With companies increasingly worried about what the California Attorney General, and private litigants, will do once the California Consumer Privacy Act comes into effect, they should not lose sight of what the Federal Trade Commission (FTC) is already doing.
On November 12, 2019, the FTC announced that InfoTrax Systems L.C. (InfoTrax), a Utah technology company, and Mark Rawlins, its founder, agreed to implement a comprehensive data security program as part of a 20-year consent agreement to settle an FTC complaint in the wake of a two-year breach of the company’s network. The FTC alleged that InfoTrax, whose clients are primarily multilevel marketers, failed to use reasonable, low-cost and readily available security protections to safeguard the personal information that it maintained on its clients’ behalf. As part of the proposed settlement, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information pending the overhaul of the company’s security operations—in effect, temporarily shutting down the company’s operations.
The settlement re-emphasizes the FTC’s determination to enforce cybersecurity standards, regardless of what state regulators are doing, and the settlement sheds further light on what regulators and courts consider “reasonable” cybersecurity practices.
Furthermore, it puts companies on notice that enforcement actions may target the data-protection practices of companies whose clients are other businesses, not just companies that deal with individual consumers; that business operations may be severely interrupted until they comply with an FTC settlement; and that compliance with an FTC-mandated information security plan and accompanying certification will likely be more costly than voluntary safeguards for sensitive data.
InfoTrax provides back-end operations including compensation, accounting, data security, and operation of its clients’ web portals. The FTC alleges that from 2014 to 2016, a hacker infiltrated InfoTrax’s servers more than 20 times, and in March 2016 the hacker accessed about one million consumers’ personal information. The FTC defines personal information as individually identifiable information from or about an individual consumer including, but not limited to, names, addresses, Social Security numbers, and credit/debit card information. The FTC’s complaint against InfoTrax and Rawlins alleged violations of § 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).
Under the terms of the proposed settlement, InfoTrax and Rawlins are required to document and implement a comprehensive data security program (the Information Security Program) to protect the “security, confidentiality, and integrity” of stored personal information. The proposed settlement mandates that the Information Security Program safeguards must, in addition to other requirements, include:
- Policies, procedures, and technical measures to inventory and delete personal data that is no longer needed;
- Annual code review and software penetration testing;
- Technical measures to detect and limit unknown file uploads and anomalous activity that may attempt to exfiltrate personal information outside the company’s network boundaries;
- Annual assessment, testing, and monitoring of the safeguards’ effectiveness;
- Network vulnerability testing every four months and annual penetration testing;
- Annual review of the Information Security Program and modification based on the results of that review; and
- Annual assessment and documentation of internal and external risks to personal information.
In addition to requiring InfoTrax to conduct its own internal monitoring, the proposed settlement requires InfoTrax to obtain independent assessments from a third party, selection of which is subject to the FTC’s approval, for the initial 180-day period after the FTC order and then biennially for 20 years. The third-party report must: (1) determine whether the plan has been implemented and maintained as required; and (2) identify gaps or weaknesses in the plan.
Furthering the trend toward senior officer accountability for cybersecurity, the proposed settlement requires annual certification by a senior corporate manager that the requirements of the proposed settlement have been established, implemented and maintained, and that there is no known, material noncompliance that has not been corrected or disclosed to the FTC.
Finally, the FTC’s settlement acknowledges what privacy laws like the California Consumer Privacy Act imply and what both the New York State Department of Financial Services’ 23 NYCRR Part 500.11 (which requires third-party service providers to comply with cybersecurity practices and to certify compliance by March 2020) and Europe’s General Data Protection Regulation (GDPR) recognize: that companies are responsible for personal information they pass to other companies. The settlement requires InfoTrax to retain service providers capable of safeguarding personal information, indicating to all companies the importance of vendor due diligence and diligent contracting.
The FTC voted 5-0 in favor of the settlement, with one commissioner writing a concurring opinion to question whether the order’s 20-year timeline is too long, given both the burden to the company and the dynamic nature of the technology industry.