Data Breach

Subscribe to Data Breach
Federal Trade Commission

Monday, October 25, 2021

Bureau of Competition and FTC Operations

  • The FTC issued a policy statement restoring its pre-1995 practice of requiring parties under a merger consent decree to obtain the Commission’s permission before pursuing additional acquisitions in that market. This “Prior Approval” policy is designed to protect consumers and deter “clearly anticompetitive” deals, per Holly Vedova, the Director of the Bureau of Competition. The FTC will consider a number of factors when deciding whether to permit a deal, including (1) the nature of the transaction, (2) the level of market concentration and the degree to which the transaction increases market concentration, (3) the degree of pre-merger market power, (4) the parties’ history of acquisitiveness, and (5) evidence of anticompetitive market dynamics. The Commission approved the statement by a vote of 3-2; the Commissioners voting against the policy subsequently issued a dissenting statement.

Continue Reading FTC Updates (October 25-29, 2021)

A bill has been introduced in the California legislature that would dramatically increase retailers’ liability for data breaches. Dubbed the “Consumer Data Breach Protection Act,” Assembly Bill 1710 would enact sweeping changes to California’s data breach notification laws, setting short deadlines by which consumers would need to be notified of breaches and increasing the penalties associated with such breaches. AB 1710’s new provisions would apply to all businesses that sell goods or services to California residents and accept credit or debit cards, although the law retains exemptions for certain businesses that are subject to other privacy regulations (such as financial institutions).

The California Retailers Association has already come out in opposition to the bill, and in years past, has successfully fought similar efforts to expand the state’s data breach notification laws. However, given the number of recent high profile data incidents, lawmakers are in a stronger position this year to amend California’s data protection laws. Indeed, as introduced, AB 1710 made only minor nonsubstantive changes to the data privacy laws, but in the wake of various well-publicized data breaches, the bill’s authors substantially amended the bill to increase the “teeth” in the law.

The following briefly summarizes some of the bill’s key proposed changes:

Expands Restrictions on Data Use and Retention. AB 1710 limits retention of “payment-related data” to the amount of time required for “business, legal, or regulatory purposes.” Retention of payment-related data would be prohibited if it is unnecessary for those purposes. The bill also requires businesses to create “payment data retention and disposal” policies specifying the amount of time such data will be retained. The bill prohibits the retention of certain types of data, such as card verification codes, PIN numbers, social security and driver’s license numbers. The bill also forbids the sale of an individual’s social security number. The term “payment-related data” is defined to include all items that fall within the current statutory definition of “personal information,” such as a consumer’s name, social security number, driver’s license number, account numbers, and user name and passwords.Continue Reading California Legislature Seeks to Restrict Data Use and Ramp Up Retailer Liability for Data Breaches

On September 3, 2013, the U.S. District Court for the Northern District of Illinois dismissed a class action complaint against Barnes & Noble seeking damages based on a data security incident, finding that the plaintiffs lacked standing to bring the claims. This decision reaffirms that retailers may be able to avoid damages for data breaches