The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services have jointly posted an advisory to warn hospitals and other health care providers about the threat of malicious attacks on their information systems.  At least six hospitals across the United States were recently victimized by attacks using Trickbot malware within a 24-hour period.  These attacks have led to requests for ransom to release data, data theft, and the disruption of services.

The advisory describes how the malware works, identifies indicators that a system may have been infected with the malware, and sets forth measures that health care providers may take to prevent and minimize damage from an attack and to respond to an attack if one occurs.  With the surge in coronavirus hospitalizations, the disruptions that such threats may cause raise more and more serious concerns, and health care providers should be on heightened alert.

Assaults on Section 230 of the Communications Decency Act (the “CDA”)—which shields online platforms from civil liability for third-party content on their services—are abundant these days.  On October 15, 2020, FCC Chairman Ajit Pai announced that his agency, at the request of President Trump, will draft rules explaining when platforms’ efforts to moderate user-posted content will leave them exposed to potential liability.  Two days earlier, Justice Thomas issued a scathing critique of the Court’s current interpretation of Section 230, arguing for a much more limited interpretation that would drastically narrow the liability shield.

Most of the discussion has focused on concerns relating to free speech, the spread of misinformation, and accusations of biases in moderation practices.  However, the case in which Justice Thomas issued his statement demonstrates another important issue at stake—the ability of platforms to use privacy and information security screening tools.

Subsection (c)(2)(A) protects decisions to remove “objectionable” content made in good faith, while Subsection (c)(2)(B) protects software providers who give internet users the technical means to screen or filter such content.  It is the latter provision that was at issue in Enigma Software Group USA, LLC v. Malwarebytes, Inc., which involved two companies that both provide software to enable individuals to filter unwanted or malicious content, such as malware.  Enigma sued Malwarebytes alleging that Malwarebytes engaged in anticompetitive conduct by configuring its product to make it difficult for consumers to download and use Enigma products.  In its defense, Malwarebytes invoked Section 230(c)(2)(B).

The Ninth Circuit had previously held in Zango, Inc. v. Kaspersky Lab, Inc., 568 F.3d 1169 (9th Cir. 2009), that providers of software filtering tools (like Enigma and Malwarebytes) were in fact protected by Section 230(c)(2) because those tools allowed users to block objectionable content, such as malware.  The Zango court did not, however, address whether there were limitations on the provider’s discretion to declare online content objectionable.

The Ninth Circuit rejected Malwarebytes’ defense under Section 230, finding that “filtering decisions that are driven by anticompetitive animus are not entitled to immunity under section 230(c)(2).”  946 F.3d 1040, 1047 (9th Cir. 2019).  The Ninth Circuit explained that, in passing the CDA, Congress wanted to encourage the development of filtration technologies, not to enable software developers to drive each other out of business.  Accordingly, the Ninth Circuit found that this filtering function was not protected.  The Supreme Court denied Malwarebytes’ petition for certiorari, in connection with which Justice Thomas wrote his statement advocating for narrowing the scope of Section 230.

The Ninth Circuit’s opinion and the Supreme Court’s denial of certiorari mark the first chip in the immunity armor for makers of anti-malware software and other filters.  Indeed, various cybersecurity experts, technology think tanks, and law and computer science professors submitted amicus curiae briefs in connection with the certiorari petition arguing that leaving the Ninth Circuit’s opinion intact would open the door to litigation against malware screening tool producers—and not just for allegedly anticompetitive behavior.

The Ninth Circuit’s decision, now left intact by the Supreme Court, could have a chilling effect on innovation in malware detection and filtration systems.  Makers of these filtering and screening tools may now have to spend resources assessing the litigation risks associated with developing software that identifies and quarantines threats.  To minimize the risks and costs associated with litigation, these companies may begin to take a more conservative approach when flagging threats from software that could plausibly claim to be a rival product.  A more conservative approach that errs against classifying potential rival software as a threat is particularly problematic because malware already often actively disguises itself as legitimate software.

The data security implications could be significant.  Malware detection and filtration systems must constantly keep up with the evolution of malware itself.  These tools can alert users to certain potentially unwanted programs, which slow down the overall performance of the user’s computer and ultimately create additional access points for hackers.  Likewise, malware detection and filtration systems are vital to businesses, which use these tools to protect company and customer data from hacker attacks that utilize malware—for example, ransomware.  The privacy implications could also be significant, as many individuals use filtration tools to help screen unwanted spam or content, the opening of which can lead to online tracking, placement of cookies, or other additional unwanted content.

