Is Your Business Ready for FTC Oversight of Data Security?

On August 24, the Third Circuit issued its opinion in FTC v. Wyndham Worldwide Corp. At issue was the FTC's assertion of oversight authority in regulating the cybersecurity practices of businesses. Traditionally, the FTC has enjoyed broad authority to protect consumers from harmful business practices; 15 U.S.C. § 45(a)—part of the Federal Trade Commission Act—prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC Act defines “unfair acts or practices” as those that cause or are likely to cause “substantial injury to consumers which (are) not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The FTC is empowered to enforce this prohibition using administrative remedies (in a trial-type proceeding before an administrative law judge) and/or judicial remedies (in a federal court by seeking civil penalties and/or injunctive relief).

Yet, the question, of course, remained whether the FTC could harness that authority to also regulate data security practices.

In Wyndham, the FTC charged the hospitality company with failing to properly secure personal information collected from hotel customers. These failures allegedly allowed intruders to gain unauthorized access—on three separate occasions—to payment card information on more than 619,000 customer accounts resulting in $10.6 million in fraud losses. The FTC argued that Wyndham failed to employ a number of readily available and commonly used data security measures and that it accordingly published a deceptive privacy policy. After losing its motion to dismiss, Wyndham challenged the FTC’s authority to regulate cybersecurity practices under the unfairness prong of 15 U.S.C. § 45(a) by interlocutory appeal. A unanimous Third Circuit panel not only found the FTC indeed had authority to regulate cybersecurity practices under the FTC Act, but that Wyndham had adequate notice that its security practices may have fallen short of the requirements of the FTC Act.

The Wyndham case is only one example of the FTC’s recent move to fill the vacuum left by Congressional inaction related to data security oversight and the perceived inability of traditional civil litigation to alter security behavior. For example, the FTC has settled with companies such as Fandango and Credit Karma for failing to secure data transmitted through their mobile applications, has targeted companies such as Snapchat for failing to follow their own published data security policies and has recently settled with companies claiming, but failing, to comply with international data privacy standards.

The recent Wyndham decision, however, was widely considered the litmus test for whether the FTC’s expansion into data security practices would hold. Now that it has, the implication for business could be significant. Virtually every business sector is finding it necessary to collect, maintain, analyze and monetize user data. Mobile apps, Internet-of-Things devices, retail, hospitality like Wyndham, healthcare providers, media firms and financial institutions—just to name a few—collect mountains of information daily. Mismanage that data, and the FTC may come knocking. Once a company is in the FTC’s crosshairs, that company is often forced to expend substantial resources in the form of compliance costs or even legal fees. Companies may also be asked to overhaul data security policies and practices, hire third-party auditors, notify affected customers and/or subject themselves to continual FTC oversight for as many as 20 years.

So, what steps can your company take to maintain compliance given likely increased FTC regulatory oversight? 

Review and confirm compliance with your published privacy policy.

Companies should review their published privacy policies. Many times, especially for start-ups, these policies are simply cut-and-paste from other websites without much attention given to whether they accurately reflect what is happening behind the scenes. Failing to follow the terms of your own published privacy policies is one of the greatest risks in triggering an FTC claim that a company’s actions are “unfair” or “deceptive.” An organization should therefore ask itself whether it is actually performing the commitments made in the privacy policy and handling data in a way consistent with how the process is described.

Revisit your internal data collection policies and practice.

Companies should review their internal data collection policies and practices and ask the following questions:

  • Is user data collected in an efficient way?
  • Is user data collected in a transparent fashion, with notice provided to the consumer?
  • Is user data anonymized and periodically wiped to minimize damage if there is an unexpected breach?
  • Are there strict standards governing the disclosure of information to third parties?

Often, collected data is unused by companies—and, often, the security of unused data is overlooked. If your organization does not need certain data or can otherwise limit the impact of a data breach through anonymization of the data, the compliance risk will also almost certainly be reduced.

Review and supplement your security architecture.

Third, companies should consider reviewing and updating, when necessary, security infrastructure to align with commonly used and readily available data security measures, such as:

  • Implementing restrictions requiring that consumers use complex passwords;
  • Preventing servers from using commonly known default user IDs and passwords;
  • Setting up basic firewalls;
  • Maintaining a proper inventory of its computers;
  • Encrypting highly sensitive data, such as payment card information, in a form that is not “clear readable text”;
  • Ensuring that any and all subsidiaries of the organization implement adequate information-security policies and procedures before connecting them to the main network;
  • Installing updates and security patches for server operating systems;
  • Monitoring the network for malware used in previous intrusions, and
  • Restricting third-party access to the network.

Any or all of these are neither sufficient nor even necessarily mandatory. That said, spending the time at the front end to assess how your organization’s security architecture compares to industry standards is not only good business practice, it may provide a strong defense against a potential FTC investigation.

Verify compliance with industry and state-specific data privacy rules.

Finally, companies should be aware of industry and state-specific privacy regulations. For example, organizations providing online services that may be used by children under 13 must comply with the Children’s Online Privacy Protection Act (COPPA). COPPA requires that the organization provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children. The company must maintain the confidentiality and security of a child’s information and retain the information only as long as is necessary to fulfill the purpose for which it was collected. Other industries such as banking, healthcare and education face their own collection of specialized data privacy regulations.  

The problem of data security for companies of all sizes will only grow as the complexity of varying threats and the costs to defend against those threats accelerate. Not only do companies face highly damaging media attention should a breach occur, the real possibility of increased FTC involvement following Wyndham will undoubtedly keep executives and general counsel on edge. Despite the changing landscape, companies can prepare for the unknown by thinking proactively about data security and, subsequently, updating and adhering to best practices.

The alternative may, unfortunately, be a costly and distracting bout with the FTC.

Reprinted with permission of IAPP. The original article appears at:

The articles on our Website include some of the publications and papers authored by our attorneys, both before and after they joined our firm. The content of these articles should not be taken as legal advice.