A Reasonable Security Blanket

Fear the data breach.  Companies large and small worry that a security lapse compromising personal information may hurt their customers or employees and expose the organization to costly liability and a damaged reputation.  But recent developments suggest that comfort may still be found in keeping privacy promises and keeping up with “reasonable security” best practices.

This week’s $11.2 million settlement of the Ashley Madison class action is a reminder that companies handling potentially sensitive personal information can pay a heavy price for lax security.  Of course, in that case there were allegations of “deceptive” as well as “unfair” practices under FTC Act section 5(a), since the company, for example, charged a fee for deleting data from closed accounts and then failed to do so.  See the Bloomberg Law article (in which I’m quoted).  But this follows last month’s $115 million proposed settlement of consolidated class actions against Anthem, Inc. after the first of a wave of cyberattacks against large health insurance companies in 2015 and 2016.  In such cases, liability generally comes down to a simple question of keeping up with reasonable security measures, not a failure to keep specific privacy promises.  These cases demonstrate that this effort is a real challenge even for large organizations with substantial in-house IT resources.

The Federal Trade Commission has handled more than 60 complaints and consent orders concerning data breaches exposing sensitive personal data.  Its “Start with Security” guide offers ten practical principles for businesses handling personal information.  Today, the FTC announced that it will publish a weekly blog post on Fridays over the next few months called “Stick with Security” to offer insights drawn from the FTC’s experience with data breach investigations.  The first post explains how the FTC chooses to take enforcement action in the case of some publicized breach incidents and not others.

Good summer reading for a few minutes on Fridays.  Beach blanket optional.

Are You Keeping Up with COPPA? The FTC Just Updated Its Compliance Plan for Businesses

On June 21, 2017, the FTC released its updated its 6 step COPPA Compliance Plan for Businesses (“Compliance Plan”).   The changes to the Compliance Plan are intended to help businesses keep up with changes to technology and evolving business models in connection with the Children’s Online Privacy Protection Act (“COPPA”). The FTC states in its blog post  announcing the updated Compliance Plan that the changes fall into 3 categories:

New business models/technologies: COPPA applies to websites and other “online services.” The FTC is making clear, if there was any doubt, that voice activated devices that collect information are “online services” subject to COPPA.

New products: The FTC has specifically highlighted connected toys and other IoT devices as being subject to COPPA.

New Methods for Obtaining Parental Consent: The FTC has added two recently approved methods for obtaining parental consent to its list: (1) having parents answer a series of knowledge-based questions that only a parent should be able to answer; and (2) using facial recognition technology and photographs submitted by the parent.

Key Takeaways: The FTC has not updated its rules but has clarified its position. Companies should be continuously aware of how the use of new technologies and the launch of new products could implicate COPPA — and in an IoT world many products that previously would not have been an “online service” now likely are.

Partner Heather Nolan To Be Interviewed This Wednesday, June 21, 2017 on Privacy Issues In Marketing and Broadcasting

On Wednesday, June 21, 2017, InfoLawGroup partner, Heather Nolan, will be interviewed on the Privacy Piracy radio program out of the University of California by its host Mari Frank.  Heather will be discussing privacy issues in marketing and broadcasting.  The show is scheduled to take place at 3:30pm Central Time, and will be available for listening on the show’s website after the live stream.


InfoLawGroup Thanks Clients, Attorneys and Staff for 2017 Chambers Recognition

Chambers and Partners has again recognized InfoLawGroup in its new 2017 guide.  Along with being ranked for  Media & Entertainment: Transactional in the USA guide, two of our attorneys, Justine Gottshall (privacy) and Jamie Rubin (media & entertainment) were again recognized as leaders in their field.

We are delighted to receive public acknowledgment from Chambers and to be recognized along with other great firms.  We are grateful to our clients for recommending us, and thank all of our attorneys and staff whose hard work continues to make InfoLawGroup a success.

Does #Partner Mean “I Was Paid To Post This Message”?

