Last week, the Federal Trade Commission (FTC) released an interesting case against a lead generator (ITMedia) that purportedly collected sensitive information from consumers who were seeking loans and sold that information to entities that were not in the business of providing loans. The defendants settled charges that they violated both the FTC Act and the Fair Credit Reporting Act (FCRA) and agreed to pay $1.5 million as a civil penalty for the FCRA violations. It’s an interesting case on the merits, but for today, let’s focus less on the case and more on whom the FTC named individually. Today is all about individual liability and the awful realization that when the FTC starts investigating the company you work for, it may also start investigating you for your role in the challenged practices.
Individual liability is an important consideration at the FTC and will be evaluated in most, if not all, investigations. And it is not necessarily something that will fully surface until the latter portion of an investigation, after staff have had the chance to review emails and documents and take depositions. Ultimately, they will be seeking to better understand who was involved in the challenged practices, how involved they were and what role they played.
In the ITMedia case, the FTC named a whole lot of corporate entities and also named six individuals as defendants – which is more than is typically seen in an FTC complaint. The named defendants include co-founders, chief executive officers and one individual defendant who was “general counsel and chief compliance officer” for several of the entities. The complaint also has a section titled “Participation and Knowledge of Individual Defendants.” Three pages of that section are dedicated to laying out what these individual defendants did and how they either had knowledge of the challenged activities or “intentionally avoid[ed] knowledge” of the challenged conduct and misrepresentations. And with respect to the general counsel, that section provides that he:
[A]pproves potential buyers participating in ITMedia’s lead marketplace, including approving entities that are not lenders, but debt relief services, pre-paid debit card sellers, marketers, lead aggregators, and other entities whose identity, business, and interest in the information is not known to ITMedia. He is the sole manager of ITMedia Solutions, is the chief officer of the company, and has full power to direct and manage the business affairs of the company. He is responsible for day-to-day operations, and the negotiation and performance of all contracts of ITMedia Solutions. [He] also reviewed and approved ITMedia’s purchase of credit scores, all the contracts under which ITMedia has disseminated consumers’ information, and supervised the representations made on ITMedia’s websites to induce consumers to submit sensitive information.
The fact that a general counsel was named is highlighted in the concurring statement of Commissioner Christine Wilson. Her overall thesis is that the FTC should “exercise carefully its prosecutorial discretion” when deciding whether to name individual defendants. She emphasizes the need to be even more cautious when going after an attorney in order to not “chill frank conversations between lawyers and company leadership and thereby undermine compliance efforts, disincentivize qualified lawyers from assuming in-house roles, and undercut the attorney-client privilege.” But ultimately, the commissioner agreed to name the attorney because he “frequently acted in a business capacity,” such as being responsible for some day-to-day operations. She concludes, “Given his alleged participation in the challenged conduct as a business manager rather than as a lawyer, and his ongoing business roles with affiliates of ITMedia, I conclude that individual liability is both warranted and necessary to achieve effective relief.” No commissioners dissented, and no one else issued a statement.
So let’s turn away from this specific case and discuss generally this question: When does the FTC name individuals in complaints? At the outset, there are those cases where naming the individual is necessary because the individual is basically the company; naming the individual is essential because an order against just the corporate entity could be easily circumvented by shutting down the company and establishing a new entity to do the same unlawful conduct. And there are times when the company is basically the alter ego of the individual and the two are virtually one and the same. Some cases that come to mind demonstrating aspects of these principles are a few old ones I worked on, cases such as those involving Kevin Trudeau and Direct Marketing Concepts, and more recently, just look at any of the telemarketing cases or debt collection cases where individuals are routinely named. But there are other cases that require the agency to take a much closer look at the individuals and carefully assess the role they played in the challenged practices.
As a matter of law, what must the FTC show to go after an individual for their role in a corporation’s deceptive or unfair practices under the FTC Act? Well, for starters, the precise standard varies depending on the jurisdiction. And it differs significantly depending on whether the agency is seeking money. In order to obtain injunctive relief only, the standard is relatively modest and can theoretically sweep in a lot of individuals. The agency generally needs to show that the individual participated directly in the challenged practices or had “authority to control” the corporate entity’s practices. And a range of practices can be used to demonstrate authority to control, such as involvement with day-to-day affairs, policy making, overseeing other employees, signing corporate documents and much more. There is no need to demonstrate any sort of ultimate control or decision-making by the individual when the agency “just” seeks injunctive relief. This appears to be a key reason why Commissioner Wilson emphasizes the need for the agency to carefully exercise its prosecutorial discretion when naming individuals. The mere fact that you can name an individual doesn’t mean that it’s always good policy to do so. And keep in mind, the scope of injunctive relief can be quite significant, including not just general conduct prohibitions but also industry bans in some situations.
The standard for individual liability is notably higher when money is on the table, and again, the precise language will vary somewhat by jurisdiction. As we all know by now, AMG has greatly curtailed the ability of the agency to seek money in federal court. So our discussion about seeking money from individuals is really premised on cases that predate that decision. But that said, it’s helpful to see how differently courts once treated individual liability depending on whether the agency was seeking money. Generally, to recover money, the agency must show that the individual had some measure of knowledge of the challenged conduct. The standard is sometimes phrased as actual knowledge or a “knew or should have known” standard, and sometimes it is phrased in terms of reckless indifference. But it’s always going to require a notably more robust showing than the “authority to control” standard for injunctive relief.
Much like everything else these days, whether to name an individual in a complaint has been subject to a number of differing commissioner opinions. In one matter, Commissioner Slaughter issued a dissenting statement because the complaint did not name the CEO. She emphasized the need to name individuals for specific and general deterrence and stated more broadly that she was “particularly interested not only in the evidence of the leaders’ involvement and knowledge but also in the extent to which the alleged law violations permeated a core aspect of the business and whether the corporate culture is one of compliance.” And former Commissioner Chopra was quite vocal over the years about his desire to have the FTC name more individuals, particularly from larger companies. For example, not too long ago he highlighted in a Made in the USA case that the agency had “charged the company’s president personally for his involvement in the alleged violation.” And although he is no longer at the FTC, a quick look at the FTC organizational chart does reveal that quite a lot of current FTC leadership had worked for Commissioner Chopra at some point in the past few years.
Finally, I leave you with one other interesting thing I noticed about this case, having nothing to do with individual liability. This matter has been kicking around for quite some time. Back in 2016, the agency had to file a petition in federal court to enforce the Civil Investigative Demand that it had issued ITMedia. The petition was amicably resolved a few months later, after the court had ruled in the FTC’s favor. I don’t think the petition has any bearing on the issues in this blog, but it is interesting to note just how long some investigations can go on.