Federal Trade Commission Security Enforcement Actions

Section 5(a) of the Federal Trade Commission (FTC) Act prohibits “unfair or deceptive acts or practices in or affecting interstate commerce.” The following article summarises a number of high-profile and recent enforcement actions taken by the FTC to enforce the security policies implemented under the Act.


The FTC alleged that lapses in Twitter’s data security system allowed hackers to obtain unauthorised administrative control of twitter, giving them the capacity to view private information and send fake messages from accounts, including from the account of Barack Obama. The hackers gained access to the system by repeatedly attempting to enter a password for a site administrator. The FTC alleged that the following reasonable steps should have been taken by Twitter to prevent such hacking to occur:

  • Require employees to use more difficult passwords that were not used for any other websites or networks;
  • Prohibit employees from storing their passwords in plain text in their e-mail accounts;
  • Suspend or disable administrative passwords after a certain number of login attempts;
  • Provide an administrative login page for authorised persons rather than a general login page for site administrators and users;
  • Enforce a requirement to regularly change administrative passwords;
  • Restrict access to administrative controls to those staff whose roles require such access;
  • Impose other restrictions on administrative access such as IP restrictions.

Under the settlement, Twitter were barred for 20 years for misleading consumers on the extent of its security protection, and were ordered to create and implement a security system that would be assessed by independent auditors for one decade following the order.


In an action under the FTC Act and the Children’s Online Privacy Protection Act, the FTC took an action against the social media gaming company RockYou. The FTC alleged that RockYou had failed to use appropriate security measures to protect consumers’ private data, resulting in hackers gaining access to users’ e-mail addresses and RockYou passwords. The FTC also charged RockYou with allowing almost 200,000 children under 13 to access the site without providing notice or obtaining the parental consent as required under COPPA. RockYou were ordered to create and implement a comprehensive data security plan and also to undertake independent privacy audits every other year for two decades following the order. RockYou also agreed to pay $250,000.

Wyndham Hotels

In its case against Wyndham Hotels, the FTC claimed that Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information. The FTC claim stated that this failure led to fraudulent charges to customers resulting in the loss of millions of dollars. The FTC alleged that breaches took place on three separate occasions and that Wyndham took no further action to secure their servers after the first breach, resulting in the further significant theft of data and fraud on the following two occasions.

PLS Financial Services

The FTC charged PLS (Payday Loan Store) with failing to take reasonable measures to protect consumer information.  This failure resulted in the disposal of documents containing sensitive personal identifying information, including sensitive financial information.  Further to this, the FTC also alleged that the defendants violated the FTC Act by misrepresenting that they had implemented reasonable measures to protect sensitive consumer information. The company agreed to make a settlement for $101,500 and also agreed to implement and maintain a data security program with independent third-party audits every other year for two decades following the order.


The FTC’s complaint alleged that Microsoft misrepresented security measures on a technology referred to as ‘Passport’. They claimed that Microsoft had failed:

  • to implement reasonable and appropriate procedure to prevent unauthorised access;
  • to monitor the system for vulnerabilities;
  • to record information for security audits.

The FTC charge also alleged that Microsoft collected certain personal information while declaring in its privacy policy that did not collect the information. An agreement was made with Microsoft to the effect that:

  • Microsoft would not misrepresent its information practices;
  •  Microsoft would establish a competent and appropriate security program;
  • Microsoft would provide material showing their compliance with the FTC order for a period of five years from the date of the order.


This article summarises a number of high-profile and recent enforcement actions taken by the FTC (Federal Trade Commission) to enforce the security policies implemented under the FTC Act.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:

  • FTC security enforcement actions (II.A.c.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>