<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; FTC</title>
	<atom:link href="https://privacyriskreport.com/tag/ftc/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Barbie (Still) Can&#8217;t Keep a Secret: Toy Makers Enter Settlement Related to “Smart Toys”</title>
		<link>https://privacyriskreport.com/barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys</link>
		<comments>https://privacyriskreport.com/barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys/#comments</comments>
		<pubDate>Fri, 16 Sep 2016 18:26:29 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Barbie]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hasbro]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[jumpstart]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[mattel]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[VTech]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=934</guid>
		<description><![CDATA[
<p>In March 2015, there was growing concern over privacy issues related to collecting data via “smart toys.” At that time, Mattel had just released its newest Barbie, “Hello Barbie,” which contained an embedded microphone in the doll’s belt to record... <a class="more-link" href="https://privacyriskreport.com/barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys/">Barbie (Still) Can&#8217;t Keep a Secret: Toy Makers Enter Settlement Related to “Smart Toys”</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In March 2015, there was growing concern over <a href="https://privacyriskreport.com/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">privacy issues related to collecting data via “smart toys.”</a> At that time, Mattel had just released its newest Barbie, “Hello Barbie,” which contained an embedded microphone in the doll’s belt to record a child’s response to the doll’s questions. The child’s responses were sent back to Mattel through the doll’s WiFi capabilities. Mattel claimed the voice-recognition software and recording capabilities would allow the doll to learn to respond to the child’s statements and even learn the family dog’s name or other topics a child would enjoy discussing. In explaining the doll’s capabilities, Mattel Senior Vice President of Global Communications stated “[t]he number one request we receive from girls globally is to have a conversation with Barbie, and with Hello Barbie we are making that request a reality.”</p>
<p>At the time, there were concerns regarding how Mattel and other toy manufacturers would use the data collected from their toys. Angela Campbell from Georgetown University’s Center on Privacy and Technology warned, “[i]f I had a young child, I would be very concerned that my child’s intimate conversations with her doll were being recorded and analyzed.”</p>
<p>There were also concerns beyond what the toy manufacturers would do with the information. This data held by toy manufacturers could be a prime target for hackers. Privacy concerns were based on the fact that children and adolescents are the fastest growing sector of identity fraud victims. It has been widely accepted that children are targeted because they have good credit reports and their credit histories may not be reviewed for years until they apply for student loans or their first loans.</p>
<p>Unfortunately, this concern has become a reality since the introduction of “Hello Barbie.” On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported it suffered a data breach on November 14, 2015. <a href="https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/" target="_blank">VTech reported this breach involved “child profile information</a>,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website.</p>
<p>The concerns over “Hello Barbie” and other smart toys were further validated when on September 13, 2016, the New York State Attorney General <a href="http://phys.org/news/2016-09-ny-companies-tracking-children-online.html" target="_blank">settled matters with Viacom, Mattel, Hasbro and JumpStart</a> related to the use of tracking technology on their toys and websites. The settlement included an agreement by the toymakers to pay a combined $835,000 in fines for tracking and collecting personal data of children online in violation of the Children’s Online Privacy Protection Act.</p>
<p>In <a href="http://www.dailymail.co.uk/sciencetech/article-3787859/NY-settles-4-companies-stop-tracking-children-online.html" target="_blank">response to the settlement, Hasbro’s spokesperson said,</a> “[w]e are rolling out a new, stricter online privacy protection policy for our partners, and enacting new protocols and technology to scan our digital properties for any cookies, widgets or other applications that may violate our policy.” The settlement also included an agreement by the toy makers to routinely scan their websites and assess their data collection practices.</p>
<p>The early discussion concerning “smart toys,” which culminated in the NY Attorney General taking action, provides a great snapshot of the rapid development of these privacy issues. The landscape has changed dramatically in the last year and a half since the release of “Hello Barbie,” as more private information from children falls prey to hackers and other criminals. Eric Schneiderman, New York’s Attorney General, may have said it best, “[n]ow children live online and we have to police the internet as we seek to police our streets&#8230;I don’t want there to be a dossier on any child that can be used later to scam them.”</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Insurance Can Develop Without Centralized Cyber Law</title>
		<link>https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-insurance-can-develop-without-centralized-cyber-law</link>
		<comments>https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/#comments</comments>
		<pubDate>Fri, 02 Sep 2016 19:04:20 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[federal trade comission]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=913</guid>
		<description><![CDATA[