While the recent assaults on the CDA’s liability shield widely focus on the First Amendment implications, as applied to actions by social media giants like Facebook and Twitter to filter and remove user content, an unintended consequence of these assaults could be an overall decrease in privacy and data security protections for us all.

The Regulations to the California Consumer Privacy Act (CCPA) continue to evolve, in confusing fashion. As background, the AG’s Office had previously issued proposed Regulations to the CCPA in October 2019. The AG’s Office then issued a revised set of proposed amendments to the Regulations in February 2020 and then again in March 2020. While most of the regulations were made effective on August 14, 2020, the California Department of Justice withdrew four (4) sections of the proposed Regulations from the review of the Office of Administrative Law so that they could be adjusted at a later date. Adding to the confusion, the California Department of Justice just yesterday released a new, third set of proposed amendments to the Regulations. This new set of amendments corrects the four sections of the prior proposed regulations that were not originally submitted for review. The four sections include:

  • Proposed section 999.306, subd. (b)(3), which elaborates on how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method. The proposed language indicates that brick-and-mortar stores can offer paper notices or post signs in the area where personal information is collected. Businesses collecting personal information over the phone can provide the notice orally.
  • Proposed section 999.315, subd. (h), which provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps. The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out, which is determined from the time the consumer clicks the “Do Not Sell My Personal Information” link. Also, businesses should not use confusing language to label the opt-out link, require the consumer to list why they are opting-out, require the consumer to provide personal information to perform the request, or require the consumer to search the privacy policy to find the link to the opt-out request page.
  • Proposed section 999.326, subd. (a), which clarifies that a business may require an authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. Additionally, a business may require a consumer to verify their own identity directly with the business or to directly confirm with the business that they provided the authorized agent permission to submit the request.
  • Proposed section 999.332, subd. (a), which clarifies that businesses that sell personal information of consumers under the age of 13, sell the personal information of consumers ages 13 to 15, or sell both are required to include a description of the opt-in processes set forth in sections 999.330 and 999.331 in their privacy policies.

The California Department of Justice will accept written comments regarding the proposed changes between Tuesday, October 13, 2020 and Wednesday, October 28, 2020.


October is National Cybersecurity Awareness Month, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) kicked off the month by issuing two advisories that aim to increase cybersecurity awareness, assist financial institutions in detecting and reporting ransomware activity, and highlight potential sanctions risks for facilitating ransomware payments.

The FinCEN and OFAC advisories signal the seriousness with which the Department of Treasury treats the threat of cybercriminals and ransomware attacks. Both FinCEN and OFAC have now squarely placed an obligation on financial institutions and other payment intermediaries to put procedures in place to detect ransomware payments and to restrict payments to blocked individuals. It appears FinCEN and OFAC want to make sure cybercrime does not pay by cutting off cybercriminals’ access into the financial system.

While both FinCEN and OFAC have offered guidance to financial institutions formulating policies and procedures for deciding whether to process or report payment requests that may be connected to ransomware attacks, OFAC has also offered a warning: facilitating ransomware payments may lead to an enforcement action and civil penalties. Given the growing national security concerns associated with ransomware attacks, the advisories rightly encourage financial institutions and other payment intermediaries that facilitate ransomware payments to share information via Suspicious Activity Reports (“SARs”) and to fully cooperate with law enforcement during and after ransomware attacks.

FinCEN Advisory

The FinCEN advisory—entitled Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments—discusses four topics: (1) the role of financial intermediaries in ransomware payments, (2) ransomware trends and typologies, (3) ransomware-related financial red flags, and (4) reporting and sharing of information related to ransomware attacks.

  1. Financial Intermediaries and Ransomware Payments – The financial sector plays a crucial role in the collection and payment of ransomware demands by malicious cyber actors. The complexity and prevalence of ransomware attacks, as the advisory observes, has led to the creation of specialized companies such as digital forensic and incident response companies (“DFIRs”) and cyber insurance companies (“CICs”) that provide protection and mitigation services for ransomware victims, including paying convertible virtual currency (“CVC”) such as Bitcoin. Some DFIRs and CICs facilitate ransomware payments to cybercriminals by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Depending on the particular facts and circumstances, this activity could constitute money transmission, which requires registration with FinCEN as a money service business (“MSB”) subject to Bank Secrecy Act (“BSA”) obligations, including the filing of suspicious activity reports (“SARs”). Moreover, FinCEN warns that facilitating ransomware payments on behalf of ransomware victims may implicate OFAC-administered sanctions.
  2. Ransomware Trends and Typologies – FinCEN identifies trends and typologies of ransomware payments across various sectors. The advisory notes that cybercriminals are increasingly engaging in sophisticated ransomware operations such as “big game hunting” schemes that target larger enterprises to demand bigger payouts, double extortion schemes that involve exfiltrating sensitive data from targeted networks, encrypting the system files, and demanding ransom, and requiring anonymity-enhanced cryptocurrencies (“AECs”) to reduce transparency. FinCEN recommends proactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency as the best defense against ransomware attacks.
  3. Financial Red Flags – The advisory highlights 10 financial red flags that evidence potential ransomware-related payments. Red flags include, among other things, a customer disclosing payment is being made as a result of ransomware, a DFIR or CIC receiving or sending funds, or a customer with little or no experience with CVC suddenly initiating a transaction with a CVC exchange. And financial institutions should not only be on the lookout for red flags associated with potential ransomware-related payments coming from victims. FinCEN also warns financial institutions that rapid trades between CVCs with no apparent purpose, especially if the CVC is an AEC, could be a red flag of a cybercriminal receiving and masking a ransomware payment. While no single red flag is determinative of ransomware activity, FinCEN states that each should be considered in the context of the facts and circumstances of a transaction.
  4. Reporting Suspicious Activity – To assist in reporting ransomware attacks, FinCEN “strongly encourages” information sharing among financial institutions pursuant to section 314(b) of the USA PATRIOT Act where a transaction is suspected of involving terrorist financing or money laundering, and urges financial institutions to file SARs in order to protect the U.S. financial system from ransomware threats. To that end, FinCEN has asked financial institutions who believe a transaction relates to ransomware to include a note, “CYBER-FIN-2020-A006,” so that FinCEN can better track SARs reporting ransomware transactions.

OFAC Advisory

The OFAC advisory—entitled Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments—highlights the threat that ransomware poses to U.S. national security interests and details the sanctions risks associated with facilitating ransomware payments. The International Emergency Economic Powers Act (“IEEPA”) and the Trading with the Enemy Act (“TWEA”) generally prohibit U.S. persons from engaging in transactions with persons on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), other blocked persons, and persons covered by comprehensive country or region embargoes. The OFAC advisory makes clear that sanctions laws extend to financial institutions as well as companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In other words, financial institutions, CICs, and DFIRs may be subject to civil penalties if they facilitate payments to blocked persons, whether on the SDN List or covered by an embargo. Although OFAC notes that it will consider licensing for ransomware payments on a case-by-case basis, it reviews those requests “with a presumption of denial.”


OFAC encourages financial institutions and companies that engage with ransomware victims to adopt risk-based sanctions compliance programs that account for the risk that a ransomware payment may involve an SDN or blocked person, a comprehensively embargoed jurisdiction, or nation-state actors that have a nexus to U.S. sanctions, such as Russia or North Korea. Finally, OFAC encourages companies to provide law enforcement with a “self-initiated, timely, and complete report of a ransomware attack” and to fully cooperate with law enforcement during and after a ransomware attack. These steps not only help financial institutions, CICs, and DFIRs avoid unlawful payments, but—if a violation occurs—will also be considered favorably in OFAC’s determination of a “possible enforcement outcome.”

OFAC’s cyber-related sanctions program has been used to identify malicious cyber actors, including perpetrators of ransomware attacks. U.S. persons, including financial institutions, that facilitate payment of ransomware demands to sanctioned cyber actors are in violation of U.S. sanctions and may be subject to OFAC enforcement action. Non-U.S. persons facilitating such payments through the U.S. financial system may also be exposed to OFAC enforcement action.


Last week, California Governor Gavin Newsom signed into law two amendments to the California Consumer Privacy Act (CCPA) that impact various CCPA exemptions. One amendment, A.B. 1281, extends two exemptions that were set to expire later this year: the employee exemption and the business-to-business (B2B) exemption. Both of these exemptions will now remain in effect until at least January 1, 2022. The other amendment, A.B. 713, clarifies the exemption relating to de-identified personal information. This amendment went into immediate effect and imposes additional disclosure requirements and contract restrictions on the sale or disclosure of such information by businesses subject to the Health Insurance Portability and Accountability Act (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other laws relating to medical privacy and human subject research.

