Most large companies have likely experienced numerous information security incidents in the recent past. Given the high number of state security breach notification laws, incidents requiring notification have become relatively commonplace. These incidents range from the most innocuous to the most malicious — from a simple theft of an employee’s laptop or a vendor’s loss of backup tapes to a rogue employee stealing customer credit card data, a phishing attempt or a large-scale system intrusion.

Companies that have experienced information security breaches are required to notify not only the individuals whose personal information was impacted but also numerous state regulators. In an increasing number of cases, however, the process does not end there: breach notification triggers a further process, an investigation of the company’s privacy and information security practices by the U.S. Federal Trade Commission.

When a company notifies affected individuals of a security breach, the information quickly becomes public. Security breaches garner not only the attention of the media, but also the attention of the consumer advocacy community. Since 2005, the Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization, has maintained a publicly available Web site containing a chronology of reported security breaches. See http://www.privacyrights.org/ar/ChronDataBreaches.htm.

The chronology currently provides details on more than 1,000 breaches impacting more than 236 million records containing sensitive personal information. Given the publicity, it should come as no surprise that a byproduct of the notification requirement is increased awareness by regulators at both the state and federal levels. Most prominently, this has resulted in increased investigatory activity by the FTC.

FTC AUTHORITY

Since 1999, the FTC has asserted its jurisdiction in the privacy and information security arena pursuant to §5 of the FTC Act. See 15 USC §45 (2007). Section 5 states that the FTC is empowered to “prevent persons, partnerships, or corporations … from using … unfair or deceptive acts or practices in or affecting commerce.” Id. at §45(a)(2). The FTC investigates and enforces data privacy and security incidents under both the “deceptiveness” prong and the “unfairness” prong of §5.

The ‘Deceptiveness’ Prong. Between 1999 and 2005, FTC enforcement in the privacy and information security arena focused primarily on the “deceptiveness” prong of §5. A “deceptive” trade practice in the privacy context typically involves inaccurate or untrue representations to the public regarding a company’s information practices. In practice, these representations are made in Web site privacy notices, which California law requires many companies to post. See Calif. Bus. & Prof. Code §§22575-22579 (2005). The FTC has brought a number of enforcement actions against companies for failing to honor representations made in their Web site privacy notices, including enforcement actions against GeoCities, ToySmart.com, Eli Lilly, Microsoft and Gateway Learning Corporation (“Gateway”).

The FTC’s enforcement action against Gateway typifies this line of cases. In the Matter of Gateway Learning (FTC Decision and Order, Docket No. C-4120), the company’s Web site privacy notice originally indicated that the company did not sell, rent or loan personal information about its customers to any third party without explicit consent. After collecting personal information from customers under this privacy notice, Gateway changed its policy to indicate that it would share the information with third parties without notifying customers or obtaining their consent. The new policy offered customers the opportunity to opt out of Gateway’s disclosure of personal information to third parties.

The FTC charged Gateway with violating §5 of the FTC Act by making false claims in its privacy statement and deceptively changing its policy without notifying consumers. The FTC required, among other things, that Gateway obtain opt-in consent from customers prior to disclosing personal information to third parties and disgorge the money it had earned from renting consumer information without explicit consent under the revised policy.

The ‘Unfairness’ Prong. Starting in 2005, the FTC began to expand its jurisdiction in the privacy and information security context by focusing on information security breaches using the “unfairness” prong of §5. The timing of the FTC’s enhanced scrutiny was perhaps not coincidental; it commenced soon after the vast majority of states passed breach notification laws in 2005. Rather than using companies’ Web site privacy statements as its sole enforcement hook, the FTC’s use of the “unfairness” principle provided the agency with a way to significantly expand its consumer protection powers, resulting in its highest-profile data security cases to date, including those against BJ’s, ChoicePoint, CardSystems, DSW, TJX and Reed Elsevier. These cases undoubtedly were prompted by the publicity generated as a result of the state breach notification laws.

FTC ENFORCEMENT ACTIONS

From beginning to end, an FTC investigation and enforcement action against a company as a result of a data security incident can take over two years and cost the target company millions of dollars in legal and consulting fees. Once the initial process is complete, the FTC often imposes obligations on target companies that last decades into the future.

An FTC enforcement action generally begins with an investigation. Following a data breach, the agency typically sends an access letter to the target company, inquiring into the company’s information security practices. The access letter consists of numerous questions and requests, including inquiries concerning:
