Opinion: Data Security Remains Top FTC Priority

Data privacy and security continue to be a top priority for the Federal Trade Commission. This past month, the FTC brought its 13th data security case based on alleged failures by the Nations Title Agency Inc. and its subsidiary, National Title Agency, to take reasonable measures to protect the security of personal and sensitive financial information that they collected.

Since every direct response marketer collects, stores and typically transmits sensitive personal data, including account number information, this case provides a good road map as to the procedures and measures the FTC believes companies should implement to protect the security of the data they collect.

The defendants in this case were title companies that provided real estate financing services. In connection with these services, the defendants obtained sensitive consumer information such as names, Social Security numbers and bank account information. The FTC alleged that the defendants engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the sensitive information they collected.

The FTC’s allegations reflect the types of measures the FTC believes companies engaged in the collection of sensitive personal information should take. Specifically, the FTC alleged that the defendants failed to:

  1. Assess the risks to the information they collected and stored, both on and offline.
  2. Implement reasonable policies and procedures in key areas such as employee screening and training.
  3. Implement simple defenses to common Web site attacks.
  4. Employ reasonable measures to detect and respond to unauthorized access.
  5. Provide reasonable oversight for the handling of personal information by third-party service providers.

An interesting side note to this case is that the defendants included a statement in their privacy policy, which stated that they “maintained physical, electronic and procedural safeguards to protect confidential financial information.”

The FTC considered the fact that the company included such a statement in its privacy policy to be an aggravating factor, because in the FTC’s view, this constituted a misrepresentation by the company as to the measures it took to protect the security of consumer data.

This is not the first time the FTC has used the fact that a company touted its security measures as a basis for enforcement. Several months ago the FTC brought an action against Tower Records arising out of a data security breach, based on the fact that Tower Records had included a statement in its privacy policy assuring consumers that it used the most up-to-date technology to protect the security of personal information collected on its site.

This is significant because, while companies like to assure their customers that their information will be protected, companies need to be aware that the FTC will interpret such assurances as an express claim, which heightens a company's potential liability in the event of an inadvertent data security breach. Companies would thus be well advised to think carefully about what representations they make about their data security practices in their privacy policies. As with all other advertising claims, these statements need to be truthful and substantiated.

It is clear from the volume and severity of cases being brought by the FTC in the data security area that the FTC has a zero tolerance level for data security breaches. Every direct response marketer who collects, stores and/or transmits personal information would be well advised to review this and similar cases to determine if it has procedures in place that are reasonably designed to prevent such breaches.

While encryption of data pursuant to recent credit card company requirements is an important step in the process, it is not the only step companies need to take. As the National Title Agency and similar cases demonstrate, companies need to have comprehensive data protection programs and procedures that include consideration of employee screening and training, procedures governing access to data, internal testing against Web attacks and thorough consideration of contractual arrangements with third parties to whom data is being transferred.

Given the current regulatory climate, expending the time and resources necessary to develop a comprehensive risk management and data security program should be a top priority for every direct response marketer.