FTC: Anatomy of a Data Security/Privacy Investigation and the Future of PrivacyJohn Jay College of Criminal JusticeCenter for Cybercrime StudiesNovember 10, 2011

Kristin Krause Cohen, Staff Attorney

Division of Privacy and Identity Protection

Federal Trade Commission

Disclaimer

The views expressed in this presentation are mine and are not necessarily those of the Commission or any individual Commissioner.

Meet the Federal Trade Commission

Nation’s only general jurisdiction consumer protection agency

~1,100 lawyers and staff members in Washington and 7 regional offices

Federal jurisdiction in the areas of antitrust and consumer protection

Three bureaus: Competition Economics Consumer Protection

Agenda for Today

How the FTC’s Data Security Program Has Evolved

The FTC Privacy Report Recent Privacy Enforcement Actions New Areas

Legal Standards

Relevant laws governing data security and privacy:

Fair Credit Reporting Act (FCRA) – Disposal Rule

Federal Trade Commission Act (FTC Act)

Other federal laws (HIPAA, DPPA, FERPA)

State laws

Anatomy of a FTC Investigation

Finding cases Pre-search Civil Investigative Demand or access letter Analyzing the facts Litigation or consent negotiation (or closing

letter) Compliance and monitoring

Perspective

FTC data security enforcement has become more granular

From the enforcement actions are specific lessons for businesses to learn, including those in the health industry

FTC’s definition of what is unfair or unreasonable will help to inform evaluation of privacy and security practices in other contexts.

Four Points that Guide the FTC’s Information Security Enforcement Information security is an ongoing process. A company’s security procedures must be

reasonable and appropriate in light of the circumstances.

A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security.

A company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach.

The Early Years

The FTC’s early privacy and data security enforcement is characterized by targeting companies that engaged in practices contrary to their published privacy policies

The Early Years

Geocities (1999) (first Internet privacy case) and Gateway (2004) The FTC alleged the companies used

personal information in a manner contrary to promises made to consumers.

Order required Geocities to notify members and allow their information to be deleted and prohibited Gateway from sharing personal information obtained under their original privacy policy without express consent.

False Representations About Data Security and FTC Enforcement

Common Vulnerabilities: Petco

Petco (2005) FTC alleged that Petco falsely represented that

personal information it obtained from consumers was maintained in an encrypted format

Petco’s website and web application were vulnerable to commonly known or reasonably foreseeable attacks

Order against Petco prohibited misrepresentations and required it to implement a comprehensive information security plan and obtain independent assessments of the plan

FTC use of “unfairness” prong of Section 5

Duty to protect data implied in requirement not to engage in unfair practices

Multiple Risks: BJ’s

FTC alleged BJ’s engaged in an unfair practice by “failing to employ reasonable and appropriate security measures to protect personal information. . . .”

Multiple Risks: BJ’s Specifically, FTC alleged BJ’s did not employ reasonable

and appropriate measures to secure personal information. Among other things, it: did not encrypt information while in transit or when

stored stored information in files that could be accessed

using a commonly known default user ID and password

did not use readily available security measures to limit access to its networks through wireless access points on the networks

did not employ sufficient measures to detect unauthorized access or conduct security investigations

stored information for up to 30 days when it no longer had a business need to keep the information

Peer-to-Peer Application Warning Letters Notified almost 100 organizations that files

containing PII shared from their computer networks to P2P networks

FTC simultaneously released business education on risks associated with P2P

Dartmouth study found thousands of documents with sensitive patient information on P2P networks

Social Networking: Twitter

Twitter (2010) FTC alleged Twitter failed to require strong

administrative passwords, secure storage of administrative passwords, periodic password changes, suspend accounts after repeated login failures

Consumers’ non-public tweets were revealed and unauthorized tweets sent from accounts

Employee Data: Ceridian/Lookout Services Ceridian/Lookout Services (2011) FTC

alleged companies failed to use reasonable and appropriate security to protect the personal information of its clients’ employees

Ceridian is a payroll processor and Lookout Services provided employers assistance with complying with immigration laws

Privacy Roundtables

Three public roundtables to explore privacy in light of new technologies, including social media

Significant public participation 200 participants reflecting range of perspectives Transcripts and comments on FTC’s website

Roundtable Themes

Increased collection and use of consumer data

Lack of understanding and informed consent

Consumers are interested in privacy Benefits of data collection and use Decreasing relevance of PII/non-PII

distinction

Privacy Report – Proposed Framework

Companies Should “Bake in” Privacy Employ reasonable safeguards to protect data Limit collection and length of retention Procedures to promote data accuracy Implement internal privacy programs

Simplified Privacy Choices Carve out commonly accepted business practices – fraud

prevention, fulfillment All other practices should have simple choice at relevant time and

context Improve Transparency

Improving and standardizing privacy disclosures to compare across businesses

Tiered access to consumer data that companies maintain Consumer education

Behavioral Advertising

Industry has made some progress in developing and implementing tools to allow consumers to control the collection and use of their online browsing data.

Privacy report included a recommendation to implement a universal choice mechanism for behavioral tracking, including behavioral advertising.

Do Not Track – 5 Issues to Consider

Any system should be implemented universally, so consumers do not have to opt out as they go from site to site

The choice mechanism should be easy to find, easy to understand, and easy to use

Any choices offered should be persistent and should not be deleted

Any system should be effective and enforceable Any system should let consumers opt out of being tracked

through any means and not permit technical loopholes

Recent FTC Privacy Enforcement Google Buzz

FTC alleged Google did not adequately disclose to gmail users that signing up for Buzz meant the identity of their frequent email correspondents would be made public, OR that they would be enrolled in some features of Buzz even if they chose not to sign up.

First FTC Settlement to require a company to adopt a comprehensive privacy program.

Recent FTC Privacy Enforcement

Chitika Online advertising company tracked consumers’ online activities even after

they chose to opt out of online tracking Unbeknownst to consumers, the opt-out cookie only lasted for 10 days

FTC alleged that Chitika’s claims about its opt-out mechanism were deceptive

ScanScout• Online behavioral advertising company deceptively claimed to users they could

opt out of receiving targeted ads by changing their browser settings• In truth, company used flash cookies for tracking that browser settings could not

block• Order requires company to adopt user-friendly mechanism that allows

consumers to opt out of being tracked

Implications of new technologies

Cloud computing Mobile

Questions?

More information available at:

www.ftc.gov

Kristin Krause Cohen

Federal Trade Commission

kcohen@ftc.gov