
The FTC Role in Cybersecurity and Privacy

Federal Trade Commission enforces security and privacy practices to safeguard U.S. consumers and businesses

The U.S. Federal Trade Commission was created on September 26, 1914, when President Woodrow Wilson signed into law the Federal Trade Commission Act. The FTC opened its doors about six months later, on March 16, 1915.

The FTC’s primary charters are the Federal Trade Commission Act of 1914 and the Clayton Antitrust Act of 1914. The mission of the FTC is to protect the public from deceptive business practices and unfair methods of competition “through law enforcement, advocacy, research, and education.”

The FTC is organized into eight divisions: Privacy and Identity Protection, Consumer & Business Education, Advertising Practices, Marketing Practices, Financial Practices, Consumer Response & Operations, Litigation Technology & Analysis, and the all-important Enforcement division—because regulations don’t mean much without some sharp teeth.

Scope of FTC Governance

The FTC plays a vital role in ensuring the security and privacy of personally identifiable information that is collected, processed, and stored by organizations in virtually every area of commerce. Among the organizations governed by the FTC Act are those dealing in alcohol, tobacco, appliances, automobiles, clothing, textiles, jewelry, finance, franchises, real estate, mortgages, non-profits, and certain other commercial enterprises.

The FTC role in cybersecurity and privacy is similar to that of the HHS Office for Civil Rights, which enforces compliance with the HIPAA Security and Privacy Rules.

FTC Role in Protecting Privacy and Identity

The FTC Division of Privacy and Identity Protection oversees “issues related to consumer privacy, credit reporting, identity theft, and information security,” according to its webpage. It enforces the statutes and rules within its jurisdiction, engages in outreach and policy development, and educates consumers and businesses about emerging privacy, credit reporting, and information security issues. This division researches and reports on privacy and security issues, and provides online assistance for victims of identity theft. Following are four laws enforced by the Privacy and Identity Protection division.

  • FTC Act, Section 5. Prohibits unfair or deceptive acts or practices, including deceptive statements and unfair practices involving the use or protection of consumers' personal information.
  • Gramm-Leach-Bliley Act. Requires financial institutions to ensure the security and confidentiality of customer information, notify customers of their information practices, and provide customers an opportunity to instruct institutions not to share their personal information with certain non-affiliated third parties.
  • Fair Credit Reporting Act. Ensures the accuracy and privacy of information maintained by credit bureaus and other consumer reporting agencies and gives consumers the right to know what information is being shared about them with creditors, insurance companies, and employers.
  • Health Breach Notification Rule. Requires certain businesses that are not governed by HIPAA rules to notify their customers of any data breaches affecting unsecured, individually identifiable electronic health information.

An Active Enforcement Process

The FTC uses a variety of tools to protect the privacy of customer data. Its primary method is to bring enforcement actions “to stop violations of the law and require companies to take affirmative steps to remediate their unlawful behavior.”

Remediation requirements may include implementation of comprehensive privacy and security programs, expert independent assessments every two years, compensation to consumers, return of illegal profits, deletion of illegally obtained consumer information, and other remedies.

Two primary actions form the backbone of the FTC enforcement process: the Administrative Complaint and the Final Order.

  • Administrative Complaint. The FTC issues an Administrative Complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. Complaints are often the result of input from consumers or businesses who have been victimized by scams or other fraud.
  • Final Order. When the FTC issues “a Consent Order on a final basis, it carries the force of law with respect to future actions. Each violation of such a Final Order may result in a civil penalty of up to $50,120.” In some cases, before being finalized the order may be modified as new facts emerge or a situation evolves.

In all of its privacy and data security work, the FTC goal is to “protect consumers’ personal information and ensure that consumers have the confidence to take advantage of the many benefits of products offered in the marketplace.”

How Victims Get Their Money Back

One of the FTC’s roles is to enable refunds to consumers who have been deceived or defrauded. As just one of countless examples, in April 2023 the FTC announced a $1.1 million consumer refund.

The court ruling in this case authorized the FTC to send 41,934 checks, totaling more than $1.1 million, to consumers who were victimized by bogus “free trial” offers for tooth whiteners and other products from RevMountain LLC, Anasazi Management Partners, and 59 related corporate defendants. Although the average value per check was slightly more than $26.40, the refund signals that no fraud or deceit of a U.S. consumer is too small to be penalized.

In 2022, the FTC sent the first payments to more than 224,000 distributors of AdvoCare products who were defrauded in an illegal pyramid scheme operated by AdvoCare. The initial payment totals $149 million, for an average check value of $665.15, with more reportedly on the way. As the FTC Refunds chart indicates, in 2022 alone almost two million individuals had cashed their FTC payments.

Active Pursuit of Violators

The FTC takes its protective role very seriously and has opened hundreds of privacy and data security cases in the past few years. Below are just two examples of the ten total FTC Administrative Complaints—related specifically to data privacy and security violations—that were resolved or modified in 2023 and 2022.

First Case Ever Brought Against a DNA Testing Company

On June 16, 2023, the FTC announced that genetic testing firm 1Health.io had failed to protect the privacy and security of DNA data it was entrusted with. The company had been known as VitaGene, Inc. before changing its name in 2020, after an independent researcher exposed the company’s poor security.

The FTC Complaint charges that the company (1) left sensitive genetic and health data unsecured, (2) deceived customers about their ability to have their data deleted, and (3) retroactively expanded the types of third parties it shares individuals’ data with to include supermarket chains and nutrition and supplement manufacturers, without notifying consumers who had previously shared personal data with the company or obtaining their consent to share such sensitive information.

Under the terms of the settlement described in the FTC’s proposed Final Order, 1Health must meet these requirements:

  • Pay a $75,000 penalty (which the FTC will add to its budget to support various consumer refunds);
  • Strengthen protections for genetic information and instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days;
  • Refrain from sharing health data with third parties, including information provided by consumers before and after its improper privacy policy change, without obtaining consumers’ affirmative express consent;
  • Ensure that any company that purchases all or part of 1Health’s business agrees, by contract, to adhere to these same provisions;
  • Notify the FTC about incidents of unauthorized disclosure of consumers’ personal health data; and
  • Implement a comprehensive Information Security Program addressing the security failures cited in the Administrative Complaint.

The required remediation actions address cybersecurity, privacy, and identity protection—issues that fall clearly within the domain of the Federal Trade Commission and its Enforcement division.

Recurring FTC Cases Against Twitter

In May 2022, the FTC charged Twitter, Inc. with deceptively using account security data for targeted advertising, citing that the company asked users to provide phone numbers and email addresses to protect their accounts, but then allowed advertisers to use this data to target specific users, for Twitter’s profit. This deception violated a ten-year-old FTC order, from 2011, that explicitly prohibited the company from misrepresenting its privacy and security practices.

A modified order and proposed settlement were announced in June 2023, in which Twitter would be required to pay a $150 million penalty and be banned from profiting from data it collects deceptively. Among numerous other requirements, the proposed settlement also mandates that Twitter implement a Privacy and Security Program “to protect the privacy, security, confidentiality, and integrity of the data it collects, maintains, uses, discloses, or allows access to.”

At a high level, the Privacy and Security Program requirements include:

  1. Document in writing the content, implementation, and maintenance of the Program;
  2. At least once every calendar quarter, provide the written program and any updates to the board of directors, governing body, or senior Twitter officer responsible for the Program;
  3. Designate a qualified employee(s) to coordinate and be responsible for the Program;
  4. At least once every 12 months, and promptly following the resolution of a security incident (within 90 days of discovery), assess and document the internal and external risks to the privacy, security, confidentiality, or integrity of data that could result in its unauthorized collection, maintenance, use, disclosure, alteration, destruction, or provision of access, or the misuse, loss, theft, or other compromise of the data; and
  5. Design, implement, maintain, and document safeguards that control the material internal and external risks outlined in item 4 (section D of the order) above. Each safeguard must reflect the volume and sensitivity of data that is at risk, and the likelihood that the risk could be realized.

The settlement includes pages of highly detailed requirements supporting these five mandates. This 2022 charge remains open and the case is ongoing. In light of recent ownership changes at Twitter, and the resulting organizational cleansing process, it will be interesting to learn how this case is finally resolved. Any agreed resolution will be posted on the FTC website.

Summary

The FTC role in cybersecurity and data privacy is a crucial one, not just for U.S. consumers but also for U.S. businesses. The Federal Trade Commission works steadily and quietly investigating consumer complaints against deceitful or fraudulent businesses. The FTC files charges in the form of Administrative Complaints and settles violations in its Final Orders.

Of vital importance, the FTC is empowered to impose civil monetary penalties upon violators and also to mandate remedial actions that strengthen their cybersecurity and privacy safeguards for individually identifiable consumer information.

Businesses that are subject to the FTC Act, the GLBA, and certain other laws should familiarize themselves with the details of those regulations to ensure they are adequately protecting customer data. A security risk assessment is always the best way to begin.


Learn more about cybersecurity by becoming a sponsor of Cybersecurity Awareness Month. This October marks the 20th year the National Cybersecurity Alliance has promoted cybersecurity in this manner. Join 24By7Security and thousands of other organizations in supporting this vital initiative!

Sanjay Deo

Sanjay Deo is the President and Founder of 24by7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Auditor (CISA) and PCI Qualified Security Assessor (QSA). Sanjay is also a co-chair on the CISO council and Technology Sector Chief at FBI InfraGard South Florida Chapter. In 2022 Sanjay was honored with a Lifetime Achievement Award from the President of the United States. Subscribe to the 24by7Security blog to learn more from Sanjay.
