and firewalls.


.SUCKS: Extortion or Free Speech?

Domain names are an essential part of modern commerce and convey important information about the website’s affiliation and legitimacy. Consumers may briefly glance at the .com or .edu at the end of the page they land on to make sure they’re on the right site, but soon they may see an unfamiliar suffix next to their favorite brand’s page – .sucks.

In 2014, the Internet Corporation for Assigned Names and Numbers (ICANN), a California-based nonprofit that manages and coordinates domain names, agreed to allow Vox Populi, a Canadian domain name registrar, to operate the registry for the new “.sucks” top-level domain (TLD).


Privacy: Consent to Collecting Personal Information

Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement.  The Federal Trade Commission’s November 2011 consent decree with Facebook requires express user consent to sharing of nonpublic user information that “materially exceeds” the user’s privacy settings.  The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  This creates a baseline user expectation about consent for precise location targeting.”  (emphasis added)


Privacy For Businesses: Any Actual Legal Obligations?

For businesses, is there an obligation in the United States to do anything more than simply have a privacy policy?  The answer is not much of an obligation at all.

Put another way, is it simply a question of disclosure – so long as a business tells users what it intends to do with their personal information, can the business pretty much do anything it wants with personal information?  This would be the privacy law equivalent of the “as long as I signal, I am allowed to cut anyone off” theory of driving.

Much high-profile enforcement (via the Federal Trade Commission and State Attorneys General) has definitely focused on breaches by businesses of their own privacy statements.  Plus, state laws in California and elsewhere either require that companies have privacy policies or prescribe what types of disclosures must be in those policies, but again focus on disclosure rather than mandating specific substantive actions that businesses must or must not take when using personal information.

As The Economist recently noted in its Schumpeter blog, “Europeans have long relied on governments to set policies to protect their privacy on the internet.  America has taken a different tack, shunning detailed prescriptions for how companies should handle people’s data online and letting industries regulate themselves.”  This structural (or lack of structural) approach to privacy regulation in the United States can also be seen – vividly – in legal and business commentary that met Google’s recent privacy overhaul.  Despite howls of displeasure and the concerted voices of dozens of State Attorneys General, none of the complaints relied on any particular violations of law.  Rather, arguments (by the AGs) are made about consumer expectations in advance of consumer advocacy, as in “[C]onsumers may be comfortable with Google knowing their search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy.”

Again, there’s little reliance on codified law because, for better or worse, there is no relevant codified law to rely upon.  Google, Twitter and Facebook have been famously the subjects of enforcement actions by the states and the Federal Trade Commission, and accordingly Google has been careful in its privacy rollout to provide extensive advance disclosures of its intentions.

As The Economist also reported, industry trade groups have stepped in with self-regulatory “best practices” for online advertising, search and data collection, as well as “do not track” initiatives including browser tools, while the Obama Administration last month announced a privacy “bill of rights” that it hopes to move in the current or, more realistically, a future Congress.

This also should not ignore common law rights of privacy invasion, such as the type of criminal charges successfully brought in New Jersey against the Rutgers student spying on his roommate.   These rights are not new and for the time being remain the main source of consumer recourse for privacy violations in the absence of meaningful contract remedies (for breaches of privacy policies) and legislative remedies targeted to online transactions.

More to come on this topic shortly.


RTs are Not Endorsements – Social Media Policies

“RTs do not = endorsements.” We’ve all seen it on Twitter bios, usually bios belonging to members of the media.

These kinds of disclaimers, disassociating the tweets from the people who retweet them, are common. The Twitter bio belonging to Brian Stelter of the New York Times (@brianstelter) notes, “RT & links aren’t endorsements.”

A Social Media Policy Addressing RTs and Linking

But for some, those disclaimers are not enough.  Last fall, the Associated Press introduced an updated social media policy for its reporters and editors.  As recently reported in Yahoo! News, the AP memo advised reporters and editors that “Retweets, like tweets, should not be written in a way that looks like you’re expressing a personal opinion on the issues of the day. A retweet with no comment of your own can easily be seen as a sign of approval of what you’re relaying.” The guidelines note, “[W]e can judiciously retweet opinionated material if we make clear we’re simply reporting it.”


FTC Blogger Guidelines – A Look at Enforcement

It is a task often relegated to the office interns: posting promotional content to outside social media sites.

Despite the fact that this practice is officially frowned upon in the Federal Trade Commission’s 2009 endorsement guidelines, companies will often engage paid individuals – either employees on the payroll or outside bloggers who receive compensation in the form of a free sample – to post positive reviews online, including to places like Twitter, personal blogs, or online public forums without identifying the connection between the commenter and the product being commented on.

The FTC’s endorsement guidelines seek (among other things) to ensure that unbiased positive reviews online can be considered credible, while also ensuring that positive reviews that are partially the result of some sort of compensation be acknowledged as such.
