For decades, especially in pursuing companies not subject to specific regulation, a principal enforcement tool of the Federal Trade Commission has been §5 of the FTC Act (15 USC § 45). [FOOTNOTE 1] Subsection (a) of that statute provides: “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”

For the past several years, the FTC has used §5 in numerous proceedings against companies engaging in privacy-related conduct that, in the commission’s opinion, amounted to “unfair or deceptive acts or practices.” In these proceedings, the alleged unfair or deceptive practice generally was a violation by the company of its own privacy policy. In the past few months, however, two FTC enforcement actions indicate that in the privacy arena the agency is broadening its definition of what constitutes an unfair or deceptive act or practice. These recent proceedings focus on companies that allegedly failed to employ reasonable and appropriate security measures to protect consumers’ personal information, even though those failures neither violated the companies’ own privacy policies nor ran afoul of any law or regulation expressly requiring such security measures. This development underscores the importance of adequate security as companies attempt to comply with the expanding parameters of the FTC’s reading of §5.

How the FTC’s privacy-related enforcement under §5 has evolved over time is illustrated by several key proceedings.

Exemplary of the FTC’s proceedings alleging a §5 violation in a company’s failure to conform to its announced privacy policy was the proceeding against GeoCities, [FOOTNOTE 2] which operated a Web site as a “virtual community” in which users’ personal home pages were organized into “neighborhoods.” To become a member, users completed an online application that requested certain personal identifying information. As a result, GeoCities compiled a database containing first and last names, e-mail addresses and ZIP codes, as well as information on areas of interest, income, education, gender, marital status and occupation.

The FTC complaint against GeoCities alleged that the company misled customers by not informing them about how their personal information would be used. Additionally, the company allegedly told customers that their personal identifying information would be used only to provide them with the specific advertising information they requested and would not be released to third parties without their permission. But this personal identifying information was allegedly disclosed to third parties who used it for solicitations beyond those to which the customers had agreed. The proceeding was settled by means of a consent order that required the company to post on its home page a prominent privacy notice identifying for consumers the information being collected, the intended use of the collection, the disclosees, and the means by which members could remove their information from the database.

ELI LILLY

Some eyebrows were raised when the FTC brought a proceeding against Eli Lilly [FOOTNOTE 3] for a single disclosure that even the FTC conceded was unintentional. In 2000, the large pharmaceutical company instituted a “medical reminder service” whose purpose was to advise users by e-mail when to renew their prescriptions for a particular drug. Eli Lilly’s Web site posted a privacy policy statement affirming the importance of maintaining user privacy and stating that the site employed security measures to maintain the confidentiality of user information. In June 2001, Eli Lilly decided to discontinue the service, and an employee was directed to inform all users of the discontinuance. Instead of sending an individual notice to each user, the employee sent a single notice to all users, disclosing to each the e-mail addresses of all the others.

While the FTC concluded that there was but a single disclosure and that it was unintentional, it nevertheless sued, alleging that Eli Lilly violated §5 by failing to live up to the security promise in its privacy policy statement. According to the FTC, Eli Lilly failed to provide its employees with adequate training and supervision, and failed to include adequate validation checks in maintaining privacy. This proceeding also was terminated with a consent order that imposed certain security and auditing obligations on the drug maker.

To be sure, although based on a failure of security, Eli Lilly’s alleged conduct still fit into the rubric of a privacy policy violation, because the company’s privacy policy stated that it employed security measures to maintain the confidentiality of user information. But the institution of a proceeding for a single unintentional act caused some observers to suspect that the FTC was looking to expand the ambit of its activities under §5 with regard to privacy-related conduct, and might well be focusing on security.

BJ’S AND DSW

After discount retailer BJ’s Wholesale Club [FOOTNOTE 4] suffered a major credit card breach last year, the FTC on June 15 charged that BJ’s failure to take appropriate security measures to protect the sensitive information of its 8 million customers was an unfair act or practice. Under the terms of its settlement with the FTC, BJ’s agreed to implement a comprehensive information security program. Additionally, in keeping with the FTC’s history of inserting long-term audit requirements into its settlement agreements, BJ’s will be subject to third-party audits every other year for 20 years.

