FTC data privacy enforcement will threaten corporate bottom lines
The Federal Trade Commission is increasingly under pressure to hold organizations accountable for safeguarding the personal information they collect, use and share. Insufficient data security and privacy practices can lead to FTC investigations, fines and settlements.
In most of these cases, the FTC charges defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.
In the face of extensive consumer ire, the FTC is looking to prove it can take serious action against offenders. Social networking giant Facebook will soon face an impressive multi-billion-dollar fine for its role in passing customer information to a large (and now defunct) data company, Cambridge Analytica, in 2016, as well as for other privacy violations. The privacy fine is expected to be the single largest the FTC has ever brought against an offending entity.
Legislation and the FTC’s Reach
Despite the mounting concerns over data security and privacy practices that put consumers’ data at risk, the U.S. Congress has yet to adopt national legislation to address cybersecurity, and security spending will see only a nominal increase under the current administration’s recent budget proposal. Consequently, organizations are subject to a patchwork of laws and regulations relevant to cybersecurity and privacy practices, including differing laws and regulations in each state and the District of Columbia, as well as rules from multiple federal administrative agencies.
In the absence of a national law, the FTC has taken a broad approach, extending its supervision over all companies operating in the United States. In fact, the FTC has assumed a leading role in policing corporate cybersecurity practices since 2002. Since that time, it has brought more than 200 cases against companies for unfair or deceptive practices that endangered the personal data of consumers.
The FTC brings enforcement action against organizations that violate consumers’ privacy rights when they deceive consumers by claiming they will protect the consumers’ information. Such actions are the result of the FTC finding that the organizations in fact did not protect such information because their data security and privacy practices were not adequate.
Failure to protect consumers’ information through inadequate security measures comes in many forms including: poor system monitoring, weak firewalls and intrusion detection, weak user controls, and poor application security that fails to identify and remediate vulnerabilities. Poor application security leaves organizations (and by proxy, their customers, employees and others) vulnerable to cyberattacks.
The FTC also brings action against those who engage in deceptive privacy practices. These organizations misrepresent their practices related to collection, use or sharing of consumers’ information.
In the case of Facebook and Cambridge Analytica, Facebook did not disclose the data directly to Cambridge Analytica, but permitted information it held on users to flow to application developers by not restricting their access. One such developer took full advantage of that access, then shared the information with Cambridge Analytica.
Fines are not the only measure taken by the FTC. Fines are often accompanied by consent decrees. Consent decrees enable organizations to settle the violation with the FTC without admission of guilt.
Consent decrees can be extremely costly and last for years. Snapchat, the company behind the popular mobile messaging app, agreed to a 20-year consent decree to settle FTC charges over representations made to users about disappearing messages sent through the service. The company is now closely monitored by the FTC and spends millions to comply. For example, it must:
- Submit to the FTC biennial privacy risk assessments from an independent third party approved by the FTC.
- Provide, upon the FTC’s request and for up to five years after their creation, all consumer complaints related to the conduct prohibited under the consent decree and any responses to those complaints.
- Provide, upon the FTC’s request and for up to five years after their creation, all materials relied upon to prepare the risk assessment, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies and training materials.
Violations of a consent decree are a crime and can result in accumulation of penalties. Facebook’s new FTC charges are expected to include some of these penalties for violation of its previous FTC consent decree. Facebook and the FTC are also negotiating a new 20-year consent decree that will mandate long-term, high-impact structural changes to Facebook’s business model.
The Rising Danger of Cyberattacks
Cyberattacks continue to increase in frequency and severity. Attackers use more sophisticated methods to exploit weaknesses; for instance, attackers now use artificial intelligence to outsmart corporate cyber defenses. These advanced tactics, when successful, can also result in a hit to a company’s bottom line.
A 2018 Ponemon Institute study found that the average total cost of a breach now ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records. Companies also pay the price for reputational damage and lost trust. Ripple effects often include loss of current and potential customers, investors and future opportunities.
The Bottom Line
Given the FTC’s increased role in policing cybersecurity, organizations should take these recent developments under advisement and critically examine their cybersecurity practices and policies to protect their own bottom line against the risk of an FTC enforcement action arising from a data breach, consumer complaints or other occurrence. The absence of prescriptive government regulations that enforce good corporate behavior creates ambiguity for companies.
It is very difficult for organizations to definitively conclude what or how much they should do to avoid FTC enforcement. Therefore, companies continue to look for guidance on cybersecurity best practices from nationally recognized industry bodies and the government itself.
The FTC has published guidelines and metrics to help organizations determine if their cybersecurity and data privacy practices are adequate, or if they need to update policies and technology to strengthen their privacy practices and cyber defense stance. The National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce, maintains the NIST Cybersecurity Framework to guide organizations in reducing cybersecurity-related risk.
Compliance with NIST standards and guidelines has become a top priority in many high-tech industries today. The NIST website offers a valuable, free resource for use by any size organization.