Privacy Advisor

Federal and State Regulators Talk Data Security Lessons

Taking proactive and reasonable steps to secure customer data will go a long way to help a business avoid enforcement action

November 7, 2013

By Jedidiah Bracy, CIPP/US, CIPP/E

The Federal Trade Commission (FTC) has been a busy agency. It has now brought 47 data security cases against businesses to date and, according to FTC Consumer Protection Bureau Deputy Director Daniel Kaufman, there are more in the pipeline. On top of that, state attorneys general are aggressively pursuing breach notification law. With 46 different state breach notification regimes—not including Washington, DC, or Puerto Rico—there’s a lot for a business to consider.

That’s why I’m here to scream at you to deal with it proactively. You can save yourself pain and cost.

And the thing is, it’s not that difficult. There is one word: encryption. If you use encryption, you’re off the hook.
- New Jersey Supervising Deputy Attorney General Kenneth Ray Sharpe, CIPP/US

Kaufman, noting that he was speaking personally and not officially on behalf of the FTC, put it this way: “Just because you have a breach doesn’t mean you’ve violated the FTC Act, but just because you haven’t had a breach doesn’t mean you haven’t breached the FTC Act.”

New Jersey Supervising Deputy Attorney General Kenneth Ray Sharpe, CIPP/US, expressed a similar sentiment, again, as a personal opinion. “My question to you today is that sooner or later, you’re going to be a victim of a breach,” he said. “So what are you going to do, be proactive or reactive?”

Kaufman, along with Sharpe, made these statements to a room full of privacy pros at the IAPP Practical Privacy Series in New York City. The main takeaway? Businesses taking proactive and reasonable steps to protect their customers’ private information will not be looked on harshly.

Sharpe highlighted the complex state-based notification landscape, and with little hope of a federal statute in the near future, he said navigating the sometimes-conflicting state statutes can be next to impossible.

“That’s why I’m here to scream at you to deal with it proactively. You can save yourself pain and cost,” he said. “And the thing is, it’s not that difficult. There is one word: encryption.”

Sharpe said applying encryption across your data assets, whether in storage or transit, acts as a sort of safe harbor.

“If you use encryption,” he added, “you’re off the hook.”

But, of course, encryption is not the only answer.

Kaufman stressed the importance of the FTC’s enforcement actions and made it clear that privacy pros should really take a look at them. “Our cases each have significant messages and lessons to be learned,” he said.

To better illustrate his point, Kaufman highlighted a few recent cases. The FTC’s settlement with TRENDnet—it’s 47th and most recent case—alleged the company failed to take reasonable steps to safeguard the privacy of its customers.

Each FTC settlement almost has a moral from which other businesses can draw. HTC customized software without testing it for vulnerabilities prior to releasing it. In another case with the Cord Blood Registry, the FTC found that data stored on a laptop in transit wasn’t encrypted. And a case settled with PLS Financial Services found the company improperly disposed of sensitive financial information.

But companies under FTC consent decrees are not in trouble for one isolated error, Kaufman said.

“Our complaints are never about one thing a business did wrong. It’s always a series of things,” he said. For example, in addition to not taking reasonable steps to transfer sensitive data, CBR didn’t appropriately train staff on privacy or encrypt its sensitive personal information.

Perhaps the biggest case, however, surrounds Wyndham Hotel’s motion to dismiss an action brought on by the FTC. A New Jersey court was scheduled to hear the case on Thursday and the decision could have profound effects for the federal agency. Saying the FTC put together a strong case against the hotel chain, Kaufman was optimistic the court would find in favor of the FTC, but said it would “be a big deal” if the court found otherwise.  

What else may be on the FTC’s radar?

Kaufman said the agency may eventually look into the burgeoning bring-your-own-device issue. “There are huge challenges in that area,” he said, “so I wouldn’t be surprised if we take a look into that area.”

Though nothing “concrete was coming down the pike,” Kaufman said mobile privacy has not left the gaze of the FTC either. He said they’ll be watching what the California AG does. He also said the FTC’s separate study and subsequent report on the data broker industry should be out early next year.

For businesses trying to meet the FTC’s mission, Kaufman said, “Training of staff is a huge part of it and making sure the CPO is in a corner somewhere.” He lauded instilling privacy consideration into product and system design and recommended having company-wide breach awareness days or data privacy weeks among staff.

Read more by Jedidiah Bracy:
Hack the Trackers Taps Into the Post-Snowden Zeitgeist
U.S. Intel Officials Defend Programs; EU Fallout Continues
FTC’s Brill to Technologists: This Is Your Call to Arms
Acxiom, MasterCard CPOs Talk Transparency, De-identification, FTC Consent Orders