The U.S. Chamber of Commerce on Thursday sued the FTC in an effort to gain access to Freedom of Information Act documents it says the agency “unlawfully” withheld (see 2112030042). The FTC circumvented due process, concentrated power in the hands of Chair Lina Khan and used “dubious legal means to achieve pre-ordained ends,” Chamber CEO Suzanne Clark said in a statement. The Chamber is seeking access to documents on so-called “zombie votes,” which the commission counted after Commissioner Rohit Chopra left the agency. The Chamber requested communication between the FTC, the European Commission and other foreign bodies about the Illumina-Grail transaction. The FTC “may have collaborated with and relied upon a foreign government authority to strong-arm American corporations into abandoning a planned merger,” the Chamber said. It requested details of Khan’s “legal fellow” employment status under Chopra. “The position of ‘legal fellow’ is highly unusual and not a typical title used in relationship to staff positions in support of a commissioner,” the Chamber said. The lawsuit was filed with the U.S. District Court for the District of Columbia. The agency didn’t comment.
Louisiana and Missouri can proceed with collecting discovery documents in a freedom of speech case involving top Biden administration officials and social media companies, the U.S. District Court for the Western District of Louisiana ruled Tuesday (see 2207070058). The states sued the Biden administration in May claiming officials colluded with social media companies to censor and suppress truthful information on topics like COVID-19, the efficacy of masks and election integrity. Missouri Attorney General Eric Schmitt (R) called the grant of discovery a “huge development.” The order noted the “First Amendment obviously applies to the citizens of Missouri and Louisiana, so Missouri and Louisiana have the authority to assert those rights.”
TikTok should end plans to “force personalized ads” on users, Access Now said in a statement Tuesday. Access Now wrote a July 5 letter to TikTok asking the company to cancel plans to target users over 18 with personalized ads in the European Economic Area, U.K. and Switzerland. Access Now cited a report that TikTok is pausing those plans in favor of working with regulators. Access Now Global Data Protection Lead Estelle Masse said the company “must end” the practice for good: “When we rang the alarm bells, data protection authorities from Italy, Ireland, and Spain listened. With their swift action to protect people’s rights, they shut down a problematic practice and potential harmful precedent before TikTok could implement it.” TikTok didn't comment.
Schools, from primary through university, are increasingly being hit with ransomware, with 60% suffering attacks in 2021 compared with 44% in 2020, reported Sophos Tuesday. The cybersecurity company canvassed 730 educators in 31 countries, finding only 2% were able to recover all their encrypted data after paying a ransom, down from 4% in 2020, it said. Schools, on average, were able to recover 62% of encrypted data after paying ransoms, down from 68% in 2020, it said. Colleges and universities reported the longest ransomware recovery time among all types of schools canvassed, with 40% saying it took them at least a month to recover, compared with 20% for other sectors, and 9% reporting it took three to six months to recover. Schools are “prime targets for attackers because of their overall lack of strong cybersecurity defenses and the gold mine of personal data they hold,” said Sophos analyst Chester Wisniewski. “Education institutions are less likely than others to detect in-progress attacks, which naturally leads to higher attack success.”
The FTC is committed to using its “full scope” of authorities to protect consumers’ location, health and sensitive data, the agency said in a blog Monday. The announcement follows an executive order from President Joe Biden aimed at combating “digital surveillance” in the wake of the overturning of Roe v. Wade (see 2207080060). The FTC will “vigorously enforce” the law, and past enforcement provides a “roadmap” for infractions involving location and health data, said FTC Division of Privacy and Identity Protection acting Associate Director Kristin Cohen. Cohen warned companies against deceptive acts involving promises to anonymize consumer data. The agency doesn’t “tolerate companies that over-collect, indefinitely retain, or misuse consumer data,” Cohen said, citing federal and state law.
