Zombie PHR Breach Rule Rises From the Dead


If an entity that offers a personal health record identifies a breach of information in that record, it is required to provide notice to each impacted individual and to the FTC within 60 calendar days of discovery.

Yesterday, the FTC issued a policy statement announcing a new interpretation of the FTC’s 10-year-old “Personal Health Record Breach Notification Rule.” As the FTC acknowledges, this rule has never been enforced by the FTC. The FTC’s announcement indicates its intention to begin enforcing this rule, which allows the FTC to assess penalties of $43,792 per day of violation.

Continue reading “Zombie PHR Breach Rule Rises From the Dead”

TikTok Facing Billion-Pound Legal Challenge in Children’s Data Privacy Lawsuit


TikTok is facing a potential legal claim in the U.K. brought by the former Children’s Commissioner for England, Anne Longfield, on behalf of millions of children in the U.K. and EEA who have used the social media app. Claimants in the action could be entitled to over $1 billion pounds in damages.

This action follows fines issued by the U.S. Federal Trade Commission in 2019 and the Korea Communications Commission in South Korea in 2020 for mishandling children’s data. TikTok has also previously been investigated by the U.K.’s Information Commissioner’s Office, which ordered TikTok in 2019 to delete data associated with a linked app and set up an age verification system for that function.

Continue reading “TikTok Facing Billion-Pound Legal Challenge in Children’s Data Privacy Lawsuit”

FTC Settlement with Zoom Concerning Alleged Data-Security Lapses


On November 9, 2020, the United States Federal Trade Commission (FTC) announced that it had entered into a consent agreement, subject to final approval, with videoconferencing company Zoom Video Communications, Inc. (Zoom). The consent agreement settles allegations that Zoom engaged in a series of deceptive and unfair practices that undermined the security of its users. The Commission voted 3–2 to accept the settlement, with Commissioners Chopra and Slaughter voting no and issuing dissenting statements asserting that the FTC’s action did not go far enough.

While the FTC generally does not identify what triggers a law enforcement action, there have been many news articles and a number of class actions filed in connection with Zoom’s data-security practices over the past six months that likely led to this action.

Continue reading “FTC Settlement with Zoom Concerning Alleged Data-Security Lapses”

FTC Opinion Holds False Express Privacy Claims are Material


The Federal Trade Commission’s Opinion finding that Cambridge Analytica engaged in deceptive practices to harvest personal information closes another chapter in the Commission’s actions against Cambridge Analytica and its former chief executive and app developer. The opinion is noteworthy for two reasons. First, the procedural posture of this matter is unique because Cambridge Analytica failed to appear or to answer the complaint. This allowed the Commission under its Rules of Practice to find the facts to be as alleged in the complaint and to enter a final decision. Second, the Commission’s opinion holds that a false express privacy claim is material and thus violates Section 5 of the FTC Act.

Continue reading “FTC Opinion Holds False Express Privacy Claims are Material”

FTC Litigation with D-Link Ends with Comprehensive Settlement


In 2017, the FTC filed a complaint against D-Link Systems, Inc. (D-Link) alleging that the Taiwan-based computer networking equipment manufacturer had taken inadequate security measures which left its wireless routers and Internet-connected cameras vulnerable to hackers. In early July, D-Link agreed to a settlement that includes a requirement that it implement a comprehensive software security program, and obtain biennial, independent third-party assessments of its software security program for 10 years.

Continue reading “FTC Litigation with D-Link Ends with Comprehensive Settlement”

Further Expansion of Data Security Requirements in FTC Order with LightYear Dealer Technologies


The FTC has entered into a settlement with LightYear Dealer Technologies, doing business as DealerBuilt, a technology company that develops and sells dealer management system (DMS) software and data processing services to automotive dealerships nationwide. The settlement resolves allegations that DealerBuilt engaged in a number of unreasonable data security practices. The DealerBuilt’s DMS software tracks, manages, and stores information related to all aspects of a dealership’s business, including sales, finance, inventory, accounting, payroll, and parts and service and collects and maintains personal and competitively sensitive information about consumers and employees.

Continue reading “Further Expansion of Data Security Requirements in FTC Order with LightYear Dealer Technologies”