Dechert Cyber Bits - Key Developments in Privacy & Cybersecurity - Issue 49

Dechert LLP

Articles in this issue

  • FTC Announces Proposed Settlement with Software Provider to Settle Allegations that its Inadequate Security Safeguards Led to Cyberattack
  • Court Denies Data Broker Kochava’s Motion to Dismiss FTC’s Amended Complaint
  • UK Data Regulator Amplifies Call for Cookie Compliance
  • Federal Program Establishes Partnership in First Step to Democratize AI Research and Development

FTC Announces Proposed Settlement with Software Provider to Settle Allegations that its Inadequate Security Safeguards Led to Cyberattack

On February 1, 2024, the Federal Trade Commission (“FTC”) announced a proposed settlement with Blackbaud Inc. (“Blackbaud”) to resolve allegations that its response to a 2020 cyberattack and its information security and data retention practices violated Section 5 of the FTC Act. This is the first time the FTC has brought standalone unfairness claims for a company’s failure to (i) implement and enforce reasonable data retention practices for sensitive customer data, and (ii) communicate accurately the scope and severity of a breach in its notification to consumers. The Commissioners’ joint statement (“Joint Statement”) asserted that the indefinite retention of consumer data “is independently a prohibited unfair practice under the FTC Act.”

Blackbaud provides data and administrative software services to approximately 45,000 companies and organizations throughout the United States and abroad, with a focus on nonprofits, educational institutions, and healthcare organizations. According to the FTC’s complaint (“Complaint”), for a three-month period beginning in early 2020, a hacker accessed Blackbaud’s legacy databases and moved laterally through its IT systems by leveraging existing security vulnerabilities. During this time, the Complaint alleges, the hacker exfiltrated unencrypted sensitive personal information from Blackbaud’s customers, which affected millions of individuals. The FTC alleged that this information included Social Security numbers, medical information (including diagnoses), financial information, as well as information about individuals’ religious practices, donation history, and account credentials. The Complaint alleges that when Blackbaud discovered the breach in May 2020, it paid the hacker a ransom in exchange for the hacker’s promise to delete the stolen data, but failed to “conclusively verify” that the hacker had, in fact, deleted the stolen data. Further, the FTC alleged that Blackbaud’s notification alerting victims of the breach included false statements that the breach it experienced did not involve any personal information, which Blackbaud corrected only months after it learned these statements were false. According to its press release, Blackbaud “neither admitted nor denied any of the allegations made by the FTC.”

Under the FTC’s proposed decision and order (“Proposed Order”), Blackbaud would be required to implement and maintain a comprehensive information security program, which mandates, among other things, certain prescriptive requirements around multi-factor authentication and the encryption of sensitive personal information. In addition, Blackbaud would be required to delete data that it no longer needs to provide products or services to its customers and publish a data retention schedule that would detail why it maintains personal data and when it will delete such information.

Takeaway: Long gone are the days of indefinite retention of consumer data, and the FTC has made that crystal clear in the Blackbaud action. Companies that have not already done so will want to prioritize reviewing their data retention practices to determine whether they align with regulatory expectations and principles of data minimization. With respect to breaches, companies will want to continue to consult experienced breach counsel at the outset of any investigation and will need to refrain from publishing any “feel good” messages regarding the breach. Such messages, if they later turn out to be inaccurate, may be treated as a per se violation of Section 5 by the FTC.

Court Denies Data Broker Kochava’s Motion to Dismiss FTC’s Amended Complaint

The litigation between the Federal Trade Commission (“FTC”) and Kochava, Inc. (“Kochava”) took a turn on February 3, 2024, when U.S. District Court Judge B. Lynn Winmill denied Kochava’s motion to dismiss the FTC’s amended complaint. In his Memorandum Decision and Order on Motion to Dismiss First Amended Complaint, Judge Winmill found that the FTC stated plausible claims that: (i) Kochava’s alleged sale of vast amounts of “highly granular” non-anonymized sensitive personal information about millions of individuals could “substantially injure” consumers through secondary harms, including stigma, physical violence, and emotional distress; and (ii) the alleged sale of such sensitive personal information could deprive consumers of their right of privacy, and the loss of such privacy could itself result in a substantial injury to consumers, as it could expose them to significant risk of secondary harms. Kochava’s CEO and founder Charles Manning said in a statement that Kochava expected this ruling and that he was “confident” Kochava would prevail on the merits.

Kochava is a data broker that buys and sells consumers’ precise geolocation information obtained from their mobile devices and that is associated with a mobile or persistent identifier. The FTC first sued Kochava in August 2022, alleging that its sale of “precise location information,” which the FTC alleged could track users to sensitive locations, was a prohibited unfair practice under Section 5 of the FTC Act. Later, in October 2022, Kochava moved to dismiss the FTC’s claim arguing, among other theories, that the FTC failed to allege sufficient facts to establish that Kochava’s practices either caused or were likely to cause “substantial injury to consumers.” The court granted Kochava’s motion to dismiss, holding that the FTC failed to allege the “substantial injury” necessary to sustain the action, but allowed the FTC to amend its complaint. The FTC filed an amended complaint in June 2023 in which it emphasized its allegations that Kochava’s sale of precise location information was easily identifiable, detailed the inferences Kochava could allegedly make from such data, and described Kochava’s allegedly insufficient privacy controls. We covered these developments in earlier articles, located here.

