FTC’s Settlement in Vizio May Provide Hint at Direction of Internet of Things Regulation

Internet of ThingsThe Federal Trade Commission’s (FTC’s) Settlement in FTC v. Vizio, Inc.may signal the direction that agency is heading on Internet of Things (IoT) enforcement. With veteran FTC enforcer Jessica Rich leaving and new appointee Maureen Ohlhausen taking over, Ohlhausen’s separate concurring statement in that matter is insightful.

The settlement took a broad view on the types of data that require protection. While the “Covered Information” included information like personal identifiers, IP address, and geolocation, it also included “Viewing Data,” which is essentially data about the content viewed on a television. Ohlhausen criticized this expansion and the FTC’s foray into this public policy basis for alleging an unfair practice. She notes, “But here, for the first time, the FTC has alleged in a complaint that individualized television viewing activity falls within the definition of sensitive information.” Hinting that this broad view of personal data may not continue, Ohlhausen writes, “There may be good policy reasons to consider such information sensitive…. But, under our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.” She then promises that “[i]n the coming weeks I will launch an effort to examine this important issue further.”

© MICHAEL BEST & FRIEDRICH LLP

DOJ, FTC Announce New Antitrust Guidance for Recruiting and Hiring; Criminal Enforcement Possible

handcuffs, criminal enforcementMany companies—and the HR professionals and other executives who worked for them—have found out the hard way that business-to-business agreements on compensation and recruiting can violate the antitrust laws and bring huge corporate and personal penalties.

Last week, the Federal Trade Commission (FTC) and the Department of Justice Antitrust Division (DOJ) jointly issued antitrust guidance for anyone who deals with recruiting and compensation. The guidance is written for HR professionals, not antitrust experts. It avoids jargon and applies antitrust basics in plain English. It expands on those basics by providing short and direct answers to real-life questions.

The guidance comes in the wake of several actions in recent years by the federal antitrust agencies against so-called “no-poaching” or “wage-fixing” agreements entered by companies competing for the same talent. It announces that DOJ will prosecute criminally some antitrust violations in this space. While the new guidance is explicitly aimed at HR professionals, senior executives should understand it as well.

The guidance starts with the basics: The antitrust laws establish the rules for a competitive marketplace, including how competitors interact with each other. From an antitrust perspective, firms that compete to recruit or retain employees are competitors, even if they do not compete when selling products or services. Therefore, agreements among employers not to recruit certain employees (no-poaching) or not to compete on various terms of compensation (wage-fixing) can violate the antitrust laws.

To be illegal, these agreements need not be explicit or formal. Evidence of exchanges of information on compensation, recruiting, or similar topics followed by parallel behavior can lead to an inference of agreement. Intent to lower a company’s labor costs is no defense. Also, there is no “non-profit” defense: while they might not compete to sell services, non-profits are considered competitors for the staff they hire.

The potential costs of antitrust violations are huge: fines by the agencies; treble damages for injured actual or potential employees; and intrusive regulation of basic company operations from consent decrees and judgments. In addition, the DOJ used this guidance to announce that it will now prosecute criminally any naked wage-fixing or no-poaching agreements. According to DOJ, these naked agreements—“separate from or not reasonably necessary to a larger legitimate collaboration between the employers”—harm competition in the same irredeemable way as hardcore price-fixing cartels. So now, any executives involved in such agreements—whether HR professionals or not—face personal consequences, including threats of potential jail time.

Even unsuccessful attempts to reach an anticompetitive agreement on these topics can be illegal in the eyes of the regulators. As the guidance makes clear, so-called “invitations to collude” have been and will continue to be pursued by the FTC as actions that might violate the Federal Trade Commission Act.

Some of these information exchanges and agreements do not automatically violate the antitrust laws and there is nothing in this new guidance that suggests otherwise. If the agreements are reasonably necessary to an actual or potential joint venture or merger, legitimate benchmarking activity, or other collaboration that might help consumers, their net effect on competition would need to be judged. In prior actions, the agencies also have recognized as legitimate certain no-poaching clauses in agreements with consultants and recruiting agencies. Even such common uses as employment or severance agreements might not run afoul of the antitrust law’s prohibitions.