<p>For years there has been a discussion over whether data breaches and cyber security can eventually be regulated by centralized laws rather than various state and federal laws and regulations. Even in October 2014, President Obama called upon Congress to... <a class="more-link" href="https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/">Cyber Insurance Can Develop Without Centralized Cyber Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>For years there has been a discussion over whether data breaches and cyber security can eventually be regulated by centralized laws rather than various state and federal laws and regulations. <a href="https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/" target="_blank">Even in October 2014,</a> President Obama called upon Congress to pass data breach legislation because, “[t]he current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one.”</p>
<p>At present, almost two years down the road, we still do not have a single framework regulating cyber security and data breaches. A recent blog post by the Federal Trade Commission (FTC) addresses how its enforcement activities can be coordinated with data breach guidelines created by the Department of Commerce (DOC). However, there is still <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">more work to be done to harmonize state and federal law</a>.</p>
<p><strong>Background On NIST Standards</strong></p>
<p>On February 14, 2014, the DOC’s National Institute of Standards and Technology (NIST) set out “a set of industry standards and best practices to help organizations identify, assess and manage cybersecurity risks.” The DOC created these standards in response to Obama’s Executive Order (EO) 13636, “<a href="https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf" target="_blank">Improving Critical Infrastructure Cybersecurity</a>.”</p>
<p>Specifically, this EO was intended “to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties.” The NIST Framework did not introduce or create new standards. Rather, it was intended to “leverage and integrate” practices that had already been in use by the NIST and similar organizations in 2014. The Framework provides general practices to approach a cyber security risk, referred to as the “Core,” which is composed of five “functions:” Identify, Protect, Detect, Respond and Recover. Based on these functions, the key elements of effective cybersecurity were summarized in the following manner:</p>
<ol>
<li><strong>Identify: </strong>helps organizations gain an understanding of how to manage cybersecurity risks to systems, assets, data and capabilities.</li>
<li><strong>Protect: </strong>helps organizations develop the controls and safeguards necessary to protect against or deter cybersecurity threats.</li>
<li><strong>Detect: </strong>are the steps organizations should consider taking to provide proactive and real-time alerts of cybersecurity-related events.</li>
<li><strong>Respond:</strong> helps organizations develop effective incident response activities.</li>
<li><strong>Recover:</strong> is the development of continuity plans so organizations can maintain resilience—and get back to business—after a breach.</li>
</ol>
<p><strong>Complying with the FTC via the NIST Framework</strong></p>
<p>The FTC “is committed to protecting consumer privacy and promoting data security in the private sector.” Further, the FTC’s interest stems from Section 5 of the FTC Act, which is “the primary enforcement tool that the FTC relies on to prevent deceptive and unfair business practices in the area of data security.” Since 2001, the FTC has settled nearly 60 cases against companies that it believed failed to secure consumers’ personal information. Because of its enforcement in data security, the FTC is constantly asked, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” The FTC responds:</p>
<p style="padding-left: 30px;"><em>The Framework is not, and isn’t intended to be, a standard or checklist. It’s meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program, but it doesn’t include specific requirements or elements. In this respect, there’s really no such thing as “complying with the Framework.” Instead, it’s important to remember that the Framework is about risk assessment and mitigation. In this regard, the Framework and the FTC’s approach are fully consistent: The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.</em></p>
<p>The FTC provides the following guidance concerning cyber security risks:</p>
<p style="padding-left: 30px;"><em>The Framework’s five Core functions can serve as a model for companies of all sizes to conduct risk assessments and mitigation, and can be used by companies to: (1) establish or improve a data security program; (2) review current data security practices; or (3) communicate data security requirements with stakeholders. And as the FTC’s enforcement actions show, companies could have better protected consumers’ information if they had followed fundamental security practices like those highlighted in the Framework.</em></p>
<p><strong>Cyber Insurance’s Development Without Harmonized Laws and Regulations</strong></p>
<p>While the development of cyber security and data breach measures may be stunted when there is little or no coordination between the laws and regulations, cyber insurance can continue to grow regardless of the actions of state, local and federal government. Rather than relying on government guidelines, the early development of cyber insurance is supported <a href="https://privacyriskreport.com/cyber-insurance-lawsuit-demonstrates-need-to-coordinate-on-cyber-risks/" target="_blank">by insurers, brokers and policyholders coordinating </a>to make sure everyone understands a policyholder’s particular risks and the proper safeguards are put into place.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security Gets “Thumbs Down” in New Study Involving Lost Thumb Drives</title>
		<link>https://privacyriskreport.com/data-security-gets-thumbs-down-in-new-study-involving-lost-thumb-drives/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=data-security-gets-thumbs-down-in-new-study-involving-lost-thumb-drives</link>
		<comments>https://privacyriskreport.com/data-security-gets-thumbs-down-in-new-study-involving-lost-thumb-drives/#comments</comments>