Takeaway: Judge Winmill’s denial of Kochava’s motion to dismiss represents a “win” for the FTC, especially since Judge Winmill initially expressed skepticism regarding whether the deficiencies in the FTC’s claims could be cured. The case will now proceed to discovery, teeing up what could result in a closely followed and highly publicized trial in 2025. Meanwhile, companies that sell precise geolocation data are on notice because, as we saw in the X-Mode and InMarket enforcement matters, the FTC views the allegedly nonconsensual collection and sale of precise geolocation data that can, in the FTC’s view, be tied back to sensitive locations as a per se prohibited unfair practice under the FTC Act.

UK Data Regulator Amplifies Call for Cookie Compliance

The UK Information Commissioner’s Office (“ICO”) is once again emphasizing the importance of aligning advertising cookie practices with data protection regulations. In November 2023, the ICO issued a warning to 53 of the UK’s top 100 websites, urging them to make necessary changes or face enforcement action.

The ICO has now reported that the response to this call to action was “overwhelmingly positive.” A total of 38 organizations out of the 53 contacted so far have already updated their cookie banners to meet compliance standards, and 4 more are committed to doing so by the end of February. Some organizations are exploring alternative solutions, like contextual advertising and subscription models, with the ICO set to provide further guidance on these approaches.

The ICO has made clear that its mission extends beyond the top 100 websites and has stated that it is already preparing to extend its scrutiny to the next 100 websites. To aid this process, the ICO is developing an AI solution to help identify non-compliant cookie banners, with a “hackathon” event planned for early 2024 to explore what this AI solution might look like. The ICO is not alone in looking to technical solutions to assist with identifying non-compliance; the European Data Protection Board has launched its own website auditing software tool that can be used by national data protection authorities to facilitate enforcement, as well as by organizations for their own compliance checks.

Stephen Almond, Executive Director, Regulatory Risk at the ICO, made the following statement: “Our advice to all organisations is to take action now to become compliant. We can already see the ripple effect of our intervention with many organisations making changes to cookie banners without receiving a letter from us. And as we’ll be steadily working our way through the list of websites offering services to UK users to give them all the same message, it makes sense to be compliant before the regulator comes knocking.”

Takeaway: It is clear that the ICO intends to sustain its heightened attention to websites’ cookie practices until it is satisfied with the compliance landscape of websites offering goods and services to UK users. Enforcement in this area will only become easier for regulators with the previewed AI solution and the EDPB’s new website auditing tool, so organizations using cookies (particularly advertising cookies) will want to ensure that they have their cookie practices in order “before the regulator comes knocking.”

Federal Program Establishes Partnership in First Step to Democratize AI Research and Development

On January 24, 2024, the U.S. National Science Foundation (“NSF”), ten collaborating federal agencies, and twenty-five private sector companies launched the National Artificial Intelligence Research Resource pilot (“NAIRR Pilot”), fulfilling President Biden’s call in his October 30, 2023 executive order on AI to establish this initiative. The NAIRR Pilot is meant to establish a shared research infrastructure for AI that will strengthen and democratize access to essential tools necessary to AI innovation, such as datasets, computing power, models, software, and training and user support resources.

Led by the NSF, the two-year NAIRR Pilot’s operations will be organized into four focus areas: (1) NAIRR Open – aimed at enabling open AI research through diverse AI resources; (2) NAIRR Secure – aimed at establishing exemplar privacy preserving resources; (3) NAIRR Software – aimed at exploring and facilitating interoperability across AI tools; and (4) NAIRR Classroom – aimed at reaching new communities through educational and training resources.

Initially, the NAIRR Pilot will “support AI research to advance safe, secure and trustworthy AI,” and “the application of AI to challenges in healthcare and environment and infrastructure sustainability.” It will also “support educators to enable training on AI technologies and their responsible approaches.”

Researchers can apply for initial access through the NAIRR Pilot portal at nairrpilot.org. A broader call for proposals from researchers seeking access to the full suite of NAIRR Pilot resources is expected later this spring.

Takeaway: The fact that key private sector players and lawmakers have come together to establish the NAIRR Pilot demonstrates the current enthusiasm for the U.S. taking a leading role in AI research and development. Lawmakers have even expressed optimism that the NAIRR Pilot may be codified into law, and key stakeholders have heralded the NAIRR Pilot as being a critical step in establishing safe and ethical AI systems, while inspiring innovation in AI.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising

Written by:

Dechert LLP