Cybersecurity Lessons Learned From the FTC’s Enforcement History

by K&L Gates LLP

In 2014, cybersecurity and data breach incidents regularly made the headlines, with the reported breaches becoming increasingly large and complex. As in the past, these data breaches have inevitably been followed by a flurry of class actions and government investigations. But amid this flurry of activity, one federal regulator in particular, the Federal Trade Commission (the “FTC” or “Commission”), has unquestionably been the most prominent and active cybersecurity enforcer.

The FTC has more than a decade of experience in data security matters. Since 2002, the FTC has brought nearly 60 data security enforcement matters and settled more than 50 of those actions. The FTC’s data security activity has accelerated in recent years and likely will continue to do so. Jessica Rich, the current Director of the Bureau of Consumer Protection, leads the FTC’s consumer protection charge and recently stated that “data security enforcement remains a critical FTC priority.”[1] Director Rich has been involved in the FTC’s privacy and data security initiatives since the 1990s and has been praised as “a nationally recognized expert in the fields of privacy, data and identity protection, and emerging technologies.”[2] Her expertise and passion for this area, combined with what has been described as her “tenacious” drive, portend a continued focus on cybersecurity enforcement.[3] Since Director Rich’s appointment in June 2013, the FTC has brought about a dozen data security cases, comprising approximately twenty percent of all of the FTC’s data security matters since 2002.

In light of the increased scrutiny on data security and the heightened risks of attacks, it is important for companies to understand the FTC’s authority and expectations for data security practices. The FTC has stated that “[t]he touchstone of the Commission’s approach [to data security]… is reasonableness.”[4] In light of this seemingly flexible and subjective standard, how can a company know when it might be in the FTC’s crosshairs on data security? In this article, we provide an overview of the FTC’s authority and highlight some common compliance themes that emerge from the FTC’s enforcement history.

I. FTC Authority and Enforcement Activities Generally

A. Basis for the FTC’s Data Security Enforcement Authority

Although there is no comprehensive federal cybersecurity legal framework, the FTC has numerous enforcement tools. The Commission generally has enforcement or administrative authority under dozens of consumer protection laws.  In the vast majority of its data security actions, the FTC has relied on its power under Section 5 of the FTC Act to prohibit “unfair or deceptive acts or practices in or affecting commerce.”[5] The FTC has also asserted violations of numerous other laws in its data security actions, including the Gramm-Leach-Bliley Act (“GLBA”), Fair Credit Reporting Act (“FCRA”), Children’s Online Privacy Protection Act (“COPPA”), and regulations promulgated under those statutes, including GLBA’s Safeguards and Privacy Rules, FCRA’s Disposal Rule, and the COPPA Rule.

In many of the actions it has settled, the FTC has obtained injunctive relief covering a defendant’s conduct for 20 years.  The FTC has also sought or obtained civil money penalties for violations of the Disposal Rule, COPPA Rule, or past FTC consent orders. Possibly signaling a more aggressive enforcement strategy, the FTC has also requested monetary relief for impacted consumers in more recent actions.

B. Few Industries Are Beyond the FTC’s Reach, and Companies Can Be Held Liable for Actions of Their Vendors or Customers

Under the FTC Act, the FTC has broad enforcement authority over large swaths of the economy.[6] For example, the FTC has brought data security actions against retailers, financial institutions, health care-related companies, software and mobile app vendors and, notably, companies that sold products and services relating to data security.

Importantly, companies that do not directly market to consumers or have consumer-facing businesses can also be targets of the FTC. The Commission has brought numerous cases against companies that handle or deal in consumer information, such as data sellers, payment processors, debt brokers, and consumer reporting agencies.

The FTC has also alleged that companies are responsible for the data security failings caused by third parties, including vendors. In several cases, the FTC has alleged that the defendant was responsible for the security deficiencies of its third-party clients or end-users of its products or services. For example, in a number of cases, defendants that sold or resold consumer information were alleged to be responsible for failing to ensure that the downstream purchasers of information adequately protected sensitive consumer information. In cases where information is provided via a subscription service or where the purchaser obtains information through online access, the FTC has also sought to hold companies liable for failing to enforce policies and procedures to mitigate misuse of client accounts, such as identity authentication and password management.

C. Individuals May Also Be Subject to FTC Scrutiny

The FTC frequently uses its authority to bring enforcement actions against individuals who are alleged to have formulated, directed, controlled, had the authority to control, or participated in the allegedly unlawful acts or practices of corporate entities. In the data security realm, since 2002, the FTC has named individual defendants on their own or in addition to their affiliated companies in approximately ten matters. In five of those matters, the FTC has obtained or has requested monetary liability from the individual defendants.

II. Areas of Particular Emphasis at the FTC

A. Actual Breach Not Required to Trigger FTC Enforcement Activity

The FTC has stated that “the mere fact that a breach occurred does not mean that a company has violated the law.”[7] At the same time, the FTC’s enforcement powers do not require an actual breach as a prerequisite to bringing an enforcement action. In fact, in one of its earliest data security cases, the FTC rejected the notion that its enforcement authority depended upon the occurrence of an actual data breach.  Indeed, a review of the data security actions brought by the FTC since 2002 reflects that in almost one-third of those actions, the FTC’s claims were not based on an actual data breach. In such cases, the FTC instead generally alleged that the companies’ practices increased the risk of a data breach and/or misrepresented the extent of the companies’ data security measures.

B. The FTC Takes a Broad View of Consumer Information Requiring Protection

The typical categories of sensitive consumer information that the FTC seeks to protect include consumers’ financial account numbers and Social Security numbers. However, the FTC has also wielded its enforcement authority to protect less sensitive consumer information. For example, the FTC has brought enforcement actions against companies for their failures to adequately protect consumer email addresses, Internet surfing history, and social media activity. In consent orders settling actions, the FTC has consistently required companies to protect broad categories of information, including Social Security numbers; driver’s license numbers; financial account information; first and last name; home address; email addresses and other electronic identifiers, such as cookies or social media usernames; account passwords; dates of birth; telephone numbers; consumer photos and videos; and/or health-related information.

C. Collecting or Unnecessarily Retaining Consumer Information Increases Data Security Risk

Data security necessarily begins with the collection and retention of data that needs to be protected.  In numerous cases, the FTC has identified companies’ data collection and retention policies as unreasonably increasing data security risks and threats. For example, the FTC has targeted companies for collecting more information than was disclosed to consumers in privacy policies, such as consumers’ Internet surfing activity. The FTC has also criticized companies for keeping consumer information when they no longer had any business need for the information. 

III. Key Steps to Minimize Regulatory Risks in Light of the FTC’s Focus on Cybersecurity

A. Companies Should Comply With Industry Standard Data Security Measures

As previously noted, the FTC evaluates a company’s data security under a reasonableness standard.  In practice, the FTC has often looked at a company’s allegedly deficient data security practices in light of standard industry practices. Through its suite of enforcement cases, the FTC has essentially defined (and continues to define) those industry practices that it considers to be essential ingredients of a “reasonable” cybersecurity compliance program.

In numerous cases, the FTC has pointed to the failure to protect against well-known data security threats and vulnerabilities as an unreasonable data security practice. For example, the FTC has cited companies’ failures to implement free or low-cost defenses against well-known third-party hacking attacks, such as Structured Query Language (“SQL”) injection attacks and cross-site scripting attacks, and has faulted companies for disabling critical security measures. In addition, the FTC has cited companies’ failures to use well-known data security measures, such as validating Secure Sockets Layer (“SSL”) certificates and employing firewalls to segregate and protect sensitive information.

The FTC has also brought actions against companies for failing to have adequate data security procedures in place. For example, the FTC has pointed to companies’ failures to keep software patches up to date and to their use of outdated software programs that were no longer supported. Another frequently cited deficiency is the failure to encrypt sensitive information, both while it is being transmitted and while it is stored, which creates security vulnerabilities. The FTC has also singled out companies for failing to have adequate measures in place to detect unauthorized intrusions and to respond adequately once an intrusion is detected.
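Two of the “free or low-cost” defenses the preceding paragraphs mention, SQL injection protection and certificate validation for encrypted transport, are concrete enough to show in code. The following is an added illustration written for this page, not code from the article, from K&L Gates, or from any FTC case; it uses a constructed in-memory table with fake record values and contacts no real system. It shows a string-built query beside its parameterized replacement, and a TLS client context with verification disabled beside the default verifying one.

```python
"""
Added example (not from the article): vulnerable-vs-hardened forms of two
controls the FTC has cited as low-cost defenses.
  1. SQL injection: concatenated query text vs. a parameterized query.
  2. Transport encryption: a TLS client context that skips certificate and
     hostname validation vs. one that enforces both.
All records below are constructed for the demo; the SSN values are placeholders.
"""
import sqlite3
import ssl


def _seed_db() -> sqlite3.Connection:
    """Constructed sample table: three customer rows with placeholder SSNs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "000-00-0001"),
            (2, "bob@example.com", "000-00-0002"),
            (3, "carol@example.com", "000-00-0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The deficiency: user input is spliced into the SQL text, so it can
    change the query's logic instead of being treated as a value."""
    sql = "SELECT email, ssn FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """The defense: a parameterized query. The driver binds `email` as data;
    no content of the string can alter the statement structure."""
    sql = "SELECT email, ssn FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo_sql_injection() -> dict:
    """Runs one ordinary lookup and one with a classic tautology input through
    both functions and reports how many rows each form exposes."""
    conn = _seed_db()
    ordinary = "alice@example.com"
    crafted = "x' OR '1'='1"  # constructed input: makes the WHERE clause always true
    return {
        "ordinary_rows": len(lookup_hardened(conn, ordinary)),
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),  # whole table
        "hardened_rows": len(lookup_hardened(conn, crafted)),      # no match
    }


def weak_tls_context() -> ssl.SSLContext:
    """The deficiency: verification switched off, so any certificate, including
    one presented by an interposed party, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_tls_context() -> ssl.SSLContext:
    """The defense: the library default already requires a certificate chaining
    to a trusted CA and matching the hostname; we only pin a minimum version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_validates(ctx: ssl.SSLContext) -> bool:
    """Configuration check a reviewer can run over any context the code builds."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print(demo_sql_injection())
    print("weak context validates:", tls_context_validates(weak_tls_context()))
    print("hardened context validates:", tls_context_validates(hardened_tls_context()))
```

The parameterized form costs nothing beyond using the driver's placeholder syntax, and the verifying TLS context is the library default; both are the kind of readily available measure whose absence the FTC has treated as unreasonable. `tls_context_validates` is the sort of check worth wiring into a code review or configuration audit so that a disabled verifier is caught before deployment rather than after an incident.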

B. Companies Must Also Ensure That Employees Are Properly Trained and Managed on Issues Involving Data Security

In addition to guarding against outside threats, companies must also ensure that their own employees do not pose data security risks. Many of the FTC’s cases involve the company’s own disclosure of consumer information. For example, the FTC has brought actions where company employees downloaded peer-to-peer software programs for personal use, which then led to unauthorized disclosure of sensitive consumer data. FTC cases have also involved company employees stealing consumer information or accessing consumer information without authorization. The FTC has also brought cases where employees lost unencrypted hardware containing sensitive consumer information and where employees failed to test software programs, which resulted in the disclosure of consumer information. 

C. Don’t Overlook the Basics

When considering these challenging cybersecurity issues, it can be dangerously easy to overlook everyday considerations that affect the handling of physical information. Companies must also still ensure that they properly dispose of consumer information in all forms, including hard copies and paper records. The FTC has brought numerous cases involving the improper disposal of paper documents containing sensitive consumer information, frequently in the companies’ own dumpsters. In certain cases, the FTC can seek civil money penalties of $16,000 per violation.[8]

*           *           *

The FTC’s enforcement history demonstrates that the Commission is looking at all aspects of data security, from the initial collection of data through responses to a data breach.  The FTC has stated that reasonable and adequate data security programs must be a dynamic “continuing process of assessing and addressing risks.”[9]  To meet the FTC’s expectations, companies, including those that have not experienced a data breach, should ensure that they have appropriate policies, procedures, and industry standard measures in place that evolve with changes in the cybersecurity landscape.

Notes:

[1] Jessica Rich, From Health Claims to Big Data: FTC Advertising and Privacy Priorities for Today’s Marketplace -- Brand Activation Association Keynote, Nov. 7, 2014, available at http://www.ftc.gov/public-statements/2014/11/health-claims-big-data-ftc-advertising-privacy-priorities-todays.

[2] FTC Announces Personnel Changes in Bureau of Consumer Protection, Dec. 11, 2011, available at http://www.ftc.gov/news-events/press-releases/2011/12/ftc-announces-personnel-changes-bureau-consumer-protection.

[3] Id.

[4] See Commission Statement Marking the FTC’s 50th Data Security Settlement, Jan. 31, 2014, available at http://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf.

[5] 15 U.S.C. § 45(a)(2).

[6] See id.

[7] Id.

[8] See 16 C.F.R. Part 682.

[9] Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches, before the Committee on Commerce, Science and Transportation, United States Senate (Mar. 26, 2014), available at http://www.ftc.gov/public-statements/2014/03/prepared-statement-federal-trade-commission-protecting-personal-consumer.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising
