The Internet of Things (“IoT”) can be thought of as a group of different devices that can communicate with each other, perhaps over a network such as the internet. We have written extensively about many of the privacy challenges that IoT devices can create. Recently, the Federal Trade Commission (“FTC”) made clear that its Children’s Online Privacy Protection Rule (the “COPPA Rule”) would continue to be applicable to new business models, including “the growing list of connected devices that make up the Internet of Things. That includes connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.”

To assist companies in complying with their COPPA obligations, the FTC has released an updated Six-Step Compliance Plan. These steps are:

Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.

Step 2: Post a Privacy Policy that Complies with COPPA.

Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.

Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.

Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.

Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.

Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

Notably, per Step 1, the FTC has made it clear that COPPA defines “Website or Online Service” broadly, to include “mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, connected toys or other Internet of Things devices.” A key takeaway for companies everywhere is that, if your service collects personal information from kids under 13, it is unlikely that the FTC will be swayed by an argument that your service is not subject to the COPPA Rule. Instead, entities would be wise either to limit their data collection activities so that personal information is not collected, or to take the time to understand and comply with their COPPA obligations from the outset.

If your IoT device or app does collect personal information from kids under 13, “verifiable parental consent” is the most important compliance concept, and also the trickiest to implement. The COPPA Rule does contain exceptions to the “verifiable parental consent” requirement, but those exceptions are limited, and you should rely on any of them only after careful consideration of your collection practices and the COPPA Rule.

Similarly, the FBI has warned consumers that internet-connected toys present privacy concerns for children. Companies may wish to pay particular attention to the FBI’s recommendations for consumers, as many of them involve the consumer researching whether the company has used basic measures to protect the privacy of the children who use these toys, including authentication and encryption, as well as providing security patches at the device level. Companies may wish to consider whether these suggestions could form part of the basis for a reasonable standard of care, and whether, given their IoT device’s use case, a failure to support one or more of these measures could subject them to additional liability.

If you have any questions regarding COPPA compliance, please do not hesitate to contact the team at Mintz Levin.


Decisions you make when founding and/or investing in an insurtech venture can dictate your regulatory obligations, tax liability, operational structure and, ultimately, profitability.

Here are five seemingly simple questions to ask when launching an insurtech venture (and do not miss question #3).

Continue reading: Five Questions for Investors in Insurtech

In a decision sure to have wide-ranging implications for cross-border discovery and the privacy regimes that govern it, the Supreme Court recently held in Water Splash, Inc. v. Menon that the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil and Commercial Matters (the “Hague Service Convention” or the “Convention”) does not prohibit service by mail. While the Court stated explicitly that its holding does not affirmatively authorize service by mail, the Court concluded that the Convention does not prevent service by mail if: (1) the receiving country has not objected to service by mail; and (2) service by mail is authorized under otherwise-applicable law.

For any corporate entity with global operations, or with employees and consumers abroad, take a close look at the terms of the Convention and the applicable service laws of the countries in which you maintain operations, and, as always, be mindful of where you might need to look for documents or other things that might be implicated by a complaint served or received abroad. At the very least, pop Bob Dylan into Pandora and enjoy this warm summer day.

Continue reading: Knock, Knock, Knocking on Menon’s Door

Oregon’s legislature recently expanded the scope of statutory consumer protections by passing a bill to amend the state’s Unlawful Trade Practices Act (the “Act”). Oregon’s Governor Kate Brown signed H.B. 2090 into law after near unanimous passage by state lawmakers. The bill is particularly notable because it squarely targets online commerce and imposes liability on businesses for publishing false or misleading online privacy policies.

Continue reading: Oregon Ramps up State Consumer Protections in an Era of Deregulation

Despite some courts’ evident confusion about the impact of payment card theft on consumer cardholders, other courts are getting it right. Just this week, a judge in the Northern District of Illinois issued an order dismissing the second amended complaint filed by consumer cardholders in In re Barnes & Noble Pin Pad Litig. (N.D. Ill.). This order marked the third time that the court had dismissed the consumer cardholder claims for lack of injury. Here, as in every theft of credit or debit card data, the fact that consumers are held harmless for fraudulent charges on their cards means that such losses, which are borne by the issuing banks, do not result in injury to consumers sufficient to confer statutory or constitutional standing. This leaves plaintiffs, like those in Barnes & Noble, to argue that they sustained actionable injury because of inconvenience (cards are replaced, accounts are temporarily frozen) or apprehension of potential future harm (future adverse credit impact). The court in Barnes & Noble held the former to be insufficiently significant to support claims under statutes requiring proof of loss, while the latter was deemed too speculative to confer standing. Even though plaintiffs could show that they purchased credit monitoring services after the breach, the court held that money spent attempting to mitigate future fraud is not an injury redressable under state unfair competition law.

Having dismissed three separate attempts to plead an actionable claim, the court dismissed the second amended complaint in Barnes & Noble with prejudice.  With this ruling, the court has provided additional support for defendants resisting consumer claims arising from theft of payment card data.

