Even the simplest online activities require that we hand over personal, sensitive data. Privacy policies are normally bypassed with a click. While each company has its own legal jargon regarding the risks we take on when we use their services, the standards for consumer protection remain murky.
According to law professor Woodrow Hartzog, whose work concentrates on the area of privacy law and online communication, “There is no one law in the United States that mandates that websites and phone applications have good data security.”
Of course, most of us in the privacy sector are well aware of this. Yet, we still need to think about who the burden of responsibility falls upon.
Wyndham Fights Back
In the last decade or so, the Federal Trade Commission (FTC) has stepped in to fill the void and be a sort of watch dog for data security, drawing upon its authority to protect consumers. Since the early 2000s, the FTC has brought almost fifty cases against companies with allegedly lax data security practices that have put consumers at risk.
Notably, 2013 saw one of these companies responding. Wyndham Worldwide Corporation is currently challenging the FTC’s authority to bring complaints against companies in the first place. According to the FTC, the company’s “unreasonable data security practices permitted hackers to access its network on three separate occasions over the course of two years.” This was brought to light by Jessica Rich, the FTC’s director of consumer protection.
Back in June 2012, the FTC filed suit against global hospitality company Wyndham Worldwide and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. According to the FTC, these failures resulted in fraudulent charges on consumers’ accounts, almost $11 million in fraud loss and the export of hundreds of thousands of consumers’ payment card account information to an internet domain address registered in Russia.
Rich points out that Wyndham could have taken some pretty basic steps to prevent the damage: “Just some examples: Wyndham didn’t require complex passwords for systems that managed consumers’ payment card information; Wyndham stored credit card information in plain, readable text, making it much more available to hackers.”
An Issue of Jurisdiction
In their defense, Wyndham pointed out that Congress did not provide the FTC with “the authority to pursue such cases against American businesses.”
Rich argued that the charges are well within the FTC’s jurisdiction:
“We have authority to bring action against companies that engage in either deceptive or unfair practices. Deceptive practices means that companies have made misstatements about the level of security they provide’ or ‘unfairness’ basically means putting consumers at unreasonable risk of injury.”
In order to protect consumers, the FTC demands that companies take stronger measures to prevent personal data from falling into the wrong hands. It’s no surprise that there have been many data breaches in recent years, and identity theft is on the rise. It is apparently the number one reported complaint at the FTC.
Should the FTC find a company has failed to adequately protect consumers, it has the right to levy penalties. Companies are required to implement a data security program, often for up to twenty years. They must then report to the FTC, adhering to third-party audit requirements. In certain cases, civil penalties may also apply.
Wyndham argues that it has substantial security measures in place, suggesting that the criminals responsible for the attacks have not yet been apprehended by law enforcement.
Hartzog remains skeptical,
“A popular argument is that the FTC is punishing the victim here. I think the much better analogy is that the FTC is punishing companies like Wyndham for leaving their door unlocked, but it was someone else’s stuff that was in the house. If you have health information… if you have financial information, then you have to provide a certain level of data security. But for the most part, this is largely an unregulated area. We’ve made the decision years ago to try to approach privacy in a fragmented kind of way. Inevitably, what that means is that things fall through the cracks.”
Whose job is it to police the transparency of privacy policies for consumers? The FTC argues that this task falls under their jurisdiction and has been bringing cases against companies with supposedly lax data security policies.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/US Government (CIPP/US), a privacy professional should be comfortable with topics related to this post, including:
- Regulatory authorities – FTC (I.A.d.i.)