		<pubDate>Mon, 11 Apr 2016 20:53:03 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[flash drive]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[thumb drives]]></category>
		<category><![CDATA[usb]]></category>
		<category><![CDATA[usb drive]]></category>
		<category><![CDATA[usb hack]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=676</guid>
		<description><![CDATA[
<p>Researchers from the University of Illinois, the University of Michigan and Google published “Users Really Do Plug In USB Drives They Find.” The report covers the controlled experiment where researchers placed nearly 300 USB thumb drives around the University of... <a class="more-link" href="https://privacyriskreport.com/data-security-gets-thumbs-down-in-new-study-involving-lost-thumb-drives/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/data-security-gets-thumbs-down-in-new-study-involving-lost-thumb-drives/">Data Security Gets “Thumbs Down” in New Study Involving Lost Thumb Drives</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Researchers from the University of Illinois, the University of Michigan and Google published “<a href="https://zakird.com/papers/usb.pdf" target="_blank">Users Really Do Plug In USB Drives They Find</a>.” The report covers the controlled experiment where researchers placed nearly 300 USB thumb drives around the University of Illinois campus and watched to see what happened when someone found them.</p>
<p>The study found people will insert found thumb drives in their equipment. Specifically, they found an estimated 45% to 98% of the thumb drives were picked up and connected by participants. Regardless of whether people insert these drives because they are merely curious or whether they want to find the rightful owner, this study confirms employers’ data is at risk even if an employee isn’t connected to the Internet.</p>
<p>Researchers “measure[d] the efficacy and speed of the attack by replacing expected files on the drive with HTML files containing an embedded tag that allows us to track when a file is opened on each drive without automatically executing any code.” Once the data was accessed, researchers “offered participants the opportunity to complete a short survey,” which asked “why they connected the drive, the precautions they took, demographic information, as well as standard questions to measure their risk profile and computer expertise.”</p>
<p>The experiment found 8% of users indicated that they took no precautions when connecting the drive while 16% scanned the drive with their anti-virus software and 8% believed their operating system or security software would protect them, e.g., “I trust my MacBook to be a good defense against viruses.” Meanwhile, another 8% sacrificed a personal computer or used university resources to protect their personal equipment.</p>
<p>Based on these findings, researchers found that an attack through thumb drives “would be effective against most users and that the average person does not understand the danger of connecting an unknown peripheral to their computer.”</p>
<p>While this experiment delivered the bad news that hackers could have access to a network without an internet connection, the good news is that the majority of people connected the thumb drive to their computers in order to find its rightful owner to return it. This bit of good news had one last caveat, “while the users initially connect the drive with altruistic intentions, nearly half are overcome with curiosity and open intriguing files—such as vacation photos—before trying to find the drive’s owner.”</p>
<p>This experiment demonstrates something we have seen time and time again. Despite the safeguards that technology offers to protect data, in the end, data protection will only work if employees use the technology as intended. Once again, employee training is the most effective way to reach people. The practical implication of this experiment is that hackers can access a system even if it is not connected to the Internet. From an insurer’s perspective, this experiment shows the importance of an application process that measures both the technology used by a policyholder and the training employees receive to use that technology.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/data-security-gets-thumbs-down-in-new-study-involving-lost-thumb-drives/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Still A Lot to Learn From Numerous Healthcare Breaches</title>
		<link>https://privacyriskreport.com/still-a-lot-to-learn-from-numerous-healthcare-breaches/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=still-a-lot-to-learn-from-numerous-healthcare-breaches</link>
		<comments>https://privacyriskreport.com/still-a-lot-to-learn-from-numerous-healthcare-breaches/#comments</comments>
		<pubDate>Mon, 28 Mar 2016 21:05:32 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[healthcare breach]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=657</guid>
		<description><![CDATA[
<p>Even though there seems to be a breach in the healthcare industry every week, there is still a lot to learn from these patient information breaches. For example, a recent breach at 21st Century Oncology demonstrates important issues concerning the... <a class="more-link" href="https://privacyriskreport.com/still-a-lot-to-learn-from-numerous-healthcare-breaches/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/still-a-lot-to-learn-from-numerous-healthcare-breaches/">Still A Lot to Learn From Numerous Healthcare Breaches</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Even though there seems to be a breach in the healthcare industry every week, there is still a lot to learn from these patient information breaches. For example, a recent breach at 21<sup>st</sup> Century Oncology demonstrates important issues concerning the current state of cyber security. First, it serves as a reminder that a single piece of data could be protected by a number of state and federal regulations. Second, that data retention safety must evolve and keep up with hackers.</p>
