BBB Wise Giving Alliance & The International Committee of Fundraising Organizations Advancing Trust in the Charitable Sector Federal Trade Commission,

1 BBB Wise Giving Alliance & The International Committee of Fundraising Organizations
Advancing Trust in the Charitable Sector
Federal Trade Commission, Bureau of Consumer Protection
Allison M. Lefrak, Attorney, Division of Privacy and Identity Protection
June 12, 2015

2 Disclaimer
► Views expressed in this presentation are my own and are not necessarily those of the Commission or any Commissioners
► Any answers to questions are my own opinion and are not those of the Commission or any Commissioners

3 Overview
► FTC background information
► FTC’s role in data security and privacy
► FTC jurisdiction over non-profits
► FTC’s business guidance

4 Federal Trade Commission
► Nation’s only general jurisdiction consumer protection agency
► ~1,100 lawyers and staff members in Washington and 7 regional offices
► Federal jurisdiction in the areas of competition and consumer protection
► Five Commissioners appointed by President and confirmed by Senate
► Three bureaus: Competition, Economics, Consumer Protection
– Privacy and Identity Protection – newest division, but not the only one addressing issues of identity theft, information security, and privacy

5 Laws the FTC Enforces
► Federal Trade Commission Act (FTC Act)
► Fair Credit Reporting Act (FCRA)
► Gramm-Leach-Bliley Act (GLBA)
► Other federal laws (e.g., COPPA, CAN-SPAM Act)

6 Privacy and Security
► FTC has played a leading role since the mid-90s in examining privacy and security issues and implementing protections for consumers
 Crafted rules and regulations
 Brought enforcement actions
 Educated businesses and consumers
 Held workshops to examine new technologies and business practices affecting privacy and data security

7 Legal Framework
► No single law governs privacy and data security in the United States
 Rather, a collection of federal laws and regulations govern specific industries and practices
 State laws addressing privacy issues, as well as private causes of action, complement federal law
 The FTC has supported proposed data security legislation that gives the FTC jurisdiction to bring cases against non-profits

8 Federal Trade Commission Act
► Section 5 of the FTC Act prohibits unfair or deceptive practices
► Deceptive practices are representations, omissions, or practices that:
– Are likely to mislead consumers acting reasonably under the circumstances
– Representation, omission, or practice must be material
► Unfair practices are those that:
– Cause or are likely to cause substantial injury
– Are not outweighed by the benefits, and
– Are not reasonably avoidable by the consumer

9 Guiding Principles
► Information security is an ongoing process
► A company’s security procedures must be reasonable and appropriate in light of the circumstances
► A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security
► A company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach

10 FTC Law Enforcement
More than 100 privacy-related actions since 2001, including:
► Over 50 Data Security Cases
► Over 100 SPAM and spyware cases
► 18 COPPA cases

12 Wyndham
► Complaint filed in June 2012
► Complaint allegations
 Since 2008, Wyndham failed to provide reasonable and appropriate security for consumers’ personal information
 As a result, intruders gained access to Wyndham’s network on three occasions between 2008 and 2010
 More than 619,000 consumer payment card account numbers exposed
 More than $10.6 million in fraud loss
 Consumers suffered unreimbursed fraudulent charges, increased costs and loss of access to funds or credit
 Consumers expended time and money resolving fraud charges and mitigating subsequent harm

13 Wyndham
► Count 1 – Deception
 Wyndham represented in its privacy policy that it would “safeguard our Customers’ personally identifiable information by using standard industry practices” and “we take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards”
 Wyndham did not implement reasonable and appropriate measures to protect consumers’ personal information against unauthorized access
 Therefore Wyndham’s representations are false and misleading and constitute deceptive acts or practices under Section 5(a) of the FTC Act
► Count 2 – Unfairness
 Wyndham failed to employ reasonable and appropriate measures to protect consumers’ personal information against unauthorized access
 Wyndham’s actions caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition
 Therefore, Wyndham’s acts and practices constitute unfair acts in violation of Section 5 of the FTC Act

14 FTC Orders Require
► Implementation of Comprehensive Information Security Program for Data Security Cases
► Implementation of Comprehensive Privacy Program for Privacy Cases
► Independent Third-Party Audits Every Two Years for up to 20 Years
► FTC Monitoring of Compliance

15 Some Common Remedies
► Injunction against misrepresentations;
► Comprehensive data security or privacy program appropriate to the company’s size, nature of activities, and information collected;
► Third party assessments of these programs;
► Other specific requirements, e.g., disclosures, privacy choices, data deletion, or software updates; and
► Civil penalties for rule and order violations.

16 FTC Jurisdiction over non-profits
► FTC’s statutory consumer protection mandate is broad
► Under Section 5 of the FTC Act, the FTC has power to prevent “persons, partnerships, or corporations” from using unfair or deceptive acts or practices in or affecting commerce, with certain limited exceptions. 15 USC §45(a)(2)
► Exceptions: banks, savings and loan institutions, federal credit unions, “common carriers”
► The Act defines “corporation” as any company that carries on business for its profit or that of its members. 15 USC §44
► Therefore, a bona fide non-profit corporation is not subject to FTC jurisdiction

17 FTC Jurisdiction over non-profits
► FTC can reach non-profits where the non-profit is a sham:
► Affirmatively misrepresenting that donations are going to charity, or
► Engaging in activities that provide substantial economic benefit to for-profit members

22 FTC Jurisdiction over non-profits
► Certain rules that the FTC enforces apply to charities, for example – the Telemarketing Sales Rule (TSR)
► The USA Patriot Act (2001) brought charitable solicitations by for-profit telemarketers within the scope of the TSR
► Now, most of the rule’s provisions are applicable to “telefunders” – telemarketers who solicit charitable contributions

23 FTC Jurisdiction over non-profits
► TSR continued
► Telefunders are required to:
 make certain prompt disclosures in every outbound call.
 get express verifiable authorization if accepting payment by methods other than credit or debit card.
 maintain records for 24 months.
 comply with the entity-specific Do Not Call requirements, but are exempt from the National Do Not Call Registry provision.
 include in any prerecorded message call on behalf of a non-profit organization to a member of, or previous donor to, the non-profit, a prompt keypress or voice-activated opt-out mechanism.

24 FTC Jurisdiction over non-profits
► TSR continued
► Telefunders are prohibited from:
 making a false or misleading statement to induce a charitable contribution.
 making any of several specific prohibited misrepresentations.
 engaging in credit card laundering.
 placing “cold” calls that deliver prerecorded messages.
 engaging in acts defined as abusive under the TSR, such as calling before 8 a.m. or after 9 p.m., disclosing or receiving consumers’ unencrypted account information, and denying or interfering with a consumer’s right to be placed on a Do Not Call list.

25 FTC DATA SECURITY RESOURCES FOR BUSINESS
 50+ law enforcement actions on data security
 FTC workshops and staff reports
 Nuts-and-bolts brochures for business at business.ftc.gov
 Protecting Personal Information: A Guide for Business
 20-minute online training tutorial for your staff
 Free copies of publications at ftc.gov/bulkorder
 Compliance videos
 120 blog posts on the Business Blog, business.ftc.gov/blog

29 Protecting Personal Information
TAKE STOCK. Know what sensitive information you have in your files and on your computers.
SCALE DOWN. Carefully consider what information to collect and maintain.
LOCK IT. Securely store information you keep.
PITCH IT. Properly dispose of what you no longer need.
PLAN AHEAD. Create a plan to respond to security incidents.

33 Questions
► My contact information:
► Alefrak@ftc.gov
► (202) 326-2804