More recently, on Dec. 1, 2005, the FTC announced a proposed settlement with DSW Inc., [FOOTNOTE 5] a retailer of footwear for men and women that has approximately 190 stores in 32 states. [FOOTNOTE 6] As in BJ’s, the complaint made no mention of a violation of any privacy policy. Rather, the allegation was that DSW’s “failure to employ reasonable and appropriate security measures to protect personal information and files caused or is likely to cause substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers,” and that this failure constituted an unfair act or practice. Thus, in the FTC’s view, not only was violation of a privacy policy unnecessary for a violation of §5 to occur, but a balancing of injury against benefit, and reasonable avoidability by consumers, also seemed to be pertinent. Specifically, the FTC alleged that DSW’s failure properly to secure its systems allowed hackers to gain access to the sensitive credit card, debit card and checking account information of more than 1.4 million customers.

Like the other FTC proceedings in the privacy area, the DSW matter was resolved by a consent order, with the respondent admitting no violation. Accordingly, as the FTC expands its ambit under §5 in the privacy arena, it has not yet had to litigate whether this expansion is legitimate. With regard to precedential value, this is unfortunate. It may not be a stretch to conclude that a security failure violates a privacy policy statement promising adequate security. And most would agree that inadequate security is not a “good” thing. But where there is no representation at all about security, does a security breach nevertheless constitute an “unfair method of competition” or an “unfair or deceptive act or practice”? Whatever the answer to that question, and whether or not the FTC is correct in its expanded view of §5, the prospect of defending an FTC proceeding is one to which not many companies would look forward. Defense costs may be quite high and, even if the company is exonerated, the effect on its customers, its employees, its brands, and in some instances even the value of its stock, may be toxic.

PRIVACY AUDITS

The message here is that the FTC is on the march with regard to security. The theme of FTC privacy enforcement this year appears to be that adequate security is required, whether or not it is promised in the company’s privacy policy statement. Perhaps this emphasis is the result of the rapidly increasing number of security breach announcements over the past year and a half. At any rate, in the present environment even living up to the promises made in one’s privacy policy statement may not be enough to avoid unwanted attention. If there are lapses in a company’s security practices, now would be an excellent time to rectify them. The best way to test a company’s security practices, and its privacy compliance in general, is with a thorough privacy audit designed to bring all of a company’s practices and policies, including those involving security, into conformity with applicable law.

David Bender heads White & Case’s global privacy practice in New York. He advises on data privacy issues, including cross-border transfers, privacy audits and compliance, and privacy-related litigation.

FOOTNOTES

FN1 The FTC also has jurisdiction over privacy matters under certain statutes focused on specific industries or types of conduct (e.g., the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act), and pursuant to some of those statutes the FTC has promulgated express security regulations or guidelines. Moreover, security guidelines focusing on particular industries have been issued pursuant to various federal privacy statutes. For example, the federal banking regulatory agencies have handed down security guidelines applicable to the industries they regulate, and security regulations applicable to health care have been promulgated under HIPAA. However, this article deals only with proceedings brought by the FTC under §5 of the FTC Act. That statute applies to any company over whose activities the FTC has jurisdiction, which encompasses a majority of the industries in our entire economy.

FN2 GeoCities Inc., 127 FTC 94 (1999).

FN3 Eli Lilly & Co., No. C-4047, 2002 WL 972504 (F.T.C. May 8, 2002).

FN4 BJ’s Wholesale Club, Inc., No. C-4148, 2005 WL 2395788 (F.T.C. Sep. 20, 2005).

FN5 DSW, Inc., File No. 052-3096, 2005 WL 3366974 (F.T.C. Dec. 1, 2005).

FN6 A public comment period extended through Jan. 2, 2006; the commission has yet to decide whether the proposed order should be made final.