<p>The data breach disclosed this month by 21<sup>st</sup> Century may have involved more than 2 million people. <a href="http://www.news-press.com/story/news/2016/03/23/21st-century-breach-prompts-3-federal-class-action-lawsuits/82183122/" target="_blank">On November 12, 2015</a>, 21<sup>st</sup> Century discovered one of its employees stole patient names, Social Security numbers and dates of birth of current and former patients to file fraudulent claims for tax refunds. Multiple class action lawsuits were filed after 21<sup>st</sup> Century disclosed this breach on March 4, 2016. The latest <a href="https://privacyriskreport.com/wp-content/uploads/2016/03/Kaplan-v-21st-Century-Oncology-Holdings.pdf" target="_blank">Class Action Complaint</a> was filed on March 18, 2016 in the District Court for the Middle District of Florida.</p>
<p><b><strong>Multiple State and Federal Regulations May Protect the Same Piece Of Data</strong></b></p>
<p>The breach and resulting litigation at 21<sup>st</sup> Century demonstrate the need for any entity that stores data (or its insurer) to be aware of the various state and federal regulations governing the data being stored. In addition to claims of HIPAA violations, the Class Action Complaint against 21st Century also seeks recovery under the Florida Deceptive and Unfair Trade Practices Act, the Gramm-Leach-Bliley Act and the Federal Trade Commission Act. Cyber security presents a unique threat because incidents can give rise to a number of different violations under state and federal law stemming from a single theft.</p>
<p><b><strong>While Data Remains the Same, Methods to Steal Have Drastically Changed </strong></b></p>
<p>In general, the Class Action Complaint filed in the latest lawsuit contains allegations that 21<sup>st</sup> Century failed to maintain an adequate data security system. More importantly, the Class Action Plaintiffs claim 21<sup>st</sup> Century failed to protect their sensitive medical and health information, which is required protection under the HIPAA Act passed by Congress in 1996.</p>
<p>The Class Action Complaint asserts that, as a health care provider, 21<sup>st</sup> Century maintained records for its patients including “the individual patients’ medical history, diagnosis codes, payment and billing records, test records, dates of service, and such health and treatment information necessary to process health insurance claims.” The lead class action plaintiff claimed 21<sup>st</sup> Century made promises to him and the other plaintiffs that their information would be protected under the requirements found in HIPAA.</p>
<p>In asserting that 21<sup>st</sup> Century violated HIPAA, the Class Action Complaint contains allegations that 21<sup>st</sup> Century specifically violated Title II of HIPAA, which creates rules for handling sensitive information. Paragraph 54 of the Class-Action Complaint alleges:</p>
<p style="padding-left: 30px;"><em>Among other such insufficiencies, Defendant either failed to implement, or inadequately implemented, information security policies or procedures that protected or otherwise controlled the storage of personal information on Defendant’s computers. In addition, Defendant’s prolonged data breach could have been prevented if Defendant had honored its obligations to its patients by implementing HIPAA mandated, industry standard policies and procedures for securing their personal information. </em></p>
<p>While HIPAA has not changed, the threat to healthcare information constantly changes. In addition to being responsible for complying with various state and federal regulations, 21<sup>st</sup> Century was also required to store information in accord with HIPAA. While most of the healthcare industry is familiar with HIPAA, data storage technology and hackers’ methods have drastically changed since it took effect in 1996. Consequently, it is important to analyze the numerous breaches in the healthcare industry even if you don&#8217;t store health information.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/still-a-lot-to-learn-from-numerous-healthcare-breaches/">Still A Lot to Learn From Numerous Healthcare Breaches</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/still-a-lot-to-learn-from-numerous-healthcare-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phish and Chips: Retailers Face New Liability For Fraud Committed With New Chip Credit Cards</title>
		<link>https://privacyriskreport.com/phish-and-chips-retailers-face-new-liability-for-fraud-committed-with-new-chip-credit-cards/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=phish-and-chips-retailers-face-new-liability-for-fraud-committed-with-new-chip-credit-cards</link>
		<comments>https://privacyriskreport.com/phish-and-chips-retailers-face-new-liability-for-fraud-committed-with-new-chip-credit-cards/#comments</comments>
		<pubDate>Thu, 10 Dec 2015 20:18:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[chip cards]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[emv]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=503</guid>
		<description><![CDATA[
<p>Many consumers are finding new EMV (Europay Mastercard Visa) credit cards in their mailboxes to replace their old credit cards with a magnetic strip on the back. EMV cards are commonly referred to as “chip cards” and are intended to cut down on... <a class="more-link" href="https://privacyriskreport.com/phish-and-chips-retailers-face-new-liability-for-fraud-committed-with-new-chip-credit-cards/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/phish-and-chips-retailers-face-new-liability-for-fraud-committed-with-new-chip-credit-cards/">Phish and Chips: Retailers Face New Liability For Fraud Committed With New Chip Credit Cards</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Many consumers are finding new EMV (Europay Mastercard Visa) credit cards in their mailboxes to replace their old credit cards with a magnetic strip on the back. EMV cards are commonly referred to as “chip cards” and are intended to cut down on fraud by securing personal data on a chip on the face of the credit card, rather than a magnetic strip on the back of the card. These cards have been used in Europe for nearly ten years. Chip cards are being adopted on the premise that the magnetic strip cards were easily counterfeited by simply replicating, or “skimming,” the data stored in the magnetic strip onto another card. At this point, the metal chip makes “skimming” more difficult.</p>
