7 reasons the FTC could audit your privacy program
- 21 August, 2012 19:59
The Federal Trade Commission's $22.5 million settlement with Google last month over its user-tracking practices woke up enterprise-risk managers around the country. With penalty thresholds hitting this new range of pain, publicly traded companies now have to ask whether data privacy should be included in their Securities and Exchange Commission filings as a key risk.
What would it take, though, for the FTC to open up an investigation of your company? This is the question I tested last week. I reviewed the roughly 100 privacy cases the FTC has settled and interviewed the general counsel of a company that recently went through this process.
What did I find out? A shortlist of seven practices that will put a bull's eye on your company.
1. Secretly tracking people
The FTC has been saying for the past couple of years that it's wary of so-called online-behavioral advertising -- the amassing of large data dossiers on website visitors, usually through cookies, in order to deliver those visitors highly targeted ads. The FTC has reason to believe that users don't fully know what data is being collected about them. It especially doesn't like it when companies collect and use clickstream data in ways that users probably wouldn't consent to if they knew the full story.
This is what happened in the Google case. Apple had designed a setting in its Safari browser that allowed the user to block third-party cookies. But Google found a way around that setting to place its own cookies, seemingly undermining users' privacy expectations.
The FTC has successfully prosecuted others on this same topic. In 2007, it forced DirectRevenue to give up $1.5 million in "ill-gotten gains" for quietly bundling its adware along with affiliates' software that users thought they were downloading all by itself. In 2011, the FTC prosecuted online-ad company Chitika for expiring users' opt-out cookies after only 10 days, allowing the company to then place new ad cookies on users' computers.
The lesson in all of these cases is to manage your cookies transparently and consistently with users' previously expressed choices and browser settings.
2. Not regularly assessing and improving data security
The most likely reason the FTC will prosecute a company is substandard information security. The FTC has been routinely prosecuting cases in this area for years, in part because such cases are relatively easy to process. Usually, a data breach has occurred that causes a company to send out breach-notification letters. These letters and subsequent press reports give details about the company's security flaws. All the FTC then has to do is determine if the company took steps to assess its vulnerability to such a breach and then to follow up with readily available and affordable measures to prevent the breach.
Companies falling under the FTC's scrutiny in this area have included Twitter, Ceridian, Geeks.com, Life Is Good, Goal Financial, ValueClick, Reed Elsevier, TJX, Petco and BJ Wholesale. The FTC also coordinated with the U.S. Department of Health and Human Services on information-security investigations of Rite Aid and CVS Caremark.
What were these companies' shortcomings? Not assessing Web applications for vulnerabilities to common hacker tactics such as SQL injection and cross-site scripting attacks, not encrypting laptops and wireless connections, storing sensitive information too long, not training employees, and disposing of documents in insecure containers.
If the FTC determines that your company has substandard security, it can use its authority under Section 5 of the FTC Act to prosecute you for an unfair trade practice.
While the FTC doesn't typically impose fines in these cases, its consent orders contain common requirements that can be far more financially draining: appointing a head of information security, documenting a comprehensive information security program, and conducting mandatory independent security audits every other year for 20 years. The year-one price tag for an information security consent decree for a Fortune 1,000 corporation, including audits, fixes, attorney fees and new appointments, could easily top $1 million. If the meter starts at $250,000 for the subsequent audits, the total effective cost would exceed $3 million.
The lesson from these cases for any company storing significant amounts of personal data is to do the things the FTC mandates: appoint the likes of a chief information security officer, conduct regular enterprisewide risk assessments and fix material gaps.
3. Not honoring opt-outs
The FTC is charged with enforcing the Telemarketing Sales Rule (TSR) and the CAN-SPAM Act. It's very easy for it to obtain evidence that your company does not make it easy for consumers to opt out of telemarketing and e-mail marketing or ignores their opt-outs altogether. Several companies -- VoiceTouch, Dish Network, DirecTV, The Broadcast Team and Craftmatic -- have found this out the hard way. Four TSR violations rank among the highest privacy penalties imposed by the FTC (see table below).
The lesson for marketers is clear: regularly test your opt-out processes to make sure they're easily accessible and promptly acted upon.
4. Not collecting parental consent
The FTC also enforces the Children's Online Privacy Protection Act (COPPA). COPPA requires that websites oriented toward children under 13 collect personal data from children only with the consent of a parent. The websites also need parental consent to market to the children and have to provide parents a way to review and delete information about their children.
It's fairly easy to tell if a website isn't doing these things, and the FTC has made some sweeps of children's websites to net millions of enforcement dollars. Among the companies caught in this dragnet have been Playdom, Sony BMG Music, UMG Recordings, W3, Iconix, Industrious Kid and Xanga.
If your company operates a child-oriented website, fully complying with COPPA is the only way to reduce the risk of a million-dollar fine.
