FTC Enforcement

Subscribe to FTC Enforcement via RSS

The Federal Trade Commission recently announced that it reached a settlement with three consumer credit report resellers whose information security practices and procedures were not sufficient to prevent hackers to obtain more than 1,800 consumer credit reports without authorization. The settlement resolves allegations that the resellers violated the Fair Credit Reporting Act, the FTC Act and the Gramm Leach Bliley Safeguards Rule by failing to take appropriate precautions to protect credit reports and the personal information such reports contain. According to the FTC, the resellers’ information security deficiencies included (1) not having comprehensive information security policies or procedures in place; (2) releasing consumer reports to clients who lacked basic security measures, such as firewalls and updated antivirus software; (3) failing to protect their own internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose for having them; and (4) not making reasonable efforts to protect against future breaches even after becoming aware of the hackers’ illegitimate activities.

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.

On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”
The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. which resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy.  However, in a recent proposed settlement, the FTC indicated that, at least under the facts before them, disclosures that were “buried” in a privacy policy were not sufficient.

On June 4, the FTC reported a proposed settlement with Sears Holding Management Corporation of a complaint that Sears had failed to meaningfully disclose to customers the extent of the information it was collecting through its online market research software.  The FTC claimed that this failure to disclose constituted an “unfair or deceptive act” under the Federal Trade Commission Act. 
 

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy  by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

A U.S. District Court for the Middle District of Florida recently issued a preliminary injunction ordering CyberSpy Software, LLC to stop promoting and selling “RemoteSpy,” a keylogger software program that, once installed on a computer, collects information regarding use of the computer.