<p>Chip cards also provide more safety at the point of sale. Rather than swiping the cards, consumers will now insert the chip cards into a new reader that generates a unique code needed to approve that particular sale. The theory is that the chip card will be more difficult to use without permission because the code is constantly changing. The <a href="http://www.consumer.ftc.gov/blog/what-know-about-new-credit-and-debit-chip-cards" target="_blank">Federal Trade Commission (FTC) recently issued bulletins describing how the chip cards can make purchases in stores safer</a>.</p>
<ul>
<li><strong>New Technology—Same Old Phishing Scam</strong></li>
</ul>
<p>While the technology giving rise to chip cards is new, the cards are already causing a number of security concerns. The FTC has recently issued warnings about <a href="http://www.local10.com/news/scam-alert-involving-debit-credit-chip-cards">phishing attacks</a> asking people to click on a link and enter personal information in order to receive a new chip card. Further, there are concerns that the cards will be intercepted in the mail while on the way to consumers.</p>
<ul>
<li><strong>New Liability </strong><strong>for</strong><strong> Retailers </strong></li>
</ul>
<p>At present, only the larger retailers are using the new “point of sale” reader for the chip cards. Unfortunately, many smaller retailers have not purchased the new readers because the equipment is expensive and difficult to install. Some reports estimate <a href="https://www.washingtonpost.com/news/get-there/wp/2015/04/30/your-new-credit-card-may-not-be-as-safe-as-you-think/" target="_blank">retailers will spend more than $30 billion to upgrade their cash registers</a> to handle the chip cards.</p>
<p>In addition to the cost of the equipment, many retailers may be surprised to discover that liability for fraud using the new chip cards may shift to them if the cards are fraudulently used at their cash registers and they have not installed the new reader. Specifically, on October 1, 2015, merchants that have not installed the new equipment face additional fees to cover costs related to any fraud committed with the cards. While reports indicate that <a href="http://www.computerworld.com/article/2988626/retail-it/retailers-said-to-be-weighing-lawsuits-over-chip-cards-fraud-liability-shift.html" target="_blank">retailers may file lawsuits against the credit card companies</a> that attempt to impose these fees after the October 1 “integration date,” retailers may ultimately have no choice but to purchase the new equipment.</p>
<ul>
<li><strong>Insurance Implications </strong></li>
</ul>
<p>Insurance brokers are already warning their clients about the potential liability created by these new readers and chip cards. Merchants will need to understand <a href="http://www.insurancejournal.com/news/national/2015/12/07/391102.htm" target="_blank">the new liability that has been shifted to them</a> as of October 1, 2015, and make sure they have the proper safeguards in place. For example, many merchants are complaining that the demand for this new equipment has caused serious delays in installing the equipment. Therefore, even merchants that are ready and willing to adopt the new equipment may have liability shifted to them while on a waiting list for installation. Consequently, merchants may need to work with their insurance brokers and insurers to address this new liability.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/phish-and-chips-retailers-face-new-liability-for-fraud-committed-with-new-chip-credit-cards/">Phish and Chips: Retailers Face New Liability For Fraud Committed With New Chip Credit Cards</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/phish-and-chips-retailers-face-new-liability-for-fraud-committed-with-new-chip-credit-cards/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The First Cable Operator to Be Targeted by the FCC for Data Breach Settles for $595,000</title>
		<link>https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000</link>
		<comments>https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/#comments</comments>
		<pubDate>Mon, 16 Nov 2015 22:31:06 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[corporation]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[fake]]></category>
		<category><![CDATA[FCC]]></category>
		<category><![CDATA[fine]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[response plan]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=475</guid>
		<description><![CDATA[
<p>The Federal Communications Commission (FCC) recently fined Cox Communications, Inc. (Cox) $595,000 for failing to properly protect its customers’ personal information related to a 2014 data breach. In the November 5, 2015, FCC order, the FCC stressed the importance of... <a class="more-link" href="https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/">The First Cable Operator to Be Targeted by the FCC for Data Breach Settles for $595,000</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The Federal Communications Commission (FCC) recently fined Cox Communications, Inc. (Cox) $595,000 for failing to properly protect its customers’ personal information related to a 2014 data breach. In the November 5, 2015, FCC <a href="http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db1105/DA-15-1241A1.pdf." target="_blank"><em>order</em></a>, the FCC stressed the importance of protecting cable and satellite consumers’ personal information and the consequences of failing to protect such information. This may be a signal that the FCC is ready to be more vigilant against cable and satellite service providers for data breaches.</p>