The guidance does not—and really cannot—go into all the detail necessary to determine when any particular effort will pass antitrust muster. It does refer readers to the earlier Health Care Guidelines but those helpful tips relate only to information exchanges. The guidance also provides links to the many prior civil actions taken by the agencies on these types of matters. It is accompanied by a two-sided index card entitled Antitrust Red Flags for Employment Practices that could be part of an effective compliance program.

© 2016 Schiff Hardin LLP

Made in the USA (For the Most Part)

made in the USANewspaper headlines report a new economic trend—manufacturing is returning to the United States. The country’s industrial production grew by 0.7 percent in July, its biggest jump since November 2014. This number represents everything made by factories, mines, and utilities. Before companies start slapping “Made in the USA” labels on their wares, they need to make sure they are familiar with the legal requirements to do so.

The Federal Trade Commission (the FTC) monitors the marketplace and aims to keep businesses from misleading consumers. Within the FTC’s jurisdiction is regulating “Made in the USA” claims.

If a product is labeled as “Made in the USA,” without any qualification, it must be “all or virtually all” made in the United States. “[A]ll significant parts and processing that go into the product must be of U.S. origin. That is, the product should contain no – or negligible – foreign content.” The FTC contemplates the site of final assembly or processing, the proportion of manufacturing costs paid to the U.S., and how detached the foreign material is from the finished product. For many businesses, this standard can be hard, if not impossible, to meet.

Since January 2015, the FTC has issued 46 letters to companies asserting misleading U.S. origin claims on a wide range of products, such as cookware, snow blowers, auto parts and pet products.

For example, the FTC recently determined that Shinola—a Detroit-based manufacturer of high-end watches, bicycles, and leather goods—did not meet it. Shinola advertises its products with the slogans “Built in the USA” and “Built in Detroit.” But in June of this year, the FTC called this labeling misleading because “100 percent of the cost of materials used to make certain watches . . . [and] more than 70 percent of the cost of the materials used to make certain belts” goes to imported materials. For example, Shinola’s watches incorporate Swiss-made timekeeping components.

Shinola’s founder had a good reason for why his company incorporated foreign parts:  many of the components are unavailable in the U.S. The components are imported to Detroit where Shinola’s 400 employees assemble watches in the company’s factory. The FTC, however, applied its “net impression” analysis and determined that Shinola’s slogans contradict reality. Shinola’s advertisements will now read “Built in Detroit using Swiss and Imported Parts.”

In light of the FTC’s stance on U.S. origin claims, companies should follow FTC decisions and exercise caution when saying “Made in the USA.” There is no bright line rule for whether a product is “all or virtually all” made in the USA. Companies should consider how their products fit within the FTC’s framework and only then decide whether their merchandise has, according to the FTC, been “Made in the USA.”

© 2016 Schiff Hardin LLP

Federal Trade Commission Continues to Scrutinize Social Media Influencer Programs

Social Media Influencer ProgramsThis week, as part of its ongoing focus on influencer programs, the Federal Trade Commission (FTC) settled charges against Warner Brothers Home Entertainment, Inc. regarding its use of such a campaign to market the video game Middle Earth: Shadow of Mordor. This investigation of Warner Bros. was brought under the FTC Act, which prohibits deceptive marketing, and requires that endorsers “clearly and conspicuously” disclose any “material connection” to the brand they are endorsing.

In late 2014, Warner Bros. and its advertising agency, Plaid Social Labs, LLC, hired “influencers” (i.e., individuals with large social media followings) to create videos and post them on YouTube, and promote the videos on Twitter and Facebook.  One of the influencers hired for the program, PewDiePie, is the most-subscribed individual creator on YouTube, with more than 46 million followers. Warner Bros. paid each of the influencers from a few hundred to tens of thousands of dollars for the videos, in addition to providing free copies of the game. Under these contracts, Warner Bros. had the ability to review and approve the videos.

The FTC alleges that Warner Bros. failed to require sponsorship disclosures clearly and conspicuously in the video itself, where viewers were likely to notice them. Instead, Warner Bros. instructed influencers to place the disclosures in the description box below the video. Warner Bros. also required the influencers to include other information about the game in the description box, so most of the disclosures appeared “below the fold,” visible only if consumers clicked on the “Show More” button. Additionally, when influencers embedded the YouTube videos on Facebook or Twitter, the description field (and thus, the disclosure) was completely invisible.  Some of the disclosures also only mentioned that the game was provided free, and did not disclose the payment.

