The FTC recently settled its enforcement action involving data privacy and security allegations against an online seller of customized merchandise. In addition to agreeing to pay $500,000, the online merchant consented to multiyear compliance, recordkeeping, and FTC reporting requirements. The essence of the FTC's seven-count Complaint is that the merchant failed to properly disclose a data breach, misrepresented its data privacy and security practices, and did not maintain reasonable data security practices.
The federal consumer protection agency has broad enforcement authority under Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits "unfair or deceptive acts or practices in or affecting commerce." This enforcement action follows other recent FTC actions on similar issues, suggesting the agency is ramping up consistent with the overall direction of the Biden Administration concerning cybersecurity. There are steps organizations can take to minimize FTC scrutiny, and one place to start may be website disclosures, perhaps in connection with addressing the upcoming website privacy compliance obligations under the California Privacy Rights Act.
In reviewing the FTC enforcement action in this matter, it is interesting to see what the agency considered personal information:
names, email addresses, telephone numbers, birth dates, gender, photos, social media handles, security questions and answers, passwords, PayPal addresses, the last four digits and expiration dates of credit cards, and Social Security or tax identification numbers
Some are obvious, some not so much.
The FTC also examined the merchant's public disclosures concerning the privacy and security of personal information, including from its website privacy policy, as well as email responses to customers and checkout pages. Here's an example:
[Company] also pledges to use the best and most accepted methods and technologies to insure [sic] your personal information is safe and secure
In addition, the agency pointed to practices it viewed as not providing reasonable security for personal information stored on a network, such as:
- Failing to implement "readily-available…low-cost protections," against "well-known and reasonably foreseeable vulnerabilities," such as "Structured Query Language" ("SQL") injection, Cascading Style Sheets ("CSS") and HTML injection, etc.
- Storing personal information such as Social Security numbers and security questions and answers in clear, readable text
- Using the SHA-1 hashing algorithm to protect passwords, a method deprecated by the National Institute of Standards and Technology in 2011
- Failing to maintain a process for receiving and addressing security vulnerability reports from third-party researchers, academics, or other members of the public
- Not implementing patch management policies and procedures to ensure the timely remediation of critical security vulnerabilities
- Maintaining lax password policies that allow, for example, users to select the same word, including common dictionary words, as both the password and user ID
- Storing personal information indefinitely on a network without a business need
- Failing to log sufficient information to adequately assess cybersecurity events
- Failing to comply with existing written security policies
- Failing to reasonably respond to security incidents, including timely disclosure of security incidents
- Not adequately assessing the extent of and remediating malware infections after learning that devices on the network had been infected with malware
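Two of the items above (unsalted SHA-1 password hashing, and a policy that let the password equal the user ID or a dictionary word) can be made concrete. The following is an added illustration, not code from the post or from the FTC filings: the weak SHA-1 storage beside a salted, iterated PBKDF2 form from the Python standard library, plus a policy check. The `COMMON_WORDS` list and the 12-character minimum are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Weak practice cited in the complaint: a bare, unsalted SHA-1 digest.
# Every user with the same password gets the same digest, so a single
# precomputed table cracks all of them at once.
def weak_sha1_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened form: per-user random salt and an iterated, slow KDF.
# PBKDF2-HMAC-SHA256 is in the stdlib; the iteration count is an assumption.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record so the parameters can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Constructed stand-in for a real dictionary-word blocklist (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "summer"}
MIN_LENGTH = 12  # assumption, not a value from the order

def password_policy_problems(user_id: str, password: str) -> list:
    """Return the policy rules a candidate password violates (empty = OK)."""
    problems = []
    if password.lower() == user_id.lower():
        problems.append("password equals user ID")
    if password.lower() in COMMON_WORDS:
        problems.append("password is a common dictionary word")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    return problems
```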
The above list (together with the additional items listed in the Complaint and the Consent Order) provides valuable insight into what measures the FTC might expect to be in place to secure personal information.
The FTC also scrutinized the merchant's disclosures on its website concerning the EU-U.S. Privacy Shield, alleging it failed to comply with some of the representations made in those disclosures. This aspect of the FTC's enforcement action is notable because the agency acknowledged that the Privacy Shield had been invalidated by a decision of the European Court of Justice on July 16, 2020. But the FTC made clear that even though the Privacy Shield was determined to be inadequate under the GDPR to permit the lawful transfer of personal data from the EU to the U.S., the merchant nonetheless represented that it would comply with the provisions of that framework.
The settlement reached in the Consent Order requires the merchant to take several steps, such as:
- WISP. Within 60 days of the order, establish and implement a comprehensive written information security program (WISP) that protects the privacy, security, confidentiality, and integrity of personal information. To satisfy this requirement, the merchant must, among other things, (i) present the WISP to its board or senior management every 12 months and no more than 30 days after a security incident, (ii) implement a range of specific safeguards and controls such as encryption, MFA, annual training, etc., (iii) consult with third-party experts concerning the WISP, and (iv) evaluate the capability of third-party service providers to safeguard personal information and contractually require them to do so.
- Independent WISP Assessment. The merchant must obtain independent third-party assessments of its WISP. The reporting period for these assessments is the first 180 days after the Consent Order, and each two-year period for 20 years following the Order.
To help survive FTC scrutiny, it is not enough to maintain reasonable safeguards to protect personal information. Companies also must ensure that the statements they make about those safeguards are consistent with the practices they actually maintain. This includes statements in website privacy policies, customer receipts, and other correspondence. Additionally, companies must fully investigate and appropriately respond to potential security incidents that may have caused, or could in the future lead to, unauthorized access to or acquisition of personal information.