Insights
Caution: Your Company's Biggest Privacy Threat is...the FTC
04.01.14
By Sanjay Nangia
Technology companies—from startups to megacorporations—should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and photo-sharing social network, Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.
Vested with comprehensive authority and unburdened by certain hurdles that class actions face, the FTC appears poised for more action. The FTC’s basis for its authority in the privacy context originates from the Federal Trade Commission Act (FTC Act) and is quite broad. Simply put, it may investigate “unfair and deceptive acts and practices in or affecting commerce.” In addition to this general authority, the FTC has authority to investigate privacy violations and breaches under numerous sets of rules, including the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act including disposal (FCRA), the Gramm-Leach-Bliley Act (GLB), and the Telemarketing and Consumer Fraud and Abuse Prevention Act. Nor is the FTC hampered with the requirements of private class action litigation. For example, successful privacy class actions often must establish that consumers were harmed by a data breach (as in In re Barnes & Noble Pin Pad Litigation), consumers actually relied on a company’s promises to keep the information confidential (as in In re Apple iPhone Application Litigation), or the litigation will not be burdened with consumer-specific issues (such as whether the user impliedly consented to the disclosure, as in In re: Google Inc. Gmail Litigation).
The FTC has often focused on companies failing to adhere to their own stated policies, considered a “deceptive” practice by the FTC. More recently, the FTC settled with the maker of one of the most popular Android Apps, “Brightest Flashlight Free.” While the App informed users that it collected their data, it is alleged to have failed to disclose that the data would be shared with third parties. And though the bottom of the license agreement offered consumers an opportunity to click to “Accept” or “Refuse,” the App is alleged to have already been collecting and sending information (such as the location and the unique device identifier) prior to receiving acceptance. Just last week, the FTC settled with Fandango for allegedly failing to secure data transmitted through its mobile app, in contravention of its promise to users. The FTC alleged that Fandango disabled a critical security process, known as SSL certificate validation, which would have verified that its app’s communications were secure. As another example, the FTC recently settled with a maker of a camera device used in homes for a variety of purposes, including baby monitoring and security. The device allows the video to be accessed from any internet connection. The devices are alleged to have “had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.”
Companies have also been targeted for even slight deviations from their stated policies. For example, the FTC recently reached settlements with BitTorrent and the Denver Broncos. The entities were blamed for falsely claiming they held certifications under the U.S.-EU Safe Harbor framework. In reality, the entities had received the certifications but failed to renew them. The safe harbor is a streamlined process for US companies (that receive or process personally identifiable information either directly or indirectly from Europe) to comply with European privacy law. Self-certifying to the U.S.-EU Safe Harbor Framework also ensures that EU organizations know that the organization provides "adequate" privacy protection.
Perhaps most surprising to companies is the FTC’s assertion that it may require them to have reasonable data protection policies in place (even if the company never promised consumers it would safeguard the data). Failure to secure data, according to the FTC, is an “unfair” practice under the FTC Act. For example, the FTC recently settled with Accretive Health, a company that handles medical data and patient-financial information. Among other things, Accretive was alleged to have transported laptops with private information in an unsafe manner, leading to a laptop (placed in a locked compartment of an employee’s car) being stolen. It is estimated that the FTC has brought over 20 similar types of cases, but all but one settled before any meaningful litigation. The one: a case against Wyndham Hotels. There, the FTC has alleged that Wyndham failed to adequately protect consumer data collected by its member hotels. According to the FTC, hackers repeatedly accessed the data due to the company’s wrongly configured software, weak passwords, and insecure servers. Though Wyndham’s Privacy Policy did not technically promise that the information would remain secure, the FTC faulted it for the lapse anyway. Wyndham has challenged the FTC’s position in federal court and a decision is expected soon.
Being a target of an FTC action is no walk in the park. In addition to paying for attorney fees, the FTC often demands significant remedial measures. For instance, the company may be asked to (1) create privacy programs and protocols, (2) notify affected consumers, (3) delete private consumer data, (4) hire third-party auditors, and (5) subject itself to continual oversight by the FTC for 20 years. What is more, if a company ever becomes a repeat offender and violates its agreement not to engage in future privacy violations, it will face significant fines by the FTC. In this regard, for example, Google was required to pay $22.5 million for violating a previous settlement with the FTC.
All told, technology companies should not feel emboldened by recent class action victories in the privacy context. To avoid FTC investigation, they should carefully review their data handling practices to ensure that they are in accord with their privacy policy. Further, they would be wise to invest in the necessary resources required to safeguard data and regularly ensure that their methods are state of the art.