Following a very quiet start to HIPAA settlement activity in 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced eight settlements with covered entities and business associates.

The most recent of these announcements involves the second-largest HIPAA settlement amount in OCR’s history, amounting to $6.85 million. This settlement with Premera Blue Cross (PBC) pertains to an incident that occurred in May 2014 when hackers installed malware to access PBC’s IT system. The cyberattack went undetected until January 2015 and resulted in the disclosure of electronic Protected Health Information (ePHI) for more than 10.4 million individuals, including names, addresses, dates of birth, Social Security numbers, bank account information, and health plan clinical information. After PBC discovered and reported the breach, the OCR conducted an investigation and found potential violations, including failures to:

  • conduct a thorough assessment of the potential risks and vulnerabilities surrounding ePHI;
  • implement sufficient security measures to reduce risks and vulnerabilities, and implement hardware, software, and procedural mechanisms to record and examine system activity; and
  • prevent unauthorized access to the ePHI of millions of individuals.

The large cash settlement is accompanied by a requirement that PBC follow a Corrective Action Plan, which will be monitored by the OCR for a period of two years. The Corrective Action Plan requires PBC to conduct a risk analysis and develop and implement a risk management plan, revise its privacy and security policies, make the policies available to its workforce, and provide an annual report to the OCR that identifies any additional reportable events related to material violations of the revised policies.

Earlier in the same week, the OCR announced that it reached settlements with Athens Orthopedic Clinic, PA (AOC), a clinic providing services to approximately 138,000 patients, and CHSPSC, LLC, a business associate providing IT and health information management services to hospitals and physicians.

The AOC settlement arises from a complaint alleging that AOC failed to prevent patient information from being posted online. AOC discovered the breach in June 2016 when a journalist notified it that a database of patient records was posted online for sale. Two days after AOC received this information, a hacker group emailed AOC to demand money in exchange for the return of the patient records. It was later discovered that the hacker group had access to AOC’s system for over a month through the use of a vendor’s credentials. The information posted online included patients’ names, dates of birth, medical procedures, Social Security numbers, test results, and health insurance information. In notifying the OCR of the breach, AOC reported that over 200,000 individuals were affected. The OCR investigated and found that AOC may have violated HIPAA by failing to:

  • provide appropriate training to employees;
  • enter into business associate agreements with certain business associates;
  • conduct a risk analysis;
  • implement risk management and audit controls; and
  • maintain HIPAA Policies and Procedures.

AOC entered into a Resolution Agreement and Corrective Action Plan, agreeing to pay $1.5 million in penalties. The corrective action plan requires it to revise its business associate agreements as necessary, conduct a risk analysis, develop a risk management plan, revise its privacy, security, and breach notification policies, and provide training to its workforce on those policies. AOC’s compliance with the corrective action plan will be subject to monitoring by HHS for a period of two years.

The settlement agreement between the OCR and CHSPSC, LLC (CHSPSC) similarly involves hackers accessing ePHI maintained by the company, which in this case was a business associate handling data for a wide range of customers. In April 2014, the Federal Bureau of Investigation notified CHSPSC that hackers had accessed its information system. The hackers continued to access ePHI until August 2014 by relying on compromised administrative credentials. Ultimately, over 6 million individuals were affected, with Social Security numbers, names, ethnicities, and emergency contact information included in the information that was disclosed. The OCR’s investigation indicated that CHSPSC could potentially have violated HIPAA by failing to:

  • implement technical policies and procedures to limit access to its software programs and more generally prevent unauthorized access to ePHI on its network;
  • respond to a known security incident, mitigate its harmful effects, and document the incident and its outcome;
  • implement procedures to regularly review its information system activity; and
  • conduct accurate and thorough assessments of potential risks and vulnerabilities to the security of ePHI.

CHSPSC agreed to pay $2.3 million and entered into a Resolution Agreement and Corrective Action Plan. Similar to the corrective action plans discussed above, CHSPSC must develop a risk analysis and risk management plan, revise its policies and procedures regarding its security and network access, and provide training to its workforce with respect to these policies.

These settlements all relate to breaches from hackers who had access to ePHI over an extended period of time. Well-organized hacking groups have targeted entities in the health care and health benefit industries to gain access to sensitive data. The factual descriptions in the settlement agreements do not offer much detail, but the penalties and corrective action plans imposed by OCR demonstrate the importance of maintaining proper security safeguards to prevent inappropriate access to ePHI and responding promptly to incidents when they are discovered.

