April 12, 2023

Podcast - How the FTC Shapes Privacy and Data Security Standards

Clearly Conspicuous Podcast Series

In the seventh episode of his "Clearly Conspicuous" podcast series, "How the FTC Shapes Privacy and Data Security Standards," consumer protection attorney Anthony DiResta discusses the FTC's interest in privacy and data security, particularly its enforcement against Chegg Inc. for exposing sensitive customer and employee data. Mr. DiResta examines the FTC's complaint, including breach of reasonable security practices and misrepresentation to consumers, and provides essential takeaways from the order.

Listen to more episodes of Clearly Conspicuous here.


Welcome to our seventh podcast of "Clearly Conspicuous." As we've noted in the previous sessions, our goal in these podcasts is to make you succeed in this current and aggressive regulatory and governmental environment, make you aware of what's going on with federal and state consumer protection agencies and give you practical tips for success.

FTC's Interest in Privacy and Data Security

Today we talk about the FTC's interest in privacy and data security. The topic is having a comprehensive data and information security program. It's a must. The Federal Trade Commission (FTC) has recently finalized its order with an education technology provider, Chegg Inc., for its data security practices that exposed sensitive information about millions of Chegg's customers and employees, including Social Security numbers, email addresses and passwords. The company offers an online platform through which consumers utilize the company's subscription-based study aids, which have included tutoring, writing assistance, math problem solving and answers to common textbook questions. The company also has helped consumers search for potential scholarship opportunities. In the course of using its services, the company's tens of millions of users have provided the company with their email addresses, first and last names and passwords. Users of the scholarship search service have also provided the company with their religious denominations, their heritage, dates of birth, parents' income ranges, sexual orientation and disability. In addition, the company collects Social Security numbers, financial account information and other sensitive personal information from its employees. According to the FTC, the company failed to utilize reasonable information security measures, and hackers infiltrated the company's networks and accessed consumers' personal information on multiple occasions over the course of several years. The FTC had a two-count complaint that alleges the company violated Section Five of the FTC Act by failing to employ reasonable information security practices to protect consumers' personal information and misrepresenting to consumers that it took reasonable steps to protect their personal information.

Specifically, the complaint alleges that the company failed to implement reasonable access controls to safeguard users' personal information and stored users' and employees' personal information on its network and databases in plain text rather than encrypting the information. The complaint also alleges that the company failed to develop and implement an adequate written organizational information standard with policies and procedures and practices. The complaint also said that the company failed to provide adequate guidance or training for its employees or its contractors regarding information security and safeguarding consumers' personal information. The complaint also said that the company failed to have a policy, process or procedure for inventorying and deleting users' and employees' personal information that was stored on the network after that information was no longer needed. And finally, the complaint alleges that the company failed to adequately monitor its networks and systems for unauthorized attempts to transfer or exfiltrate users' and employees' personal information.

The FTC's Order

As you can see, this is quite a complaint concerning this company's information security practices. But it's also important to now look at the order that the FTC provided. It's kind of the blueprint for us on what not only the FTC but other regulators look for in appropriate privacy and data security practices. One central element is that the FTC and regulators look at privacy policies like contracts to consumers. There are promises in those privacy policies that state, "here's what we will do with your sensitive personal information." So therefore, the FTC will definitely challenge any company's deception concerning the extent to which it collects, maintains, uses, discloses or deletes consumers' personal information, or if a company deceptively says that it's going to protect privacy, security, availability and confidentiality of this type of sensitive information. So what you say about your privacy practices is critical. It's a contract. And the FTC and other regulators will look at it as a contract and examine whether or not you breach it. In addition, the FTC has required this company to document and adhere to a retention schedule for the personal information it collects from consumers, including the purposes for which it collects such information and the timeframe for its deletion, and a documentation of the opportunity for consumers to request access to and/or deletion of their personal information. The information security program also, according to the FTC, requires a multi-factor authentication method and a security assessment by an independent third-party professional. Finally, it's important to note that the FTC looks at a company's organizational management, and they want to know who is involved in the team when it comes to information security. They actually look for a senior corporate manager or a senior officer responsible for the security information program.

Key Takeaway

So here's the key takeaway. Privacy and data security is on the front burner of all regulators. It's essential to be aware of your privacy policies and operations, as a breach can substantially impact your brand and your reputation. Simply put, develop a comprehensive information security program. So please stay tuned to further programs as we identify and address the key issues and developments and provide strategies for success. I wish you continued success and have a meaningful day. Thank you.
