Advertising Lawyer Richard B. Newman Quoted by Legaltech News on Data Privacy Court Orders
On April 24, 2019, the Federal Trade Commission issued a statement regarding the matters of Unixiz, Inc. d/b/a i-Dressup.com and Zhijun Liu and Xichen Zhang individually & James V. Grago, Jr. d/b/a ClixSense.com (FTC Matter Nos. 1723002 & 1723003)
The Commission announced cases against Clixsense and i-Dressup,1 which include allegations that the companies failed to employ reasonable security to protect consumers’ sensitive data. The orders obtained in these matters contain strong injunctive provisions, including new requirements that go beyond requirements from previous data security orders.
For example, the orders include requirements that a senior officer provide annual certifications of compliance to the Commission, and explicit provisions prohibiting the defendants from making misrepresentations to the third parties conducting assessments of their data security programs. According to the FTC, these new requirements will provide greater assurances that consumers’ data will be protected going forward.
As discussed in greater detail below, FTC attorneys are instructed to closely review orders to determine whether they could be strengthened and improved – particularly in the areas of privacy and data security. The FTC has expressly stated that future orders will better ensure that third-party assessors know they are accountable for providing meaningful, independent analysis of the data practices under examination.
So, what is the really all about? Why now?
FTC compliance and defense attorney Richard B. Newman’s opinion on the issue was recently solicited by Legaltech News in an article entitled “What’s Behind the FTC’s Push for More Detailed Orders?”
The article addresses the recent statement referenced above, and what is really behind that FTC’s efforts to include “new and improved” injunctive provisions in data privacy-related court orders.
For example, the i-Dressup proposed settlement orders the children’s website operator, without limitation, to pay a $35,000 fine, undergo biennial assessments by a third-party and install a data security officer.
While the FTC’s press release appears to be an effort in convey forward-thinking regulatory policy, Newman stated that the FTC’s position is the result of an appeal’s court recent finding that the agency failed to include the requisite amount of specificity in a settlement order with LabMD Inc. According to Newman, “the court held that the FTC’s order should be invalidated because it failed to direct LabMD to cease committing any specific unfair acts or practices and instead imposed on the general requirement that the company maintain a ‘comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers.’”
He also added that “while that 11th Circuit decision perhaps wasn’t the overriding factor for the FTC’s new stance, it was likely a component.” “Here, the FTC was almost certainly mindful of the need for specificity in conjunction with injunctive relief and how failing to account for the issue may render settlements vulnerable to attack,” Newman stated.
View the article at Legaltech News (subscription required).