FTC Continues to Focus on Data Protection

During 2016 the United States Federal Trade Commission (FTC) announced six formal enforcement actions. All involved corporate failures to protect sensitive personal information (health, financial or other) belonging to customers, other consumers or employees. These included proceedings against the owners of AshleyMadison.com (failure to protect the information of 36 million dating site users) and ASUS TeK Computer Inc. (failure to take reasonable steps to close security holes in home network routers).

The resolution of these data breach cases over the past several years has involved payments to consumers as high as $100 million (LifeLock, Inc.) and/or the establishment and imposition of comprehensive data security plans subject to independent audits and reporting requirements for 20 years (ASUS).

As we enter 2017, enforcement activity shows no signs of slowing down. On January 5, the Commission filed a Complaint in Federal District Court against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.

On February 22, the FTC announced the resolution of three additional data security-related actions concerning false claims by Sentinel Labs, Inc., which provides endpoint protection software to enterprise customers; SpyChatter, Inc., the marketer of a private message app; and Vir2US, Inc., a distributor of cyber-security software.

The Consent Injunctions in these cases reflect that each of the companies falsely represented to its customers that they complied with international standards designed to protect privacy during data transfers.  The representations were found in the privacy polices posted on the defendants’ websites.

Under the terms of the settlement with the FTC, the three companies are prohibited from misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization. Failure to comply with the terms of the injunctions could subject the companies to serious financial penalties.

It will also be interesting to see if the Commission takes action following disclosure of a serious security flaw in children’s toy manufactured by CloudPets  that allows third parties to access messages left for children on their stuffed animals from remote locations (for example, by a parent deployed overseas on military duty). Given the FTC’s specific concerns with children’s privacy issues, this matter bears watching.

We can expect to see the Commission to continue its focus on data protection-related matters. Companies would do well to undertake a comprehensive review of their own internal data protection practices and policies, including how customer and employee information is handled, and the website posting of their privacy policy.