Marriott’s Settlement with the FTC: What it Means for Businesses

by Katherine McCarron and Kamay Lafalaise


Left to Right: Katherine McCarron and Kamay Lafalaise (photos courtesy of the authors)

Marriott International, Inc. has long highlighted core values of putting people first, pursuing excellence, acting with integrity, and serving the world. The FTC and Attorneys General from 49 states and D.C. are jointly announcing an action that suggests the company may want to add a fifth value to that list: protecting customer data and privacy. 

According to a proposed complaint, Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide, LLC had data security failures that led to at least three breaches between 2014 and 2020. First, the FTC says between 2014 and 2018 bad actors were able to take advantage of weak data security to steal 339 million consumer records from Marriott’s subsidiary, Starwood, in two separate breaches. That included millions of passport, payment card, and loyalty numbers. Then, in 2020, according to the complaint, Marriott told its customers bad actors had breached Marriott’s own network through a franchised hotel.  This time the intruders stole 5.2 million guest records, which included significant personal information and loyalty account information. The stolen information was detailed enough, the complaint explains, that bad actors could use it to create highly successful, targeted phishing campaigns to commit fraud.


FINMA Sanctions Swiss Private Bank Mirabaud & Cie for Serious Violations of Swiss Financial Market Law

by Jonathan J. Rusch


Photo courtesy of the author

For generations, the Swiss financial sector has carefully burnished its reputation as the “perfect home for wealth” and a “financial safe haven.”[1]  That reputation, not surprisingly, has led for some time not only to attraction of persons seeking legitimate investment and wealth management opportunities, but to a high degree of money laundering risk.[2]

In recent years, Swiss government authorities have responded to these money laundering risks with necessary changes to the country's anti-money laundering (AML) laws and general improvements in the legal and regulatory enforcement of those laws. The Swiss Attorney General’s Office, for example, has demonstrated an increasing commitment to holding the Swiss banking community accountable for criminal violations of Swiss AML laws.[3] The Swiss Financial Market Supervisory Authority (FINMA), as the supervisor of the Swiss financial sector, has lately shown increased resolve in imposing significant sanctions on banks that fail to comply with AML laws.[4]

The most recent example of FINMA’s resolve took place on September 17, when FINMA disclosed that it had taken strong AML-related measures against a prominent Swiss private bank, Mirabaud & Cie SA.[5] It stated that in June 2023 it had concluded an enforcement proceeding against Mirabaud, finding that Mirabaud had breached its AML obligations under Swiss law and “seriously violated provisions of financial market law concerning adequate organisation (governance), risk management and money laundering prevention over a prolonged period.” It also took the highly unusual steps of confiscating CHF 12.7 million of unlawfully generated profits, opening three proceedings against individuals, and prohibiting Mirabaud from accepting any new clients with increased money-laundering risk until compliance with Swiss financial market law has been restored.

This post will explain the background and basis of FINMA’s actions and provide several observations on its significance.


CJEU: Competitors Can Sue over Data Protection Violations

by Dr. Detlev Gabel, Erasmus Hoffmann, and Markus Langen


Left to Right: Dr. Detlev Gabel, Erasmus Hoffmann and Markus Langen (photos courtesy of White & Case LLP)

Background

The German Federal Court of Justice (Bundesgerichtshof), tasked with resolving a conflict between two competing pharmacists, sought guidance from the Court of Justice of the European Union (“CJEU”) on interpreting the General Data Protection Regulation (“GDPR”). The defendant’s business sells over-the-counter (“OTC”) medicinal products online. During the ordering process, customers must provide certain information, including their name, delivery address, and details about the relevant OTC product. Invoking German legislation on unfair commercial practices, the claimant, a competitor, asked the German courts to halt this practice of the competing pharmacy, unless there is assurance that customers give prior consent for the processing of their health-related data.

The courts at first and second instance determined that the ordering process involves the processing of health data, which is prohibited under the GDPR in the absence of explicit customer consent or another justification. The courts found this practice to be in breach of the GDPR, and thus unfair and unlawful under the German Unfair Competition Act. The German Federal Court of Justice sought clarification on whether the GDPR allows national legislation to permit competitors to initiate legal action against a person allegedly violating the GDPR. It further asked whether the information provided during the ordering process qualifies as health data under the GDPR, even though the relevant OTC products do not require a prescription.

In its judgement of October 4, 2024, the CJEU provided clarity on these issues.


California’s Legislative Push on AI: A Wave of New Obligations and Prohibitions

by Beth George, Janet Kim, Sean Quinn, Madeline Cimino, and Christine Chong


From left to right: Beth George, Janet Kim, Sean Quinn, Madeline Cimino, and Christine Chong (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

California Governor Gavin Newsom recently signed into law a wave of legislation – totaling 19 laws – addressing the opportunities and risks of AI and placing California at the forefront of AI regulation in the United States. From election integrity to performer rights and healthcare transparency, the state has enacted measures aimed at managing potential negative impacts of the AI boom. At the same time, Governor Newsom vetoed SB 1047, the most comprehensive bill on his desk, signaling his interest in balancing the need for regulation to promote the safe deployment of AI with an interest in fostering growth in this important new sector of the California tech economy.


