September 22, 2021

Volume XI, Number 265

Advertisement

September 22, 2021

Subscribe to Latest Legal News and Analysis

September 21, 2021

Subscribe to Latest Legal News and Analysis

September 20, 2021

Subscribe to Latest Legal News and Analysis

FTC Settles Security Claims With Both MoviePass and Its Owners

MoviePass, a movie subscription service, has agreed to a proposed settlement with the FTC over alleged deception and lack of security allegations. The now-defunct company not only allegedly marketed its service as a “one movie per day” service – yet took steps to actively deny subscribers such access – it also failed, according to the FTC, to secure subscriber’s personal data. The company also was alleged to have violated the Restore Online Shoppers’ Confident Act, which impacts the offering of “negative option” (subscription) services.

With respect to the security allegations, MoviePass’s privacy policy stated that it used reasonable measures to protection personal information. Statements included that the company “takes information security very seriously,” that it “uses reasonable administrative, technical, physical, and managerial measures to protect [consumers’] personal details from unauthorized access” and that email addresses and payment information were encrypted. Notwithstanding these statements, the FTC said the company failed to take security sufficiently seriously.  Of particular concern, a database containing subscribers’ personal information, including emails and payment information, was both unencrypted and exposed, resulting in a 2019 data breach impacting about 28,000 individuals’ financial details.

Under the proposed order, with respect to the alleged security violations, MoviePass’s operators must implement a comprehensive information security program. The program must have a “qualified” employee who oversees it, it needs to be designed to address risks that face the company, must provide for employee training, and will be subject to FTC oversight and biennial third-party audits.  The order also requires that senior executives annually certify the program, and that the company notify the FTC directly of any future data breaches. The settlement terms will be in effect for 20 years, and are with the company, its parent, as well as the two principal owners, who will be required to follow its terms for any business they control.

Putting it Into Practice:  This settlement is a reminder that the FTC will use security statements in a company’s privacy policy to enforce its expectations under theories of deception. Also of interest is the defunct nature of the company. The FTC often brings claims -and seeks settlement- against both the company and its owners. Here, though, since the company is no longer operational, the practical effect will be that this settlement is principally against the owners.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 176
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Brittany Walter Intellectual property Attorney Sheppard Mullin Law Firm San Francisco

Brittany Walter is an associate in the Intellectual Property Practice Group in the firm's San Francisco office. She is a member of the Privacy and Cybersecurity Team, the Advertising Team and the Technology Transactions Team.

Areas of Practice

Brittany’s practice focuses on protecting her clients’ intellectual property rights through counseling, prosecution, enforcement and litigation.

Prosecution and Enforcement. Brittany assists with matters before the United...

415.774.2973
Advertisement
Advertisement
Advertisement