UPDATES TO Chapter 10

Regulatory Enforcement – The Federal Trade Commission

UPDATES TO THE SECOND EDITION

10.4 FTC Enforcement Trends Since 2023

An October 2024 proposed settlement with Marriott seems to be the first time that the FTC has required a respondent in a data security case to provide its customers with the right to delete data about themselves. At least since its January 2023 settlements with Chegg and Drizly, the FTC has required settling cybersecurity respondents to adopt a data security program that includes retention limits, requiring systematic deletion of personal data that is no longer reasonably necessary to fulfill the purpose for which it was collected. And in its January 2024 proposed settlement with InMarket Media (finalized in May), in what was at core a privacy case, the FTC imposed an obligation to delete location data upon customer request. But the Marriott case may be the first time that the FTC has required a company that suffered a security breach to provide all customers with a link to request deletion of personal information associated with an email address and/or a loyalty rewards program account number--a right that would apparently be available even if the data otherwise met the standard for retention. The right would apply prospectively, over the 20 years that the settlement, if approved, will remain in effect.

A proposed settlement with telehealth firm Cerebral illustrates the FTC’s holistic combination of both privacy and cybersecurity concerns (as well as basic consumer protection) in its approach to enforcement. It appears that the company first came to the attention of regulators due to concerns over its online drug prescription practices. Once the FTC started investigating, it looked broadly at the company’s practices, focusing particularly on its offering of services on a negative option basis (meaning consumers are automatically charged unless they cancel those services) while making it hard for consumers to cancel; its use of tracking tools on its website or apps that collected and sent data to third parties for use in advertising; and its cybersecurity practices. Regarding security, the complaint alleged numerous defects in the company’s data security practices, including that it failed to block former employees from accessing confidential electronic medical records of Cerebral patients and that it used a single sign-on method for accessing its patient portal that exposed confidential medical files and patient information to other patients. As with other recent FTC enforcement actions, the complaint alleged both privacy and security violations, plus a consumer protection allegation: that the company’s statements on privacy were deceptive and thus violated Section 5; that its statements on security were deceptive and thus a Section 5 violation; that its failure to employ reasonable measures to protect consumers’ personal information was unfair and thus a violation of Section 5; and that its misrepresentations regarding its cancellation policies were deceptive and thus a violation of Section 5. 
The complaint also alleged that the company’s unfair or deceptive acts or practices regarding data security and data privacy constituted unfair or deceptive acts or practices with respect to a substance use disorder treatment service in violation of Section 8023(a) of the Opioid Act, 15 U.S.C. § 45d(a). Finally, the complaint alleged that the company’s acts or practices violated Section 4 of the Restore Online Shoppers’ Confidence Act, 15 U.S.C. § 8403. The proposed settlement would require both privacy and cybersecurity measures. The list of cybersecurity measures is familiar; it includes requiring encryption of all covered information and implementing phishing-resistant multi-factor authentication methods for all employees, contractors, and affiliates in order to access any assets (including databases) storing covered information. Unlike other recent orders, the proposed settlement did not contain an explicit data minimization requirement, but it would require the company to set express data retention limits and to delete information as soon as it was no longer necessary to fulfill the purpose for which it was collected.

There are several noteworthy elements of the FTC’s February 2024 settlement with Global Tel*Link Corporation, a company that suffered a data breach in 2020 when it left large amounts of unencrypted data in an unsecured cloud-based environment. As in many other cases, the FTC complaint alleged multiple security failings by the company, leading to a claim of unfair data security practices. However, it is in the FTC’s allegations regarding the company’s misrepresentations about its security practices and its response to the breach that the case is notable. First, the FTC complaint alleged that Global Tel*Link’s failure to timely notify all affected individuals of the incident was an unfair act or practice. The Commission thus embraced the theory, announced in the 2022 staff statement, that the unfairness prong of Section 5 of the FTC Act imposes a breach notification requirement. See Chapter 3.1.1.7. Moreover, the complaint separately alleged that Global Tel*Link had violated Section 5 when it (1) misrepresented its cybersecurity practices in connection with the advertising, promotion, offering for sale, or sale of its services, (2) issued a statement that was false or misleading as to the severity of the incident and the risk to individual consumers, (3) misrepresented in the same statement that it would timely notify users whose personally identifiable information had been exposed as a result of the incident, and (4) stated, in bids submitted to potential institutional customers after the incident, that it had never experienced a breach.

Taken together, these allegations mean that the Commission will take a comprehensive view of a company’s statements--to individuals whose data it holds, to the public, and to potential enterprise customers—about its cybersecurity practices and about any breach it suffers. For example, the complaint alleged that, after the breach, the respondent stated in its RFP responses to potential facility customers that “there were no system incidents that resulted in a significant failure in the achievement of one or more of service commitments and system requirements,” where “system requirements” were defined to include that “Logical access to programs, data and computer resources is restricted to authorized and appropriate users, and such users are restricted to performing authorized and appropriate actions.”