Recently, the United States Computer Emergency Readiness Team (US-CERT), an organization within the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) and a branch of the Office of Cybersecurity and Communications’ (CS&C) National Cybersecurity and Communications Integration Center (NCCIC), encouraged users and administrators to review a recent article from the Federal Bureau of Investigation (FBI) titled Building a Digital Defense with an Email Fortress.

As we have discussed in many posts before, phishing, the fraudulent practice of sending emails purporting to be from a reputable entity to induce an individual to reveal privileged information such as a password, remains a major security threat. In the article, the FBI provides several helpful actions that businesses can take to reduce their risk of being phished, including reporting and deleting suspicious emails and making sure that countermeasures such as firewalls, antivirus software, and spam filters are robust and up to date.

We encourage each of our readers to review the FBI’s guidance and consider whether their organization could benefit from any of the methods of protection provided.

Companies with any questions regarding any of these issues should not hesitate to contact the team at Mintz Levin.

It seems as though we have been writing about this case for a lifetime. Target Corporation’s data breach saga came one step closer to a conclusion this week. On Tuesday, Target reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the company’s 2013 data breach. Alabama, Wisconsin, and Wyoming were not part of the settlement.

Continue reading: Target Reaches $18.5 Million Dollar Settlement in Data Breach with States

The latest edition of the Mintz TCPA Digest has been published and you can read it hot off the presses, here.

This month’s issue features updates on the latest regulatory activities and an article on a potential ruling that could have major implications for pending and future TCPA cases.

Mintz Levin’s TCPA and Consumer Calling Practice team should be on your speed dial.


You’ve had your apple a day, but you can’t keep the subpoenas away…  

And, if your organization is facing a request seeking records or other materials that may contain patient health information (“PHI”), it bears repeating that while HIPAA provides a number of methods through which covered entities that hold records containing PHI may produce such records, courts closely enforce those requirements. Read on for your spring check-up.

Continue reading: HIPAA Spring Check-up: Your Obligations to Safeguard Third-Party Patient Health Information in Medical Records Produced in Litigation

Amid the flurry following former FBI Director James Comey’s firing last week, President Trump marked his 111th day in office on Thursday, May 11th by signing an executive order targeting national cybersecurity.

The long-awaited order is the first step in fulfilling Trump’s promise to address national cybersecurity concerns, and it arrives as the threat of international hacking and cyberattacks continues to grow. It establishes three overarching cybersecurity priorities for the United States: (1) protecting federal networks, (2) reinforcing critical infrastructure, and (3) protecting the American public online. The full text of the executive order can be found here.

While the order includes few actionable items, it sets strict deadlines for government agencies to produce risk reports and recommendations for improving their data security practices, signifying an important call to action from the executive branch that places risk management at the forefront.

Modernizing & consolidating federal networks

Consolidating to the cloud will likely be the first major step toward overhauling the government’s administration-wide cybersecurity protocol. In a press briefing last Thursday, White House Homeland Security Advisor Tom Bossert addressed what he views as fractured, agency-specific IT security practices across the government, noting that “[if] we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts.”

The move to modernize is an extension of similar efforts by the Obama administration to bolster cybersecurity, an area in which Bossert says that administration made “a lot of progress … [but] not enough.” In line with advancing these efforts, the executive order requires federal agencies to use the Framework for Improving Critical Infrastructure Cybersecurity, developed in 2014 by the National Institute of Standards and Technology (“NIST”), to manage cybersecurity risk. Relatedly, the Framework may be revised soon: NIST recently closed a comment period on an updated draft that it circulated in January 2017, and per the executive order any successor document to the Framework will become the operative version to be used by government agencies. Separately, Rep. Will Hurd (R-TX), Chairman of the House Information Technology Subcommittee, recently reintroduced H.R. 2227, the “Modernizing Government Technology Act,” which would provide more efficient funding for the modernization of federal IT infrastructure and is expected to reach the floor of the House of Representatives within the next couple of weeks.

Reinforcing critical infrastructure

The second prong of the executive order requires the Secretary of Homeland Security to prepare an assessment of potential vulnerabilities across the country’s infrastructure systems, from financial and telecommunications systems to utilities such as water and electricity. Improving transparency about the security gaps in these systems is crucial, especially as large Distributed Denial of Service (DDoS) attacks launched from botnets of compromised Internet of Things (“IoT”) devices have joined traditional data breaches as a major threat (see our blog post here for a discussion of the House’s efforts to address growing security concerns around the IoT).

Protecting the public online

Finally, President Trump’s executive order calls for policies aimed at protecting U.S. citizens from domestic and foreign online threats. In addition to increasing the number of cybersecurity experts working with the White House, Bossert suggested that following through on such policies will require greater partnership between the federal government and the private sector. Indeed, the government currently relies on technology from large, long-time vendors, many of which may not be prepared to grapple with the significant and evolving risks becoming apparent across the data security landscape. Independent technology startups are driving much of the progress in new cybersecurity measures, and the government will need to cultivate solid relationships with these players if it wants to stay ahead in the cybersecurity arena.

President Trump’s executive order has received some criticism for its breadth, but overall has been commended by cybersecurity experts as a balanced step in the right direction. Time will tell whether the resulting policies will make a meaningful difference in the country’s ability to fend off attackers in the ever-evolving online battleground.