U.S. Cybersecurity Alert
December 2014

Practice Groups: Cyber Law and Cybersecurity; Financial Institutions and Services Litigation; Privacy, Data Protection and Information Management; Consumer Financial Services

Cybersecurity Lessons Learned From the FTC's Enforcement History

By Soyong Cho and Andrew L. Caplan

In 2014, cybersecurity and data breach incidents regularly made the headlines, with the reported breaches becoming increasingly large and complex. As in the past, these data breaches have inevitably been followed by a flurry of class actions and government investigations. But amid this flurry of activity, one federal regulator in particular, the Federal Trade Commission (the "FTC" or "Commission"), has unquestionably been the most prominent and active cybersecurity enforcer.

The FTC has more than a decade of experience in data security matters. Since 2002, the FTC has brought nearly 60 data security enforcement matters and settled more than 50 of those actions. The FTC's data security activity has accelerated in recent years and likely will continue to do so. Jessica Rich, the current Director of the Bureau of Consumer Protection, leads the FTC's consumer protection charge and recently stated that "data security enforcement remains a critical FTC priority." [1] Director Rich has been involved in the FTC's privacy and data security initiatives since the 1990s and has been praised as "a nationally recognized expert in the fields of privacy, data and identity protection, and emerging technologies." [2] Her expertise and passion for this area, combined with what has been described as her "tenacious" drive, portend a continued focus on cybersecurity enforcement. [3] Since Director Rich's appointment in June 2013, the FTC has brought about a dozen data security cases, comprising approximately twenty percent of all of the FTC's data security matters since 2002.

In light of the increased scrutiny on data security and the heightened risks of attacks, it is important for companies to understand the FTC's authority and expectations for data security practices. The FTC has stated that "[t]he touchstone of the Commission's approach [to data security] ... is reasonableness." [4] In light of this seemingly flexible and subjective standard, how can a company know when it might be in the FTC's crosshairs on data security? In this article, we provide an overview of the FTC's authority and highlight some common compliance themes that emerge from the FTC's enforcement history.

I. FTC Authority and Enforcement Activities Generally

A. Basis for the FTC's Data Security Enforcement Authority

Although there is no comprehensive federal cybersecurity legal framework, the FTC has numerous enforcement tools. The Commission generally has enforcement or administrative authority under dozens of consumer protection laws. In the vast majority of its data security actions, the FTC has relied on its power under Section 5 of the FTC Act to prohibit "unfair or deceptive acts or practices in or affecting commerce." [5] The FTC has also asserted violations of numerous other laws in its data security actions, including the Gramm-Leach-Bliley Act ("GLBA"), Fair Credit Reporting Act ("FCRA"), Children's Online Privacy Protection Act ("COPPA"), and regulations promulgated under those statutes, including GLBA's Safeguards and Privacy Rules, FCRA's Disposal Rule, and the COPPA Rule.

In many of the actions it has settled, the FTC has obtained injunctive relief covering a defendant's conduct for 20 years. The FTC has also sought or obtained civil money penalties for violations of the Disposal Rule, COPPA Rule, or past FTC consent orders. Possibly signaling a more aggressive enforcement strategy, the FTC has also requested monetary relief for impacted consumers in more recent actions.

B. Few Industries Are Beyond the FTC's Reach, and Companies Can Be Held Liable for Actions of Their Vendors or Customers

Under the FTC Act, the FTC has broad enforcement authority over large swaths of the economy. [6] For example, the FTC has brought data security actions against retailers, financial institutions, health care-related companies, software and mobile app vendors and, notably, companies that sold products and services relating to data security. Importantly, companies that do not directly market to consumers or have consumer-facing businesses can also be targets of the FTC. The Commission has brought numerous cases against companies that handle or deal in consumer information, such as data sellers, payment processors, debt brokers, and consumer reporting agencies.

The FTC has also alleged that companies are responsible for the data security failings caused by third parties, including vendors. In several cases, the FTC has alleged that the defendant was responsible for the security deficiencies of its third-party clients or end-users of its products or services. For example, in a number of cases, defendants that sold or resold consumer information were alleged to be responsible for failing to ensure that the downstream purchasers of information adequately protected sensitive consumer information. In cases where information is provided via a subscription service or where the purchaser obtains information through online access, the FTC has also sought to hold companies liable for failing to enforce policies and procedures to mitigate misuse of client accounts, such as identity authentication and password management.

C. Individuals May Also Be Subject to FTC Scrutiny

The FTC frequently uses its authority to bring enforcement actions against individuals who are alleged to have formulated, directed, controlled, had the authority to control, or participated in the allegedly unlawful acts or practices of corporate entities. In the data security realm, since 2002, the FTC has named individual defendants on their own or in addition to their affiliated companies in approximately ten matters. In five of those matters, the FTC has obtained or has requested monetary liability from the individual defendants.

II. Areas of Particular Emphasis at the FTC

A. Actual Breach Not Required to Trigger FTC Enforcement Activity

The FTC has stated that "the mere fact that a breach occurred does not mean that a company has violated the law." [7] At the same time, the FTC's enforcement powers do not require an actual breach as a prerequisite to bringing an enforcement action. In fact, in one of its earliest data security cases, the FTC rejected the notion that its enforcement authority depended upon the occurrence of an actual data breach. Indeed, a review of the data security actions brought by the FTC since 2002 reflects that in almost one-third of those actions, the FTC's claims were not based on an actual data breach. In such cases, the FTC instead generally alleged that the companies' practices increased the risk of a data breach and/or misrepresented the extent of the companies' data security measures.