5. Not providing complete and accurate privacy policies
6. Disclosing consumer data without consent
Another way to get the FTC's attention is to share data in ways that would surprise people. Google found this out after the 2010 launch of its now-defunct Buzz social-media platform. The FTC found that Gmail users were not made sufficiently aware of how to avoid joining the platform and sharing their personal information with other Buzz users. The case was the first time the FTC enforced the U.S.-EU Safe Harbor agreement against an existing member, and the settlement became the first time the FTC required the implementation of a comprehensive privacy program.
The FTC has dinged other companies, including Action Research Group ($606,000 fine) and AccuSearch ($200,000 fine), for selling personal data to third parties. Most recently, the FTC settled with popular data aggregator Spokeo for $800,000 for selling consumer data in violation of the Fair Credit Reporting Act (FCRA).
I caught up this week with Angela Saverice-Rohan, Spokeo's new general counsel. She explained how her company inadvertently appeared on the FTC's radar.
"Spokeo, like other people-search companies, does not purport to be a consumer reporting agency, and we expressly instruct our users on the appropriate uses of our data," she said.
"However, when the company was just getting off the ground, we made the mistake of targeting certain advertising to human resources professionals, a practice regulated by FCRA," she elaborated.
7. Not assessing vendor and client security
Because credit-reporting agencies make sensitive personal data available to thousands of business clients, their vast stores of data are a magnet for identity thieves, who try to pose as legitimate buyers of consumer reports.
This is what happened in 2005 when a crime ring accessed over 163,000 consumer records in the databases of ChoicePoint and subsequently conducted at least 800 acts of account fraud, according the FTC. The commission settled with ChoicePoint for $15 million in a lengthy and highly publicized case. Similar cases have involved ACRAnet, Teletrack and Rental Research Services.
If your company is a credit-reporting agency, you must implement a rigorous screening process for new clients if you want to avoid an FTC investigation.
If you are investigated
If your company is engaging in any of the seven practices above, how would the risk of an FTC privacy consent decree become a reality?
You can expect a five-step process:
1. Triggering event. Something has to bring your situation to the FTC's attention. This can be a press report of a data breach or product launch, or a consumer complaint that results in a congressional inquiry or lawsuit by a privacy advocate such as the Electronic Privacy Information Center (EPIC). The FTC staff might also proactively conduct a sweep or other type of cross-cutting analysis of companies on a particular data practice.
2. Pre-search. Before the FTC contacts your company, its Bureau of Consumer Protection will assign the case to one of its 100-plus lawyers in its Washington headquarters and seven regional offices. The assigned attorney will usually search the Internet for readily available information about the subject matter. This helps the FTC determine which cases are worth devoting further resources to.
"During this phase, the FTC will likely look closely at any consumer complaints or negative press regarding your privacy practices or business model," Saverice-Rohan explained.
3. Civil Investigative Demand or access letter. The first your company will hear of it usually will come in the form of a letter from the FTC sent to your general counsel. The FTC will list the information it expects you to provide. Over the course of the next several months, the FTC may submit additional requests for information via e-mail or over the phone, but rarely if ever in person.
Saverice-Rohan recommends securing outside help for this phase. "We retained outside counsel that was experienced with FTC investigations. This is very important," she said. "Lack of experience could have a material impact on your investigation and the ultimate outcome."
Andrew Serwin, a partner at law firm Foley and Lardner who has participated in several FTC privacy decrees and investigations, echoed this advice. "Managing your communications with the FTC is a critical component of the process."
Saverice-Rohan added that "a consent decree will usually force a company to acknowledge the value of having an attorney in-house that understands the business model and the operational practices and can proactively advise on legal compliance."
4. Proposed settlement. In the end, an investigation may be closed without further ado. If the FTC has determined that your company has done something wrong, however, it will normally propose a settlement. The agreed-upon settlement will be published as a Federal Register Notice open for public comment for a period of time. Some time after the close of public comments, the FTC will issue the final settlement terms. If your company refuses to agree to the consent order, the FTC may initiate proceedings before an administrative law judge.
"The settlements are called 'consent decrees' for a reason," Serwin explained. "It means that both sides ultimately have to feel the settlement is in their best interest. For the company, it means that there has to be a strong working relationship with the FTC that is built upon trust, as well as the understanding that if a deal is not made the case will be litigated."
5. Settlement terms go into effect. The FTC's privacy settlements often include injunctions to stop doing the things at the root of the investigation. Some include penalties, fines and orders to pay restitution to victims. Settlements that include a requirement to establish a privacy and security program and conduct an audit usually allow for a grace period of 180 days. If your company subsequently violates the terms of the settlement, the FTC may seek additional monetary penalties and an injunction in federal court.
Getting investigated by the government for the first time can put a chill through a company. Saverice-Rohan recommends against letting a defensive posture take root.
"Be cooperative and maintain a positive dialogue upon completion of the investigation," she told me.
"When appropriate, engage with the commission and their staff prior to making material changes to your business model or privacy practices that you think may spur scrutiny."
This is advice you can take to the data bank.
Read more about privacy in Computerworld's Privacy Topic Center.