Lessons From Privacy-Related EnforcementAugust 16, 2016 | | |
Federal and state regulators are bringing more and more enforcement proceedings to challenge the adequacy of corporate privacy practices. Although the best course for businesses is to be proactive and develop privacy rules that meet all applicable requirements before government steps in, a review of various privacy-related settlements that agencies recently have reached suggests a variety of steps that companies across all industries should consider adopting in an effort to protect the privacy of consumers and avoid the wrath of regulators.
In late July, the Federal Trade Commission (FTC) approved a final order resolving its complaint against Taiwan-based computer hardware maker ASUSTeK Computer. The FTC contended that ASUS marketed routers as including numerous security features that could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” The FTC asserted that, despite these claims, ASUS failed to take reasonable steps to secure the software on its routers.
In addition, the FTC asserted that ASUS’s routers allowed consumers to plug in a USB hard drive to create their own “cloud” storage, which ASUS advertised as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” but that the services had serious security flaws.
There are three essential elements to the consent order the FTC reached with ASUS.
First, ASUS must establish and maintain a comprehensive security program subject to independent audits for the next 20 years.
Second, ASUS must notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification).
Third, ASUS is prohibited from misleading consumers about the security of its products, including whether a product is using up-to-date software.
For ASUS—and for other companies seeking to draw lessons from the settlement—the security program undoubtedly was the crucial component of the settlement.1 Under the settlement, the ASUS security program must be “reasonably designed” to address security risks related to ASUS’s development and management of new and existing routers and software and to protect the privacy, security, confidentiality, and integrity of individually-identifiable information from or about individual consumers that is collected by ASUS.
In addition, the content and implementation of the security program must be fully documented in writing and must contain administrative, technical, and physical safeguards appropriate to ASUS’s size and complexity, the nature and scope of ASUS’s activities, and the sensitivity of its products’ functions or consumers’ information. Specifically, the program must, among other things:
- Designate an employee or employees to coordinate and be accountable for the security program;
- Identify material internal and external risks to the security of the company’s products that could result in unauthorized access to or unauthorized modification of a product, and assess the sufficiency of safeguards in place to control these risks;
- Identify material internal and external risks to the privacy of consumers’ individually-identifiable information that could result in the unintentional exposure of that information by consumers or the unauthorized disclosure or other compromise of that information, and assess the sufficiency of safeguards in place to control these risks;
- Regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
- Develop and use reasonable steps to select and retain service providers capable of maintaining required security practices and require service providers by contract to implement and maintain appropriate safeguards; and
- Evaluate and adjust the security program in light of the results of the required testing and monitoring, material changes to ongoing operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the security program.
Less imposing settlements have fewer obligations, but can be demanding for those businesses. Last December, for instance, New York State Attorney General Eric T. Schneiderman reached a settlement with the University of Rochester Medical Center that required that the medical center train its workforce on policies and procedures related to protected patient health information but that did not impose any other significant stringent requirements.2
Of course, when a regulator challenges a company’s privacy record, there also is a potential for imposition of a fine or penalty. In March, for example, California authorities reached an $8.5 million settlement with Wells Fargo Bank over alleged privacy violations. The bank also agreed to implement an internal compliance program.3 As another example, earlier this year, New York Attorney General Schneiderman reached a settlement with Uber regarding its data security practices that, among other things, involved a $20,000 penalty (as well as a number of changes to Uber’s privacy procedures).4
A company that settles a privacy action with an agency typically will have a continuing entanglement with the government that can last for years—or for decades. The company also may have to inform its executives and employees about the settlement during that time. Certainly, taking steps to preempt a regulator’s challenge through the use of basic risk management techniques and safeguards, data security training for employees, and the like is the more prudent, and the more cost-effective, course of action.
1. A security program is not only a typical element of a negotiated settlement, but also is something that the FTC may seek to impose in the absence of a settlement. In late July, for example, the FTC found that medical testing laboratory LabMD had failed to protect consumers’ medical and personal information. It ordered LabMD to establish a comprehensive information security program subject to periodic independent, third-party assessments. See Matter of LabMD, No. 9357 (FTC July 29, 2016), available at https://www.ftc.gov/system/files/documents/cases/160729labmd-opinion.pdf.
2. See New York-URMC Letter Agreement, available at http://www.ag.ny.gov/pdfs/URMC_Letter_Agreement_Fully_Executed_11_30_2015.pdf.
3. See People v. Wells Fargo Bank, N.A., No. BC611105 (Cal. Super. Ct. March 28, 2016) (stipulated final judgment), available at https://oag.ca.gov/system/files/attachments/press_releases/Court approved Wells Fargo Stip Judgment 3_28_16_0.pdf?.
4. See Press Release, “A.G. Schneiderman Announces Settlement With Uber To Enhance Rider Privacy” (Jan. 6, 2016), available at http://www.ag.ny.gov/press-release/ag-schneiderman-announces-settlement-uber-enhance-rider-privacy.
Reprinted with permission from the August 16, 2016 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
- Shari Claire Lewis