B. The FTC Takes a Broad View of Consumer Information Requiring Protection

The typical categories of sensitive consumer information that the FTC seeks to protect include consumers' financial account numbers and Social Security numbers. However, the FTC has also wielded its enforcement authority to protect less sensitive consumer information. For example, the FTC has brought enforcement actions against companies for their failures to adequately protect consumer email addresses, Internet surfing history, and social media activity. In consent orders settling actions, the FTC has consistently required companies to protect broad categories of information, including Social Security numbers; driver's license numbers; financial account information; first and last name; home address; email addresses and other electronic identifiers, such as cookies or social media usernames; account passwords; dates of birth; telephone numbers; consumer photos and videos; and/or health-related information.

C. Over-Collecting or Unnecessarily Retaining Consumer Information Increases Data Security Risk

Data security necessarily begins with the collection and retention of data that needs to be protected. In numerous cases, the FTC has identified companies' data collection and retention policies as unreasonably increasing data security risks and threats. For example, the FTC has targeted companies for collecting more information than was disclosed to consumers in privacy policies, such as consumers' Internet surfing activity. The FTC has also criticized companies for keeping consumer information when they no longer had any business need for the information.

III. Key Steps to Minimize Regulatory Risks in Light of the FTC's Focus on Cybersecurity

A. Companies Should Comply With Industry Standard Data Security Measures

As previously noted, the FTC evaluates a company's data security under a reasonableness standard. In practice, the FTC has often looked at a company's allegedly deficient data security practices in light of standard industry practices. Through its suite of enforcement cases, the FTC has essentially defined (and continues to define) those industry practices that it considers to be essential ingredients of a "reasonable" cybersecurity compliance program.

In numerous cases, the FTC has pointed to the failure to protect against well-known data security threats and vulnerabilities as an unreasonable data security practice. For example, the FTC has pointed to companies' failures to implement free or low-cost defenses to well-known third-party hacking attacks, such as Structured Query Language ("SQL") injection attacks and cross-site scripting attacks, and has faulted companies for disabling critical security measures. In addition, the FTC has cited companies' failures to use well-known data security measures, such as validating Secure Sockets Layer ("SSL") certificates and employing firewalls to segregate and protect sensitive information.

The FTC has also brought actions against companies for failing to have adequate data security procedures in place. For example, the FTC has pointed to companies' failures to keep software patches up to date and to their use of outdated software programs that were no longer supported. Another frequently cited deficiency is the failure to encrypt sensitive information, both while the information is being transmitted and while it is stored, thereby creating security vulnerabilities. The FTC has also singled out companies for failing to have adequate measures in place to detect unauthorized intrusions and to adequately respond to such intrusions once detected.

B. Companies Must Also Ensure That Employees Are Properly Trained and Managed on Issues Involving Data Security

In addition to guarding against outside threats, companies must also ensure that their own employees do not pose data security risks. Many of the FTC's cases involve the company's own disclosure of consumer information. For example, the FTC has brought actions where company employees downloaded peer-to-peer software programs for personal use, which then led to unauthorized disclosure of sensitive consumer data. FTC cases have also involved company employees stealing consumer information or accessing consumer information without authorization. The FTC has also brought cases where employees lost unencrypted hardware containing sensitive consumer information and where employees failed to test software programs, which resulted in the disclosure of consumer information.

C. Don't Overlook the Basics

When considering these challenging cybersecurity issues, it can be dangerously easy to overlook everyday considerations that affect the handling of physical information. Companies must also still ensure that they properly dispose of consumer information in all forms, including hard copies and paper records. The FTC has brought numerous cases involving the improper disposal of paper documents containing sensitive consumer information, frequently in the companies' own dumpsters. In certain cases, the FTC can seek civil money penalties of $16,000 per violation. [8]

* * *

The FTC's enforcement history demonstrates that the Commission is looking at all aspects of data security, from the initial collection of data through responses to a data breach. The FTC has stated that reasonable and adequate data security programs must be a dynamic "continuing process of assessing and addressing risks." [9] To meet the FTC's expectations, companies, including those that have not experienced a data breach, should ensure that they have appropriate policies, procedures, and industry standard measures in place that evolve with changes in the cybersecurity landscape.

Authors:

Soyong Cho
soyong.cho@klgates.com
+1.202.778.9181

Andrew L. Caplan
andrew.caplan@klgates.com
+1.202.778.9094

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

© 2014 K&L Gates LLP. All Rights Reserved.

[1] Jessica Rich, From Health Claims to Big Data: FTC Advertising and Privacy Priorities for Today's Marketplace -- Brand Activation Association Keynote, Nov. 7, 2014, available at http://www.ftc.gov/public-statements/2014/11/health-claims-bigdata-ftc-advertising-privacy-priorities-todays.
[2] FTC Announces Personnel Changes in Bureau of Consumer Protection, Dec. 11, 2011, available at http://www.ftc.gov/news-events/press-releases/2011/12/ftc-announces-personnel-changes-bureau-consumer-protection.
[3] Id.
[4] See Commission Statement Marking the FTC's 50th Data Security Settlement, Jan. 31, 2014, available at http://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf.
[5] 15 U.S.C. § 45(a)(2).
[6] See id.
[7] Id.
[8] See 16 C.F.R. Part 682.
[9] Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches, before the Committee on Commerce, Science and Transportation, United States Senate (Mar. 26, 2014), available at http://www.ftc.gov/public-statements/2014/03/prepared-statement-federal-trade-commissionprotecting-personal-consumer.