We have recently written about the increasing importance of cybersecurity as an aspect of risk management for nonprofits in light of the proliferation of data security breaches across different sectors. (See here and here.) A bill recently introduced in the House of Representatives would, if passed, give nonprofits even more reason to focus on this issue.
The Federal Trade Commission (the “FTC”) is the agency charged with protecting consumers and the marketplace against deceptive or unfair business practices. Over the past ten years, the FTC has taken the lead role in data security enforcement matters, and during that time, has entered into 60 consent decrees with organizations based on allegations of lax data security practices. (See, e.g., FTC v. Wyndham Worldwide Corp., Civil Action No. 2:13-CV-01887-ES-JAD (D.N.J. December 11, 2015).)
The FTC’s authority to pursue such actions comes from the Federal Trade Commission Act (the “Act”), which empowers the FTC to prevent unfair methods of competition or unfair or deceptive acts or practices in business, to investigate business practices, to seek relief for conduct harmful to consumers, and to prescribe trade regulation rules, among other things.
The FTC’s reach over nonprofits has been debated and there have been recent FTC actions against nonprofit entities. (See, e.g., In re Advocate Health Care Network, Docket No. 9369 (FTC administrative complaint filed December 17, 2015); In re The Penn State Hershey Medical Center, Docket No. 9368 (FTC administrative complaint filed December 7, 2015).)
Last month, Rep. Bobby L. Rush, D-Ill. introduced a bill (H.R. 5255) that would amend the Act to expressly extend the FTC’s oversight authority to 501(c)(3) organizations.
The bill has received the support of FTC Commissioner Edith Ramirez, who, in a recent appearance before a House subcommittee on Commerce, Manufacturing, and Trade, said that empowering the FTC to pursue charities that engage in fraudulent or deceptive conduct would close an important gap in FTC protection, and might be useful in investigating data security or privacy practices of nonprofits.
If passed, this bill could have significant implications for the exempt organizations sector. Stay tuned for updates.