The FTC says no!  Specifically, the FTC said: “terms like “Thank you,” “#partner,” and “#sp” aren’t likely to explain to people the nature of the relationship between an influencer and the brand.”  Before now, I might have approved the use of #partner in the right context.  But last week, the FTC sent letters to over 90 influencers (athletes, celebrities, etc.) reminding them of their obligation to disclose if they are being paid to post or otherwise have a relationship with a company/brand mentioned in their post. Letters were also sent to marketers to remind them of their obligations in this arena. The letters warn of the wrong way to make these disclosures (e.g., don’t make the disclosure after a “more” button in a post, don’t make the disclosure within a string of unrelated hashtags, don’t make the disclosure vague – no #sp or “thank you”).  Below are links to samples of the letters the FTC sent to influencers and marketers regarding improper/proper material connection disclosures.  And check out our other posts that explain related compliance obligations when engaging influencers: HERE and HERE.

Influencer Sample Letter From FTC

Marketer Sample Letter From FTC

NY AG Settles with TRUSTe Over its COPPA Safe-Harbor Program

Last week, the New York Attorney General’s Office announced that it had entered into a settlement with privacy compliance company TRUSTe, signaling the AG’s continuing interest in children’s privacy and potentially portending an uptick in state-level enforcement under the Children’s Online Privacy Protection Act (“COPPA”).

TRUSTe operates an FTC-approved safe-harbor program for online services subject to COPPA. As an approved safe-harbor provider, TRUSTe is required to conduct annual audits of its clients’ online services to assess compliance with its program requirements.  According the the New York Attorney General, TRUSTe’s assessments failed to adequately address the presence of third-party tracking technologies prohibited on child-directed sites under COPPA.  Continue Reading

New Litigation Against National Clothing Retailer for Use of “Up To % Off” Messaging

What Have Retailers Been “Up To” In New Jersey?

The last few years have been quite interesting for retailers, with a number of different pricing and advertising related legal issues coming to the forefront. Recently, another new front in this battle opened in New Jersey where a national clothing retailer became the subject of a class action related to its discount price advertising. This time the claim relates to a seemingly tried and true method of retail advertising– the use of “Up To X % Off” promotional messaging. This also marks the next chapter in our on-going discussion of “Up To” claims.

The suit, filed against JoS. A. Bank Clothiers, Inc., alleges that the retailer did not adequately display the minimum percentage of savings to customers when it used an “Up to 70 Percent Off” message and other similar messages in its advertising. The plaintiff, Michael Leese, alleges that this type of message violates New Jersey’s consumer protection laws, which require advertisements to state the minimum percentage of savings just as conspicuously as the maximum percentage of savings.

Continue Reading

BYOB: Be Your Own Broadcaster (and Studio) –What to watch out for in content creation and distribution

2017 is starting to look like the year of DIY content creation and distribution. Companies are becoming their own studios and broadcasters at a seemingly record pace. If your organization doesn’t already have its own channel or stream, there’s a good chance someone is at least considering making it happen. We work hand in hand with clients as they move into this space, and here are some important things to take note of and plan to address:

Continue Reading

Eric J. Anderson Joins InfoLawGroup LLP As Partner

InfoLawGroup is pleased to announce that Eric J. Anderson has joined the firm as a Partner. Prior to joining InfoLawGroup, Mr. Anderson served for several years as head marketing and advertising counsel for Sears Holdings Corporation.

Eric has extensive experience advising on marketing, advertising, digital, mobile and e-commerce initiatives. Eric also regularly negotiates a wide variety of contracts affecting those initiatives, including agency and vendor agreements, sponsorship and celebrity spokesperson agreements, master services agreements, influencer agreements and the underlying tech agreements. From claim substantiation to privacy to navigating the compliance maze for multi-platform digital campaigns, Eric’s practice is expansive and fits right into what InfoLawGroup is called upon to address for its clients on a daily basis.

Eric is located in the firm’s Chicago office. He looks forward to continuing to speak and conduct training sessions on various topics affecting advertising and promotions, including loyalty programs, coupons, rebates, sports and entertainment sponsorships, branded entertainment and pricing and sale frequency issues.