Unfortunately, 2014 was another banner year for data breach incidents, resulting in numerous class actions and government investigations. Data security protection was thought to be coming from the Department of Homeland Security, in the form of its Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology. In light of the increased attention on data security from high-profile attacks, however, the Federal Trade Commission (FTC) has been aggressively expanding its authority to provide enforcement for data security standards.
The FTC is not new to the data security game. In fact, it has over a decade of experience confronting data security concerns. The FTC has brought 55 data security enforcement matters since 2002. The extent and frequency of the FTC’s data security activity has increased over the past several years, with approximately 20% of the enforcement actions coming since the appointment of Jessica Rich as Director of the FTC’s Bureau of Consumer Protection in June 2013. According to Director Rich, “data security enforcement remains a critical FTC priority.” Director Rich, who is “a nationally recognized expert in the fields of privacy, data and identity protection, and emerging technologies,” has been involved in the FTC’s privacy and data security initiatives since the 1990s. With a privacy and data security expert at the helm of its Consumer Protection division, the FTC’s increased focus on data security should come as no surprise.
The FTC’s aggressive attempt to expand its powers under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts or practices, is finding support outside of the Commission. In the FTC’s case against Wyndham Worldwide Corporation for failing to protect consumer information, a federal judge denied Wyndham’s challenge to the FTC’s authority to regulate corporate data security practices. According to a Sept. 11 report by the Congressional Research Service, the judge’s ruling effectively lends support to the FTC’s jurisdiction to regulate data security under its unfair or deceptive practices authority. As news of data breaches at mega-retailers like Target and Home Depot becomes more common, punitive FTC enforcement actions should continue to rise.
I. FTC Authority, Enforcement Activities, and Remedies
A. Basis for the FTC’s Data Security Enforcement Authority
Even without a comprehensive federal data security legal framework, the FTC has numerous enforcement tools at its disposal. The Commission generally has enforcement or administrative authority under dozens of consumer protection laws. As noted above, the FTC has relied on its power under Section 5 of the FTC Act to prohibit “unfair or deceptive acts or practices in or affecting commerce” in support of many of its enforcement actions. In addition, the FTC has also asserted violations of numerous other laws in its data security actions, including the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Children’s Online Privacy Protection Act (COPPA), GLBA’s Safeguards and Privacy Rules, FCRA’s Disposal Rule, and the COPPA Rule.
The FTC has sought and obtained substantial relief through its enforcement actions. In many such actions, the FTC has obtained injunctive relief covering a defendant’s conduct for twenty years. The FTC has also obtained civil money penalties for violations of the Disposal Rule, prior FTC consent orders, or the COPPA Rule. And in a very aggressive enforcement move, the FTC has even begun requesting monetary relief for impacted consumers in more recent actions.
B. The FTC Reaches Most Industries, and Holds Companies Liable for Actions of their Vendors and Customers
Few industries escape the broad enforcement authority granted under the FTC Act. For example, the FTC brought data security actions against companies selling data security products and services, retailers, health care-related companies, software and mobile app vendors, and financial institutions. Even companies that do not directly market to or deal with consumers are subject to FTC enforcement. For example, the FTC brought numerous cases against data sellers, payment processors, consumer reporting agencies, and other companies that deal in consumer information.
The FTC even holds companies responsible for data security failings caused by vendors and other third parties. In several instances, the FTC sought to hold companies responsible for the security deficiencies of third-party clients or end users of the companies’ products or services. By way of example, companies that sold or resold consumer information were made to answer for failing to ensure that the downstream purchasers of that information adequately protected the sensitive consumer data. With the prospect of facing liability for the conduct of vendors and customers, companies must closely examine the data protection practices and capabilities of their business partners.
C. FTC Pursues Claims against Individuals
As a demonstration of just how seriously the FTC takes data protection, it now brings enforcement actions against individuals alleged to have formulated, directed, controlled, had the authority to control, or participated in the allegedly unlawful acts or practices of their affiliated corporate entities. Since 2002, the FTC has named individual defendants, on their own or in addition to their affiliated companies, in as many as ten data security actions. In other words, individuals responsible for data security breaches, either directly or in a supervisory capacity, now face individual monetary liability.
II. FTC Focus Areas
A. Pre-Breach Risk Detection and Avoidance
While the FTC has stated that “the mere fact that a breach occurred does not mean that a company has violated the law,” it does not require an actual breach to bring an enforcement action. Indeed, the FTC rejects the notion that its enforcement authority depends upon the occurrence of an actual data breach. Rather, the FTC also focuses on preventing data breaches in the first instance. In fact, almost one-third of enforcement actions since 2002 were not based on actual data breaches. Instead, the FTC alleged that the companies’ practices increased the risk of a data breach and/or misrepresented the extent of the companies’ data security measures. In other words, companies must put safeguards in place to protect against data breaches or face FTC liability.
B. The FTC Broadly Defines Protectable Consumer Information
Of course, the FTC considers consumer financial account and Social Security numbers to be sensitive consumer information. However, through its enforcement actions, the FTC also requires protection of less sensitive consumer information. Among the information types covered by FTC enforcement actions are consumer email addresses, internet browsing histories, and social media activities. Companies must be cognizant that the FTC consistently requires that companies protect broad categories of information, including Social Security numbers; driver’s license numbers; financial account information; first and last name; home address; email addresses and other electronic identifiers, such as cookies or social media usernames; account passwords; dates of birth; telephone numbers; consumer photos and videos; and/or health-related information. With such a broad list of protected consumer information, the recent increase in FTC enforcement actions makes sense.
C. Unnecessary Collection or Retention of Consumer Information
The collection and retention of data that needs to be protected is at the heart of data security. Companies with data collection and retention policies that unreasonably increase data security risks and threats are often targets of FTC action. For example, the FTC has pursued companies for collecting more information than was disclosed to consumers in privacy policies and for keeping consumer information when they no longer had any business need for the information. The FTC’s focus on retained information also calls into question company practices regarding customer information contained on older or disused computer equipment, which can create a data breach if mishandled.
III. Key Steps to Minimize Regulatory Issues with the FTC
The FTC has stated that “[t]he touchstone of the Commission’s approach [to data security]… is reasonableness.” While this does not provide much in the way of specific guidance, it is clear that data security measures must be reasonable for the company, but also for the company’s industry.
A. Companies Should Comply with Industry-Standard Data Security Measures
As noted, the FTC evaluates a company’s data security under a reasonableness standard. Where specific rules or guidelines are in place, as with HIPAA in the health care field and the FCRA in the consumer credit industry, what the FTC considers reasonable can be as simple as compliance with those industry-specific rules. Where no such rules exist, however, the FTC has often looked at a company’s allegedly deficient data security practices in light of standard industry practices. Through its enforcement cases, the FTC essentially defines what it considers “reasonable” data security measures.
In multiple instances, the FTC has pointed to the failure to protect against well-known data security threats and vulnerabilities as an unreasonable data security practice. For example, the FTC has cited a company’s failure to implement free or low-cost defenses against well-known third-party hacking attacks, such as Structured Query Language (SQL) injection and cross-site scripting attacks, as well as its disabling of critical security measures. In addition, the FTC has cited companies’ failures to use well-known data security measures, such as validating Secure Sockets Layer (SSL) certificates, employing firewalls to segregate and protect sensitive information, encrypting data on devices that could be stolen or misplaced, and wiping or destroying data no longer in use. Essentially, anything that constitutes an “easy” fix, or something most of the industry is already doing, can be considered a “reasonable” component of a data security program.
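To make concrete what a “free or low-cost defense” against SQL injection looks like, the following added example (written for this page, not code from the article or from any company it discusses) shows the same customer lookup written two ways: one that splices user input into the query text, and a hardened one that binds the input as a parameter. The database, table name, column names and rows are all constructed here for the demonstration.

```python
"""Added example (not from the article): a customer lookup written two ways,
one open to SQL injection and one parameterized.  The in-memory database,
the `customers` table and its rows are constructed for this demonstration."""
import sqlite3


def build_demo_db():
    """Create an in-memory SQLite database with a few constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, ssn_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "1234"),
            (2, "bob@example.com", "5678"),
            (3, "o'brien@example.com", "9012"),
        ],
    )
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: user input is spliced into the SQL text, so a quote character
    in the input changes the query's structure instead of being treated as data."""
    sql = "SELECT id, email FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: the driver binds the input as a parameter, so it can only ever be
    compared as a value and is never parsed as SQL.  Same cost, same line count."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email):
    """Run both variants against the same input.

    Returns (unsafe_rows, safe_rows); unsafe_rows is None when the spliced
    query no longer parses, which is itself a sign that input reached the parser."""
    conn = build_demo_db()
    try:
        unsafe = lookup_unsafe(conn, email)
    except sqlite3.OperationalError:
        unsafe = None  # malformed SQL: the input broke the query
    safe = lookup_safe(conn, email)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    # A normal address, a legitimate address containing an apostrophe, and the
    # classic tautology input that the vulnerable variant fails to contain.
    for probe in ["alice@example.com", "o'brien@example.com", "x' OR '1'='1"]:
        unsafe, safe = compare(probe)
        print(f"{probe!r}: unsafe -> {unsafe}, safe -> {safe}")
```

The apostrophe case is the one worth noting for a compliance review: the unsafe variant fails even on honest input such as a customer named O’Brien, so the parameterized form is not only the secure choice but the one that works correctly. The tautology input returns every row from the unsafe query and no rows from the parameterized one.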
B. Employee Training and Management on Data Security Issues
Not only must companies guard against outside data security threats, but they must also control data security risks posed by their own employees. Many FTC cases involve the disclosure, both intentionally and unintentionally, of consumer information by company employees. By way of example, the FTC pursued a company where its employees downloaded peer-to-peer software programs for personal use, resulting in unauthorized disclosure of consumer data. The FTC also targets situations where company employees steal consumer information or access consumer information without authorization. In addition, some FTC cases involve employees losing unencrypted hardware containing sensitive consumer information, or employees failing to test software programs resulting in the disclosure of consumer information. Essentially, any situation where an employee’s action or inaction places data at risk can result in FTC liability.
C. Be Good at the Basics
Considering the depth and breadth of data security issues, protecting consumer data is a daunting challenge for any company. In the face of such a challenge, companies may overlook relatively easy protective measures in favor of focusing on complex system intrusion risks. In light of the potentially severe consequences of running afoul of the FTC for failing to protect consumer data, companies must take care of the “easy” risk categories, such as locking away physical records, properly eliminating electronic data, and limiting non-essential employee access to private consumer data. Numerous FTC cases involve the improper disposal of paper documents and digital files containing sensitive consumer information. In certain cases, the FTC can seek civil money penalties of $16,000 per violation. Thus, neglecting basic risks can carry a substantial economic cost on top of the financial and reputational costs of public data breaches.
Companies must be mindful of the extent to which the FTC seeks to protect consumer information. The FTC has already signaled its aggressive stance on data security, and high-profile breaches like those at Target and Home Depot provide additional support for its efforts. Moreover, there are currently eight bills pending in Congress that would affect the FTC’s role in data security, including several that propose granting the FTC the authority to promulgate information security standards, to impose civil penalties on companies that fail to meet certain standards, and to issue administrative rules.
As the FTC’s enforcement history demonstrates, it takes a hard-line approach to data security. Rather than focusing on a single facet of data security, the FTC considers the problem from the initial collection of data all the way through the response to an actual data breach. According to the FTC, reasonable and adequate data security programs must be a fluid “continuing process of assessing and addressing risks.” In order to satisfy the FTC, all companies, whether or not they have experienced a data breach, must take steps to ensure that they have appropriate policies, procedures, and industry-standard measures in place to protect consumer data. Furthermore, those policies, procedures, and measures must evolve with changes in company operations and technology.