This continues the FTC’s focus on influencer programs with insufficient disclosures. In March, the FTC settled charges against national retailer Lord & Taylor related to its use of an Instagram influencer program with insufficient disclosures, where the influencers were paid and provided with a free dress. The influencers were required to make a post with the hashtag #DesignLab, and tagging @LordandTaylor, but were not instructed to disclose the payment or the free goods. At the same time, Lord & Taylor placed a paid article in Nylon, an online magazine, and purchased a paid placement on the Nylon Instagram account. Neither the post nor the article indicated they were paid advertising.

Likewise, in September 2015, the FTC settled charges against Machinima, an online entertainment network. Microsoft, through its advertising agency, hired Machinima to promote its Xbox One gaming console and video games. The  FTC alleged Machinima gave pre-release versions of the console and games to influencers, as well as payments of tens of thousands of dollars in some cases, in exchange for their uploading and posting endorsement videos.  Machinima did not require that the influencers disclose the sponsorship.

In each of these cases, the FTC entered consent agreements that require the brands to closely monitor and review its influencer content for appropriate disclosures, and terminate influencers who fail to accurately and conspicuously disclose their paid endorsements. The brands must keep records of their compliance and the FTC may review them at any time—with penalties of $16,000 per violation.

As marketing teams continue to try to reach consumers in new and creative ways, the FTC continues to signal its intention to closely scrutinize each development. As these methods evolve, brands should be conscious of their obligations to ensure appropriate disclosures in every format and to monitor for compliance.

© 2016 Neal, Gerber & Eisenberg LLP.

Serious Games Require Serious Attention to Marketing Statements

BrainLumos Labs recently paid $2 million to the Federal Trade Commission to settle claims that it deceived consumers about its brain training application’s ability to increase cognitive function. According to the FTC,  the company alleged that its app, called Lumosity, provided many beneficial effects including the ability to improve users’ school and work performance, delay the onset of age-related cognitive disorders and help restore brain function lost as a result of brain trauma and other health conditions.

According to the FTC, the company did not have sufficient scientific data to back up the claims made in its ads. The FTC also claimed that the company did not disclose that it solicited consumer testimonials about the effectiveness of the product via a contest that offered users the chance to win iPads and other prizes.

In a prepared statement, the company stood by the scientific basis for its brain-training methods and asserted that the settlement was a result of its marketing language that has since been discontinued.

The use of games for “good” causes, such as education, health and training is known as “serious games.” The potential for these types of games to help people in a variety of ways is immense. The number of these games is growing rapidly.

Makers of these games must be mindful not to overreach in the claims of what these games can do. The FTC has been active in policing unsupported claims by app makers.

Additionally, the FTC has been enforcing its endorsement guidelines which require disclosure when a company provides some compensation or financial incentive for endorsements or testimonials. Here, the fact that users had a chance to win valuable prizes in exchange for providing testimonials apparently was not disclosed.

Serious games and other apps have tremendous opportunity to provide beneficial results. However, it is important for makers of these games and apps to understand and comply with the various legal issues that are relevant to these offerings. It is advisable to seek legal review of all serious games and apps and their marketing plan before they are released to identify potential legal issues.

Government Forces Awaken: Rise of Cyber Regulators in 2016

As the sun sets on 2015, but before it rises again in the New Year, we predict that, in the realm of cyber and data security, 2016 will become known as the “Rise of the Regulators.” Regulators across numerous industries and virtually all levels of government will be brandishing their cyber enforcement and regulatory badges and announcing: “We’re from the Government and we’re here to help.”

The Federal Trade Commission will continue to lead the charge in 2016 as it has for the last several years. Pursuing its mission to protect consumers from unfair trade practices, including from unauthorized disclosures of personal information, and with more than 55 administrative consent decrees and other actions booked so far, the FTC (for now) remains the most experienced cop on the beat.   As we described earlier this year, the FTC arrives with bolstered judicial-enforcement authority following the Third Circuit’s decision in the Wyndham Hotel case.  Notwithstanding the relatively long list of administrative actions and its published guidance – businesses that are hacked and that lose consumer data, are at risk of attracting the attention of FTC cops and of proving that their cyber-related systems, acts and practices were “reasonable.”

