The Federal Trade Commission on March 2, 2023, announced a proposed complaint and proposed consent order with BetterHelp, Inc., an online counseling platform that allegedly disclosed consumer health data to third-party advertising platforms. The settlement requires payment of $7.8 million to be used for consumer refunds—the first time an FTC action has required the return
Federal Developments
Biden Administration Plans Mandatory Cybersecurity Regulations for Critical Infrastructure Companies
Recent comments by Anne Neuberger, President Biden’s Deputy National Security Adviser for Cyber and Emerging Technology, herald an important shift in U.S. cybersecurity policy. Traditionally, the U.S. Government’s approach has mostly focused on requiring companies to notify regulators and affected individuals of security breaches that implicate specific types of information, such as personally identifiable information, protected health information, and financial information. Federal efforts to prescribe or enforce proactive security measures have been sector-specific, such as the Transportation Security Administration’s Security Directives covering rail and pipeline owners and operators. Those measures have been spread among sector-specific agencies, which has resulted in multiple, and sometimes conflicting or confusing, requirements applying to some businesses. Federal law enforcement agencies have also made targeted and novel use of criminal search authorities to proactively remediate privately owned machines infected with malware by Russian and China-based actors.…
Four Data Security Safeguards the FTC Would Like Companies To Adopt in 2023
Data security will be an enforcement priority for the FTC in 2023. The FTC, in its December 14, 2022, Commission meeting, highlighted four data security measures that it believes are particularly important for strong cybersecurity.
This Update discusses what these safeguards are and why the FTC believes they are so critical.
White House Adopts Blueprint for an AI Bill of Rights
The Office of Science and Technology Policy (OSTP), a part of the Executive Office of the President, recently published a white paper titled “The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People” (Blueprint). This Blueprint offers a nonbinding framework for the responsible development of policies and…
$228M Verdict in First Illinois Biometric Information Privacy Act Trial
After a five-day trial and only an hour of deliberation, the nation’s first trial under the Illinois Biometric Information Privacy Act (BIPA) ended with a bang. The jury found that the defendant, BNSF Railway Company, recklessly or intentionally violated BIPA 45,600 times (once per class member), resulting in a $228 million judgment.
President Biden Issues Executive Order Regarding Signals Intelligence Activities, Clearing Way for New Trans-Atlantic Data Privacy Framework
President Biden issued an executive order (EO) increasing protections and safeguards for personal data subject to signals intelligence activities. It also establishes a redress mechanism for residents of qualifying states who allege they were harmed by U.S. signals intelligence activity conducted in violation of U.S. law. The EO is intended to address perceived deficiencies in…
FTC Sues Data Broker for Alleged Unfair Act of Selling Precise Geolocation Data
The Federal Trade Commission filed a lawsuit on August 29, 2022, against data broker Kochava Inc., alleging that the company’s sale of precise geolocation data is an unfair act or practice that violates Section 5 of the FTC Act. The case follows an FTC blog post warning that the agency would be vigilant in protecting…
CISA Seeks Input on New Cybersecurity Reporting Requirements
The Cybersecurity and Infrastructure Security Agency seeks public input on regulations that will set new mandatory cybersecurity reporting requirements for critical infrastructure companies. Open questions include the following:
- Who will be subject to the new requirements?
- What level of incident will trigger mandatory reporting?
- How much follow-up reporting will be required?
- What costs could potential
FTC Kicks Off Wide-Ranging Privacy Rulemaking
On August 11, 2022, the Federal Trade Commission (FTC) issued an advance notice of proposed rulemaking (ANPRM), kicking off its long-awaited rulemaking on commercial surveillance and data security.
The ANPRM is the first step in a long process that could result in the adoption of a federal regulation addressing privacy, data security, and use of…
Forthcoming Disclosure and Security Requirements for Institutions Hosting Federally Funded Research
National Security Presidential Memorandum-33 requires federal agencies to impose disclosure and security requirements as part of research and development grant programs.
Academic and research institutions will be subject to standardized and enhanced disclosure obligations at the institutional and individual levels. Major institutions will also have to implement security programs with elements including cybersecurity and insider…