The Federal Trade Commission is issuing specific data security requirements to companies as part of agency settlements, policing businesses more aggressively than before, attorneys and former staff said.
Proposed settlements reached this year with LightYear Dealer Technologies LLC, ClixSense.com, Unixiz Inc, and D-Link Systems Inc. show what the FTC is expecting in terms of corporate data security and responsibility, data security and privacy attorneys and former staff said.
Mandates in related consent orders, such as directing senior officers to provide annual compliance certifications to the FTC, go farther than previous requirements and will likely reappear in future orders in settlements with other companies, they said.
“The FTC is realizing, to stay relevant and to drive more consistency across businesses, they need to utilize their authority in a way that forces a reasonable security standard on companies,” Michelle Reed, co-leader of Akin Gump Strauss Hauer & Feld LLP’s cybersecurity, privacy and data protection practice, said.
Attorneys said the agency wants to be seen as a strong enforcer. It’s building on lessons learned from past enforcement actions, including a failed court battle with now-defunct LabMD, according to data security and privacy attorneys and a sitting commissioner.
The commission is “using all of their available tools to be as specific as they think they can be around data security requirements,” Duane Pozza, a partner at Wiley Rein LLP and a former FTC official, said.
The moves, and a separate proposal to add specific provisions to a financial data security rule, come as Congress weighs whether to give the commission more authority over companies’ data security and privacy practices.
The FTC enforces consumer protection laws that prohibit fraud and deceptive or unfair business practices. It can file complaints and force companies, through settlement agreements, to remedy allegedly unlawful behavior.
The commission is reviewing its orders and “trying to think hard about what’s working, what isn’t working, what we’re seeing in our enforcement,” Republican Commissioner Noah Joshua Phillips said.
In the past, the agency was more general in its mandates, such as by asking companies to implement “reasonable” data security practices, former staff members and attorneys said. But the agency ran into trouble with that approach in the LabMD case.
The FTC sued the medical testing laboratory in 2013 for exposing the personal information of approximately 10,000 consumers. An administrative law judge dismissed the complaint, but the commission reversed the dismissal and issued a cease-and-desist order.
LabMD petitioned the U.S. Court of Appeals for the Eleventh Circuit to review the order. The court vacated it in June 2018, saying it was unenforceable because it “mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.”
The more detailed orders are partly “a response to litigation in LabMD,” Phillips said. “The court didn’t like that level of generality, and so part of what you’re seeing is an increased level of specificity,” he said.
Democratic commissioner Rebecca Kelly Slaughter said that the agency is “thinking carefully about how to be clearer with companies beyond just saying ‘reasonable.’”
Some of the specific requirements in recent FTC consent orders include new mandates to implement data access controls for databases that store personal information, encrypt certain data like Social Security numbers, as well as new obligations for third parties that assess the companies’ data security practices. The agency approved all of the related settlements, the requirements of which vary by company, unanimously.
The FTC in April announced proposed settlements with the operators of ClixSense, an online rewards website, and Unixiz Inc, a dress-up games website which does business as i-Dressup.com, to resolve FTC complaints that the companies didn’t take reasonable steps to protect consumers’ data. The FTC has finalized the ClixSense settlement.
D-Link, a smart home products manufacturer, entered into a proposed settlement, announced in July, after the FTC claimed it misrepresented the steps it took to secure wireless routers and internet-connected cameras.
A proposed settlement with LightYear Dealer Technologies, which does business as DealerBuilt, has drawn attorneys’ attention for going further than other April orders in its requirements for third-party assessments. The FTC claimed, among other things, that the auto industry technology company’s data security practices led to a breach of millions of individuals’ information.
Although the settlements are only binding on the companies involved, privacy attorneys and other companies look to them to gauge what data security practices the commission finds acceptable.
The agency’s complaints in data security cases may reveal “common threads” in unfair security practice allegations, and what specific acts and practices the FTC is trying to prohibit, Edward Holman, of counsel at Wilson Sonsini Goodrich & Rosati, said. Consent orders can offer guidance on what good information security programs should look like, Holman said.
The FTC is also looking to boost enforcement of financial institutions under its jurisdiction to ensure they’re protecting customers’ private information.
The agency has proposed adding more specific requirements to its Safeguards Rule under the Gramm-Leach-Bliley Act, such as requiring financial institutions to encrypt customer information, implement multi-factor authentication in certain situations, and appoint a chief information security officer to oversee the information security program.
The FTC approved the proposed changes by a 3-2 vote, with Phillips and Republican Commissioner Christine S. Wilson dissenting. The agency is digesting a wide array of public comments on its proposal, including suggestions from a number of industry groups, so it’s unclear what shape the potentially revised rules will take.
It’s unclear whether Congress will give the commission new enforcement powers, despite the agency’s long-standing call for new tools.
“On data security, we’ve been unanimous in our call for Congress to give us additional authority,” Phillips said. There may be disagreements on particulars, but overall, “we as a society need to be doing better on data security,” he said.