But the FTC is not alone. In electronic communications, the Federal Communications Commission (FCC) in 2015 meted out $30 million in fines to telecom and cable providers, including to AT&T ($25 million) and Cox Communications ($595K). And this agency, increasingly known for its enforcement activism, may have just begun.  Reading its regulatory authority broadly, the FCC has asserted a mandate to take “such actions as are necessary to prevent unauthorized access” to customers’ personally identifiable information. This proclamation, combined with the enlistment of the FCC’s new cyber lawyer/computer scientist wunderkind to lead that agency’s cyber efforts, places another burly cop on the cyber beat.

The Securities and Exchange Commission (SEC) will be patrolling the securities and financial services industries. Through its Office of Compliance Inspections and Examinations (OCIE), the SEC is assessing cyber preparedness in the securities industry, including investment firms’ ability to protect broker-dealer and investment adviser customer information. It has commenced at least one enforcement action based on the agency’s “Safeguards Rule” (Rule 30(a) of Regulation S‑P), which applies the privacy provisions in Title V of the Gramm-Leach-Bliley Act (GLBA) to all registered broker-dealers, investment advisers, and investment companies. With criminals hacking into networks and stealing customer and other information from financial services and other companies, expect more SEC investigations and enforcement actions in 2016.

Moving to the Department of Defense (DoD), new rules, DFARS clauses, and regulations (e.g., DFARS subpart 204.73, 252.204–7012, and  32 CFR § 236) are likely to prompt the DoD Inspector General and, perhaps, the Defense Contracting Auditing Agency (DCAA) to examine whether certain defense contractors have the required security controls in place.  Neither the DoD nor its auditors have taken action to date.  But don’t mistake a lack of overt action for a lack interest (or planning).  It would come as no surprise if, by this time next year, the DoD has launched its first cyber-regulation mission, be it by the False Claims Act, suspension and debarment proceedings, or through terminations for default.

In addition to these cyber guardians, other federal agencies suiting up for cyber enforcement include:

  • The Consumer Financial Protection Board’s (CFPB) growing Cybersecurity Program Management Office;

  • The Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability, examining the security surrounding critical infrastructure systems;

  • The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services, addressing healthcare providers and health insurers’ compliance with health information privacy and security safeguard requirements; and

  • The Food and Drug Administration, examining the cybersecurity for networked medical devices containing off-the-shelf (OTS) software.

But these are just some of the federal agencies poised for action.   State regulators are imposing their own sector-specific cyber security regimes as well.   For example, the State of California’s Cybersecurity Task Force, New York’s Department of Financial Services, and Connecticut’s Public Utility Regulatory Agency are turning their attention toward cyber regulation. We believe that other states will join the fray in 2016.

At this relatively early stage of standards and practices development, the National Institute of Standards and Technology (NIST) 2014 Cyber Security Framework lays much of the foundation for current and future systems, conduct, and practices. The NIST framework is a “must read.” NIST, moreover, has provided additional guidance earlier this year in its June 2015 NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.  While addressing security standards for nonfederal information systems (i.e., government contractors’ information systems), it also provides important guidance for companies who do not operate within the government contracts sphere.  Ultimately, this 2015 NIST publication may serve as an additional general standard against which regulators (and others) may assess institutional cybersecurity environments in 2016 – and beyond.

But for now, the bottom line is that in 2016 companies now must add to its list of actual or potential cyber risks and liability, the hydra-headed specter of multi-sector, multi-tiered government regulation – and regulators.

Part II: Legal Insights on Ashley Madison Hack

As more names emerge from the dark web data dump of Ashley Madison customers, lawyers around the globe have found a very willing group of would-be plaintiffs. Interestingly, all of these plaintiffs are named “Doe,” which must only be a coincidence, and certainly has nothing to do with the backlash that certain well-known ALM clients have experienced. All kidding aside, the size of the claims against ALM is staggering with one suit alleging more than $500 million in damages. How these plaintiffs will prove their damages is a question for another day, but the fact that ALM — which reported earnings of $115 million in 2014 — may soon face financial ruin must give any spectator pause.

The plaintiffs’ bar is certainly not the lone specter haunting ALM’s corridors these days. Although the company touts its cooperation with government officials in attempting to bring criminal charges against the Impact Team, that cooperation will be punctuated by the all-but-certain FTC enforcement action to come — assuming that the FTC’s data breach enforcement team were not among the 15,000 email addresses registered to a .mil or .gov account.

