(by Matthew Nelson and Adam Kuhn)
2013 was a rough year for organizations struggling to secure their data. According to the recently published Internet Security Threat Report (ISTR),breaches increased 62% in 2013 and over 552 million identities were exposed. The list of companies experiencing data breaches reads like a “who’s who” of the business world and given the growing sophistication of cyber-criminals, there does not appear to be an immediate end in sight.
The cost of data breaches is astounding. A recent study by the Ponemon Institute estimates that data breaches cost US organizations an average of $5.4 million (this figure excludes uncommon “catastrophic” data breaches involving over 100,000 compromised records). Exacerbating the problem is the fact that if the Federal Trade Commission (FTC) gets involved, those costs are likely to climb. Unfortunately, many organizations are finding out the hard way that the FTC takes data breaches seriously, whether the breach involves thousands or millions records.
FTC Enforcement Actions on the Rise
The FTC’s Bureau of Consumer Protection has recently stepped up investigations into data breaches on behalf of consumers as more organizations collect, store and use sensitive information. This stepped up activity is consistent with comments from FTC Commissioner Julie Brill who recently stated that “more aggressive action” from regulators and businesses alike should be encouraged to protect consumer privacy. In a similar vein, FTC Deputy Director Daniel Kaufman has argued for more substantial penalties in the area of data security.
The FTC is not only talking the talk, they are walking the walk. They routinely exercise the authority granted to them by Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) which authorizes the Commission to “prevent unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce.” The Act includes provisions for injunctive relief, disgorgement, consumer redress and settlement orders that can bind companies with substantial monetary penalties. The FTC also has enforcement or administrative responsibilities under more than 70 different federal statutes such as the Fair Credit Reporting Act (FCRA) (15 U.S.C. § 1681) and the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. § 6501).
What triggers an FTC investigation?
In a recent webinar, FTC attorney Katherine McCarron explained that the FTC “look[s] at a company’s security procedures and determine[s] whether they are reasonable and appropriate in light of all the circumstances” when evaluating an organization’s conduct. Like many legal standards, the precise definition of “reasonable and appropriate” is subjective. That means the FTC will consider the unique facts of each case and consider not only the magnitude of the breach, but the sensitivity of the data that was lost.
Perhaps surprising to some, is the fact that the FTC interprets Section 5 broadly and takes the position that an actual injury or breach is not required to pursue an investigation. McCarron explains that the legal injury to consumers can involve a “practice that causes or is likely to cause substantial consumer injury…. It can be a probability in the future.” McCarron goes on to explain that a substantial injury doesn’t necessarily require a major breach of extremely sensitive information — it could be “a small injury to a lot of people.”
For example, in 2013, HTC settled an FTC investigation over a software design flaw that could have exposed millions of consumers’ personally identifiable information (PII) stored on HTC mobile devices, despite the fact that there was no actual breach. In addition to an obligation to redesign the software to fix the weakness, HTC is now obligated to “undergo independent security assessments every other year for the next 20 years.” A provision that is commonly included in FTC settlement agreements.
The FTC has also stepped up enforcement actions against organizations based on terms of use or privacy statements that are “deceptive” to consumers. For example, the FTC recently obtained a multi-million dollar settlement against a company for erroneously informing customers that tracking cookies would be blocked. In other cases, the FTC has pursued software developers for failing to properly disclose that information would be shared with third parties in their “terms of use” agreement. The common thread in these and other cases is that the FTC is aggressively protecting consumers from what they consider to be unfair or deceptive practices and the scope and breadth of cases the FTC is willing to pursue is expanding.
Conclusion
FTC enforcement actions have skyrocketed in recent years and any organization that deals with consumer information is potentially vulnerable. That means organizations should take reasonable steps to comply with data privacy representations made to consumers. Similarly, organizations need to establish policies and procedures to help prevent consumer data breaches in addition to deploying readily available data security technology to detect and guard against vulnerabilities. To hear more of McCarron’s insights and tips for implementing good data protection policies, log into the free recorded webinar titled: “The FTC on Fraud, Deception & Data Privacy Enforcement Actions.”