In addition to the settlements discussed above, the OCR announced this past month that it had entered into five settlements related to patients’ access to their own health records. Under the applicable HIPAA rules, health care providers generally must provide individuals with their medical records within 30 days of a request. Providers may charge only reasonable cost-based fees with respect to such requests. Last year, the OCR launched a Right of Access Initiative to enforce patients’ rights to receive copies of their medical records in a timely manner without excessive charges.

The five new settlements announced this month demonstrate the OCR’s ongoing commitment to this initiative. All five settlements involve a health care provider’s failure to provide a patient with his or her medical records in a timely manner after receiving a request from the patient or his or her personal representative. The settlement amounts range from $3,500 to $70,000 and require the organization to comply with a corrective action plan and monitoring by the OCR for a period of one-to-two years.

The recent settlement announcements are consistent with OCR’s past practice of announcing a majority of its settlements during the last few months of the year. We will continue monitoring OCR announcements in the event that there are more settlements announced before year-end.


On September 9, 2020, Washington Senator Reuven Carlyle, D-Seattle, announced via Twitter that the third version of the draft Washington Privacy Act 2021 (“WPA”) was available for public review and comment. The recently released version of the WPA is the latest attempt by the Washington legislature to pass a comprehensive privacy bill. An earlier 2020 version failed to pass Washington’s House of Representatives due to disagreement over whether the act should contain a private right of action or be limited to enforcement by the state’s attorney general.

Of note, the revised bill:

  1. Broadens (slightly) the jurisdictional scope. The WPA applies to legal entities that conduct business in Washington or that produce products or services that are targeted to Washington residents and (i) either control or process personal data of more than 100,000 consumers during a calendar year or (ii) derive over 25% of gross revenue from the sale of personal data and process or control the personal data of over 25,000 consumers. The 50% threshold for gross revenue generated from the sale of personal data is a change from the 2020 version’s 25% threshold. The WPA also adds exemptions for institutions of higher education and nonprofit organizations.
  2. Has similar controller responsibilities as the 2020 bill. The WPA includes provisions aimed at specifying controller (i.e., local governments, state agencies, or institutions of higher education that process personal data) responsibilities that generally mirror the prior version. These include provisions aimed at enhancing transparency around the reasons for collecting personal data; limiting collection to what is adequate, relevant, and reasonably necessary; avoiding secondary use; implementing reasonable security measures; obtaining consumers’ consent before processing sensitive data; and nondiscrimination, anti-retaliation, and non-waiver of consumer rights provisions.
  3. Adds an additional exemption for local regulations already in effect. Under the WPA, local regulations in effect as of July 1, 2020 are not preempted by the new rules regarding the processing of personal data by controllers or processors (i.e., natural or legal persons who process personal data on behalf of a controller).
  4. Incorporates a cure period for penalties. The WPA provides for sole Attorney General enforcement under the Consumer Protection Act (CPA) and adds a 30-day cure period, with penalties of up to $7,500 per violation if the violation continues after notifying a consumer of a cure.
  5. Includes new sections for data privacy during public health emergencies. Unlike the 2020 version, the WPA adds new provisions that address recent privacy-related issues that have arisen regarding automated contact tracing in public health emergencies. These new provisions appear to strike a balance between personal data collection during a declared state of emergency and the individual’s privacy rights under the WPA. In general, these new provisions limit how personal data (including specific geolocation data, proximity data, or personal health data) may be processed for automated contact tracing purposes during a public health emergency, such as that seen with the COVID-19 pandemic, in the public and private sectors. Notice and consent are required, and the selling or sharing of such data with law enforcement is prohibited. Individuals may seek civil remedies for violations of the WPA that occur in the public sector.

It remains to be seen whether this latest version has what it takes to survive the comment period and pass both branches of Washington’s legislature. Given, however, the recent awareness around privacy issues during a global pandemic, Washington may be one step closer to passing its long-awaited and much debated comprehensive privacy act. Further, the WPA’s broad definition of personal data likely includes IP addresses and persistent identifiers, which may bring many out-of-state businesses with websites that reach Washington residents within the scope of the WPA.

On September 22nd, the Federal Trade Commission (FTC) hosted an event, “Data To Go: An FTC Workshop on Data Portability,” to examine the potential benefits and challenges to consumers and competition raised by data portability. Data portability means giving consumers the ability to receive a copy of their data for their own use or to move the data to another entity or service.

