The FTC has recently extended its reviews of specific security practices beyond its historical boundaries, citing failures such as:
- The use of unencrypted backup tapes, laptops, external hard drives, and USB drives (several of which were actually stolen from an employee’s personal vehicle; these items contained personal information and network passwords and protocols)
- Transporting portable media containing personal information in a manner making the media vulnerable to theft
- Retention of a legacy database (due to inadequate supervision of vendor) in a vulnerable format on its network
- Not restricting database access on employee “need to know” basis
- Failure to destroy personal information for which CBR no longer had a business need
- Failure to monitor for unauthorized system intrusions.
Recently, the FTC settled charges against Fandango and Credit Karma alleging that those companies, among other failures, disabled SSL certificate validation for transmissions of personal information, “which would have verified that the apps’ communications were secure.” Indeed, in its guide “Mobile App Developers: Start with Security,” the FTC states that these developers should deploy and maintain “HTTPS or another industry-standard method” for transmission encryption.
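The failure the FTC cites, certificate validation switched off in a client that still nominally uses HTTPS, is easy to miss in code review because the connection still "works". The following is an added example, not code from the FTC, Fandango or Credit Karma; it uses only Python's standard `ssl` module, and the function names, the source snippet it scans and the check labels are constructed here for illustration. It shows what a disabled-validation client configuration looks like beside a hardened one, an audit function that flags the weak settings on a live `SSLContext`, and a simple source scanner for the common ways validation gets turned off.

```python
from __future__ import annotations

import re
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The failure mode: a context that encrypts but trusts any certificate.

    This is what 'disabling SSL certificate validation' typically looks like
    in practice; a man-in-the-middle can present any certificate and the
    client will accept it. Shown here only so the audit below has something
    to flag; never ship this configuration.
    """
    ctx = ssl.create_default_context()
    # check_hostname must be cleared before verify_mode can be set to CERT_NONE,
    # otherwise the ssl module raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """A client context that actually verifies the peer.

    create_default_context() already loads the platform trust store, requires a
    certificate and checks the hostname; we additionally pin the floor to TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of human-readable findings; an empty list means 'looks sane'."""
    findings: list[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (verify_mode=CERT_NONE)")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("certificate verification optional (verify_mode=CERT_OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (minimum_version)")
    return findings


# Source-level patterns that almost always mean validation has been switched off.
# Labels are constructed for this example.
INSECURE_PATTERNS = [
    (re.compile(r"\bverify\s*=\s*False\b"), "requests-style verify=False"),
    (re.compile(r"\bcheck_hostname\s*=\s*False\b"), "ssl check_hostname=False"),
    (re.compile(r"\bCERT_NONE\b"), "ssl verify_mode=CERT_NONE"),
]


def find_disabled_verification(source: str) -> list[tuple[int, str]]:
    """Scan Python source text and return (line_number, label) for each hit."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, label in INSECURE_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


# Constructed sample source, as it might appear in an app's networking layer.
SAMPLE_SOURCE = """\
import requests
import ssl
resp = requests.get(url, verify=False)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
safe = requests.get(url)
"""


if __name__ == "__main__":
    print("weak context:", audit_tls_context(weak_client_context()))
    print("hardened context:", audit_tls_context(hardened_client_context()))
    for lineno, label in find_disabled_verification(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}")
```

The context audit is the check to run at startup or in a test against whatever `SSLContext` the app actually hands to its HTTP client; the source scanner is a cheap pre-commit gate for the patterns that developers add to silence certificate errors during testing and then forget to remove.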
In April, a U.S. district court rejected the motion to dismiss filed by a defendant hotel conglomerate (Wyndham), challenging the FTC’s authority to assert a data security claim under its enforcement authority pursuant to FTCA §5. In that case, the FTC alleged that Wyndham engaged “in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft;” such practices did, in fact, permit three separate hacks into Wyndham’s computer systems, which resulted in the theft and misuse of guest card numbers. The court rejected Wyndham’s assertions that data security supervision does not fall within FTCA §5, but instead is delegated to various agencies under a variety of federal laws, such as FCRA, COPPA and GLBA. The court stated instead, that “[h]ere, subsequent data-security legislation seems to complement – not preclude – the FTC’s authority.”
These developments indicate that businesses should take FTC data security guidance and regulatory enforcement actions into consideration when developing, monitoring and updating privacy policies and data security practices.
This article first appeared in Inside Counsel on May 1, 2014.