The Federal Trade Commission (“FTC”) has, over the last decade, emerged as the primary federal agency responsible for overseeing the private sector’s data privacy and data security efforts. Data-related cases now form a significant component of the FTC’s overall consumer protection enforcement program. Indeed, over the last 12 months, one out of every ten consumer protection enforcement actions brought by the Commission involved a data-related issue.
Privacy and security have not, however, received equal attention at the Commission. Historically, the Commission’s primary enforcement focus has been on data security, and most of its enforcement cases involved allegations that a data security breach could have been prevented had the company maintained better security practices. As little as three years ago, more than two-thirds of the FTC’s data-related enforcement actions rested on allegations of inadequate data security. The tide has turned. For two years now, the majority of FTC enforcement actions have been premised on data privacy rather than data security, and the trajectory of enforcement appears to be continuing in that direction.
[Graph: data privacy versus data security enforcement actions]
The shift has come hand-in-hand with renewed efforts by the Commission to obtain monetary relief, whether in the form of civil penalties for violations of Commission rules or equitable remedies such as restitution or disgorgement. Indeed, during the past 12 months the Commission obtained monetary relief in 20% of its cases, resulting in a record of more than $24 million in penalties and redress.
[Chart: monetary relief obtained in FTC data-related cases]
With the FTC’s renewed emphasis on data privacy, companies should take care to review their data privacy practices. Among other things, it is essential to:
- Identify the personally identifiable information collected by your company, whether the information relates to customers, employees, or other third parties.
- Review all of your privacy representations, wherever they are made (privacy policies, website notices, marketing materials, contracts, and public statements).
- Identify each instance in which your organization shares information, and review those sharing practices for consistency with legal requirements as well as regulatory best practices.
- Conduct due diligence on any entity with which you share information. Obtaining representations and warranties concerning that entity’s data security practices may not be sufficient to address data privacy concerns, since a recipient can keep data secure yet still use or disclose it in ways inconsistent with the promises you made when collecting it.
- Periodically monitor whether complaints have been submitted to the FTC, or to other agencies, about your organization’s data privacy practices.