INTERNET LAW - The FTC’s Website Privacy and Security Rules for Every Business


IBLS Contributor: Mark F. Foley, Partner, Foley & Lardner LLP
Monday, November 19, 2007

The Federal Trade Commission ("FTC") has authority under Section 5 of the Federal Trade Commission Act to bring enforcement actions to stop "unfair or deceptive acts or practices." Through the filing, or the threat of filing, roughly 20 administrative and civil complaints, the FTC has used this power to establish minimum requirements for data privacy and security practices in the online world. This article explores the scope and content of these rules as they affect entities engaged in internet commerce.

Do What You Say
The first lesson that emerges from the FTC cases is one that seems obvious to everyone except, apparently, online data collectors: do what you say. Anything else is "unfair or deceptive." In its first online enforcement action, the FTC issued a draft administrative complaint against GeoCities, the operator of a Website that hosted personal home pages and provided email addresses to registered adults and children. GeoCities' "New Member Application" required users to provide personal identifying information (name, address, gender, age) and requested additional information about user interests. Applicants were asked to select from a list of special offer topics and to designate whether they wished to receive specific products or services from individual companies.

GeoCities' published privacy policy promised that "We will not share this information with anyone without your permission . . . ." In truth, GeoCities sold, rented, or disclosed the collected personally identifiable information to third parties who used it for purposes not approved by the data subjects. GeoCities capitulated to the agency's threats, entering into a 20-year Consent Decree that established what would become a familiar pattern in FTC enforcement cases. GeoCities agreed not to make any misrepresentation, expressly or by implication, about its collection or use of information from or about consumers. GeoCities agreed not to collect information from children if it had actual knowledge that a parent had not given permission to provide the information. And GeoCities agreed to provide a clear and prominent notice to consumers about its practices regarding the collection and use of personal identifying information, including:
• What information is collected;
• Its intended uses;
• Third parties to whom it will be disclosed;
• Consumer's ability to access the information;
• Consumer's ability to remove information from GeoCities' databases.

The Decree required this information to appear on GeoCities' home page or a page accessible from a home page hyperlink and at each location on the Website at which personal identifying information is collected. Finally, the Decree required GeoCities to establish a procedure for obtaining express parental consent prior to collecting and using personal identifying information from children.

GeoCities establishes that it is an "unfair or deceptive" trade practice to mislead consumers about online data privacy practices. It also established the FTC's special sensitivity to the collection and use of information about children, and it set a baseline of minimum "fair information practice principles" ("FIPPs").

The FTC would repeat these themes in subsequent cases. Exactly six months after GeoCities, the FTC threatened action against Liberty Financial Companies, Inc. Liberty created Web pages directed at children known as "The Young Investor Measure Up Survey." Through this Website, Liberty collected information about allowance, financial gifts, spending, work habits, college plans, and family finances. The Survey stated that "all of your answers will be totally anonymous." But these data were merged with contact information collected for a promised newsletter and quarterly prize drawings. No newsletter was ever created and no prizes were awarded. The FTC's core complaint, as in GeoCities, was that the Website operator had not done what it promised to do. The resulting 20-year Consent Decree prohibited future misrepresentations and required Liberty's compliance with the GeoCities FIPPs.

Similarly, the FTC sued to prevent the bankruptcy trustee of online retailer Toysmart.com from selling a customer contact list despite the company's express promise that personal information collected through its Website "is never shared with a third party . . . [and] is used only to personalize your experience online." In fact, every FTC privacy case involves an allegation that the target company failed to do what it expressly or impliedly promised.

Say What You Do
A second lesson from the FTC enforcement cases is that it is not enough to do what you say; you must also say what you do, in a clear and conspicuous way. In two related cases, Educational Research Center and National Research Center, the FTC complained about data uses that went beyond what the Website operator had disclosed. Both entities collected information from students, representing that it would be tabulated into a report used by colleges and universities to "keep in touch with the interests and trends among today's high school students" and to "make funding available for students' post-secondary education." Although the information was shared with such educational institutions, it was also shared with commercial entities for marketing purposes. The FTC alleged that the failure to disclose completely how the data would be used constituted an unfair and deceptive trade practice.

A new application of this principle appeared in Cartmanager International. Cartmanager provided shopping cart software and related services to thousands of online retail merchants. The software generated customized "shopping cart" and "checkout" Web pages for use on merchants' Websites. These pages resided on Cartmanager's Website but were designed to look like the other pages on the merchant's site and typically displayed the merchant's name and logo. Information collected through the Cartmanager software, including customer name, billing and shipping addresses, phone number, email address, credit card information, and merchandise ordered, was transmitted to Cartmanager, which then notified the merchant so it could fulfill the customer's order.

Some of the merchants had published privacy policies promising not to share personal information with third parties.  But in January 2003 Cartmanager began renting to third parties for marketing purposes the consumers' personal information collected through shopping cart and checkout pages.  The FTC alleged that this constituted an unfair and deceptive practice since Cartmanager's pages appeared to be part of the merchants' individual pages, and consumers were not notified that different privacy policies applied to information provided through the sales and checkout pages.  The FTC also complained that Cartmanager failed to disclose its intention to share such information to the merchants.  Although Cartmanager's software license agreement provided that "Cartmanager shall retain full ownership of all data submitted by either Merchant or Purchaser . . ." this was "buried in the middle of the online agreement and does not explain how [Cartmanager] intends to use the information or that such use may conflict with the merchants' privacy policies."

Have Reasonable and Appropriate Security Practices
A third lesson established by the FTC cases is that strong privacy practices are not enough; you must also have security practices that are reasonable and appropriate to the nature of the data. In early 2000 the FTC filed a lawsuit against ReverseAuction.com alleging that the company had registered as an eBay user in order to harvest other users' eBay IDs, in violation of eBay's terms and conditions of use. ReverseAuction.com then sent email to those eBay users suggesting that their eBay membership IDs would expire if they did not update their information. ReverseAuction, in a precursor to today's phishing campaigns, did this in order to get eBay users to hand personal identifying information to ReverseAuction, which used the data for its own purposes. Once again, the FTC demanded that the company cease the deceptive practices, divest itself of its ill-gotten information, and promise to adopt the same FIPPs expressed in GeoCities and Liberty.

Even though no security breach was involved in ReverseAuction's unfair practices, the FTC added a requirement that the company disclose "the steps defendant has taken to ensure the security of the information collected and/or maintained at the site."  This was the agency's first indication that it would require security mechanisms for Website operators not covered by substantive legislation, such as the Gramm-Leach-Bliley Act ("GLBA") or the Fair Credit Reporting Act ("FCRA").

Having already established that Website operators had to disclose their practices, the FTC took the next logical step by adding misleading express or implied statements about Website security to its list of prohibited practices.  In the Microsoft case, the FTC's complaint alleged that the company had represented "expressly or by implication, that it maintained a high level of online security by employing sufficient measures reasonable and appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers in connection with the Passport and Passport Wallet services."  Specifically, Microsoft had said that ".NET Passport achieves a high level of Web Security by using technologies and systems designed to prevent unauthorized access to your personal information . . . . is protected by powerful online security technology and . . . is stored on secure . . . servers . . . in controlled facilities."   The FTC complained that Microsoft did not fulfill these express promises.

The FTC's complaint about what Microsoft had failed to do creates, by implication, a list of what the FTC thinks a company must do to have adequate security practices, even when the Website operator is not covered by specific legislative or regulatory requirements:

[R]espondent failed to implement and document procedures that were reasonable and appropriate to: (1) prevent possible unauthorized access to the Passport system; (2) detect possible unauthorized access to the Passport system; (3) monitor the Passport system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.

In its next administrative proceeding, Guess?, Inc., the FTC revealed its thinking about what is substantively required of a "reasonable and appropriate" security program. Guess? sold its clothing and accessories through various outlets, including the www.guess.com Website. To make purchases, Guess.com required consumers to use a credit or debit card and to divulge the customer's name, address, card number, and expiration date. The company stored this information in databases that were connected to or supported the Website. Guess.com's privacy policy said: "This site has security measures in place to protect the loss, misuse and alteration of the information under our control. All orders are transmitted over secure Internet connections using SSL (Secure Sockets Layer) encryption technology. All of your personal information including your credit card information and sign-in password are stored in an unreadable, encrypted format at all times. This Website and more importantly all user information, is further protected by a multi-layer firewall based security system."

In fact, the company did not encrypt stored data; Guess.com's software was designed to present in readable text any information retrieved from or supplied to the databases. Separately, the Web application passed user-supplied input into database queries without validating it, so it was vulnerable to a Structured Query Language ("SQL") injection attack. By inserting SQL into a URL parameter from an ordinary browser, an unauthorized individual could retrieve any data held in the Web-connected databases, and because that data was stored in the clear, what came back was immediately readable. Note that the two failures compound: encryption at rest would not have stopped the injection, but it would have limited what the injected query exposed.
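The following is an added example, not code from the original article or from Guess?, that shows the class of defect the FTC described: a lookup page that splices a URL parameter into its SQL beside the same lookup with the value bound as a parameter. It runs against a constructed in-memory SQLite table of fictitious orders; the URL paths, parameter name, and card numbers are assumptions for illustration only.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample data (fictitious customers and test card numbers),
# stored in the clear exactly as the Guess.com databases were alleged to be.
SAMPLE_ORDERS = [
    ("A1001", "Alice Example", "4111111111111111", "12/09"),
    ("A1002", "Bob Example", "5500000000000004", "03/10"),
    ("A1003", "Carol Example", "340000000000009", "07/11"),
]


def make_db():
    """Build an in-memory orders table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT PRIMARY KEY, customer TEXT,"
        " card_number TEXT, expiry TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def order_id_from_url(url):
    """Pull the (hypothetical) order_id query parameter out of a request URL,
    percent-decoded the way the Web application would see it."""
    return parse_qs(urlsplit(url).query).get("order_id", [""])[0]


def lookup_vulnerable(conn, order_id):
    """Vulnerable pattern: the user-controlled value is pasted into the SQL
    text, so a value containing quotes changes the structure of the query."""
    sql = ("SELECT order_id, customer, card_number FROM orders"
           " WHERE order_id = '%s'" % order_id)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, order_id):
    """Hardened pattern: the value is bound as a parameter. The database
    treats it purely as data, so it can never alter the WHERE clause."""
    sql = ("SELECT order_id, customer, card_number FROM orders"
           " WHERE order_id = ?")
    return conn.execute(sql, (order_id,)).fetchall()


def demo():
    """Run both lookups against an honest URL and an injected one and
    return the four result sets for inspection."""
    conn = make_db()
    honest_url = "https://shop.example/order?" + urlencode({"order_id": "A1002"})
    # The classic tautology: WHERE order_id = '' OR '1'='1' matches every row.
    hostile_url = "https://shop.example/order?" + urlencode({"order_id": "' OR '1'='1"})
    honest = order_id_from_url(honest_url)
    hostile = order_id_from_url(hostile_url)
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),      # one row
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),    # every row, cards in the clear
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),  # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The injected URL dumps all three card numbers from the vulnerable lookup and nothing from the parameterized one. Binding parameters addresses the injection; it does not address the other half of the FTC's complaint, which is that the stored values were readable at all. The checks the FTC later spelled out, testing the application for "reasonably foreseeable" vulnerabilities and encrypting sensitive data at rest, map directly onto those two functions.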

The FTC complaint alleged that, to avoid violating the Federal Trade Commission Act, Website operators collecting personal identifying information had to implement a security program that would include procedures "reasonable and appropriate to: (1) detect reasonably foreseeable vulnerabilities of their Website and application and (2) prevent visitors to the Website from exploiting such vulnerabilities and gaining access to sensitive information."

Guess?'s 20-year Consent Decree required adoption of a security program having administrative, technical, and physical safeguards appropriate to Respondents' size and complexity, the nature and scope of Respondents' activities, and the sensitivity of the personal information collected from or about consumers, including:
A.  the designation of an employee or employees to coordinate and be accountable for the information security program.
B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information  . . . and assessment of the sufficiency of any safeguards in place to control these risks . . .
C.  the design and implementation of reasonable safeguards to control the risks identified . . and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures. . .
[and] that Respondents obtain an assessment and report from a qualified, objective, independent third-party professional, [to examine, assess and certify] that Respondents' security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected . . . .

The FTC would add in a later case that such security assessments must be completed by a person "qualified as a Certified Information System Security Professional (CISSP); . . . a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) . . . , or a similarly qualified person or organization approved by the Associate Director for Enforcement."

In subsequent cases, the FTC added to its definition of what constitutes "reasonable and appropriate security." In Tower Records, the FTC alleged that companies must implement well-known fixes for security threats and must implement appropriate change controls to ensure that existing privacy and security practices are continued after systems are modified. In CardSystems, the FTC added that companies (i) should not store sensitive information for unnecessarily long periods of time or in a vulnerable (i.e., unencrypted) format, (ii) must use strong passwords to prevent a hacker from gaining control over computers and access to personal information stored on a network, (iii) must use readily available security measures to limit access between computers on the network and between the network and the internet, and (iv) must employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.

The FTC's adoption of a duty to implement reasonable and appropriate information security practices stems from the agency's work under the Gramm-Leach-Bliley Act ("GLBA"). Pursuant to GLBA, the federal agencies overseeing the financial services industry issued guidelines titled "Guidelines Establishing Standards for Safeguarding Customer Information," and the FTC issued its parallel GLBA Safeguards Rule in 2002. Both adopt the approach that "security is more a process than a state." The Department of Health and Human Services adopted the same approach in the HIPAA Security Standards for health care information. The FTC has taken these process-oriented, fact-driven standards created under industry-specific regulations and established them as a general standard for data security.

Training and Oversight Are Required
In the Eli Lilly case, the FTC taught that merely having a suitable privacy policy is not enough; companies must take appropriate steps to implement their policies.

The FTC complained that Eli Lilly had inadvertently disclosed personal identifying information about users of an anti-depressant drug, Prozac, by sending an email with all of the users' addresses in the "To" field. This made every address visible to every recipient, and therefore arguably disclosed each addressee's use of the drug. The agency complained that the error had occurred as a result of inadequate training and oversight of the personnel who sent the email, and required the company to improve training and supervision. Having the right policy was not enough; the company also had to take reasonable steps to make sure the policy was properly implemented.

Don't Change The Rules Retroactively
The fourth lesson is that you cannot retroactively change the rules of the privacy and security game to the detriment of consumers. In Gateway, the FTC objected to the "Hooked on Phonics" company's use of personal identifying information collected from parents in violation of previously published privacy policies. Gateway had said that it would not sell, rent, or loan personally identifiable information to any third party without receiving the customer's explicit consent. Those same policies informed users that the policy might change in the future, but promised that Gateway would notify consumers of such changes "on this Site or by e-mail. You will then be able to opt-out of this information usage by sending an email."

In April 2003, Gateway began renting personal information provided by consumers on the Gateway Learning Website without seeking or receiving consent.  On June 20, 2003, Gateway posted on its Website a new privacy policy that contained a revised statement permitting the sharing of personal information with third parties and requiring consumers to write to Gateway to object if they wished to opt out of such usage.  Gateway later made additional changes and added "updated July 17, 2003" to its privacy policy.  But Gateway took no additional steps to alert customers that it had changed its policy to permit third-party sharing of personal information without explicit consent.

The FTC complained that the retroactive application of privacy policy changes "caused or is likely to cause substantial injury to consumers."  The FTC said that Gateway should have provided additional notice that its policy had materially changed and what aspects of the policy had changed.   The resultant 20-year Consent Decree prohibits Gateway from applying material changes in its privacy policy to information collected before the posting and notification of the new policy, unless Gateway obtains the express affirmative ("opt-in") consent of the affected consumers. 

The Cost of Non-Compliance Is High
As the cases discussed above demonstrate, the FTC commonly resolves complaints by requiring a Consent Decree describing in detail specific steps the target company must take, subject to agency oversight, typically for a 20-year period.

If that is not enough by itself to encourage compliance, the agency demonstrated in ChoicePoint just how aggressive it can be in seeking to rectify "unfair and deceptive" practices. ChoicePoint collected information from consumer reporting agencies and public sources, not from the consumers themselves. ChoicePoint sold compilations of this information to fee-paying subscribers, which qualified certain of ChoicePoint's subsidiaries as "consumer reporting agencies" under the Fair Credit Reporting Act. In order to become a subscriber, a business had to submit an application that included information and documentation establishing that the applicant was a legitimate business with a lawful purpose for purchasing consumer data.

In early 2005 ChoicePoint discovered that it may have disclosed the personal information of 163,000 consumers to persons who did not have a lawful purpose for acquiring the data.  The information disclosed included birth date, Social Security number, and, in many cases, credit reports.  At least 800 cases of identity theft arose out of these disclosures. 

According to the FTC Complaint, this occurred because ChoicePoint had failed to implement reasonable procedures to verify or authenticate the identities and qualifications of prospective subscribers, and had failed to monitor for unauthorized activity by subscribers, even after law enforcement subpoenas alerting it to fraudulent accounts and its own experiences with a subscriber should have raised doubts about the legitimacy of the subscriber's business.

The FTC and ChoicePoint stipulated to entry of a civil judgment imposing what had become the FTC's standard 20-year Consent Decree oversight terms. The judgment also required ChoicePoint to pay a $10 million civil penalty and to deposit $5 million into a fund administered by the Commission for equitable relief, including consumer redress. The Court ordered the company to adopt specific internal procedures for investigating subscribers and a comprehensive information security program "fully documented in writing." As part of this program, the company had to designate an employee to coordinate and be held accountable for the information security program; identify the material internal and external risks to the security, confidentiality, and integrity of personal information that could result in unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information; and design and implement reasonable safeguards to control those risks through assessment and regular testing. ChoicePoint also reportedly spent $9 million in legal and technical fees as a result of the breach and FTC action and suffered significant declines in its stock price. These costs and fines should be large enough to get anyone's attention.

The nature of ChoicePoint's deficiencies is also instructive. This was not a case of a sophisticated hacker penetrating technical defenses, but of plain old con artists using simple, sloppy tricks easily detected by anyone paying attention. ChoicePoint's failure was not so much a failure to have privacy and security policies in place as a failure to administer them diligently.

Finally, it is also noteworthy that the FTC raised these issues and imposed these sanctions, in the alternative, under both the FCRA regulations applicable to consumer reporting agencies as well as pursuant to its general powers to prohibit unfair and deceptive trade practices.  That is, the agency has made clear that it believes all companies should adopt security practices like those required under financial industry regulations, even if those regulations do not specifically apply.
Conclusions
The FTC's enforcement actions establish important lessons for every company collecting or using personal identifying information.  While the FTC has not established specific minimum substantive content for privacy policies, it has established procedural minimums.  You must tell data subjects what information you are collecting about them and how you are going to use it.  You must do what you say, not just in theory, but in practice.  It is not enough to have a published privacy and security policy, you must also provide appropriate training and oversight to make policy implementation a reality, and you must not apply a less restrictive data usage policy to data collected under a more restrictive policy.

The FTC cases also establish specific minimum content for security policies:
• use strong passwords and controls to prevent unauthorized access to systems, data, and communications;
• establish technical and non-technical methods to detect unauthorized access, use, or alteration of data;
• record and retain system information sufficient to perform security audits and investigations;
• store sensitive data only for so long as it is needed;
• encrypt sensitive data when stored or transmitted;
• establish personal responsibility for data security;
• do risk and vulnerability assessments and make adjustments based on the results;
• test and monitor the effectiveness of the safeguards' key controls, systems, and procedures;
• promptly apply industry recognized procedures and fixes;
• document the security system in writing; and
• use qualified, credentialed, independent third parties to assess and test your systems.
And most important, the FTC has established the requirement that privacy and security policies must be based on the sensitivity of the data at issue, and that such policies and practices must evolve continually in light of the ever changing nature of the threats.  That is, security is a process, not a state or destination.

And finally, all companies must be aware of these rules, not just those specifically subject to detailed financial services industry regulations.  Failure to comply with the agency's data privacy and security rules can lead to very costly lessons.
