There is no comprehensive federal statutory scheme governing breaches of consumers’ private data. However, the Federal Trade Commission (“FTC”) has a history of trying to protect consumers’ private data based on its general mandate to regulate unfair business practices pursuant to the FTC Act. Importantly, the FTC’s power to do so has been upheld by at least one court. (See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).)
While the reach of the FTC may be limited, liability exposure can be high when the FTC does take action. As such, adhering to its recommendations could prove useful in avoiding an FTC enforcement action. Given that President Donald Trump’s nominees to the FTC have indicated that data breaches will be a top priority for them, the FTC’s efforts to protect private consumer data will undoubtedly continue, and may accelerate.
A. The FTC’s Recommendations to Protect Consumers.
In 2012, the FTC finalized a 2010 preliminary report offering the following recommendations to protect consumers and to take some of the burden off consumers to protect themselves:
1. Privacy by Design. Weave privacy protection procedures into daily business practices.
a. Secure consumers’ private data, but also limit its collection and retention.
b. Task designated employees with creating, monitoring, and periodically reviewing privacy procedures.
2. Simplified Choice for Businesses and Consumers.
Provide consumers with an option not to have private data collected and shared, as opposed to presenting them with a long disclosure form containing legalese.
3. Greater Transparency.
a. Provide consumers with open disclosure regarding how their collected, private data is used so consumers can compare those practices to other companies’ practices.
b. Provide consumers with reasonable access to their collected, private data.
c. Encourage a culture of privacy protection by educating consumers about commercial data privacy practices.
B. When Companies Have Failed to Protect Their Consumers’ Private Data, The FTC Has Taken Action.
1. Petco. In 2004, Petco, Inc. settled a case the FTC brought against it based on allegations that its website contained security flaws. The FTC argued that Petco violated federal law by failing to keep the promises it had made to consumers regarding the protection of their private data. Pursuant to the settlement reached with the FTC, Petco was required to maintain a twenty-year security program to protect its website from hackers trying to steal its consumers’ private data.
2. ChoicePoint. In 2006, the FTC brought an action against ChoicePoint, Inc. because its database of consumer data had been compromised, which allowed private data to be misused. The FTC argued that ChoicePoint did not adequately screen subscribers to its database. ChoicePoint was required to implement a twenty-year program to protect private consumer data and to better screen how that data was being used. ChoicePoint was also required to pay $5 million in consumer restitution and $10 million in civil penalties.
3. Genica Corporation. In 2009, Genica Corporation settled a case brought by the FTC based on how the company collected and stored its consumers’ data through one of its consumer electronics websites. The FTC argued that Genica had violated federal law by failing to keep its promise to consumers to adequately protect their data.
4. Heartland Payment Systems. In 2010, Heartland Payment Systems agreed to pay $60 million to Visa card issuers for losses resulting from a data breach. Although that payment was a settlement with Visa rather than an FTC action, it illustrates the scale of exposure a breach can create.
5. Dave & Buster’s. Also in 2010, the FTC argued that Dave & Buster’s failed to secure its network, resulting in hackers accessing private consumer data and amassing hundreds of thousands of dollars in fraudulent charges. The FTC required Dave & Buster’s to create a program to protect the private data it obtained from its consumers.
6. Sackett National Holdings, Inc. In 2011, Sackett National Holdings, Inc. and its subsidiary SettlementOne settled a case brought by the FTC after hackers breached the networks of clients who had purchased consumer credit products from the companies, which allowed the hackers to obtain consumers’ private data. Both companies were required to create a twenty-year program to secure consumer data.
7. Uber & Equifax. More recently, in August 2017, the FTC settled charges that Uber had failed to adequately monitor employee access to consumers’ private data and to reasonably secure the data it stored with a third-party cloud provider. Uber is now required to implement a privacy program and submit to independent privacy audits for 20 years. In September 2017, the FTC announced it was investigating the Equifax, Inc. data breach.
Following the FTC’s recommendations may prevent data breaches that expose companies to liability and will certainly be considered by the FTC should a breach occur. Moreover, securing consumers’ private data, being transparent with consumers, and providing consumers with choices regarding how their data is used are simply good business practices.