Wisconsin Lawyer, Vol. 81, No. 3, March 2008
The FTC's Web Site Privacy and Security Rules for Every Business
Every business engaged in Internet commerce or using a Web site to collect personal information - not just those businesses subject to financial services industry regulations - must comply with Federal Trade Commission rules governing the use and protection of personal information. Failure to comply can be very costly.
by Mark F. Foley
The Federal Trade Commission (FTC) has authority under the Federal Trade Commission Act to bring enforcement actions1 to stop unfair and deceptive acts or practices.2 Through the filing, or the threat of filing, just 20 administrative and civil complaints, the FTC has used this power to establish minimum requirements for data privacy and security practices for the online world.3 This article explores the scope and content of these rules as they affect entities engaged in Internet commerce.
Do What You Say
The first lesson that emerges from the FTC cases is one that seems obvious to everyone except, apparently, online data collectors: Do what you say. Anything else is unfair and deceptive.
In its first enforcement action involving online privacy practices, the FTC issued a draft administrative complaint against GeoCities, the operator of a Web site that hosted personal home pages and provided email addresses to registered adults and children. GeoCities' "New Member Application" required users to provide personal identifying information (name, address, gender, and age) and requested additional information about user interests. Applicants were asked to select from a list of special offer topics and to designate whether they wished to receive specific products or services from individual companies. GeoCities' published privacy policy promised that "[w]e will not share this information with anyone without your permission."4 In truth, GeoCities sold, rented, or disclosed the collected personal identifying information to third parties who used it for purposes not approved by the data subjects.
GeoCities capitulated in the face of the FTC's threats and resulting bad publicity, entering into a 20-year consent decree establishing what would become a familiar pattern in FTC enforcement cases.5 GeoCities agreed not to make any misrepresentation, expressly or by implication, about its collection or use of information from or about consumers. GeoCities agreed not to collect information from children if GeoCities had actual knowledge that a parent had not given permission to provide the information. GeoCities also agreed to provide a clear and prominent notice to consumers about its practices regarding the collection and use of personal identifying information, including:
- what information is collected;
- its intended uses;
- third parties to whom it will be disclosed;
- consumers' ability to access the information; and
- consumers' ability to remove information from GeoCities' databases.
The decree requires this information to appear on GeoCities' home page or a page accessible from a home page hyperlink and at each location on the Web site at which personal identifying information is collected. Finally, the decree requires GeoCities to establish a procedure for obtaining express parental consent before collecting and using personal identifying information from children.
Mark F. Foley, Michigan 1981, is a partner at Foley & Lardner LLP, Milwaukee, practicing in the litigation and data privacy and security practice groups. He counsels domestic, foreign, and multinational companies on domestic and international data privacy and security compliance.
The GeoCities case establishes that it is an unfair or deceptive trade practice to mislead consumers about online data privacy practices. The case also illustrates the FTC's special sensitivity to the collection and use of information about children and establishes a standard for minimum fair information privacy principles (FIPPs).
The FTC repeated these themes in subsequent cases. Exactly three months after the GeoCities consent decree, the FTC reached a settlement of threatened charges against Liberty Financial Companies Inc.6 Liberty created Web pages directed at children. Through this Web site, known as "The Young Investor Measure Up Survey," Liberty collected information about allowances, financial gifts, spending, work habits, college plans, and family finances. The survey stated that "all of your answers will be totally anonymous."7 The children's answers were merged with contact information for a promised newsletter and quarterly prize drawings, but no newsletter was ever created and no prizes were awarded. The FTC's core complaint, as in GeoCities, was that the Web site operator had not done what it promised to do. The resulting 20-year consent decree prohibited future misrepresentations and required Liberty's compliance with the GeoCities FIPPs.
Similarly, the FTC sued to prevent the bankruptcy trustee of online retailer Toysmart.com from selling a customer contact list despite the company's express promise that personal information collected through its Web site "is never shared with a third party [and] is used only to personalize your experience online."8 In fact, every FTC privacy case involves an allegation that the target company failed to do what it expressly or impliedly promised.
Say What You Do
A second lesson from the FTC enforcement cases is that it is not enough that a company do what it says; it also must say what it does in a clear and conspicuous way. In two related cases, Educational Research Center9 and National Research Center,10 the FTC complained about data uses that went beyond what the Web site operator had disclosed. Both entities collected information from students, representing that it would be tabulated into a report used by colleges and universities to "keep in touch with the interests and trends among today's high school students" and to "make funding available for students' post-secondary education."11 Although the information was shared with such educational institutions, it also was shared with commercial entities for marketing purposes. The FTC alleged that the failure to include complete information about how data would be used constituted an unfair and deceptive trade practice.12
A new permutation of this "say what you do" principle appeared in Cartmanager International.13 Cartmanager provided shopping cart software and related services to thousands of online retail merchants. The software generated customized shopping cart and checkout Web pages for use on merchants' Web sites. These pages resided on Cartmanager's Web site, but they were designed to look like the other pages on the merchant's site and typically displayed the merchant's name and logo. Information collected through the Cartmanager software, including customers' names, billing and shipping addresses, phone numbers, email addresses, credit card information, and merchandise ordered, was transmitted to Cartmanager, which then notified the merchant so it could fulfill the customers' orders.14
Some of the merchants had published privacy policies promising not to share personal information with third parties. But in January 2003 Cartmanager began renting to third parties for marketing purposes consumers' personal information that it collected through shopping cart and checkout pages. The FTC alleged that this constituted an unfair and deceptive practice because Cartmanager's pages appeared to be part of the merchants' individual pages, and consumers were not notified that different privacy policies applied to information provided through the sales and checkout pages. The FTC also complained that Cartmanager failed to disclose to the merchants its intention to share such information. Although Cartmanager's software license agreement provided that "Cartmanager shall retain full ownership of all data submitted by either Merchant or Purchaser," this was "buried in the middle of the online agreement and does not explain how [Cartmanager] intends to use the information or that such use may conflict with the merchants' privacy policies."15
Have Reasonable and Appropriate Security Practices
A third lesson established by the FTC cases is that strong privacy practices are not enough; a business also must have security practices that are reasonable and appropriate to the nature of the data. In early 2000 the FTC filed a lawsuit against ReverseAuction.com16 alleging that the company had become an eBay user in order to obtain other people's eBay user IDs, email addresses, and feedback ratings in violation of eBay's terms and conditions of use. ReverseAuction.com then sent email to the other eBay users suggesting that their eBay membership IDs would expire if the user did not update his or her information. ReverseAuction, in a precursor to today's phishing activities, did this in order to get eBay users to provide personal identifying information to ReverseAuction, which used the data for its own purposes. Once again, the FTC demanded that the company cease the deceptive practices, divest itself of its ill-gotten information, and promise to adopt the same FIPPs expressed in GeoCities and Liberty.
Even though no security breach was involved in ReverseAuction's unfair practices, the FTC added a requirement that the company disclose "the steps defendant has taken to ensure the security of the information collected and/or maintained at the site." This was the first indication that the FTC would require security mechanisms for Web site operators not covered by substantive legislation such as the Gramm-Leach-Bliley Act (GLBA) or the Fair Credit Reporting Act (FCRA).17
Having already established that Web site operators had to disclose their practices, the FTC took the next logical step by adding to its list of prohibited practices the making of misleading express or implied statements about Web site security. In the Microsoft case, the FTC's complaint alleged that the company had represented "expressly or by implication, that it maintained a high level of online security by employing sufficient measures reasonable and appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers in connection with the Passport and Passport Wallet services."18 Specifically, Microsoft had said that ".NET Passport achieves a high level of Web Security by using technologies and systems designed to prevent unauthorized access to your personal information ... is protected by powerful online security technology and ... is stored on secure servers in controlled facilities."19 The FTC complained that Microsoft did not fulfill these express promises.
The FTC complaint about what Microsoft had failed to do creates, by implication, a list of what the FTC thinks a company must do to have adequate security policies, even when the Web site operator is not covered by specific legislative or regulatory requirements:
"[R]espondent failed to implement and document procedures that were reasonable and appropriate to: (1) prevent possible unauthorized access to the Passport system; (2) detect possible unauthorized access to the Passport system; (3) monitor the Passport system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations."20
In its next administrative proceeding, Guess?, Inc.,21 the FTC revealed its thinking about the substantive contents of a reasonable and appropriate security policy. Guess? sold its clothing and accessories through various outlets, including its Guess.com Web site. To make purchases on the Web site, consumers were required to use a credit or debit card and to divulge the customer's name, address, and credit or debit card number and expiration date. The company stored this information in databases that supported or were connected to the Web site. Guess.com's privacy policy said:
"This site has security measures in place to protect the loss, misuse and alteration of the information under our control. All orders are transmitted over secure Internet connections using SSL (Secure Sockets Layer) encryption technology. All of your personal information including your credit card information and sign-in password are stored in an unreadable, encrypted format at all times. This Website and more importantly all user information, is further protected by a multi-layer firewall based security system."22
In fact, the company did not encrypt stored data. Guess.com's software was designed to automatically present in readable text any information retrieved from or supplied to the databases.23 Thus, the databases were vulnerable to the use of a structured query language (SQL) injection string. By inserting an SQL query into the URL address bar of a standard browser, an unauthorized individual could retrieve any data held in the Web-connected databases.
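The Guess.com defect described above, as an added illustration that is not code from the page or from Guess?: an account-lookup handler that splices a URL query parameter into its SQL text, beside the parameterized form that closes the hole. The database, table layout, customer records and URLs are all constructed for the example, and it runs on Python's built-in sqlite3 module.

```python
import sqlite3
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample records standing in for the customer data Guess.com
# held (name, address, card number). None of these values are real.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "Alice Example", "4111111111111111"),
    (2, "bob@example.com", "Bob Example", "5555555555554444"),
    (3, "carol@example.com", "Carol Example", "378282246310005"),
]

# A normal account-lookup request, and the same request with the email
# parameter replaced by an SQL fragment typed into the address bar, which is
# the pattern the FTC complaint described.
NORMAL_URL = "https://shop.example/account?email=bob@example.com"
TAMPERED_URL = "https://shop.example/account?email=" + quote("' OR '1'='1")


def make_db():
    """In-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def email_param(url):
    """Extract the 'email' query parameter the way a web handler would."""
    return parse_qs(urlparse(url).query).get("email", [""])[0]


def lookup_vulnerable(conn, url):
    """Defect: the parameter is pasted into the SQL text, so whatever the
    visitor put in the URL is executed as part of the query itself."""
    sql = "SELECT email, name, card FROM customers WHERE email = '%s'" % email_param(url)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, url):
    """Fix: the value is bound as a query parameter. The driver never parses
    it as SQL, so the tampered value simply matches no row."""
    sql = "SELECT email, name, card FROM customers WHERE email = ?"
    return conn.execute(sql, (email_param(url),)).fetchall()


def row_counts(url):
    """Rows returned by (vulnerable handler, parameterized handler) for a request."""
    conn = make_db()
    return len(lookup_vulnerable(conn, url)), len(lookup_parameterized(conn, url))


if __name__ == "__main__":
    print("normal request   (vulnerable, fixed):", row_counts(NORMAL_URL))
    print("tampered request (vulnerable, fixed):", row_counts(TAMPERED_URL))
```

The vulnerable handler hands every stored card number to the tampered request, while the parameterized handler returns nothing for it and behaves identically for the legitimate one.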
The FTC complaint alleged that to avoid violating the Federal Trade Commission Act, Web site operators collecting personal identifying information had to implement a security policy that would include procedures "reasonable and appropriate to: (1) detect reasonably foreseeable vulnerabilities of their Website and application and (2) prevent visitors to the Website from exploiting such vulnerabilities and gaining access to sensitive information."24
Guess?'s 20-year consent decree requires adoption of a security program having:
"[A]dministrative, technical, and physical safeguards appropriate to Respondents' size and complexity, the nature and scope of Respondents' activities, and the sensitivity of the personal information collected from or about consumers, including:
"A. the designation of an employee or employees to coordinate and be accountable for the information security program.
"B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information and assessment of the sufficiency of any safeguards in place to control these risks
"C. the design and implementation of reasonable safeguards to control the risks identified and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures
"[and] that Respondents obtain an assessment and report from a qualified, objective, independent third-party professional, [to examine, assess, and certify] that Respondents' security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected."25
The FTC added in a later case that such security assessments must be completed by a person "qualified as a Certified Information System Security Professional (CISSP); a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC), or a similarly qualified person or organization approved by the Associate Director for Enforcement."26
In subsequent cases, the FTC expanded its definition of what constitutes reasonable and appropriate security. In Tower Records,27 the FTC took the position that companies must implement fixes for "widely known" security threats and must implement appropriate change controls to ensure that existing privacy and security practices are continued. In CardSystems, the FTC added requirements that "(i) companies should not store sensitive information for unnecessarily long periods of time or in a vulnerable (i.e., unencrypted) format, (ii) must use strong passwords to prevent a hacker from gaining control over computers and access to personal information stored on a network, (iii) must use readily available security measures to limit access between computers on its network and with the internet; and (iv) must employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations."28
The FTC's imposition on companies of a duty to implement reasonable and appropriate information data security practices stems from the agency's work under the GLBA. Pursuant to the GLBA, the FTC and several other federal agencies overseeing the financial services industry issued identical regulations titled "Guidelines Establishing Standards for Safeguarding Consumer Information." According to these guidelines, later adopted by the FTC as its GLBA Safeguards Rule in 2002, "security is more a process than a state."29 The Department of Health and Human Services adopted the same approach in the HIPAA Security Standards for health care information.30 The FTC has taken these process-oriented, fact-driven standards, which were created under industry-specific regulations, and established them as a general standard for data security.
Training and Oversight Are Required
In the Eli Lilly case, the FTC taught that merely having a suitable privacy policy is not sufficient; companies must take appropriate steps to implement their policies.31
The FTC complained that Eli Lilly had inadvertently disclosed personal identifying information about users of an antidepressant drug, Prozac, by sending an email with every user's address in the "To" box. This made all the email addresses viewable by all the recipients and therefore arguably disclosed the addressees' use of the drug. The agency complained that this error had occurred as a result of inadequate training and oversight of the personnel who sent the email, and the FTC required the company to improve training and supervision. Having the right policy was not enough; the company also had to take reasonable steps to make sure the policy was properly implemented.
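The Eli Lilly mistake and the pre-send check that would have caught it, as an added example that is not code from the page or from Eli Lilly: the sender and subscriber addresses are constructed, only Python's standard email module is used, and the messages are built but never sent.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample mailing list and sender; none are real addresses.
SUBSCRIBERS = ["pat@example.org", "sam@example.net", "lee@example.com"]
SENDER = "reminders@example.com"


def build_notice_vulnerable(sender, recipients, body):
    """The Eli Lilly pattern: every subscriber is placed in the To header, so
    each recipient can read who else receives the mailing."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Reminder"
    msg.set_content(body)
    return msg, list(recipients)


def build_notice(sender, recipients, body):
    """Safe form: the visible To header carries only the sender's address; the
    real recipients travel only in the SMTP envelope (the to_addrs argument of
    smtplib's sendmail), never in a header the recipients can read."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = "Reminder"
    msg.set_content(body)
    return msg, list(recipients)


def visible_addresses(msg):
    """Every address a recipient could read out of the message headers.
    Bcc is included deliberately: a Bcc header left in the serialized message
    is just as visible as To once the mail is delivered."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers])]


def leaks_recipient_list(msg, envelope_recipients):
    """Pre-send check: True when more than one mailing recipient is visible in
    the headers, meaning recipients would learn about each other."""
    visible = set(visible_addresses(msg))
    return len(visible & set(envelope_recipients)) > 1


def audit():
    """Run the check against both constructions; returns (vulnerable, safe)."""
    bad_msg, bad_env = build_notice_vulnerable(SENDER, SUBSCRIBERS, "Your refill is due.")
    good_msg, good_env = build_notice(SENDER, SUBSCRIBERS, "Your refill is due.")
    return leaks_recipient_list(bad_msg, bad_env), leaks_recipient_list(good_msg, good_env)


if __name__ == "__main__":
    print("recipient list exposed (vulnerable, safe):", audit())
```

A check like leaks_recipient_list belongs in the sending tool itself, which is the kind of control the FTC's "training and oversight" requirement points at: the policy is enforced where the email is built, not only in a document.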
Don't Change the Rules Retroactively
The fifth lesson is that a company cannot retroactively change the rules of the privacy and security game to the detriment of consumers. In Gateway,32 the FTC objected to the "Hooked-on-Phonics" company's use of personal identifying information collected from parents in violation of previously published privacy policies. Gateway had said that it would not sell, rent, or loan personally identifiable information to any third party without receiving the customer's explicit consent.33 Those same policies informed users that the policy might change in the future, but promised that Gateway would notify consumers of such changes "on this Site or by e-mail. You will then be able to opt-out of this information usage by sending an email."34
In April 2003, Gateway began renting personal information provided by consumers on the Gateway Learning Web site without seeking or receiving consumers' consent. On June 20, 2003, Gateway posted on its Web site a new privacy policy that contained a revised statement permitting the sharing of personal information with third parties and requiring consumers to write to Gateway to object if they wished to opt out of the new policy. Gateway later made additional changes and added "updated July 17, 2003" to its privacy policy. But Gateway took no additional steps to alert customers that it had changed its policy to permit third-party sharing of personal information without explicit consent.
The FTC complained that the retroactive application of privacy policy changes caused or is likely to cause substantial injury to consumers. The FTC said that Gateway should have provided additional notice that its policy had materially changed and what aspects of the policy had changed.35 The resultant 20-year consent decree prohibits Gateway from applying material changes in its privacy policy to information collected before the posting and notification of the new policy, unless Gateway obtains the express affirmative (opt-in) consent of the affected consumers.36
The High Cost of Noncompliance
As the cases discussed above demonstrate, the FTC commonly resolves complaints by requiring a consent decree describing in detail specific steps the target company must take, subject to agency oversight, typically for a 20-year period.
If that is not enough by itself to encourage compliance, the agency demonstrated in ChoicePoint37 just how aggressive it can be in seeking to rectify unfair and deceptive practices. ChoicePoint collected information from consumer reporting agencies and public sources, not the consumers themselves. ChoicePoint sold compilations of this information to fee-paying subscribers, qualifying certain of ChoicePoint's subsidiaries as "consumer reporting agencies" under the FCRA.38 To become a subscriber, a business had to submit an application that included information and documentation to establish that the applicant is a legitimate business with a lawful purpose for purchasing consumer data.
In early 2005 ChoicePoint discovered that it may have disclosed the personal information of 163,000 consumers to persons who did not have a lawful purpose for acquiring the data. The information disclosed included birth dates, Social Security numbers, and, in many cases, credit reports. At least 800 cases of identity theft arose out of these disclosures.
According to the FTC complaint, this disclosure occurred because ChoicePoint had failed to implement reasonable procedures to verify or authenticate the identities and qualifications of prospective subscribers39 and failed to monitor unauthorized activity by subscribers, even after subpoenas from law enforcement authorities alerting it to fraudulent accounts and its own experiences with a subscriber should have raised doubts about the legitimacy of the subscriber's business.40
The FTC and ChoicePoint stipulated to entry of a civil judgment imposing what had become the FTC's standard 20-year consent decree oversight terms. The judgment also required ChoicePoint to pay a $10 million civil penalty and to deposit $5 million into a fund administered by the FTC for equitable relief, including consumer redress. The court ordered the company to adopt specific internal procedures for investigating subscribers and a comprehensive information security program, fully documented in writing. As part of this program, the company had to designate an employee to coordinate and be held accountable for the information security program; identify the material internal and external risks to security, confidentiality, and integrity of personal information that could result in unauthorized disclosures, misuse, loss, alteration, destruction, or other compromise of such information; and design and implement reasonable safeguards to control the risks through assessment and regular testing. ChoicePoint also reportedly spent $9 million in legal and technical fees as a result of the breach and FTC action and suffered significant declines in its stock price. These costs and fines should be large enough to get a business's attention.
The nature of ChoicePoint's deficiencies also is instructive. This was not a case of a sophisticated hacker penetrating technical defenses, but plain old con artists using simple, sloppy tricks easily detected by anyone paying attention. ChoicePoint's lapse was not so much in failing to have privacy and security policies in place but in failing to administer them in a diligent way.41
Finally, it also is noteworthy that the FTC raised these issues and imposed these sanctions both under the FCRA regulations applicable to consumer reporting agencies and pursuant to its general powers to prohibit unfair and deceptive trade practices. That is, the agency has made clear that it believes all companies should adopt security practices like those required under financial industry regulations, even if those regulations do not specifically apply.
Conclusion
The FTC's enforcement actions establish important lessons for every company collecting or using personal identifying information. While the FTC has not established specific minimum substantive content for privacy policies, it has established procedural minimums. A company must tell data subjects what information it is collecting about them and how it is going to use the information. A company must do what it says, not just in theory, but in practice. It is not enough to have a published privacy and security policy; a company also must provide appropriate training and oversight to make policy implementation a reality, and it must not apply to data a less restrictive usage policy if the data was collected under a more restrictive policy.
The FTC cases and recently published guidelines also establish specific minimum content for security policies. Every company should:
- know what information it has in its files and on its computers;
- keep only the information it needs for a specific, legitimate business purpose;
- use strong passwords and controls to prevent unauthorized access to systems, data, and communications;
- establish technical and nontechnical methods to detect unauthorized access, use, or alteration of data;
- record and retain system information sufficient to perform security audits and investigations;
- store sensitive data only for so long as it is needed;
- encrypt sensitive data when stored or transmitted;
- establish personal responsibility for data security;
- perform risk and vulnerability assessments and make adjustments based on the results;
- test and monitor the effectiveness of the safeguards' key controls, systems, and procedures;
- promptly apply industry-recognized procedures and fixes;
- document the security system in writing;
- use qualified, credentialed, independent third parties to assess and test its systems; and
- develop plans for responding to security incidents if they occur.42
Most important, the FTC has established the requirements that privacy and security policies must be based on the sensitivity of the data at issue, and that such policies and practices must evolve continually in light of the ever-changing nature of the threats. That is, security is a process, not a state or destination.
The final lesson is that all companies must be aware of these rules, not just those companies specifically subject to detailed financial services industry regulations. Failure to comply with the FTC's data privacy and security rules can lead to very costly lessons.