FTC Settles Data Breach Complaint With Enterprise Software Company
Not all hackers target consumers. Some target companies that hold consumer information in the hopes of finding and exploiting vulnerabilities that will lead to a trove of consumer information that may be used for nefarious purposes. Such is the backdrop of a recent Federal Trade Commission (FTC) case against a company that provides enterprise software to multilevel marketers.
The FTC’s action here centered on allegations that Utah-based InfoTrax Systems' substandard data protection for its clients allowed hackers to access the private information of a million consumers. According to the FTC's complaint in this matter, InfoTrax and its CEO Mark Rawlins failed to implement even basic "reasonable, low-cost, and readily available" data security measures to protect its customers' information. Among their deficiencies were the failure to delete unused personal information and the inability to detect malicious file uploads. The company also stored personal information—including social security numbers and bank account information—in easily readable text.
The FTC alleged that from May 2014 to March 2016 hackers accessed and took control of the company's server more than twenty times via remote access. They then stole the personal information of over one million customers. Because InfoTrax had no security measures in place to detect the intrusion, the company did not know of the breach until a hacker created a file so large that the company's disk ran out of space.
The FTC did not allege that the hackers used any of the personal information obtained from InfoTrax customers maliciously, but the complaint did allege that such breaches of personal information can lead to identity theft and fraud.
The proposed settlement order bars the company from operating its enterprise software business until it implements a data security program that remedies the issues identified in the FTC's complaint. It also requires the company to conduct biennial third-party assessments of its security program by an FTC-approved assessor.
This case offers a reminder to companies storing customer data of the importance of adopting even basic security precautions to safeguard such data. As with similar FTC cases in this area, the settlement provides a roadmap of basic "do's and don'ts" of data security, such as implementing adequate and reasonable cybersecurity safeguards and not storing sensitive personal information such as social security numbers as clear, readable text.
This case also reinforces the FTC's expectation that these data security precautions apply to companies storing the private information of other businesses, not just to those directly storing the information of private individuals. As Andrew Smith, Director of the FTC's Bureau of Consumer Protection, put it:
"Service providers like InfoTrax don't get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers. As this case shows, it's every company’s responsibility to protect customers' personal information, especially sensitive data like Social Security numbers."
Truck Driver Files False Ad Class Action Against CBD Co.
An Illinois truck driver who lost his job after a failed drug test has filed a proposed class action suit accusing Florida-based CBD company Just Brands USA of selling him THC-laced gummies despite explicitly claiming on the product label that they contained no THC.
Trevor Darrow's complaint filed in Illinois federal court claims that he purchased a product from Just Brands' line of "JustCBD" watermelon gummies that are labeled as containing "NO THC." THC, the psychoactive component of marijuana, is banned in most states and for use by many professions, including truck drivers. Darrow claims that he had not failed a drug test in ten years of work and bought this product specifically because his line of work did not allow him to have any THC in his system. He failed his company's drug test after he ate the CBD gummies when THC showed up in his test results. He claims he was terminated from his position shortly thereafter.
The suit alleges that the CBD gummies Darrow purchased from Just Brands featured a label with the words "NO THC" printed prominently inside a distinctive yellow triangle. The complaint further alleges this label is false and misleading because, as Darrow claims he found out the hard way, the product actually contains THC.
Based on the alleged false advertising, plaintiff claimed violations of the Illinois Consumer Fraud and Deceptive Business Practices Act.
Just Brands has denied the allegations, although its denial statement may inadvertently admit them, as it notes that "Just CBD takes great pride in the quality of its products, its testing protocols and uses isolate based products, which do not contain THC above .3%, which is consistent with current laws and regulations."
The suit seeks damages for the proposed class, and for Just Brands USA to run a "corrective advertising campaign." The proposed class would not be limited to truck drivers but open to anyone who purchased Just CBD products in Illinois for the three years prior to the filing of the suit.
It is no surprise that the absence of specific regulatory labeling rules for CBD has resulted in legal actions by consumers alleging product mislabeling. Indeed, just last month we reported on a case where a Florida company was accused of making "materially inaccurate" statements about the amount of CBD in its products. And on the regulatory front, earlier this month the FTC and FDA sent warning letters to companies they said were falsely marketing their CBD products.
As these cases highlight, alongside the litigation against CBD companies for false advertising have come calls for stronger CBD labeling regulation. In this case, counsel for plaintiff has used the matter to advocate for federal labeling of CBD products, telling a local news station "it boils down to this. There needs to be federal labeling," adding, "the Illinois legislature has not done a good job of protecting consumers here. We think that there should be laws related to how these products should be labeled. It’s very unregulated … because these laws allow companies to do whatever they want."
UK's ASA Bans Kids' Social Media App Ad, Deems It Detrimental to Mental Health
The United Kingdom's Advertising Standards Authority (ASA) has banned an ad for a children's social media app that encouraged children to obtain more followers in order to progress through the app, finding it detrimental to children's mental health.