Also in February 2024, the FTC settled with Blackbaud, which provides data services and financial, fundraising, and administrative software services. In 2020, Blackbaud suffered a breach. The FTC complaint alleged that the company failed to implement appropriate safeguards and that it failed to give timely notice to its customers. (The breach also generated class action litigation discussed in Chapters 4 and 5 of the book and an SEC enforcement action described in Chapter 3.) What is noteworthy is that the FTC also alleged that the company held onto data far longer than was necessary. The failure to implement and enforce reasonable data retention practices for sensitive consumer data was an unfair practice, the Commission alleged, further expanding on the data minimization theme identified in Chapter 10.4 in the book.

____________________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION (last updated August 11, 2022), INCORPORATED INTO THE SECOND EDITION

10.1 Overview - The Origins and Evolution of FTC Cybersecurity Enforcement

Scroll down to the new Chapter 10.4.10 for a discussion of the FTC’s potentially momentous first steps towards a rulemaking on data security. The process will take at least a year, if not longer. Meanwhile, the FTC continues to exercise and evolve its case-by-case enforcement under Section 5 of the FTC Act.

On January 4, 2022, the FTC issued a blog post warning companies to remediate the Log4j security vulnerability, which was ubiquitous at the time: “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” The warning was significant in itself, in that I do not recall the FTC making such an express statement on a specific security measure—almost a directive—outside of its settlements in individual cases and its press releases and compilations drawing lessons from enforcement actions. Moreover, the post included a quite definitive statement of the FTC’s view that there is a general duty to mitigate vulnerabilities: “The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act.” I’m not sure the FTC had ever used the word “duty” in this way. (“Duty” is also an important concept under negligence law. The FTC’s authority under Section 5 of the FTC Act shares some similarities with the cost-utility analysis at the core of negligence law.) The blog went on to say: “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” Note as well the re-emergence of the word “reasonable.”

Through 2022 and into 2023, some very interesting themes emerged in FTC data security enforcement:

  • The integration of privacy and security: The FTC used to treat privacy and security as separate concerns; an enforcement action was either a privacy case or a data security case. No longer. When the FTC opens a privacy or consumer fraud investigation, it may look at the respondent’s data security practices, and when it opens a data security investigation, it may look at privacy practices. Ensuing complaints and settlements may encompass the full range of issues that the Commission believes are within its purview. For example, in a case against MoviePass, which seems to have begun as a consumer fraud case, the FTC alleged after its investigation that the company deceptively marketed its one-movie-per-day service and that it failed to take reasonable steps to secure personal information it collected. The proposed settlement prohibited the company’s operators from misrepresenting the services provided (for example, how many movies a subscriber could access) and required them to adopt a comprehensive security program along the lines of other data security settlements. Similarly, in an enforcement action against CafePress, what seems to have started as a data security case expanded to include the email marketing practices of the respondent, and the resulting settlement covered both data security and privacy, including a requirement that the respondent minimize data collection.

  • Direct notice to consumers: The CafePress settlement requires the current owner of the platform to send a letter to consumers whose personal information was accessed as a result of several data breaches. The letter would include security advice to consumers. Moreover, in the draft letter, CafePress would expressly tell consumers “CafePress didn’t have reasonable practices to keep your information safe.” This is pretty remarkable, since settlements, including this one, always contain a statement that the respondent neither admits nor denies any wrongdoing. This may reflect a Commission determination to regularly require settling respondents to notify their customers about the outcome of a matter and its findings. In January 2021, Commissioner Phillips reviewed the use of notice by the FTC and commented upon the apparent shift in Commission policy, in a separate statement in a case against Flo Health.

  • “Even absent a breach, COPPA-covered ed tech providers violate COPPA if they lack reasonable security.” That is what the FTC said in a May 2022 policy statement on education technology and the Children’s Online Privacy Protection Act. At some level, the comment merely restates the obvious: the COPPA Rule, 16 C.F.R. § 312.8, requires reasonable security, so failure to provide reasonable security violates the rule. However, in the absence of a breach, it will be interesting to see whether the FTC can comply with, or avoid, Section 5(n) of the FTC Act. Pursuant to Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57a(d)(3), a violation of the COPPA Rule constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act. But Section 5(n) of the FTC Act states that the Commission shall have no authority under Section 5 or Section 18 of the Act to declare unlawful an act or practice on the grounds that such act or practice is unfair “unless the act or practice causes or is likely to cause substantial injury to consumers.”

  • Heightened expectations for MFA: In an October 2022 settlement with online alcohol marketplace Drizly and its CEO over allegations that the company’s security failures led to a data breach exposing the personal information of 2.5 million consumers, the FTC ordered the company to require MFA for all employees, contractors, and affiliates in order to access any assets, including databases, storing customer information. Moreover, in recognition that some forms of MFA are vulnerable, the Commission specified that the MFA methods must be resistant to phishing attacks. Likewise, in a settlement with ed tech provider Chegg Inc. for its lax data security practices, the Commission again ordered the company to require phishing-resistant MFA for all employees, contractors, and affiliates accessing customer information. Never before had the Commission specified that MFA must be phishing-resistant. Note that Drizly and Chegg were required to adopt phishing-resistant authentication for all employees, contractors, and affiliates in order to access assets (including databases) containing customer information, but the companies were only required to offer MFA as an option for consumers, and there is no requirement that consumer-facing MFA be phishing-resistant. Also, both settlements allow the companies to forgo MFA in favor of “equivalent, widely adopted industry authentication options that are not multi-factor,” provided they can justify the decision.

