A PRIMER ON FTC CYBERSECURITY ENFORCEMENT
According to the Breach Level Index, the total number of data records lost or stolen in just the first half of 2016 was 554,454,942, stemming from 974 breach incidents. In the entire year of 2015, there were 707.5 million data records compromised. Over one billion Yahoo accounts were compromised in August 2013, the single largest breach in history.
The Federal Trade Commission (“FTC”) has brought 60 cases relating to data security since 2000. The pace at which these cases have been brought is increasing. While the perception may be that smaller companies with less data have less to worry about by way of data breaches because they have “little” client data, or “only” employee data, this is misguided. An estimated 62% of all cyber breaches occur in small and mid-market companies. The primary causes of data breaches are employee or contractor mistakes, such as stolen and lost laptops, and procedural error.
The FTC has enforcement authority over unfair and deceptive trade practices under the Federal Trade Commission Act, 15 U.S.C. § 45. This is important because the Third Circuit Court of Appeals has ruled that this authority extends to cybersecurity. FTC v. Wyndham, 799 F.3d 236 (3d Cir. 2015). The practical lesson is to take the following steps: (1) develop a company-wide policy on protecting consumer data; (2) coordinate with outside, independent, professional third parties to assess the effectiveness of existing cybersecurity practices; (3) develop effective cybersecurity practices to ensure adequate protection of consumer data; (4) train and monitor personnel to protect consumer data; (5) ensure consumers receive adequate disclosure on the use of the information collected from them; and (6) most importantly, develop a written data breach response plan, including procedures and mechanisms for handling data breaches, along with identifying and hiring in advance the professionals you will need. The FTC actions below demonstrate the importance of each of these steps.
In December of 2016, the FTC brought an action against Ruby Corp., which operates AshleyMadison.com. The gravamen of the complaint was that the defendants failed to contractually require service providers to implement reasonable security, failed to train their personnel to perform data security related duties, and failed to implement reasonable access controls. For instance, they failed to monitor unsuccessful login attempts by customers, and failed to restrict employee access to systems based on job function. These and other failures resulted in hackers essentially holding 9.7 gigabytes of online information pertaining to more than 36 million AshleyMadison.com customers for ransom. Most notable was that profiles of AshleyMadison.com customers who had paid $19 for a full delete of their online dating profiles were included among these 36 million people, despite being assured upon the deletion of their accounts that their digital trails would be deleted. Ruby Corp. often retained personal information for these consumers for up to 12 months and even failed to remove the profiles from its internal systems. In addition to mandating a comprehensive data security program and data assessments by a third party, the stipulated order required a hefty $8,750,000 payment to the FTC.
In the 11th Circuit, LabMD is currently appealing the FTC’s final order and opinion issued in an enforcement action against it. In this matter, a LabMD billing manager accidentally shared, on a P2P file-sharing program, 1,718 pages of sensitive consumer information for approximately 9,300 customers. This information included names, dates of birth and social security numbers. The billing manager compromised this information by accidentally designating for sharing the entire contents of her “My Documents” folder on the P2P program. Interestingly, no tangible harm to consumers occurred as a result of this breach. Accordingly, at issue before the 11th Circuit is whether the “substantial injury” requirement of the FTC Act can encompass intangible harms like embarrassment, reputational injury and privacy invasions. The 11th Circuit issued a temporary stay of the FTC’s final order, which signals that it likely does not qualify, but the matter is still pending. LabMD filed its brief on December 27, 2016; LabMD filed its brief on February 9, 2017.
However, the FTC’s enforcement authority has not been limited to instances involving inadvertent disclosure of otherwise confidential consumer information. For instance, in an enforcement action against Practice Fusion, Inc., the FTC filed a complaint alleging that Practice Fusion had engaged in deceptive acts or practices in violation of Section 5(a) of the FTC Act when Practice Fusion’s website posted over 600,000 reviews of physicians collected from consumers during the previous year. In the Complaint, the FTC alleged that Practice Fusion’s business practices violated the Act because Practice Fusion did not adequately disclose to consumers that their survey responses would result in the disclosure of their medical and personal information over the internet.
Even after FTC actions reach a resolution, entities that violate the resulting orders are subject to stiff penalties. For instance, in FTC v. LifeLock Inc., 2016 U.S. Dist. LEXIS 17973 (D. Ariz. 2016), the FTC alleged that LifeLock Inc. violated a court’s permanent injunction, which prohibited it from misrepresenting the extent to which it protected consumer privacy, by failing to establish a comprehensive security program and then falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions. The Court ordered a judgment in favor of the Commission of $100,000,000 pending resolution of the claim.
While preventable to a great extent, data breaches are inevitable. The errors leading to cybersecurity breaches are often preventable by merely implementing a plan to prevent them in the first place, but even the most comprehensive cybersecurity plan is no 100% guarantee that some consumer data will not be inadvertently compromised at some point. Note, however, that it is not the FTC’s intent to take action against all data breaches. Rather, the FTC is concerned with the absence of, or otherwise poor, practices and methods that lead to the breach.
The jurisprudence of FTC cybersecurity enforcement thus far has exposed an underlying framework for avoiding FTC action. Avoid an FTC enforcement action by taking the following steps: (1) developing a company-wide policy on protecting consumer data; (2) coordinating with outside, independent, professional third parties to assess the effectiveness of existing cybersecurity practices; (3) developing effective cybersecurity practices to ensure adequate protection of consumer data; (4) training and monitoring personnel to protect consumer data; (5) ensuring consumers receive adequate disclosure on the use of the information collected from them; and (6) most importantly, developing a written data breach response plan, including procedures and mechanisms for handling data breaches, along with identifying and hiring in advance the professionals you will need.
by: Brian C. Lawrence