<p>Cox’s electronic data systems were breached in August 2014 when a hacker pretended to be from Cox’s IT department and convinced a Cox customer service representative and a Cox contractor to provide their Cox IDs and passwords to a fake website controlled by the hacker. With these Cox IDs and passwords, the hacker then gained access to personal data of Cox’s current and former customers, including their names, home addresses, email addresses, phone numbers, partial social security numbers, and partial license numbers. The hacker then posted some of this personal information on social network sites, changed the passwords of some customers, and shared some customers’ personal information with another hacker.</p>
<p>As part of the settlement with the FCC, Cox agreed to improve its privacy and data security practices, including designating a senior corporate manager, who is a certified privacy professional, to:</p>
<ul>
<li>oversee compliance with the consent decree,</li>
<li>conduct privacy risk assessments,</li>
<li>implement a written information security program,</li>
<li>maintain a reasonable oversight of third-party vendors,</li>
<li>implement a better data breach response plan, and</li>
<li>provide privacy and security awareness training to employees and third-party vendors.</li>
</ul>
<p>Over the last year, we have seen the <a href="https://privacyriskreport.com/cyber-security-included-as-a-priority-for-securities-and-exchange-commission/"><em>Securities and Exchange Commission</em></a> address cybersecurity in addition to the U.S. Court of Appeals for the 3rd Circuit’s <a href="https://privacyriskreport.com/third-circuits-wyndham-decision-indicates-ftc-should-take-lead-in-cybersecurity-enforcement-actions/"><em>holding</em></a> that the Federal Trade Commission has the authority to regulate cybersecurity for American businesses and corporations. In addition to the <a href="https://privacyriskreport.com/fcc-seeks-10-million-in-fines-for-consumer-data-breaches/"><em>FCC’s fines against telecommunications providers</em></a>, this action brought by the FCC provides the latest example in a long line of government agencies having to regulate emerging issues concerning data security.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/">The First Cable Operator to Be Targeted by the FCC for Data Breach Settles for $595,000</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-first-cable-operator-to-be-targeted-by-the-fcc-for-data-breach-settles-for-595000/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>3rd Circuit’s Wyndham Decision Indicates FTC Should Take Lead in Cybersecurity Enforcement Actions</title>
		<link>https://privacyriskreport.com/third-circuits-wyndham-decision-indicates-ftc-should-take-lead-in-cybersecurity-enforcement-actions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=third-circuits-wyndham-decision-indicates-ftc-should-take-lead-in-cybersecurity-enforcement-actions</link>
		<comments>https://privacyriskreport.com/third-circuits-wyndham-decision-indicates-ftc-should-take-lead-in-cybersecurity-enforcement-actions/#comments</comments>
		<pubDate>Wed, 26 Aug 2015 13:30:54 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[FCRA]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=290</guid>
		<description><![CDATA[
<p>The number and scale of cyber attacks on U.S. corporations has outpaced the development of regulations and methods to enforce such regulations. To date, it has been relatively unclear whether cybersecurity would be governed by the Federal Trade Commission (FTC) Act,... <a class="more-link" href="https://privacyriskreport.com/third-circuits-wyndham-decision-indicates-ftc-should-take-lead-in-cybersecurity-enforcement-actions/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/third-circuits-wyndham-decision-indicates-ftc-should-take-lead-in-cybersecurity-enforcement-actions/">3rd Circuit’s Wyndham Decision Indicates FTC Should Take Lead in Cybersecurity Enforcement Actions</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The number and scale of cyber attacks on U.S. corporations has outpaced the development of regulations and methods to enforce such regulations. To date, it has been relatively unclear whether cybersecurity would be governed by the Federal Trade Commission (FTC) Act, the Fair Credit Reporting Act, the Stored Communications Act or laws found in various states around the country. Because of <a href="https://privacyriskreport.com/wp-content/uploads/2015/08/FTC-v-Wyndham-Worldwide.-PDF.pdf" target="_blank">the decision issued by the U.S. Court of Appeals for the 3rd Circuit</a> in <em>Federal Trade Commission v. Wyndham Worldwide Corp</em>., we now have more clarity on this issue.</p>
<p>On August 24, 2015, the 3rd Circuit held that the FTC has the authority to regulate cybersecurity for American corporations and businesses. In particular, the 3rd Circuit held that the FTC can bring an unfairness claim involving data security under the FTC Act of 1914 and U.S. businesses have sufficient notice of regulations giving rise to an unfairness claim under the Act.</p>
<h3>Wyndham Breaches</h3>
<p>Wyndham, a company that franchises and manages hotels, suffered three data breaches in 2008 and 2009 caused by separate hacker attacks on Wyndham’s computer networks. The hackers stole credit card information and other personal information from over 600,000 of Wyndham’s customers. The attacks resulted in a loss of at least $10.6 million related to the fraud.</p>
<h3>FTC Action</h3>
<p>In initiating its action, the FTC alleged Wyndham “engaged in unfair cybersecurity practices that, ‘taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.’” The FTC also claimed Wyndham failed to use proper security measures to protect customers’ data, including encryption of valuable customer financial data.</p>
<p>The FTC originally filed suit in a District Court in Arizona, claiming Wyndham engaged in “unfair” and “deceptive” practices in violation of 15 U.S.C. § 45(a). The case was ultimately transferred to a District Court in New Jersey. Once it was transferred, Wyndham filed a motion to dismiss on the unfair practice and deceptive practice claims. The District Court denied the motion to dismiss and certified its decision for interlocutory appeal.</p>
<h3>FTC had Authority Under FTC Act of 1914</h3>
