In recent months, two federal regulating agencies have delivered decisions in which they unexpectedly took a broad interpretation of the law as it pertains to privacy—leaving some legal experts wondering if this is a sign of the times.
In September, the Federal Trade Commission (FTC) told corporate executives that they may be held personally liable for false advertising and privacy violations tied to their businesses. And, as an example, it pointed to a multimillion-dollar judgment against an executive at a company the FTC accused of running a “scareware” scheme.
In this case, the company was accused of tricking consumers into thinking their computers were infected with a virus, then selling them software to fix the problem. The company was sued and one of its officers decided to challenge the FTC’s claims. Ultimately, the court held him personally liable for the scheme’s ill-gotten profits—to the tune of $163 million.
Typically, individuals are insulated from direct liability because of the way corporation are structured. In this case, however, the executive—a bad actor—didn’t get that protection.
This case raises the question: When exactly does liability exist for executives?
Maybe it occurs only when there is willful misconduct, such as this case in which the officer of the corporation knew what the company was doing, knew it was wrong, encouraged it and was aggressive with making it happen. When liability applies is still unclear, however, but this case has opened that door with regard to FTC enforcement.
As a result, companies must understand what their privacy architecture looks like. If something isn’t working the way it should, the company has an obligation to fix it. This decision tells us that there is risk to individuals making key decisions in hiding behind corporate structure.
In an even more recent decision, the Federal Communication Commission (FCC) fined two companies $10 million for neglecting to safeguard its customers’ personal information.
According to the FCC, the companies “stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access.” They also caused a breach of the personal data of potentially more than 300,000 customers.
The case is the first of the FCC’s to involve data security and the largest privacy action in the commission’s history. While it’s more specific to the telecommunications industry, it’s interesting to note that generally, what a company has done in the past isn’t necessarily sufficient, and the rules have changed. This case serves as a general warning for everyone: If you have sensitive information, keep it secure.
Both this case and the FTC’s case demonstrate that regulatory agencies are paying close attention to privacy issues and exercising their authority with a powerful hammer.