SuperAwesome Trading aired the ad for its PopJam "walled garden" social media platform for kids on UK TV. The ad featured a scrolling image of PopJam showing an incrementally-increasing number of likes and followers, while a female voice explained that users can "Get likes and followers to level up."
The ASA – the UK’s independent regulator tasked with ensuring compliance with the country's advertising codes – handed down its ruling following a complaint expressing concern about the ad's effect on the mental health and self-esteem of children under 18 years of age. The complainant took issue with the ad’s invocation to "get likes and followers," claiming that such a statement was detrimental to children’s mental health.
The ASA agreed with the complainant, finding the ad breached UK Code of Broadcast Advertising (BCAP Code) Sections 1.2 on social responsibility and 4.1 on harm. The statement "get likes and followers" as used in the ad "explicitly encourages children to seek likes and followers in order to progress through the app," ruled the ASA.
The ASA concluded that by tying popularity to the attainment of likes and followers on a social media app, the ad gave kids the impression that their social standing and value were dependent on the number of likes they obtained on an app.
"We were … concerned that the ad's encouragement to gain likes and followers could cause children to develop an unhealthy perception that popularity on social media was inherently valuable which was likely to be detrimental to their mental health and self-esteem," noted the ASA.
The ASA disagreed with SuperAwesome's argument that the purpose of the "likes and followers" statement was to progress through the app and unlock benefits that would give kids "satisfaction" from playing the app, or that there were other ways besides likes and followers to progress through the app, because, crucially, the ad did not feature any of these other ways but focused solely on the likes and followers.
Instead, the ASA found that the ad's suggestion to children that the only way to progress through the app was by getting likes and followers was likely to give kids the impression that social media popularity should be pursued as an end in and of itself.
SuperAwesome also argued that although reports showed social media platforms could have harmful effects on children's self-esteem, other reports also recognized that many children said social media made them feel happier and more connected to other kids. It also argued that Clearcast had cleared the ad to air on the grounds that it merely showed some benefits kids could get from using the app, but the ASA found these arguments similarly unavailing.
In addition to banning the ad in its current form as harmful to kids’ self-esteem, the ASA also ruled that SuperAwesome should ensure future ads for PopJam did not equate popularity with social media followers or likes.
Like advertising targeted to children, apps directed to this demographic are subject to intense and heightened scrutiny. We recently reported on YouTube's record $170 million penalty paid to the FTC to resolve alleged violations of the Children's Online Privacy Protection Act. And as this case indicates, social media platforms can be the target of regulators for other reasons, including regulations designed to protect children's mental health and well-being.
ASA Bans Under Armour "Recovery Sleepwear" Ad Over Insufficient Supporting Evidence
In another ruling from across the pond, the ASA banned an Under Armour advertisement for the performance-wear brand's "Athlete Recovery Sleepwear" line, finding the evidence provided by the company in support of the ad’s claims that the products can aid muscle recovery insufficient.
The banner ad in question, which ran on the company's website in October 2019, promised "RECOVER FASTER…RETURN BETTER…ALL DAY, ALL NIGHT RECOVERY…Sleep eight hours, feels like ten. Athlete Recovery Sleepwear helps you recover faster, get more zzz's [sic] and wake up ready to do it all again." The ASA reviewed the ad following a complaint that it was misleading and could not be substantiated.
The ad's claim that the product helps users "recover faster" and "return better," noted the ASA, "would be understood by consumers to mean that wearing Under Armour's Athlete Recovery Sleepwear would aid sleep and help their muscles recover from exercise." Claims made in the ad that the product helps recovery and sleep "would only add to that impression," noted the ASA.
The ASA banned the ad in its current form after it reviewed evidence provided by Under Armour and third-party manufacturer Hologenix in support of the claims. It ultimately found such evidence inadequate and not relevant enough to meet the ASA standard for such claims.
Evidence provided by Under Armour and Hologenix sought to prove that the product contained a material called Celliant, which reflected infrared light (IR) and "in turn penetrated muscle and increased blood flow," helping "repair and grow muscle." But the ASA was not convinced – finding the multitude of studies cited in support of this claim did not adequately support these assertions about Celliant and what the advertised product could do.
One study was discredited as "potentially tainted by a conflict of interest" since the scientist conducting the study was on the company's "Scientific Advisory Board."
Another study provided in support of other scientific claims had multiple issues, including a flawed testing methodology and not being peer-reviewed, the ASA found. Other studies provided by Under Armour were also flawed for various reasons, found the ASA.
As with the National Advertising Division (NAD) in the US, scientific evidence provided in support of advertising claims must be air-tight when arguing before the ASA.
In this case, the ASA summed up its findings as follows: "While some of the arguments put forward involved uncontroversial statements about settled areas of science … the level of uncertainty about both the mechanism of IR in post-exercise recovery, and the clear need for further study on the health benefits of IR on the body meant that the role of IR in this area was some way from settled scientific fact."
The lesson for advertisers in the UK is clear here: when making claims about cutting edge or innovative technologies that also involve big promises—such as that an item of clothing can help you feel like you slept longer than you did—be prepared for rigorous examination and a very strict interpretation of any evidence submitted in support of your claims.