Global merchant losses to online payment fraud will exceed $343 billion 2023-2027, reported Juniper Research Monday. The number includes sales of digital and physical goods, money transfer transactions, and banking and airline ticketing via fraudster attacks including phishing, business email compromise and socially engineered fraud, it said. A key driver is fraudster innovation such as account takeover fraud, where a user’s account is hijacked, despite identity verification measures, Juniper said. To combat rising fraud, fraud prevention vendors need to orchestrate the right mix of verification tools, at the most effective time. “No two online transactions are the same, so the way transactions are secured cannot follow a one-size-fits-all solution,” said analyst Nick Maynard. Fraud prevention requires several verification capabilities, intelligently orchestrated, to protect merchants and users, Maynard said. Physical goods purchases will be the largest source of losses, at an expected 49% of online payment fraud losses globally over the next five years, Juniper said. Lax address verification processes in developing markets are a major risk, with fraudsters targeting physical goods specifically, due to their resell potential, Juniper said.
President Joe Biden issued an executive order Friday meant to combat “digital surveillance” and protect data privacy for reproductive health care services. Citing the overturning of Roe v. Wade, Biden directed FTC Chair Lina Khan to explore steps to “protect consumers’ privacy when seeking information about and provision of reproductive health care services.” He ordered Health and Human Services Secretary Xavier Becerra to consult with Attorney General Merrick Garland and Khan on options for addressing “deceptive or fraudulent practices, including online, and protect access to accurate information.” House Oversight Chair Carolyn Maloney, D-N.Y., applauded the EO. Maloney announced a health data privacy probe on Friday with House Consumer Policy Subcommittee Chair Raja Krishnamoorthi, D-Ill., and Rep. Sara Jacobs, D-Calif. They sent letters to five data broker companies and five personal health app companies “requesting information and documents regarding the collection and sale of personal reproductive health data.” Location data “collected by mobile phones may be used to locate people seeking care at clinics, and search and chat history referring to clinics or medication create digital bread crumbs revealing interest in an abortion,” they wrote.
DOJ’s Justice Management Division lacks staff to effectively manage its cyber supply chain risk management (C-SCRM) program, the Office of Inspector General reported Thursday. Lack of “personnel resources” resulted in “widespread noncompliance, outdated guidance, inadequate threat assessments, and insufficient mitigation and monitoring actions,” OIG said. The division needs to “provide communication, outreach, and training to Department components and develop procedures to periodically assess their efforts,” OIG concluded. The FBI’s C-SCRM program is “more modern,” but millions of dollars in IT goods might not have gotten proper inspection based on cyber requirements, OIG said. The office recommended the Drug Enforcement Administration develop its own C-SCRM program, as required by an intelligence community directive.
U.S. cyber victims shouldn’t make ransomware payments, the FBI, Cybersecurity and Infrastructure Security Agency and Treasury Department said Wednesday in an advisory on Maui ransomware, a common North Korean state-sponsored cyberthreat. Paying ransom doesn’t “guarantee files and records will be recovered and may pose sanctions risks,” the agencies said. U.S. companies should “adopt and improve cybersecurity practices and report ransomware attacks to, and fully cooperate with, law enforcement,” the agencies said.
The Biden administration urged a court Friday not to grant expedited discovery to Missouri and Louisiana in their suit claiming the administration colluded with social media platforms to censor and suppress truthful information (see 2205050056). In its response at the U.S. District Court for Western Louisiana (case 3:22-cv-01213-TAD-KDM), the administration said it plans to file a motion to dismiss. Don't allow states to take discovery before defendants can respond to the complaint, it said. "The Court must first address whether it has jurisdiction before this matter may proceed at all. … Expedited discovery is rare, and is authorized only when a party shows that it has a pressing need.” States “make little effort to show that they will suffer irreparable harm (or in fact any harm) absent expedited discovery.” It would go against federal civil procedure rules to require the U.S. defendants "to respond to an unspecified number of interrogatories and document requests, and potentially prepare for depositions, on a compressed timeline,” it said. Missouri and Louisiana seek a "a sweeping preliminary injunction that would have the perverse effect of suppressing public officials’ speech on matters of public concern,” and multiple courts including the D.C. Circuit U.S. Court of Appeals dismissed similar claims “for lack of subject-matter jurisdiction,” the administration said. “Although social media companies have been taking action against what they have deemed to be misinformation for years -- since before this Administration began,” plaintiffs here and in other cases insist “that the actions they were subject to were attributable … to certain comments made by Government officials about the harms of misinformation.” But courts “uniformly dismissed those challenges, concluding that the plaintiffs lacked Article III standing because their allegations did not show that the challenged actions were caused by any Government actor rather than the independent judgments of social media companies.”