FTC Attorneys Announce “Back-to-Basics” Advertising and Data Security Workshop by Richard B. Newman, July 8, 2019 The Federal Trade Commission has announced that, along with its regional partners, it will conduct a public workshop in Atlanta on Thursday, August 15, 2019, on truth-in-advertising basics and data security compliance. Designed for digital advertisers, the ad tech industry and FTC CID attorneys, Green Lights & Red Flags: FTC Rules of the Road for Business will feature discussions about established consumer protection and antitrust principles, new developments in the law and their practical application in today’s marketplace. FTC Commissioner Rohit Chopra and Georgia Attorney General Christopher M. Carr are expected to deliver remarks. The all-new Green Lights & Red Flags workshop addresses social media marketing, data security and other trending topics impacting the digital marketing industry. It is the first of the new Green Lights & Red Flags workshops that the FTC and its regional partners will be hosting in cities across the country. Important topics include: Legal Regulatory False Advertising Considerations. An introduction to federal and state laws prohibiting deceptive and unfair practices for digital marketers. Social Media and Influencers. Using eCommerce marketing platforms (e.g., social media and influencers) and making “FREE” offers online. Complying with the Consumer Review Fairness Act. Regulatory investigations and enforcement to aggressively enforce the federal consumer protection statute banning the use of gag clauses in form contracts. Data Security. Insights into safeguarding personal information and honoring privacy promises. Without limitation, the FTC remains focused on digital marketing companies that store information in clear text without appropriate protections, do not monitor the activities of third-party service providers entrusted with data; do not have written information security policies; do not provide reasonable data security training for employees or contractors; do not assess risks to sensitive data by conducting periodic risk assessments or performing vulnerability and penetration testing; do not use readily available security measures to monitor unauthorized attempts to transfer sensitive information; do not implement reasonable data access controls; and do not possess a reasonable process to select, install and secure devices with access to personal information. Basics of Antitrust Law. A dos and don’ts primer for businesses and attorneys. Competitor Advertising. Self-regulation and litigation options for challenging a competitor’s deceptive advertising. FTC’s “New and Improved” Data Security Order Provisions FTC CID attorneys actively and aggressively initiate investigations and enforcement actions against digital marketers for what it considers to be lax security practices, including actions that may not even result in the breach of confidential customer information. If you are a service provider – or if you use third-party service providers to help manage your data – FTC settlement trends merit your attention. Following a recent ruling by the 11th Circuit that an FTC’s fencing-in order was unenforceable because it required a company to meet vague standards, the agency has made obvious efforts to bolster data security benchmarks for corporate digital marketing defendants. Current FTC data security order policy includes, without limitation, noteworthy new provisions such as requirements to: (i) provide the FTC with annual certifications of compliance; (ii) implement specific, enforceable safeguards; (iii) conduct yearly employee training and monitor systems for data security incidents; (iv) implement access controls; (v) utilize third-party assessors to reviewing data security program; and (vi) provide the FTC with increased access to documents and other materials upon which assessors base conclusions. Takeaway: Employees at business that handle consumers’ personal information should be trained and supervised with a “security-centric” focus. Designate someone to be in charge of security. Actively consider and assess security vulnerabilities. Conduct staff training appropriate to the nature of your business and update it to reflect current risks and threats. Ensure that someone is supervising the supervisors whose decisions have a big impact on security at your company. Exercise care when installing devices with network access. If your company uses third-party software or providers, consult with FTC attorneys to build security into your contracts. When entrusting data to third-party service providers, spell out your security expectations, monitor what they are doing on your behalf and follow websites that report on known vulnerabilities. Service providers are accountable for protecting the personal data they collect and store. Even if your operations are behind the scenes, you still may be liable for violations of the law. Richard B. Newman is an advertising and privacy law attorney at Hinch Newman LLP. Follow FTC defense attorneys on Twitter. Attorney Advertising. Informational purposes only. Not legal advice. Filed under: Blue Book, Bluebook Magazine, Revenue, Revenue Blog Tagged under: Advertising, data security, digital advertising, Federal trade commission About the Author Richard B. Newman is an FTC defense lawyer at Hinch Newman LLP. He is a nationally recognized FTC defense lawyer and advertising compliance attorney. He regularly provides advertising counsel and represents clients in high-profile investigations (CIDs) and enforcement proceedings initiated by the Federal Trade Commission, state attorneys general, departments of consumer affairs, and other federal and state agencies with jurisdiction over advertising and marketing practices. Richard’s practice also concentrates upon transactional matters relating to the dissemination of national advertising campaigns, including the gamut of affiliate marketing, telemarketing, lead generation, list management and licensing agreements.