Study: What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices

By Patricia Bailin, CIPP/US, CIPM, CIPT, IAPP Westin Fellow

iapp.org

One of the major policy questions in the data governance space these days is what constitutes a reasonable level of privacy and data security that could provide a company with a safe harbor from U.S. Federal Trade Commission (FTC) enforcement action. Over the past several months, two companies facing FTC action as well as a chorus of lawyers and scholars have complained that enforcement is misguided absent clearer data security standards. Complicating matters, the FTC has been particularly tight-lipped about what data security standards it expects to see, and industry calls for policy guidance documents or workshops were left unheeded. Essentially, the industry is arguing that the FTC is shifting the goalposts during the game.

Regardless of the merits of such arguments (industry groups fight tooth-and-nail against data security legislation even as they urge clearer guidance), the Westin Research Center has explored FTC privacy and data security consent decrees to try to parse out what an acceptable level of privacy and data security could be. This study is part of the Westin Research Center’s project to provide a comprehensive casebook of FTC privacy and data security enforcement actions.

OVERVIEW

In at least 47 cases since 2002, the FTC has cited companies for failing either to design or to implement an appropriately comprehensive privacy or data security program. Almost all of these cases have been settled. The settlement requirements include relatively standardized language outlining the parameters of a data security program and begin to chart a path toward the development of similarly standard language for privacy programs. However, aside from requiring the designation of an adequately trained chief data security or privacy officer and the undertaking of regular risk assessments, the standard language that the FTC uses is terse and offers little in the way of specifics about the components of a compliance program. Consequently, anyone seeking to design a program that complies with FTC expectations would have to return to the complaints to parse out what the FTC views as “unreasonable”—and, by negation, reasonable—privacy and data security procedures.

The following analysis is the result of this approach. It suggests possible guidelines for complying with FTC privacy and data security standards based on what the FTC has determined inadequate. In other words, by pointing out what companies did not have in their programs, the FTC provides a peek at what, in its opinion, these companies should have done. The guidelines below are drawn from the 47 cases, loosely organized into seven categories that are not mutually exclusive: Privacy, Security, Software/Product Review, Service Providers, Risk Assessment, Unauthorized Access/Disclosure and Employee Training.
We emphasize that the requirements below reflect neither legal advice by the Westin Research Center nor express guidance by the FTC; rather, they are extrapolated from FTC assertions of corporate wrongdoings. (Ostensibly, there could be a gap between what the FTC views as inadequate and the guidance below; i.e., a company may not be cited for a Section 5 violation even if it does not fix all of its shortcomings under the FTC complaint.)

PRIVACY

In the four decisions requiring companies to establish a comprehensive privacy program [MySpace, Facebook, Google and Snapchat], companies allegedly failed to respect user choices. According to the FTC, these companies ignored consumer privacy preferences or misled consumers by providing inaccurate or incomplete information about user privacy, notice and control. In all four cases, the companies allegedly violated their own privacy policies and their statements on privacy settings. It is possible to deduce from the FTC’s complaints that companies should:

• Perform risk assessments during the design and development stage of a new product or service to identify and address privacy vulnerabilities;

• Conduct regular testing and monitoring of the effectiveness of privacy controls, settings and procedures to ensure that user choices are respected;

• Conduct regular reviews of privacy statements and product design in order to ensure a match between privacy policies, available user options, disclosures to third parties and product functions, and

• Obtain explicit user consent to override prior user choices or to apply new privacy policies to previously collected data when privacy options or policies change.

SECURITY

Since the FTC’s settlement with Microsoft in 2002, the commission has made clear that companies handling consumer information must implement a program that contains “administrative, technical, and physical safeguards appropriate to [the organization’s] size and complexity, the nature and scope of [its] activities, and the sensitivity of the personal information collected from or about consumers.” Such a program must set forth procedures not only for data collection, but also for its storage, handling, transport, and disposal.

The commission has reiterated several times that formal data security procedures should employ “readily available” technology and practices for safeguarding consumer information. The programs must consider not only well-known threats but also business-specific vulnerabilities, and they must be tailored to an organization’s specific business model and data needs. Specific language in FTC cases indicates that security policies should include consideration of password procedures, encryption protocol, access limitations and processes for data retention and disposal.

Passwords

Despite the well-documented importance of complex user credentials, corporate employees, as well as average consumers, continue to generate weak user ID and password combinations. Password policies are therefore fundamental to a company’s data security, as the FTC notes with increasing frequency. A company should:

• Establish and enforce rules requiring strong [TJX/Cardsystems], hard-to-guess [LifeLock/Twitter] user IDs and passwords. Strong credentials can be achieved through default requirements that prohibit the use of common dictionary words [Reed Elsevier]; forbid the use of the same word or a close variant of the word for both the password and the ID [Lookout], and deny a user the ability to create credentials that he or she already employs elsewhere on the network, especially passwords used to access third-party programs, websites, and networks [Twitter];

• Require periodic changes of user credentials, such as every 90 days, for customers and employees with access to sensitive personal information [Lookout/Twitter/Reed Elsevier];

• Suspend user credentials and/or disable administrative passwords [Twitter] after a reasonable number of unsuccessful login attempts [Lookout/Reed Elsevier];

• Prohibit the use of default passwords [BJ’s/DSW] or the sharing of user credentials [Reed Elsevier], as these practices reduce the likelihood of detecting or accounting for unauthorized activity;

• Establish and enforce policies to prohibit storage of administrative passwords in plain text on computers [Guidance Software], in cookies [Reed Elsevier], or in personal email accounts [Twitter], and

• Implement procedures for verifying or authenticating the identity of users who create new credentials for systems or programs that will enable them to access personal information [Choicepoint/Rental Research].
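The password rules above can be expressed as one policy check that a provisioning system runs before accepting a credential. The following is an added example, not code from the study or from any of the cited companies; it uses a constructed dictionary and default-password list, and the 12-character minimum and five-attempt lockout are assumptions, since only the 90-day rotation period is stated on the page.

```python
import hashlib
import os
import re
from datetime import date, timedelta

# Policy parameters are assumptions for this example; apart from the 90-day
# rotation period, the cases cited on the page fix no specific numbers.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
MAX_FAILED_LOGINS = 5
# Constructed sample lists; real use needs a full dictionary and vendor default list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein", "monkey"}
DEFAULT_PASSWORDS = {"admin", "changeme", "default", "password1"}

def _normalize(text):
    """Lowercase and drop digits/punctuation: 'JSmith_2024!' -> 'jsmith'."""
    return re.sub(r"[^a-z]", "", text.lower())

class CredentialStore:
    """Per-user state: a salted hash of each system's credential (never the plain
    text), the date it was last changed, failed-login count and suspension."""
    def __init__(self):
        self.salt = os.urandom(16)
        self.hashes = {}    # user_id -> {system: digest}
        self.changed = {}   # (user_id, system) -> date of last change
        self.failures = {}  # user_id -> consecutive failed logins
        self.suspended = set()

    def digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def register(self, user_id, system, password, changed_on):
        self.hashes.setdefault(user_id, {})[system] = self.digest(password)
        self.changed[(user_id, system)] = date.fromisoformat(changed_on)

def check_new_password(store, user_id, system, password):
    """Return the policy rules a proposed credential violates (empty list = accepted)."""
    violations, npw, nid = [], _normalize(password), _normalize(user_id)
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    if password.lower() in DEFAULT_PASSWORDS:
        violations.append("default password")
    if any(word in npw for word in DICTIONARY_WORDS):
        violations.append("contains dictionary word")
    if nid and npw and (nid in npw or npw in nid):  # ID reused as password or close variant
        violations.append("derived from user ID")
    new = store.digest(password)
    for other, digest in store.hashes.get(user_id, {}).items():
        if other != system and digest == new:  # same credential already used elsewhere
            violations.append(f"already used on {other}")
    return violations

def record_login(store, user_id, success):
    """Count consecutive failures and suspend at the limit; True while still active."""
    store.failures[user_id] = 0 if success else store.failures.get(user_id, 0) + 1
    if store.failures[user_id] >= MAX_FAILED_LOGINS:
        store.suspended.add(user_id)
    return user_id not in store.suspended

def rotation_due(store, user_id, system, today):
    """True once the credential is older than the 90-day rotation period."""
    return date.fromisoformat(today) - store.changed[(user_id, system)] > MAX_AGE
```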
Encryption

FTC attention has regularly focused on data encryption. In more than half (27) of the cases requiring privacy or data security programs, the FTC addressed the defendant’s encryption protocols, which should be compatible with industry standards. ValueClick, for example, was cited in 2008 for “using only an insecure form of alphabetic substitution that [was] not consistent with, and less protective than, industry-standard encryption.” Given the demonstrated risk of security breaches, companies should render personal information “unusable, unreadable, or indecipherable” as the FTC noted in its complaint against CBR. Consequently, security programs should contain protocols to ensure the company will:

• Transmit sensitive [Credit Karma/Fandango] and personal information [TJX], including user credentials [TRENDnet] and financial account and credit card information [Compete/Upromise], securely in either encrypted format [BJ’s] or through cryptographic protocols (TLS or SSL), and

• Store sensitive and personal information in encrypted format [Genelink/Guess], including information that was encrypted during transmission [Petco] and any personal information on in-store networks [BJ’s], back-up tapes [Nutter], or other portable media devices [CBR].

Limited Access

Another common security issue raised in a number of cases is lack of sufficient control over access to personal information. Access limitations can be instituted at either a network level, for example, by maintaining multiple servers or installing firewalls or similar solutions, or at the employee level, by restricting access to personal information to personnel of specific departments or to individual employees. Limited access policies curb unnecessary security risks and minimize the number and type of network access points that an information security team must monitor for potential violations. A company is therefore advised to:

• Segment servers [RockYou] so that unauthorized access to one does not compromise the security of all;

• Apply readily available security measures such as firewalls or isolated payment card systems [Dave & Buster’s] to control and monitor access:

  ◦ to a computer network from wireless access points [BJ’s/Dave & Buster’s],

  ◦ between computers on a network, including between computers on one in-store network and those on other in-store or corporate networks [DSW], and

  ◦ between computers on the company network and the Internet [Cardsystems/Genica/TJX];

• Limit employee access [CBR] to and copying of [Accretive Health] personal information based on such employee’s role;

• Restrict third party access to personal information based on business need, for example, by restricting access based on IP address, granting temporary access privileges, or similar procedures [Dave & Buster’s];

• Establish an employee login page that is unknown to consumers and separate from the customer/end user login page [Twitter], and

• Restrict the number of files on which data can be stored [DSW] in order to simplify compliance with data use limitations and deletion procedures [Accretive Health].

Data Retention and Disposal

The FTC has proscribed companies’ continuous storage of data after it has served its business purpose. While the FTC does not specify a precise threshold for data retention, it has stated that data should be stored only for as long as it serves a legitimate business need. Companies should also have policies in place for disposing of data once such business needs have been met. Companies should thus:

• Formalize policies regarding the length of time consumer data will be stored. Data should not be stored indefinitely, but rather for a period of time commensurate with legitimate business needs [Ceridian/Life is Good]. Information for which there is no longer a business need should be destroyed [CBR], and

• Implement and monitor compliance with policies and procedures for rendering information unreadable or otherwise secure in the course of disposal. Securely disposed information must not practicably be read or reconstructed [CVS Caremark/PLS Financial].

SOFTWARE/PRODUCT REVIEW

Companies are responsible for managing the privacy and security of personal information that is processed by the products they develop and use. Accordingly, they are required to instate checks and controls on the products they use as well as throughout the development process of new products and services [Credit Karma/Fandango]. The goal is to ensure that all products and software function according to an organization’s stated privacy and data security policies as well as any applicable industry standards. More specifically, companies should:

• Implement appropriate checks and controls on the review and testing of software and products intended for internal use [Eli Lilly];

• Follow well-known, commonly-accepted secure programming practices, including secure practices that are expressly described in the product’s operating system guides for manufacturers and developers [HTC], and

• Perform security reviews and testing of software and products at key points in the development cycle:

  ◦ Such procedures may take the form of a security architecture review, vulnerability and penetration testing, and reasonable and appropriate code review and testing to verify that security and privacy protections are consistent with user choices and company policy [TRENDnet];

  ◦ Special procedures should exist to test for any excessive collection of personal information, i.e., information that does not serve a legitimate business need [Compete]; unauthorized collection of personal information [Snapchat], and products or software that will override existing, promised, or standard defaults without employing substitute security measures [TRENDnet].

SERVICE PROVIDERS

Service providers who access or handle personal information on behalf of a company could create liability for the company and must therefore be properly managed. For example, in a recent case, CBR, an umbilical cord blood and tissue bank, settled an FTC enforcement action alleging, among other things, failure to adequately supervise a service provider. In that case, the company’s lack of oversight resulted in two security lapses: the retention of a legacy database for which CBR no longer had a legitimate business need, as well as the storage of personal information in that database in unencrypted, vulnerable form.

Requisite oversight of a service provider will vary depending on the service and the sensitivity of the information; but companies should generally:

• Require by contract that service providers implement and maintain appropriate safeguards for consumers’ personal information [Genelink/Goal Financial];

• Ensure reasonable oversight of service providers’ security practices and their employees’ handling of personal information [Genelink/Credit Karma]:

  ◦ Adequately verify, through monitoring and assessments, that service providers implement reasonable and appropriate security measures to protect personal information [GMR];

  ◦ Request and review relevant information about a service provider’s security practices, such as its documented information security program or the results of audits and security assessments conducted on their network [GMR].

RISK ASSESSMENT

Each time the FTC has mandated that a company implement a comprehensive privacy or data security program, it has required that such program consider “material internal and external risks that could result in the…compromise of personal information and an assessment of the sufficiency of any safeguards in place to control these risks…in each area of relevant operation.” In addition, the FTC expects to see policies in place to ensure that any issues are addressed and corrected. Risks should be continuously assessed and the program adjusted as a result of ongoing monitoring, material changes to company operations, or any other changing circumstances. Risk assessment policies should include provisions obligating the company to:

• Record and retain system information sufficient to perform security audits and investigations [Microsoft];

• Perform assessments to identify reasonably foreseeable risks to the security, integrity, and confidentiality of personal information collected and stored on the network [Genelink], online [EPN] or in paper files [Nutter];

• Assess application or network vulnerabilities, particularly to commonly known or reasonably foreseeable attacks like “cross-site scripting” [Reed Elsevier], to widely known security flaws like “predictable resource location,” or to design flaws like the ability of users to bypass website authentication procedures [Lookout], and

• Evaluate the likelihood and risks of third party access [Premier Capital Lending]; for example, in some cases it might be sufficient to provide third parties with access to fictitious data sets rather than real personal information or to provide them with access to only certain categories of personal data rather than unrestricted database access [Genelink].

UNAUTHORIZED ACCESS/DISCLOSURES

Preventing and addressing incidents of unauthorized access to and disclosures of personal information are critical components of a comprehensive privacy and data security program. References to incident response appear in more than half (24) of the cases in this study. Extrapolating from the inadequacies described in past complaints, a company should:

• Implement reasonable measures to assess and enforce compliance with established security policies and procedures, such as by scanning networks for and blocking unauthorized downloads of applications [EPN];

• Implement policies for the prevention of unauthorized access, including standard procedures, such as regularly checking for and installing security patches and critical updates on the company’s network [LifeLock];

• Implement policies for the detection of unauthorized access, including:

  ◦ installing antivirus or anti-spyware programs on computers [LifeLock],

  ◦ employing an intrusion detection system [Genica],

  ◦ creating a formalized process to address security warnings and intrusion alerts [TJX], and

  ◦ logging network activity [EPN] and reviewing activity on the network [LifeLock];

• Monitor and filter outbound traffic [Dave & Buster’s] and outgoing transmissions [EPN] to identify and block unauthorized disclosures of personal information;

• Implement procedures for receiving, reviewing, and addressing security vulnerability reports from third parties [Fandango], including researchers, academics, or other members of the public [HTC], and

• Prepare an incident response plan that is ready to implement immediately upon detection of a security breach [EPN].
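The monitoring measures above (logging and reviewing network activity, filtering outbound transmissions for unauthorized disclosures of personal information, blocking unauthorized application downloads) and the server segmentation rule from the Limited Access section can be checked mechanically against log data. This added example is not code from the study or from any cited company; it runs those rules over constructed log lines in an assumed key=value format, and the protocol list, host addresses, network segments and approved-package list are assumptions.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "time rule detail")

# Constructed sample log lines in a simple key=value format assumed for this
# example; the field names do not come from any particular product.
SAMPLE_LOG = """\
2014-09-12T08:03:10 net dir=out proto=http src=10.0.4.7 dst=203.0.113.5 body=name=J.Smith&ssn=123-45-6789
2014-09-12T08:03:11 net dir=out proto=https src=10.0.4.7 dst=203.0.113.5 body=<tls>
2014-09-12T08:03:40 net dir=out proto=smtp src=10.0.4.9 dst=198.51.100.2 body=card=4111111111111111
2014-09-12T08:03:41 net dir=out proto=smtp src=10.0.4.9 dst=198.51.100.2 body=order=4111111111111112
2014-09-12T08:04:00 net dir=in proto=tcp src=192.168.50.21 dst=10.0.9.3 port=1433
2014-09-12T08:04:30 host name=ws12 event=install pkg=screen-recorder.exe user=jsmith
2014-09-12T08:05:00 host name=ws12 event=install pkg=corp-vpn-client.msi user=jsmith
"""

# Policy inputs; all assumptions for this example.
CLEARTEXT_PROTOS = {"http", "smtp", "ftp"}   # personal data must not leave over these
PII_SERVERS = {"10.0.9.3"}                   # hosts holding personal information
INTERNAL_SEGMENTS = ("10.0.",)               # only these networks may reach PII_SERVERS;
                                             # 192.168.50.0/24 is the store wireless segment
APPROVED_PACKAGES = {"corp-vpn-client.msi"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,16}\b")

def luhn_ok(digits):
    """Luhn checksum, to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse(line):
    """Split a log line into timestamp, record type and key=value fields."""
    time, kind, *rest = line.split(" ")
    fields = dict(item.split("=", 1) for item in rest if "=" in item)
    return time, kind, fields

def review_log(text):
    """Run each detection rule over every log line; return the alerts raised."""
    alerts = []
    for line in text.splitlines():
        time, kind, f = parse(line)
        if kind == "net" and f.get("dir") == "out" and f.get("proto") in CLEARTEXT_PROTOS:
            body = f.get("body", "")
            if SSN_RE.search(body):
                alerts.append(Alert(time, "cleartext-pii", f"SSN to {f['dst']} over {f['proto']}"))
            if any(luhn_ok(m) for m in CARD_RE.findall(body)):
                alerts.append(Alert(time, "cleartext-pii", f"card number to {f['dst']} over {f['proto']}"))
        if kind == "net" and f.get("dst") in PII_SERVERS and not f.get("src", "").startswith(INTERNAL_SEGMENTS):
            alerts.append(Alert(time, "segmentation", f"{f['src']} reached PII host {f['dst']}"))
        if kind == "host" and f.get("event") == "install" and f.get("pkg") not in APPROVED_PACKAGES:
            alerts.append(Alert(time, "unapproved-software", f"{f['pkg']} installed on {f['name']} by {f['user']}"))
    return alerts
```

Each alert carries the rule name so that it can feed the formalized alert-handling process the TJX complaint calls for; the Luhn check keeps order numbers and similar digit strings from being flagged as card numbers.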
EMPLOYEE TRAINING

Designing and implementing an employee training program has increasingly become a standard industry practice and one that the FTC has required in numerous settlements. The employee training program should be designed to assist employees in understanding and managing privacy and data security safeguards. Once a company has a privacy and data security program in place, the employee training program should focus on ensuring compliance with it. According to the FTC, an employee training program should:

• Educate employees on the company’s privacy and data security policies as well as on security risks [Upromise] relevant to their jobs:

  ◦ Employees, including software/product engineers [HTC] and executives [EPN], should receive training on information security, collection, handling, transport, maintenance and disposal of consumer personal information;

  ◦ Engineering staff should receive appropriate training and oversight for detecting application vulnerabilities and conducting security testing [Tower Records/HTC];

• Provide adequate training to employees about timely and effective security incident response [Goal Financial].

Interestingly, in one case, the FTC alleged that a company suffered a security breach by “using personal information in training sessions with employees and failing to ensure that the information was removed from employees’ computers following the training” [Accretive Health]. Of course, the training program itself must not compromise a company’s data security.

CONCLUSION

This study sets forth the contours of a reasonable privacy and data security program based on analysis of 47 FTC enforcement cases. While providing companies with neither a safe harbor from enforcement nor immunity from a privacy or data security breach, such a program will mitigate risk and strengthen a company’s hand in dealing with any adversity. Although the analysis in this study is informal and based on “reverse-engineering” the FTC’s complaints, it offers a potential starting point for defining “reasonable” measures of privacy and data security, thereby helping to clear the fog of uncertainty surrounding compliance with a constantly shifting legal landscape.