The cost of data breaches is astounding. A recent study by the Ponemon Institute estimates that data breaches cost US organizations an average of $5.4 million (this figure excludes uncommon “catastrophic” data breaches involving over 100,000 compromised records). Exacerbating the problem is the fact that if the Federal Trade Commission (FTC) gets involved, those costs are likely to climb. Unfortunately, many organizations are finding out the hard way that the FTC takes data breaches seriously, whether the breach involves ten thousand or tens of millions records.
FTC Enforcement Actions on the Rise
The FTC’s Bureau of Consumer Protection has recently stepped up investigations into data-breaches on behalf of consumers as more organizations collect, store, and use sensitive information. This stepped up activity is consistent with recent comments from FTC Commissioner Julie Brill where she stated that “more aggressive action” from regulators and businesses alike should be encouraged to protect consumer privacy. Likewise, FTC Deputy Director Daniel Kaufman has argued for more substantial penalties in the area of data security.
The FTC is not only talking the talk, they are walking the walk. They routinely exercise the authority granted to them by Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) which authorizes the Commission to “prevent unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce.” The Act includes provisions for injunctive relief, disgorgement, consumer redress and settlement orders that can bind companies with substantial monetary penalties. The FTC also has enforcement or administrative responsibilities under more than 70 different federal statutes such as the Fair Credit Reporting Act (FCRA) (15 U.S.C. § 1681) and the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. § 6501).
What triggers an FTC investigation?
In a recent webinar, FTC attorney Katherine McCarron explained that the FTC “look[s] at a company’s security procedures and determine[s] whether they are reasonable and appropriate in light of all the circumstances” when evaluating an organization’s conduct. Like most legal standards, the precise definition of “reasonable and appropriate” is subjective and often depends on facts of the case, including the sensitivity of the data and magnitude of the breach.
For example, an enterprise responsible for securing large amounts of sensitive data like credit cards or social security numbers may face a much higher level of scrutiny than a small company trusted with only nominal amounts of consumer information.
Perhaps surprising to some, is that the FTC interprets Section 5 broadly and takes the position that an actual injury or breach is not required to pursue an investigation. McCarron explains that the legal injury to consumers can involve a: “Practice that causes or is likely to cause substantial consumer injury . . . . It can be a probability in the future.” And, as McCarron explains, a substantial injury doesn’t necessarily require a major breach of extremely sensitive information — it could be “a small injury to a lot of people.”
For example, in 2013, HTC settled an FTC investigation over a software design flaw that could have exposed millions of consumers’ personally identifiable information (PII) stored on HTC mobile devices, despite the fact that there was no actual breach. In addition to an obligation to redesign the software to fix the weakness, HTC is now obligated to “undergo independent security assessments every other year for the next 20 years.”
The FTC has also stepped up enforcement actions against organizations based on terms of use or privacy statements that are “deceptive” to consumers. For example, in 2012, the FTC obtained a $22.5 million settlement from Google for allegedly placing tracking “cookies” on the computers of Safari users. According to the complaint, Google erroneously informed users that the Apple Safari browser’s default settings would block tracking cookies that enabled Google’s advertising service to place targeted advertisements. Similarly, the FTC has pursued developers for failing to properly disclose in their terms of use whether information would be shared with third parties or not.
Conclusion
FTC enforcement actions have skyrocketed in recent years and any organization that deals with consumer information is potentially vulnerable. That means organizations should take reasonable steps to comply with data privacy representations made to consumers. Similarly, organizations need to establish policies and procedures to help prevent consumer data breaches in addition to deploying readily available data security technology to detect and guard against vulnerabilities. To hear more of McCarron’s insights and tips for implementing good data protection policies, log into the free recorded webinar titled: “The FTC on Fraud, Deception & Data Privacy Enforcement Actions.”