California Pushes Ahead With Climate Disclosure Law

by Ronald C. Chen, Raaj S. Narayan, and Carmen X. W. Lu


Left to Right: Ronald C. Chen, Raaj S. Narayan and Carmen X. W. Lu (photos courtesy of Wachtell, Lipton, Rosen & Katz)

Recently, California Governor Gavin Newsom signed into law Senate Bill 219, which applies broadly to public and private companies “doing business” in California. The law will require companies with total annual revenues of over $1 billion to disclose and independently assure their scope 1 and 2 emissions (direct and purchased emissions) beginning in 2026 and to disclose scope 3 emissions (value chain emissions) beginning in 2027. In addition, companies with annual revenues of over $500 million will be required to prepare a climate-related financial risk report in accordance with the recommendations of the Task Force on Climate-related Financial Disclosures on or before January 1, 2026. Emissions disclosures will need to be submitted to the California Air Resources Board (“CARB”), or a non-profit emissions reporting organization designated by CARB, while climate-related financial risk disclosures will need to be publicly posted on the company’s website.


ICO Dawn Raids: How to respond and what you can do to prepare – An FAQ

by Robert Maddox and Aisling Cowell

Left to Right: Robert Maddox and Aisling Cowell (photos courtesy of Debevoise & Plimpton LLP)

In the UK, unannounced inspections of businesses’ premises, or “dawn raids”, are most often associated with authorities such as the Serious Fraud Office, National Crime Agency, Competition and Markets Authority and Metropolitan Police. However, data controllers and processors should be aware that the UK’s Information Commissioner’s Office (“ICO”) can also carry out dawn raids as part of investigations into compliance with data protection laws.

Such inspections can be stressful and complex for businesses to respond to, with a risk of criminal liability for failing to cooperate properly.

Here, we examine the ICO’s powers to conduct dawn raids, how those powers have been exercised in the past, and outline the steps which businesses should consider taking to prepare effectively for – and appropriately respond to – dawn raids.


FTC Announces New Enforcement Initiative Targeting Deceptive AI Practices

by Robert A. Cohen, James W. Haldin, Daniel S. Kahn, Maude Paquin, and Michael Scheinkman


Left to right: Robert A. Cohen, James W. Haldin, Daniel S. Kahn, Maude Paquin, and Michael Scheinkman (Photos courtesy of Davis Polk & Wardwell LLP)

The Federal Trade Commission launched Operation AI Comply, announcing enforcement actions against five companies for alleged deception regarding artificial intelligence. The FTC’s actions mark the latest U.S. scrutiny of AI-related misconduct.

Background

On September 25, 2024, as part of a new enforcement “sweep” called Operation AI Comply, the FTC announced enforcement actions against five companies that allegedly used artificial intelligence (AI) to “supercharge deceptive or unfair conduct that harms consumers.” According to the FTC, these cases showcase how “hype surrounding AI” is used to “lure consumers into bogus schemes” and to provide AI-based tools that themselves can be used to deceive consumers. In announcing the actions, FTC Chair Lina Khan stated that “[t]he FTC’s enforcement actions make clear that there is no AI exemption from the laws on the books.”


T-Mobile to Spend 31.5 Million Dollars to Settle Multiple FCC Investigations Related to Recent Data Breaches

by Lisa Sotto and Jennie Cunningham


Left to right: Lisa Sotto and Jennie Cunningham. (Photos courtesy of Hunton Andrews Kurth LLP)

On September 30, 2024, the Federal Communications Commission announced that T-Mobile has entered into an agreement to settle multiple data protection and cybersecurity investigations stemming from data breaches in 2021, 2022 and 2023. The breaches involved the personal information of millions of current, former, and prospective T-Mobile customers and end-user customers of T-Mobile wireless network operators, and resulted from various threat vectors, including a 2021 cyberattack, a 2022 platform access incident, a 2023 sales application incident, and a 2023 API incident. T-Mobile previously settled class action claims in federal district court related to the 2021 cyberattack. In addition to a $15.75 million penalty, T-Mobile will also be required to spend $15.75 million over the next two years to strengthen its cybersecurity program and implement a plan to protect consumers from similar future breaches.

OFAC Extends Recordkeeping Requirements

by Satish M. Kini, Robert T. Dura, Aseel M. Rabie, Jonathan R. Wong, and Yair Strachman


Left to right: Satish M. Kini, Robert T. Dura, Aseel M. Rabie, Jonathan R. Wong, and Yair Strachman (Photos courtesy of Debevoise & Plimpton LLP)

Earlier this month, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued an Interim Final Rule (“IFR”) extending OFAC’s current recordkeeping requirements from five to ten years. The IFR was published in the Federal Register on September 13, 2024, with public comments due by October 15, 2024. The new recordkeeping requirements are set to take effect on March 12, 2025.

The IFR follows amendments to the statute of limitations in the International Emergency Economic Powers Act (“IEEPA”) and the Trading with the Enemy Act (“TWEA”), two statutes that authorize many of OFAC’s sanctions programs. The new 10-year statute of limitations—codified at 50 U.S.C. §§ 1705(d) and 4315(d)—became effective on April 24, 2024, and was discussed in our Debevoise Client Update available here. In July 2024, OFAC issued guidance on how it interpreted the new statute of limitations and signaled that it also would extend its recordkeeping requirements, as we noted here.


Operation AI Comply: Continuing the Crackdown on Overpromises and AI-related Lies

by Julia Solomon Ensor

Federal Trade Commission

Maybe you grew up daydreaming about artificial intelligence, or AI. You imagined its potential to change the future, possibly with an army of helpful robots to take on your least favorite human tasks. The Star Wars franchise had R2-D2. The Jetsons had Rosey. There was RoboCop. And when everything else was gone, the world had WALL-E, the stoic trash collector looking for love. Now, as a business owner, you’re always watching for the next big invention to fine-tune processes and increase profitability. And some marketers can’t resist taking advantage of that by using the language of AI and technology to try to make it seem like their products or services deliver all the answers.
