FTC Consent Decree Clarifies Data Security StandardsPDF
What type of data security plan is a business legally required to adopt to protect personal information that it collects on its website? While this seems like a basic and straightforward question, the answer has never been clear for businesses operating in the United States. That may be starting to change.
The main reason for the uncertainty has been the lack of a controlling law that directly addresses this question on a nationwide basis. Instead, we are governed by a patchwork of federal and state laws. Federal privacy laws tend to be sector-specific -- for example, HIPAA for health care, Gramm-Leach-Bliley for financial services and the FCRA and FACTA for consumer credit transactions. Different agencies enforce the privacy rules applicable to different sectors, and the definitions of who is covered under these various provisions are still evolving. While many of the general principles carry over from industry to industry, the specific rules vary greatly. In addition, many companies do not operate in any of the covered sectors. On the state side, most states have now followed California’s lead in enacting legislation that targets identity theft in several ways (such as notice of data security breaches and protection of social security numbers), but none of these laws impose general requirements of data security. On top of all of this, the major credit card associations are implementing contracts with their participating merchants that require the merchants to be more vigilant and impose liability for security breaches on merchants rather than issuing banks.
While we are still far from having a comprehensive answer to this question for the operators of websites, we now have some guidance on the minimum required steps from a surprising source: Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices. Although the Act was enacted long before anyone worried much about privacy, it may be evolving into the closest thing that we have to a national privacy law. The act is enforced by the FTC itself, not private parties. While the FTC has never imposed particular substantive privacy requirements on companies in the past, it has consistently taken the position that a company that makes representations to the public about its privacy policies must live up to those promises and that the failure to do so may be treated as an unfair or deceptive trade practice.
The consent decree requires Life is Good to implement a “comprehensive information-security program.” The program must include the designation of employees to coordinate security protection; the identification of internal and external security risks; the creation and implementation of appropriate safeguards against those risks; the monitoring of the safeguards’ effectiveness; the oversight of service providers that have access to personal information from Life is Good’s customers; and the evaluation of the program’s overall efficacy.
The FTC action does not relieve any business from the obligation to comply with more extensive industry-specific or state requirements. Nevertheless, it is a useful first step in bringing some level of certainty and consistency to this area.