How Did A Hacker Allegedly Access A Million Customers’ Personal Data? Let the FTC Count the Ways.

Data Privacy & Security

How Did A Hacker Allegedly Access A Million Customers’ Personal Data? Let the FTC Count the Ways.

  • The FTC has reached a settlement with technology company InfoTrax Systems, L.C. and its CEO (collectively, “InfoTrax”), resolving allegations that InfoTrax failed to implement reasonable security safeguards, in violation of the FTC Act, thereby allowing a hacker to access the personal data of one million consumers.
  • The FTC’s complaint alleged that InfoTrax, which offers back-end support to multi-level marketers, failed to take reasonable, low-cost measures to protect consumer data entrusted to it by its clients. Among other things, InfoTrax allegedly failed to inventory and delete personal information that was no longer needed, failed to detect malicious file uploads, failed to adequately segment its network, and stored consumer personal information in clear, readable text on its network. According to the complaint, these security failures allegedly resulted in a hacker infiltrating InfoTrax’s system more than 20 times in a period of less than two years.
  • The settlement prohibits InfoTrax from handling sensitive information unless it implements an information security program that addresses the failures identified in the complaint, and requires InfoTrax to obtain a third-party assessment of its information security program every two years, among other things.

FTC Sues Data Storage Company for Allegedly Misleading Consumers About Compliance with International Privacy Standard  

  • The Federal Trade Commission (“FTC”) issued an administrative complaint against data storage company RagingWire Data Centers, Inc. (“RagingWire”) for allegedly misleading consumers about participating in and complying with the EU-U.S. Privacy Shield framework (“Privacy Shield”) in violation of the FTC Act.
  • According to the complaint, RagingWire allegedly continued to claim that it participated in Privacy Shield despite allowing its certification to lapse and twice being warned of its misleading claims by the FTC. Moreover, the FTC alleges that RagingWire failed to comply with Privacy Shield’s requirements by, among other things, not verifying annually that it had made accurate statements about its Privacy Shield practices, and not maintaining a dispute resolution process for consumers with privacy-related complaints.
  • A proposed order included in the complaint would bar RagingWire from misrepresenting its participation in Privacy Shield or any other data privacy or security program sponsored by the government or any other standard-setting organization, among other things.

2020 AG Elections

Republican Heather Heidelbaugh Announces Candidacy for Pennsylvania Attorney General

  • Pittsburgh attorney Heather Heidelbaugh has declared her candidacy for the Republican nomination for Pennsylvania AG in 2020.
  • Heidelbaugh, who is in private practice, is the first candidate to announce her intention to seek the Republican nomination for AG.
  • Current AG Josh Shapiro, a Democrat serving his first term, has not announced whether he is seeking reelection.

Antitrust

FTC Orders Sale of Assets After Finding Consummated Merger of Prosthetics Companies Anticompetitive

  • The FTC issued a unanimous opinion and final order finding that the consummated acquisition of FIH Group Holdings, LLC (“Freedom Innovations”) by Otto Bock HealthCare North America, Inc. (“Otto Bock”) would result in reduced competition in the microprocessor prosthetic knee (“MPK”) market.
  • In its opinion, the FTC finds that Freedom Innovations and Otto Bock were both major sellers of MPKs, which are typically prescribed to patients with above-the-knee amputations. The acquisition, which was not reportable under the Hart-Scott-Rodino Act, is found likely to lead to higher prices and less innovation, thereby harming amputees and prosthetic clinic customers.
  • The FTC’s order requires Otto Bock to divest the Freedom Innovations assets and business to an FTC-approved buyer within 90 days of the issuance of the order, thereby unwinding the allegedly uncompetitive acquisition.

Consumer Protection

Debt Collector Agrees to Pay $4 Million and Change Its Collection Practices to Resolve Massachusetts Attorney General Probe

  • Massachusetts AG Maura Healey reached a settlement with debt collection company Portfolio Recovery Associates, LLC (“Portfolio”) over allegations that Portfolio engaged in deceptive practices to collect debts from consumers in violation of state consumer protection law and debt collection regulations.
  • According to the AG’s office, Portfolio had allegedly engaged in prohibited tactics by, among other things, demanding payment on debts that it could not substantiate, pursuing the wrong consumers for the wrong amounts, misleading consumers about protections for exempt sources of income such as Social Security, and failing to verify the accuracy of consumer information it reported to credit reporting agencies.
  • According to the AG’s office, under the terms of the settlement, Portfolio agreed to pay $4 million, which will be used to pay back thousands of consumers who were subject to Portfolio’s collection practices. Portfolio also agreed to make significant changes to its business practices, including no longer collecting from consumers with exempt income sources only, obtaining documentation to prove the validity of debts, and refraining from reporting debts to consumer reporting agencies unless it can substantiate their accuracy.

FTC Obtains Preliminary Injunction, Stops Student Debt Relief Scheme Allegedly Costing Consumers Millions 

  • The FTC sued debt relief company Arete Financial Group d/b/a Arete Financial Freedom along with several related companies and individuals (collectively “Arete Financial”) for allegedly operating an illegal student debt relief scheme in violation of the Telemarketing and Consumer Fraud and Abuse Prevention Act, the Telemarketing Sales Rule, and the FTC Act.
  • The complaint filed in the U.S. District Court for the Central District of California alleges that Arete Financial’s advertising and telemarketing calls misleadingly claimed that it was affiliated with the Department of Education, and Arete Financial allegedly charged consumers illegal upfront fees for enrolling in its student loan relief program and sought to place consumers’ loans into temporary forbearance or deferment status without the consumers’ authorization or knowledge.
  • The complaint seeks injunctive relief, rescission or reformation of contracts, restitution, refund of monies paid, disgorgement of ill-gotten funds, and costs, among other things. According to the FTC, the court has granted a temporary restraining order halting Arete Financial’s operation of the student debt relief program.