How FTC privacy enforcement has evolved with recent cases

The FTC has recently undertaken further reviews of specific security practices past its historical boundaries 

The Federal Trade Commission (FTC) has asserted its enforcement authority as “the chief federal agency on privacy policy since the 1970s,” originally, under the Fair Credit Reporting Act and, subsequently, under a variety of federal privacy and security statutes, including the FTC Act (FTCA § 5), the Gramm‑Leach‑Bliley Act (GLBA) and the Children’s Online Privacy Protection Act (COPPA).

Historically, the FTC’s focus has been on the accuracy and completeness of disclosed privacy policies under FTCA § 5, i.e. whether the company making the disclosure is actually compliant with such disclosures. For example, the FTC settled charges with a leading online distribution platform for marketers based on the distributor’s violation of its own published privacy policy by using “history sniffing” technology to “secretly and illegally determine whether millions of consumers had visited any one of more than 54,000 domains.” Similarly, the FTC entered into a consent decree with a mobile social media app developer that exceeded its stated privacy policy by collecting contact information from users’ mobile devices, even when the user had affirmatively declined to give the developer authorization to do so.

The FTC has, however, undertaken further reviews of specific security practices. In In re CBR Systems, Inc., the FTC alleged that a leading cord blood bank failed to satisfy its own privacy policy, which promised that “[w]henever CBR handles personal information … CBR takes steps to ensure that your information is handled securely.” Failures included:

• The use of unencrypted backup tapes, laptops, external hard drives, and USB drives (several of which were actually stolen from an employee’s personal vehicle; these items contained personal information and network passwords and protocols)
• Transporting portable media containing personal information in a manner making the media vulnerable to theft
• Retention of a legacy database (due to inadequate supervision of vendor) in a vulnerable format on its network
• Not restricting database access on employee “need to know” basis
• Failure to destroy personal information for which CBR no longer had a business need
• Failure to monitor unauthorized system intrusions.

Recently, the FTC settled charges with Fandango and Credit Karma that the latter, among other failures, disabled SSL certificate validation for transmissions of personal information, “which would have verified that the apps’ communications were secure.” Indeed, in its guide “Mobile App Developers: Start with Security,” the FTC states that these developers should deploy and maintain “HTTPS or another industry-standard method” for transmission encryption.

In April, a U.S. district court rejected the motion to dismiss filed by a defendant hotel conglomerate (Wyndham), challenging the FTC’s authority to assert a data security claim under its enforcement authority pursuant to FTCA §5. In that case, the FTC alleged that Wyndham engaged “in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft;” such practices did, in fact, permit three separate hacks into Wyndham’s computer systems, which resulted in the theft and misuse of guest card numbers. The court rejected Wyndham’s assertions that data security supervision does not fall within FTCA §5, but instead is delegated to various agencies under a variety of federal laws, such as FCRA, COPPA and GLBA. The court stated instead, that “[h]ere, subsequent data-security legislation seems to complement – not preclude – the FTC’s authority.”

These developments indicate that businesses should take FTC data security guidance and regulatory enforcement actions in consideration when developing, monitoring and updating privacy policies and data security practices.

Republished with permission. This article first appeared in Inside Counsel on May 1, 2014.