FTC: Anatomy of a Data Security/Privacy Investigation and the Future of Privacy John Jay College of Criminal Justice Center for Cybercrime Studies November 10, 2011 Kristin Krause Cohen, Staff Attorney Division of Privacy and Identity Protection Federal Trade Commission
Disclaimer The views expressed in this presentation are mine and are not necessarily those of the Commission or any individual Commissioner.
Meet the Federal Trade Commission Nation’s only general jurisdiction consumer protection agency ~1,100 lawyers and staff members in Washington and 7 regional offices Federal jurisdiction in the areas of antitrust and consumer protection Three bureaus: Competition Economics Consumer Protection
Agenda for Today How the FTC’s Data Security Program Has Evolved The FTC Privacy Report Recent Privacy Enforcement Actions New Areas
Legal Standards Relevant laws governing data security and privacy: Fair Credit Reporting Act (FCRA) – Disposal Rule Federal Trade Commission Act (FTC Act) Other federal laws (HIPAA, DPPA, FERPA) State laws
Anatomy of a FTC Investigation Finding cases Pre-search Civil Investigative Demand or access letter Analyzing the facts Litigation or consent negotiation (or closing letter) Compliance and monitoring
Perspective FTC data security enforcement has become more granular From the enforcement actions are specific lessons for businesses to learn, including those in the health industry FTC’s definition of what is unfair or unreasonable will help to inform evaluation of privacy and security practices in other contexts.
Four Points that Guide the FTC’s Information Security Enforcement Information security is an ongoing process. A company’s security procedures must be reasonable and appropriate in light of the circumstances. A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security. A company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach.
The Early Years The FTC’s early privacy and data security enforcement is characterized by targeting companies that engaged in practices contrary to their published privacy policies
The Early Years Geocities (1999) (first Internet privacy case) and Gateway (2004) The FTC alleged the companies used personal information in a manner contrary to promises made to consumers. Order required Geocities to notify members and allow their information to be deleted and prohibited Gateway from sharing personal information obtained under their original privacy policy without express consent.
False Representations About Data Security and FTC Enforcement
Common Vulnerabilities: Petco Petco (2005) FTC alleged that Petco falsely represented that personal information it obtained from consumers was maintained in an encrypted format Petco’s website and web application were vulnerable to commonly known or reasonably foreseeable attacks Order against Petco prohibited misrepresentations and required it to implement a comprehensive information security plan and obtain independent assessments of the plan
FTC use of “unfairness” prong of Section 5 Duty to protect data implied in requirement not to engage in unfair practices
Multiple Risks: BJ’s FTC alleged BJ’s engaged in an unfair practice by “failing to employ reasonable and appropriate security measures to protect personal information....”
Multiple Risks: BJ’s Specifically, FTC alleged BJ’s did not employ reasonable and appropriate measures to secure personal information. Among other things, it: did not encrypt information while in transit or when stored stored information in files that could be accessed using a commonly known default user ID and password did not use readily available security measures to limit access to its networks through wireless access points on the networks did not employ sufficient measures to detect unauthorized access or conduct security investigations stored information for up to 30 days when it no longer had a business need to keep the information
Peer-to-Peer Application Warning Letters Notified almost 100 organizations that files containing PII shared from their computer networks to P2P networks FTC simultaneously released business education on risks associated with P2P Dartmouth study found thousands of documents with sensitive patient information on P2P networks
Social Networking: Twitter Twitter (2010) FTC alleged Twitter failed to require strong administrative passwords, secure storage of administrative passwords, periodic password changes, suspend accounts after repeated login failures Consumers’ non-public tweets were revealed and unauthorized tweets sent from accounts
Employee Data: Ceridian/Lookout Services Ceridian/Lookout Services (2011) FTC alleged companies failed to use reasonable and appropriate security to protect the personal information of its clients’ employees Ceridian is a payroll processor and Lookout Services provided employers assistance with complying with immigration laws
Privacy Roundtables Three public roundtables to explore privacy in light of new technologies, including social media Significant public participation 200 participants reflecting range of perspectives Transcripts and comments on FTC’s website
Roundtable Themes Increased collection and use of consumer data Lack of understanding and informed consent Consumers are interested in privacy Benefits of data collection and use Decreasing relevance of PII/non-PII distinction
Privacy Report – Proposed Framework Companies Should “Bake in” Privacy Employ reasonable safeguards to protect data Limit collection and length of retention Procedures to promote data accuracy Implement internal privacy programs Simplified Privacy Choices Carve out commonly accepted business practices – fraud prevention, fulfillment All other practices should have simple choice at relevant time and context Improve Transparency Improving and standardizing privacy disclosures to compare across businesses Tiered access to consumer data that companies maintain Consumer education
Behavioral Advertising Industry has made some progress in developing and implementing tools to allow consumers to control the collection and use of their online browsing data. Privacy report included a recommendation to implement a universal choice mechanism for behavioral tracking, including behavioral advertising.
Do Not Track – 5 Issues to Consider Any system should be implemented universally, so consumers do not have to opt out as they go from site to site The choice mechanism should be easy to find, easy to understand, and easy to use Any choices offered should be persistent and should not be deleted Any system should be effective and enforceable Any system should let consumers opt out of being tracked through any means and not permit technical loopholes
Recent FTC Privacy Enforcement Google Buzz FTC alleged Google did not adequately disclose to gmail users that signing up for Buzz meant the identity of their frequent correspondents would be made public, OR that they would be enrolled in some features of Buzz even if they chose not to sign up. First FTC Settlement to require a company to adopt a comprehensive privacy program.
Recent FTC Privacy Enforcement Chitika Online advertising company tracked consumers’ online activities even after they chose to opt out of online tracking Unbeknownst to consumers, the opt-out cookie only lasted for 10 days FTC alleged that Chitika’s claims about its opt-out mechanism were deceptive ScanScout Online behavioral advertising company deceptively claimed to users they could opt out of receiving targeted ads by changing their browser settings In truth, company used flash cookies for tracking that browser settings could not block Order requires company to adopt user-friendly mechanism that allows consumers to opt out of being tracked
Implications of new technologies Cloud computing Mobile
Questions? More information available at: Kristin Krause Cohen Federal Trade Commission