10.4.5 Fines and Penalties

In response to AMG Capital Management, the FTC has invoked a unique process under the FTC Act to partially restore its ability to impose monetary penalties through district court proceedings. Under Section 5(m)(1)(B) of the Act, 15 U.S.C. § 45(m)(1)(B), the FTC may notify companies that certain acts or practices have been found in administrative decisions, other than consent orders, to be deceptive or unfair. Companies that receive such a “Notice of Penalty Offenses” then have “actual knowledge” that those practices violate the law. If a company engages in that conduct in the future, even though it was not a party to the initial proceeding that declared the practice illegal, Section 5(m)(1)(B) allows the FTC to sue the company in district court and obtain monetary penalties. In October 2021, the FTC began sending large numbers of such notices, starting with for-profit educational institutions (listing deceptive employment and earnings claims) and then warning an array of large companies, top advertisers, leading retailers, top consumer product companies, and major advertising agencies about the use of endorsements. As of early December 2021, the FTC had not used the same tactic with regard to cybersecurity, and it is not clear whether it can do so, because almost all FTC cybersecurity enforcement actions have resulted in consent orders, for which Section 5(m)(1)(B) is not available; but the issue merits monitoring.

As the settlement announced in March 2022 against CafePress shows, the Supreme Court ruling in AMG Capital Management did not prevent the FTC from obtaining monetary relief in settlements of administrative proceedings. In the settlement, the company that owned CafePress at the time it experienced several breaches agreed to pay $500,000 into a fund managed by the FTC “to be used for relief, including consumer redress.”

10.4.7 GLBA Safeguards: The Next Generation

In October 2021, the FTC adopted the amendments to the GLBA Safeguards Rule described in the book. The new rule is considerably more detailed in terms of the elements required in an information security plan. See revisions to Chapter 9.2.10.1.

[New subchapter:] 10.4.10  FTC Rulemaking

On August 11, 2022, the FTC issued an Advance Notice of Proposed Rulemaking (ANPRM) to request public comment on the prevalence of commercial surveillance and data security practices that harm consumers. Specifically, the Commission invited comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.

Under Section 18(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 57a(a)(1), the Commission may prescribe--

(A)  interpretive rules and general statements of policy with respect to unfair or deceptive acts or practices in or affecting commerce (within the meaning of section 45(a)(1) of this title), and

(B)  rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce (within the meaning of section 45(a)(1) of this title) … .

This language and specific procedures that go beyond the Administrative Procedure Act were added to the FTC Act by the Magnuson-Moss Warranty-Federal Trade Commission Improvement Act of 1975. The statute’s unique rulemaking procedures are referred to as “Mag-Moss.”

For decades, Mag-Moss procedures had been presumed to be so cumbersome as to be impossible to use. However, in 2020, Commissioner Rebecca Kelly Slaughter began arguing that the real impediments to effective rulemaking came not from the statute but from self-imposed requirements. She argued: “With revised Rules of Practice, the Commission would be well positioned to initiate Mag-Moss rulemakings designed to curb problematic data abuses.” On July 1, 2021, under its new chair, Lina Khan, the FTC voted, 3-2, to streamline its Mag-Moss rulemaking procedures, essentially adopting Commissioner Slaughter’s concept.

The August 2022 ANPRM does not contain any proposed regulatory language. That would come in a subsequent Notice of Proposed Rulemaking. Instead, the ANPRM invites public comment on three broad questions: (a) the nature and prevalence of harmful commercial surveillance and lax data security practices, (b) the balance of costs and countervailing benefits of such practices for consumers and competition, as well as the costs and benefits of any given potential trade regulation rule, and (c) proposals for protecting consumers from harmful and prevalent commercial surveillance and lax data security practices. Specifically on the question of data security, the ANPRM poses six specific questions, some with several subparts, including —

  • Should new rules require businesses to implement administrative, technical, and physical data security measures, including encryption techniques, to protect against risks to the security, confidentiality, or integrity of covered data?

  • If so, how granular should such measures be?

  • Do the data security requirements under COPPA or the GLBA Safeguards Rule offer any constructive guidance for a more general trade regulation rule on data security across sectors?

  • To what extent, if at all, should the Commission require firms to certify that their data practices meet clear security standards? If so, who should set those standards, the FTC or a third-party entity?

Comments were due in October 2022.

Caveat: The Supreme Court’s June 30, 2022 ruling in West Virginia v. EPA may have cast doubt on the authority of the FTC to issue rules on privacy or data security. In the EPA case, the Court indicated that, “in certain extraordinary cases,” regulatory agencies could not issue rules on “major questions” affecting “a significant portion of the American economy” without “clear congressional authorization.” The FTC has such authorization for financial institutions and online services collecting data on children, but it has none for the rest of the economy.


Last updated: Oct. 11, 2024.

Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.