On April 24, 2019, the Federal Trade Commission announced two data security cases involving online operators—one, an online rewards website, and the second, a dress-up games website—that were alleged to have failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites.
ClixSense Case The FTC’s case against ClixSense and the company’s owner involved deceptive statements that the site, which collected personal information from users (including, in some instances, Social Security numbers), “utilizes the latest security and encryption techniques to ensure the security of your account information.” According to the FTC, ClixSense’s failures to implement reasonable security measures permitted hackers to gain access to the company’s network, through a browser extension that ClixSense downloaded. The hackers then published and offered the ClixSense user data for sale.
Unixiz Case The FTC’s case against Unixiz, Inc. (doing business as i-Dressup.com) involved alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). According to the FTC, i-Dressup.com failed to obtain parental consent prior to collecting personal information from the child users of the site, and also failed to comply with COPPA’s requirement to keep the data it collected secure. These failures led to a hacker accessing the information of approximately 2.1 million i-Dressup.com users—including approximately 245,000 users who indicated they were under 13.
Both settlements require the operators to implement comprehensive information security programs and obtain independent biennial assessments of this program. In addition, they also are prohibited from making misrepresentations to the third party performing the biennial assessments of any information security program, and must provide an annual certification of compliance to the FTC.
The five-member Commission issued a separate statement in connection with these two settlements, indicating that the Commission was “particularly committed to strengthening the order provisions regarding data security assessments of companies by third parties” and that “future orders will better ensure that third-party assessors know they are accountable for providing meaningful, independent analysis of the data practices under examination.”