Lessons from the FTC Settlements with Facebook and Equifax

Recent settlements of Federal Trade Commission (FTC) actions against Facebook and Equifax received significant publicity for the deals’ large payments to consumers and the Commission. Facebook’s deal calls for a $5 billion penalty for misuse of user’s private data. The Equifax deal requires the company to pay up to $575 million to consumers whose personal information was exposed to hackers during a 2017 data breach.

While there has been much debate as to whether the these agreements represent mere slaps on the wrist considering that Equifax has a net worth of over $16.5 billion while Facebook recently reported earnings of in excess of $15 billion in the first quarter of 2019, the payments represent by far the largest amounts ever collected by the FTC in connection with exposure of consumer data.

The underlying facts of the two matters should be alarming to anyone.

The Equifax Breach

Equifax was first alerted to a potentially serious flaw in its systems by a third-party cyber security expert in March 2017. The company was specifically warned that the vulnerability could allow hackers to access a database containing personal credit information of millions of consumers whose creditworthiness was being monitored. No action was taken to address the flaw however, until July of that year, when the company’s internal security team noticed suspicious activity on its network.

An investigation later revealed that hackers had used the previously identified security flaw to gain access Social Security numbers, dates of birth and other sensitive information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring or identity theft-prevention services. At least 147 million names and dates of birth, 145 million Social Security numbers and nearly 210,000 credit card numbers and expiration dates were exposed before the company acted.

To check if your personal information was exposed obtain free credit monitoring if you qualify, click here.

The Facebook Complaint

The complaint against Facebook alleged that the company violated a 2012 agreement with the Commission that was supposed to protect users’ personal information through the use of individualized user preference settings.

Instead, the complaint alleged that the company, which generated the majority of its $55.8 billion in revenue in 2018 from the monetization of advertising targeted at it users, utilized deceptive disclosures and default settings in order to trick people into thinking that their data would not be shared with third parties. In fact, Facebook was sharing users’ personal information with third-party apps that were downloaded by the user’s Facebook “friends.”

In addition, the complaint alleged that Facebook failed to address concerns with apps that it knew were violating users’ privacy.

Some Lessons

Cyberspace is dangerous. Business owners and consumers need to be aware that any information they collect or put up on the Web may be exposed to hackers. These cyber criminals are not necessarily looking to hurt you directly, but often just want to collect the information in order to sell it on the darknet markets found on the dark web.

Businesses must take reasonable steps to protect their customers’ personal information. This information can include anything from credit card numbers to personal health information (which also must be protected in accordance with HIPAA under certain circumstances) to travel plans among other things. Here are some basic steps companies should undertake:

• Update and patch third-party software. This is how security updates get into your systems and address known vulnerabilities.
• Make sure that you are using good security software that is properly configured. Equifax apparently failed to keep an accurate log of what software it was running on what systems.
• Monitor activity on your network. Excessive incoming our outbound traffic can be a warning signs of a breach.
• Segment your network. Don’t allow a hacker who might penetrate your systems access to everything.
• Understand what you are promising your customers and visitors to your website. Don’t promise levels of security you cannot attain. If you do, you may be creating additional liability for making misrepresentations to your customers.

Consumers should also make sure to regularly update their personal devices and any apps on those devices. Exercise caution when opening links or attachments in emails from strangers and be careful about clicking on any suspicious-looking links or attachments in messages that appear to be from people you know. Also, read and try to understand the privacy disclosures on any e-commerce or other websites that you visit.

As these two major FTC cases illustrate, the Web is akin to the Wild West. Businesses need to be careful to protect their customers’ information as best they can or risk onerous fines.