How will that enforcement action proceed? In many cases, the FTC initiates its investigation with a letter, sometimes called an “Access Letter” or an “Informal Inquiry Letter.” Although there is no enforceable authority behind such a letter, companies typically conclude that cooperation is the best course. For more formal investigations (or when the access letter is ignored), the FTC will issue “Civil Investigative Demands,” which are virtually the same as a subpoena, and are enforceable by court order. After collecting materials, the investigators will – in order from best case scenario to worst – drop the matter altogether, negotiate a consent decree, or begin a formal enforcement action via a complaint.

There is, of course, a lot more to an action than what I’ve listed above, which deserves a series of posts of their own. For today, the pressing question is – what’s going to happen to ALM when the FTC calls? Under the circumstances, it would make sense for ALM to push as hard as it can for a consent order, given that the likelihood of succeeding in litigation against the Commission is vanishingly low – there is little doubt that ALM failed to comply with its own promised standards for protecting customer data. And, in light of recent revelations about what really happened when customers paid to “delete” their Ashley Madison accounts, ALM will want to forestall the threat of a separate, non-data breach related unfair business practices suit any way it can.

Every consent order looks different, but the FTC has made a few requirements staples of its agreements with offending businesses over the last two decades. These include:

  • Establishing and maintaining a comprehensive information security program to protect consumers’ sensitive personal data, including credit card, social security, and bank account numbers.

  • Establishing and reporting on yearly data security protocol updates and continuing education for decision makers and data security personnel.

  • Working to improve the transparency of data, so that consumers can access their PII without excessive burdens.

  • Guaranteeing that all public statements and advertisements about the nature and extent of a company’s privacy and data security protocols are accurate.

 ALM will undoubtedly offer to take all of these steps, and more, in negotiations with the Commission. But as I mentioned above, the torrent of lawsuits ALM faces in the next year or so may moot any consent decree with the FTC. If ALM liquidates in the face of ruinous lawsuits and legal bills, the FTC’s demands will be meaningless. ALM, then, is likely an example of a company that would have benefited from a more minor security breach and subsequent FTC imposition of the kind of remedial measures that may have stopped this summer’s catastrophic data breach. An ounce of prevention is worth a pound of cure, they say, and ALM may learn that lesson at the cost of its business.

© 2015 Bilzin Sumberg Baena Price & Axelrod LLP

Unlucky 13: FTC Settles Charges under International Safe Harbor Framework

Thirteen companies have agreed to settle with the Federal Trade Commission (FTC) charges relating to their participation in the U.S.–EU and U.S.–Swiss Safe Harbor Frameworks. Seven companies allegedly failed to renew their Safe Harbor self-certifications, including a sports marketing firm, two software developers, a research organization, a business information firm, a security consulting firm, and an e-discovery service provider. Another six allegedly failed to seek certification under the Frameworks, but nevertheless claimed in their privacy policies to be certified, including an amusement park, two sporting companies, a medical waste service provider, a food manufacturer, and an e-mail marketing firm. Last year, fourteen companies settled with the FTC over similar claims, and advocacy group named 30 companies in a complaint alleging that they were out of compliance with the Safe Harbor Frameworks.

The European Commission’s Directive on Data Protection prohibits the transfer of personal data to non-EU countries that do not meet the EU standard for privacy protection, so the U.S. Department of Commerce (DOC) negotiated the Safe Harbor Frameworks to allow U.S entities to receive such data provided that they comply with the Directive. To participate in the Safe Harbor Frameworks, companies must annually self-certify that they comply with seven key privacy principles for meeting EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Only appropriately self-certified companies may display the Safe Harbor certification mark on their websites, and the FTC is charged with enforcing violations.

This enforcement action is a reminder of the importance of maintaining current Safe Harbor status for those who elect to participate the program. It is also a reminder that companies must act in accordance with their published privacy policies, and periodically review their privacy policies to ensure that they remain current and reflect companies’ actual practices.

© 2015 Keller and Heckman LLP

Is the SCOTUS Rule of Reason Unreasonable?

“Not too hard, not too soft,” says the Supreme Court in FTC v. Actavis, 133 S. Ct. 2223 (2013).  The majority tries to reach middle ground by rejecting both the FTC’s argument that any reverse payment in settlement of a patent claim is presumptively unlawful and Actavis’ argument that any settlement within the scope of the patent is permissible, but is the court’s new “rule of reason” approach really “just right?” Let’s see how this plays out in a simple scenario using a product whose success everyone loves to hate—the Snuggie.