<p>The threshold question on appeal was whether the FTC could bring an administrative action against companies under the FTC Act based on allegations of deficient cybersecurity measures to protect consumers against hackers. Based on various amendments through the years, a violation of the FTC Act has developed to require “substantial injury that is not reasonably avoidable by consumers and that is not outweighed by the benefits to consumers or competition.” In its complaint, the FTC alleged Wyndham’s failure to implement proper safeguards was in violation of the FTC Act. The Third Circuit agreed with the FTC.</p>
<p>In general, the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” The 3rd Circuit first analyzed the meaning of “unfairness” as used in the Act. Wyndham argued that the FTC could not bring an action against it because the FTC’s allegations failed to meet the requirements of “unfairness” under the Act. The 3rd Circuit rejected Wyndham’s argument when it held: “[a] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing adequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”</p>
<p>Also on this point, Wyndham took the position that the FTC failed to meet this requirement because a “business does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.” The 3rd Circuit was not persuaded by Wyndham and opined that the second and third breaches were foreseeable to Wyndham after it suffered the first attack and, therefore, the FTC could survive Wyndham’s motion to dismiss.</p>
<h3>Wyndham had Proper Notice of Cybersecurity Standards Required to Follow</h3>
<p>Wyndham also argued that it did not receive proper notice that the FTC was interpreting the Act to include lax cybersecurity measures as a violation (“The relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires”). In rejecting Wyndham’s argument, the 3rd Circuit framed the issue on appeal as follows:</p>
<p>…<em>Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.  </em></p>
<p>The 3rd Circuit held “[a]s a necessary consequence, Wyndham is only entitled to notice of the meaning of the statute and not the agency’s interpretation of the statute.” Further, the 3rd Circuit found Wyndham’s argument that it “lacked notice of what specific cybersecurity practices are necessary to avoid liability” lacked merit when Wyndham had been attacked three times (“At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis”).</p>
<h3>Implications of the <strong><em>Wyndham</em></strong> Decision</h3>
<p>The FTC’s Chairwoman, Edith Ramirez, has already issued a statement concerning the <em>Wyndham</em> decision that “it is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” Consequently, based on the reasoning of the <em>Wyndham </em>decision, corporations are going to have difficulty taking the position that they were somehow unaware of the importance of cybersecurity. Further, now that the FTC is taking the lead in enforcing cybersecurity measures, U.S. corporations should expect the FTC to provide clear guidance on what is expected to safeguard data.</p>
<p><em>This post originally appeared in Advisen&#8217;s Cyber Risk Network on August 25, 2015 (<a href="http://www.cyberrisknetwork.com/">http://www.cyberrisknetwork.com/</a>)</em></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/third-circuits-wyndham-decision-indicates-ftc-should-take-lead-in-cybersecurity-enforcement-actions/">3rd Circuit’s Wyndham Decision Indicates FTC Should Take Lead in Cybersecurity Enforcement Actions</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/third-circuits-wyndham-decision-indicates-ftc-should-take-lead-in-cybersecurity-enforcement-actions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shareholder Derivative Suit Against Wyndham For Data Breaches Dismissed</title>
		<link>https://privacyriskreport.com/shareholder-derivative-suit-against-wyndham-for-data-breaches-dismissed/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=shareholder-derivative-suit-against-wyndham-for-data-breaches-dismissed</link>
		<comments>https://privacyriskreport.com/shareholder-derivative-suit-against-wyndham-for-data-breaches-dismissed/#comments</comments>
		<pubDate>Tue, 11 Nov 2014 19:31:35 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[litigation]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=145</guid>
		<description><![CDATA[
<p>The United States District Court for the District of New Jersey dismissed a derivative suit brought by shareholders on behalf of Wyndham Worldwide Corporation following a series of data breaches within the Company. After Wyndham’s Board of Directors unanimously voted to refuse... <a class="more-link" href="https://privacyriskreport.com/shareholder-derivative-suit-against-wyndham-for-data-breaches-dismissed/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/shareholder-derivative-suit-against-wyndham-for-data-breaches-dismissed/">Shareholder Derivative Suit Against Wyndham For Data Breaches Dismissed</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The United States District Court for the District of New Jersey <a href="http://docs.justia.com/cases/federal/district-courts/new-jersey/njdce/2:2014cv01234/300630/49" target="_blank">dismissed</a> a derivative suit brought by shareholders on behalf of Wyndham Worldwide Corporation following a series of data breaches within the Company. After Wyndham’s Board of Directors unanimously voted to refuse a shareholder’s demand to bring a lawsuit based on the breaches, several shareholders filed the derivative action in an attempt to force the board to bring suit.</p>
<p>In dismissing the shareholders’ derivative action, the Court held that the “business judgment rule” protected the Board’s decision to refrain from litigating claims surrounding the data breaches. It reasoned that, even prior to the shareholder’s demand, the Board had routinely discussed the cyber attacks at Board meetings; previously investigated and rejected the claims from an identical demand letter; and, overall, had developed its understanding of the issues surrounding the cyber attacks. Moreover, the Board and a special Committee specifically considered the shareholder’s demand in this case. Based on this prior knowledge and investigation, the Court found that the Board “had a firm grasp of Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest.” Accordingly, the Board’s decision not to pursue further action on Wyndham’s behalf was protected by the business judgment rule.</p>
