Cybersecurity Lessons Learned From the FTC’s Enforcement History

December 2014
Practice Groups: Cyber Law and Cybersecurity; Financial Institutions and Services Litigation; Privacy, Data Protection and Information Management; Consumer Financial Services
U.S. Cybersecurity Alert
By Soyong Cho and Andrew L. Caplan
In 2014, cybersecurity and data breach incidents regularly made the headlines, with the
reported breaches becoming increasingly large and complex. As in the past, these data
breaches have inevitably been followed by a flurry of class actions and government
investigations. But amid this flurry of activity, one federal regulator in particular, the Federal
Trade Commission (the “FTC” or “Commission”), has unquestionably been the most
prominent and active cybersecurity enforcer.
The FTC has more than a decade of experience in data security matters. Since 2002, the
FTC has brought nearly 60 data security enforcement matters and settled more than 50 of
those actions. The FTC’s data security activity has accelerated in recent years and likely will
continue to do so. Jessica Rich, the current Director of the Bureau of Consumer Protection,
leads the FTC’s consumer protection charge and recently stated that “data security
enforcement remains a critical FTC priority.” [1] Director Rich has been involved in the FTC’s
privacy and data security initiatives since the 1990s and has been praised as “a nationally
recognized expert in the fields of privacy, data and identity protection, and emerging
technologies.” [2] Her expertise and passion for this area, combined with what has been
described as her “tenacious” drive, portends a continued focus on cybersecurity
enforcement. [3] Since Director Rich’s appointment in June 2013, the FTC has brought about
a dozen data security cases, comprising approximately twenty percent of all of the FTC’s
data security matters since 2002.
In light of the increased scrutiny on data security and the heightened risks of attacks, it is
important for companies to understand the FTC’s authority and expectations for data security
practices. The FTC has stated that “[t]he touchstone of the Commission’s approach [to data
security] … is reasonableness.” [4] In light of this seemingly flexible and subjective standard,
how can a company know when it might be in the FTC’s crosshairs on data security? In this
article, we provide an overview of the FTC’s authority and highlight some common
compliance themes that emerge from the FTC’s enforcement history.
I. FTC Authority and Enforcement Activities Generally
A. Basis for the FTC’s Data Security Enforcement Authority
Although there is no comprehensive federal cybersecurity legal framework, the FTC has
numerous enforcement tools. The Commission generally has enforcement or administrative
authority under dozens of consumer protection laws. In the vast majority of its data security
actions, the FTC has relied on its power under Section 5 of the FTC Act to prohibit “unfair or
deceptive acts or practices in or affecting commerce.” [5] The FTC has also asserted
violations of numerous other laws in its data security actions, including the
Gramm-Leach-Bliley Act (“GLBA”), Fair Credit Reporting Act (“FCRA”), Children’s Online Privacy Protection
Act (“COPPA”), and regulations promulgated under those statutes, including GLBA’s
Safeguards and Privacy Rules, FCRA’s Disposal Rule, and the COPPA Rule.
In many of the actions it has settled, the FTC has obtained injunctive relief covering a
defendant’s conduct for 20 years. The FTC has also sought or obtained civil money
penalties for violations of the Disposal Rule, COPPA Rule, or past FTC consent orders.
Possibly signaling a more aggressive enforcement strategy, the FTC has also requested
monetary relief for impacted consumers in more recent actions.
B. Few Industries Are Beyond the FTC’s Reach, and Companies Can Be Held Liable for Actions of Their Vendors or Customers
Under the FTC Act, the FTC has broad enforcement authority over large swaths of the
economy. [6] For example, the FTC has brought data security actions against retailers,
financial institutions, health care-related companies, software and mobile app vendors and,
notably, companies that sold products and services relating to data security.
Importantly, companies that do not directly market to consumers or have consumer-facing
businesses can also be targets of the FTC. The Commission has brought numerous cases
against companies that handle or deal in consumer information, such as data sellers,
payment processors, debt brokers, and consumer reporting agencies.
The FTC has also alleged that companies are responsible for the data security failings
caused by third parties, including vendors. In several cases, the FTC has alleged that the
defendant was responsible for the security deficiencies of its third-party clients or end-users
of its products or services. For example, in a number of cases, defendants that sold or
resold consumer information were alleged to be responsible for failing to ensure that the
downstream purchasers of information adequately protected sensitive consumer information.
In cases where information is provided via a subscription service or where the purchaser
obtains information through online access, the FTC has also sought to hold companies liable
for failing to enforce policies and procedures to mitigate misuse of client accounts, such as
identity authentication and password management.
C. Individuals May Also Be Subject to FTC Scrutiny
The FTC frequently uses its authority to bring enforcement actions against individuals who
are alleged to have formulated, directed, controlled, had the authority to control, or
participated in the allegedly unlawful acts or practices of corporate entities. In the data
security realm, since 2002, the FTC has named individual defendants on their own or in
addition to their affiliated companies in approximately ten matters. In five of those matters,
the FTC has obtained or has requested monetary liability from the individual defendants.
II. Areas of Particular Emphasis at the FTC
A. Actual Breach Not Required to Trigger FTC Enforcement Activity
The FTC has stated that “the mere fact that a breach occurred does not mean that a
company has violated the law.” [7] At the same time, the FTC’s enforcement powers do not
require an actual breach as a prerequisite to bringing an enforcement action. In fact, in one
of its earliest data security cases, the FTC rejected the notion that its enforcement authority
depended upon the occurrence of an actual data breach. Indeed, a review of the data
security actions brought by the FTC since 2002 reflects that in almost one-third of those
actions, the FTC’s claims were not based on an actual data breach. In such cases, the FTC
instead generally alleged that the companies’ practices increased the risk of a data breach
and/or misrepresented the extent of the companies’ data security measures.
B. The FTC Takes a Broad View of Consumer Information Requiring Protection
The typical categories of sensitive consumer information that the FTC seeks to protect
include consumers’ financial account numbers and Social Security numbers. However, the
FTC has also wielded its enforcement authority to protect less sensitive consumer
information. For example, the FTC has brought enforcement actions against companies for
their failures to adequately protect consumer email address, Internet surfing history, and
social media activity. In consent orders settling actions, the FTC has consistently required
companies to protect broad categories of information, including Social Security numbers;
driver license numbers; financial account information; first and last name; home address;
email addresses and other electronic identifiers, such as cookies or social media usernames;
account passwords; dates of birth; telephone numbers; consumer photos and videos; and/or
health-related information.
C. Over-Collecting or Unnecessarily Retaining Consumer Information Increases Data Security Risk
Data security necessarily begins with the collection and retention of data that needs to be
protected. In numerous cases, the FTC has identified companies’ data collection and
retention policies as unreasonably increasing data security risks and threats. For example,
the FTC has targeted companies for collecting more information than was disclosed to
consumers in privacy policies, such as consumers’ Internet surfing activity. The FTC has
also criticized companies for keeping consumer information when they no longer had any
business need for the information.
III. Key Steps to Minimize Regulatory Risks in Light of the FTC’s Focus on Cybersecurity
A. Companies Should Comply With Industry Standard Data Security Measures
As previously noted, the FTC evaluates a company’s data security under a reasonableness
standard. In practice, the FTC has often looked at a company’s allegedly deficient data
security practices in light of standard industry practices. Through its suite of enforcement
cases, the FTC has essentially defined (and continues to define) those industry practices
that it considers to be essential ingredients of a “reasonable” cybersecurity compliance
program.
In numerous cases, the FTC has pointed to the failure to protect against well-known data
security threats and vulnerabilities as an unreasonable data security practice. For example,
the FTC has pointed to companies’ failures to implement free or low-cost defenses to well-known
third-party hacking attacks, such as Structured Query Language (“SQL”) injection attacks
and cross-site scripting attacks, and for disabling critical security measures. In addition, the
FTC has cited companies’ failures to use well-known data security measures, such as
validating Secure Sockets Layer (“SSL”) certificates and employing firewalls to segregate
and protect sensitive information.
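The alert names three of these “free or low-cost” defenses without showing what they look like in practice. The following Python example is added here for illustration; it is not part of the K&L Gates alert and does not reproduce code from any FTC matter. It contrasts a query that is open to SQL injection with its parameterized form, escapes untrusted text before it is placed in HTML (the cross-site scripting defense), and builds a TLS context that actually validates server certificates. The customer table, email addresses and function names are constructed for this example.

```python
import html
import sqlite3
import ssl


def build_sample_db():
    # Constructed in-memory sample data for this example (not real consumer records).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, ssn_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "1234"), (2, "bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Deficient practice: the caller-supplied value is spliced into the SQL text,
    # so a value containing quote characters can change the statement's logic
    # and return rows the caller was never meant to see.
    query = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    # Low-cost defense: a parameterized query. The driver binds the value as data,
    # so whatever the input contains, the statement's structure cannot change.
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def render_greeting(display_name):
    # Low-cost defense against cross-site scripting: escape untrusted text before
    # interpolating it into an HTML response, so markup in the input is shown
    # literally rather than executed by the browser.
    return f"<p>Welcome, {html.escape(display_name)}</p>"


def strict_tls_context():
    # Certificate validation, which the alert lists as a well-known measure.
    # ssl.create_default_context() loads the system trust store, requires a
    # certificate and checks the hostname; the check below guards against code
    # elsewhere quietly turning that off (a common way sites end up "disabling
    # critical security measures").
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not validate server certificates")
    return ctx


if __name__ == "__main__":
    db = build_sample_db()
    # Constructed hostile input: a value that a defender's test suite would use
    # to confirm the parameterized lookup cannot be steered.
    probe = "x' OR '1'='1"
    print("vulnerable rows:", len(lookup_vulnerable(db, probe)))      # every row
    print("parameterized rows:", len(lookup_parameterized(db, probe)))  # none
    print(render_greeting("<b>Pat</b>"))
    print("TLS validates certs:", strict_tls_context().check_hostname)
```

The vulnerable and parameterized functions differ by a single line, which is the point the FTC’s “free or low-cost” characterization is making: the fix costs nothing at runtime and is available in every mainstream database driver. The same probe value makes a useful regression test, so that a later refactor cannot silently reintroduce string concatenation.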
The FTC has also brought actions against companies for failing to have adequate data
security procedures in place. For example, the FTC has pointed to companies’ failures to
keep software patches up to date and for using outdated software programs that were no
longer supported. A frequently cited deficiency is also the failure to encrypt sensitive
information, both while the information is being transmitted and while it is stored, thereby
creating security vulnerabilities. The FTC has also singled out companies for failing to have
adequate measures in place to detect unauthorized intrusions and to adequately respond to
such intrusions once detected.
B. Companies Must Also Ensure That Employees Are Properly Trained and Managed on Issues Involving Data Security
In addition to guarding against outside threats, companies must also ensure that their own
employees do not pose data security risks. Many of the FTC’s cases involve the company’s
own disclosure of consumer information. For example, the FTC has brought actions where
company employees downloaded peer-to-peer software programs for personal use, which
then led to unauthorized disclosure of sensitive consumer data. FTC cases have also
involved company employees stealing consumer information or accessing consumer
information without authorization. The FTC has also brought cases where employees lost
unencrypted hardware containing sensitive consumer information and where employees
failed to test software programs, which resulted in the disclosure of consumer information.
C. Don’t Overlook the Basics
When considering these challenging cybersecurity issues, it can be dangerously easy to
overlook everyday considerations that affect the handling of physical information.
Companies must also still ensure that they properly dispose of consumer information in all
forms, including hard copies and paper records. The FTC has brought numerous cases
involving the improper disposal of paper documents containing sensitive consumer
information, frequently in the companies’ own dumpsters. In certain cases, the FTC can
seek civil money penalties of $16,000 per violation. [8]
* * *
The FTC’s enforcement history demonstrates that the Commission is looking at all aspects of
data security, from the initial collection of data through responses to a data breach. The FTC
has stated that reasonable and adequate data security programs must be a dynamic
“continuing process of assessing and addressing risks.” [9] To meet the FTC’s expectations,
companies, including those that have not experienced a data breach, should ensure that
they have appropriate policies, procedures, and industry standard measures in place that
evolve with changes in the cybersecurity landscape.
Authors: Soyong Cho (soyong.cho@klgates.com, +1.202.778.9181) and Andrew L. Caplan (andrew.caplan@klgates.com, +1.202.778.9094)
© 2014 K&L Gates LLP. All Rights Reserved.
[1] Jessica Rich, From Health Claims to Big Data: FTC Advertising and Privacy Priorities for Today’s Marketplace -- Brand Activation Association Keynote, Nov. 7, 2014, available at http://www.ftc.gov/public-statements/2014/11/health-claims-big-data-ftc-advertising-privacy-priorities-todays.
[2] FTC Announces Personnel Changes in Bureau of Consumer Protection, Dec. 11, 2011, available at http://www.ftc.gov/news-events/press-releases/2011/12/ftc-announces-personnel-changes-bureau-consumer-protection.
[3] Id.
[4] See Commission Statement Marking the FTC’s 50th Data Security Settlement, Jan. 31, 2014, available at http://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf.
[5] 15 U.S.C. § 45(a)(2).
[6] See id.
[7] Id.
[8] See 16 C.F.R. Part 682.
[9] Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches, before the Committee on Commerce, Science and Transportation, United States Senate (Mar. 26, 2014), available at http://www.ftc.gov/public-statements/2014/03/prepared-statement-federal-trade-commission-protecting-personal-consumer.