Meet Peter.  He has a pug with whom he likes to spend his evenings, wrapped up in a Snuggie, watching movies and sharing popcorn.  Peter was quite dismayed, though, to see his poor little pug shivering and cold without a Snuggie of his own.  So, Peter invented the Puggie.  He used special fibers formulated specifically to maintain heat while resisting odors because no one likes a smelly dog blanket.  Peter even obtained a patent on his Puggie and began producing more to sell around his neighborhood, the Franklin Terrace Community.  Once word spread of Peter’s success, however, several of Peter’s neighbors began producing competing products—the Pug Pelt, the Schnauzzie, and so on–which boasted the same odor-resistant properties as Peter’s Puggie.

Outraged, Peter publicly accused his competitors of patent infringement and demanded that they stop producing their “piddly dog pelts.” But they refused, claiming their fibers were different.  Knowing how costly an extensive fiber dispute could be, Peter offered his competitors $1,000 to stop producing their competing pelts for a period of two years.  The other pelt producers agreed, took the money, and stopped production immediately.  The Franklin Terrace Community, however, was not pleased.  Peter had not only run off the competition, but he had also bumped the Puggie price up afterward, making a killing during the chilly winter as the sole pelt producer.  Community members petitioned the homeowners’ board for some guidance on whether Peter’s payment constituted an unfair trade practice.  Peter opposed the petition and claimed that he had the right to pay whatever amount he deemed fit to protect his patent.

The board found the community’s argument that any “reverse settlement” payment by a patent holder is presumptively unlawful to be too harsh.  Peter’s assertion, however, that any payment is immune from attack so long as it remains within the scope of the patent was believed to be too soft.  Peter complained that the money and time he would have to commit to an extensive patent lawsuit over his odor-resistant fibers would put him out of business, but the board believed that his willingness to drop a grand to keep his competitors at bay was a much more accurate representation of Peter’s confidence in his patent.  Specifically, the board found Peter’s payment of $1,000 to be a “strong indicator of power.”  In an effort to come up with a more “middle of the road” approach, the board created the “rule of reason” to determine the legality of reverse settlement payments.  No real guidance was provided, though, on how to apply the new rule—just not too hard, not too soft.

Without any elaboration on how this new “rule of reason” is to be applied in antitrust lawsuits, did the board cause more confusion than clarity?  And, how large must a reverse settlement payment be to stand as an “indicator of power” and “lack of confidence” in the patent?  If Peter’s patent was iron-clad and his competitors were infringing, should he have had the right to pay any amount he deemed fit to protect his patent, or was $1,000 too much for some piddly pooch pelts?  Does this unfairly prohibit Peter from settling litigation that he may see as too costly or damaging?  Or, does the need to protect consumers from the Puggie monopoly Peter created outweigh Peter’s patent rights?

It is hard to say exactly what effect the Supreme Court’s “rule of reason” decision in FTC v. Actavis will have on future antitrust litigation.  We are likely to see an increase in the number of antitrust suits that are tried as opposed to settled. What do you make of this amorphous, middle-of-the-road approach?

© Copyright 2002-2015 IMS ExpertServices, All Rights Reserved.

Federal Trade Commission: Start with Security

On June 30, 2015, the Federal Trade Commission (FTC) published “Start with Security: A Guide for Businesses”(the Guide).

The Guide is based on 10 “lessons learned” from the FTC’s more than 50 data-security settlements. In the Guide, the FTC discusses a specific settlement that helps clarify the 10 lessons:

FTC_FederalTradeCommission-Seal

  1. Start with security;

  2. Control access to data sensibly;

  3. Require secure passwords and authentication;

  4. Store sensitive personal information securely and protect it during transmission;

  5. Segment networks and monitor anyone trying to get in and out of them;

  6. Secure remote network access;

  7. Apply sound security practices when developing new products that collect personal information;

  8. Ensure that service providers implement reasonable security measures;

  9. Implement procedures to help ensure that security practices are current and address vulnerabilities; and

  10. Secure paper, physical media and devices that contain personal information.

The FTC also offers an online tutorial titled “Protecting Personal Information.”

We expect that the 10 lessons in the Guide will become the FTC’s road map for handling future enforcement actions, making the Guide required reading for any business that processes personal information.

© 2015 McDermott Will & Emery