<p>While the board of directors may have escaped liability in this case, the Wyndham Corporation itself may still face liability on several fronts, including an action brought by the FTC. The <a href="https://privacyriskreport.com/third-circuit-addresses-ftc-authority-related-to-data-security/" target="_blank">FTC’s action</a> against Wyndham remains pending before the Third Circuit, which is set to rule on the scope of the FTC’s authority in data breach cases.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/shareholder-derivative-suit-against-wyndham-for-data-breaches-dismissed/">Shareholder Derivative Suit Against Wyndham For Data Breaches Dismissed</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/shareholder-derivative-suit-against-wyndham-for-data-breaches-dismissed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>President Obama Signs Executive Order Addressing Data Security</title>
		<link>https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=president-obama-signs-executive-order-addressing-data-security</link>
		<comments>https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/#comments</comments>
		<pubDate>Mon, 27 Oct 2014 18:42:40 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[legislation]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=157</guid>
		<description><![CDATA[
<p>On October 17, President Barack Obama signed an Executive Order addressing the growing concerns over data security in the United States. One of the most notable aspects of the Order is its requirement that all federally-issued credit and debit cards include... <a class="more-link" href="https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/">President Obama Signs Executive Order Addressing Data Security</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On October 17, President Barack Obama signed an <a href="http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions" target="_blank">Executive Order</a> addressing the growing concerns over data security in the United States. One of the most notable aspects of the Order is its requirement that all federally-issued credit and debit cards include chip-and-PIN technology. The chip-and-PIN technology enhances the security of the more traditional magnetic strip cards by replacing the magnetic strip with a computer chip that uses cryptography to protect data contained within the card. While the Order only applies to those cards issued by the federal government, several private sector companies, including Target, Wal-Mart, and Home Depot, have agreed to implement chip-and-PIN technology starting in 2015.</p>
<p>The Order also addresses the need for improved resources for identity theft victims following a data breach. It orders federal agencies with publicly available resources for victims of identity theft to share such information with the FTC, so that the FTC can continue to develop and streamline these resources at its website for identity theft victims, <a href="http://www.identitytheft.gov/" target="_blank">IdentityTheft.gov</a>.</p>
<p>In conjunction with signing the Order, Obama called on Congress to pass data breach legislation, writing in a statement that “[t]he current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one.” While members of the Senate have proposed several cybersecurity and data breach bills, Congress has yet to enact any of these bills into law.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/">President Obama Signs Executive Order Addressing Data Security</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Third Circuit Addresses FTC Authority Related To Data Security</title>
		<link>https://privacyriskreport.com/third-circuit-addresses-ftc-authority-related-to-data-security/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=third-circuit-addresses-ftc-authority-related-to-data-security</link>
		<comments>https://privacyriskreport.com/third-circuit-addresses-ftc-authority-related-to-data-security/#comments</comments>
		<pubDate>Tue, 26 Aug 2014 17:07:53 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[New Jersey]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=213</guid>
		<description><![CDATA[
<p>In late June, the Federal District Court for the District of New Jersey certified two major data security issues for interlocutory appeal to the Third Circuit. FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887 (D.N.J. June 23, 2014). The Third Circuit... <a class="more-link" href="https://privacyriskreport.com/third-circuit-addresses-ftc-authority-related-to-data-security/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/third-circuit-addresses-ftc-authority-related-to-data-security/">Third Circuit Addresses FTC Authority Related To Data Security</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In late June, the Federal District Court for the District of New Jersey certified two major data security issues for interlocutory appeal to the Third Circuit. <a href="http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1763&amp;context=historical" target="_blank"><em>FTC v. Wyndham Worldwide Corp.</em>, No. 2:13-cv-01887 (D.N.J. June 23, 2014)</a>. The Third Circuit is set to rule on two issues affecting the extent of the FTC’s authority to regulate data security among businesses: “(1) whether the FTC can bring an unfairness claim involving data security under Section 5 of the FTC Act and (2) whether the FTC must formally promulgate regulations before bringing [an] unfairness claim under Section 5.”</p>
<p>This decision will potentially define yet another avenue for business liability following a data breach.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/third-circuit-addresses-ftc-authority-related-to-data-security/">Third Circuit Addresses FTC Authority Related To Data Security</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/third-circuit-addresses-ftc-authority-related-to-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
