FTC Settles Security Claims With Both MoviePass and Its Owners

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP

MoviePass, a movie subscription service, has agreed to a proposed settlement with the FTC over alleged deception and lack of security allegations. The now-defunct company not only allegedly marketed its service as a “one movie per day” service – yet took steps to actively deny subscribers such access – it also failed, according to the FTC, to secure subscriber’s personal data. The company also was alleged to have violated the Restore Online Shoppers’ Confident Act, which impacts the offering of “negative option” (subscription) services.

With respect to the security allegations, MoviePass’s privacy policy stated that it used reasonable measures to protection personal information. Statements included that the company “takes information security very seriously,” that it “uses reasonable administrative, technical, physical, and managerial measures to protect [consumers’] personal details from unauthorized access” and that email addresses and payment information were encrypted. Notwithstanding these statements, the FTC said the company failed to take security sufficiently seriously. Of particular concern, a database containing subscribers’ personal information, including emails and payment information, was both unencrypted and exposed, resulting in a 2019 data breach impacting about 28,000 individuals’ financial details.

Under the proposed order, with respect to the alleged security violations, MoviePass’s operators must implement a comprehensive information security program. The program must have a “qualified” employee who oversees it, it needs to be designed to address risks that face the company, must provide for employee training, and will be subject to FTC oversight and biennial third-party audits. The order also requires that senior executives annually certify the program, and that the company notify the FTC directly of any future data breaches. The settlement terms will be in effect for 20 years, and are with the company, its parent, as well as the two principal owners, who will be required to follow its terms for any business they control.

Putting it Into Practice: This settlement is a reminder that the FTC will use security statements in a company’s privacy policy to enforce its expectations under theories of deception. Also of interest is the defunct nature of the company. The FTC often brings claims -and seeks settlement- against both the company and its owners. Here, though, since the company is no longer operational, the practical effect will be that this settlement is principally against the owners.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.