The workshop did not focus on any specific policy proposals or legislation, but the FTC expressed a desire to begin discussions as issues associated with data portability continue to evolve.  The FTC noted that in addition to providing benefits to consumers, data portability may benefit competition by allowing new entrants to access data they otherwise would not have so that they can grow competing platforms and services.  At the same time, the FTC recognizes that there may be challenges to implementing or requiring data portability.

During the workshop, FTC staff discussed several examples of existing data portability laws and regulations, such as the right to data portability under Article 20 of the European Union’s General Data Protection Regulation (GDPR) and the right for consumers to make requests for portable data under the California Consumer Privacy Act (CCPA). The FTC noted that other countries have taken different approaches, such as India’s and the United Kingdom’s data portability regulations, which are narrowly tailored to address only the health and financial services sectors.

The panelists of the workshop highlighted a variety of issues and considerations for data portability. From an information security perspective, the panelists discussed how businesses would need to ensure they could verify the identity of the consumer before completing a transfer of data to prevent unauthorized actors from stealing people’s data. From a privacy perspective, the panelists discussed how users should be fully informed about the data they are receiving, to whom they can transfer their data, and how a new entity or service may use the information they are given by the consumer.

Additionally, from an operational perspective, the panelists remarked that the data provided to consumers would need to be interoperable between different systems.  In one example discussed by the panelists, if consumers receive their data but are not able to give their information to another entity or use their data with other systems, then the ability to port the data loses its effectiveness. The panelists called for businesses or the government to implement some form of standardization so that the data would remain useful to consumers. Some panelists called for a federal privacy and security law that would set protection standards for businesses with regard to data portability.

The FTC is not the only government agency exploring the concept of data portability. The Consumer Financial Protection Bureau (CFPB) recently announced a potential rulemaking under the Dodd-Frank Act Section 1033, which authorizes the CFPB to create rules enhancing consumers’ access to their financial data. The CFPB is asking for comments on issues similar to those discussed during the FTC workshop on data portability, such as privacy, security, effective consumer control over data access, and accountability for errors and any unauthorized access.

Earlier this month, the Federal Trade Commission (FTC) announced a $10 million settlement with the online learning company ABCmouse for allegedly violating the FTC Act as well as the Restore Online Shoppers’ Confidence Act (ROSCA). The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. ROSCA makes it illegal to automatically charge consumers for products sold online unless the seller clearly discloses the material terms of the transaction before obtaining the consumer’s billing information; obtains the consumer’s express informed consent before making the charge; and provides simple mechanisms to stop recurring charges.

ABCmouse is an online learning tool that offers memberships to access content. The FTC alleged that ABCmouse violated ROSCA by offering memberships to its services without disclosing that the memberships would automatically renew indefinitely. Similarly, the FTC claimed that ABCmouse offered a free trial with the option to extend membership beyond the trial period, but did not disclose that at the end of the free trial the membership would automatically renew indefinitely.

The FTC also claimed ABCmouse did not offer consumers a simple way to stop the automatic renewal, despite offering “easy cancellation” when the user enrolled in their membership. The FTC alleged that more than 100,000 users attempted to cancel their services with ABCmouse. Those users who tried to cancel were required to participate in a lengthy process to stop the automatic renewals and some users found that even after they had tried to cancel their membership, the charges did not stop. Additionally, ABCmouse did not make the required disclosures to their users about the automatic renewals, the ability to cancel the automatic renewals, or the deadline by which they would need to cancel their membership in order to avoid unwanted charges.

ABCmouse has agreed to the FTC’s settlement which requires ABCmouse to:

  • Not misrepresent any automatic renewals;
  • Make required disclosures about the automatic renewals and a user’s ability to cancel;
  • Obtain express informed consent for automatic renewals; and
  • Provide a simple mechanism to opt out of the automatic renewals.

The FTC warned in its blog post about the ABCmouse settlement that because of COVID-19, it is more important now than ever that companies that rely on automatic renewals do so legally. More people are signing up for subscription services that they may no longer wish to have once things return to normal. It is important for companies that use automatic renewals to follow the requirements of ROSCA as well as any state laws surrounding automatic renewals so that consumers may stop the automatic renewals at any time. For more information about automatic renewals, see our previous blog post, which details both the federal and state requirements for automatic renewals.