In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach. The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices. A U.S. District Court ruling last week casts some doubt on that authority. Although the court concluded against Amazon on the facts at issue (involving in app purchases not data security), it also cast doubt on the FTC’s authority to seek long injunctions based on a company’s past practices.
News of Note: Third Circuit Releases Google and Viacom from Invasion of Privacy Claims. Last week, in In Re: Nickelodeon Consumer Privacy Litigation, the Third Circuit affirmed the dismissal of privacy claims tied to Google’s and Viacom’s alleged tracking of children’s online activities, including allegations made under the Video Privacy Protection Act. The opinion concluded that the statute enacted to prevent videotape service providers from disclosing a consumers’ viewing history was not intended to apply to the conduct at issue. The panel also cautioned, however, that “companies in the business of streaming digital video are well advised to think carefully about customer notice and consent.”
Practice Tip: Review the Department of Homeland Security’s Recent Final Rules for Private-Sector Information-Sharing before you Need to Act on Them. As reported here earlier, the Department of Homeland Security (“DHS”) just recently finalized its rules for private-sector information-sharing under the Cybersecurity Information Sharing Act of 2015 (“CISA”). CISA permits private companies to share cyber threat information with the U.S. government and shields those companies from liability for doing so. Understanding when and how such information may be submitted, and what to submit before you have a cybersecurity incident would be time well spent.