Like the Securities and Exchange Commission, the Department of Health and Human Services, and the Department of Treasury, the Federal Trade Commission (“FTC”) is placing an emphasis on reviewing what an organization does with the personal data it collects from its consumers. As stories about data breaches and high-value technology companies merging or acquiring each other appear in the news almost daily, an organization would be well served to always keep an eye on how it treats customer data because, under Section 5 of the Federal Trade Commission Act, the FTC can begin an investigation of an organization and its information management practices, even if there has not been a breach, if the FTC believes that the organization is engaging in unfair or deceptive acts and practices with regard to the information collected from its consumers.
An unfair practice is an act that causes or is likely to cause harm to a consumer where a consumer cannot avoid the practice and where the benefit of the practice does not outweigh the potential harm. This subsection of Section 5 has become a popular vehicle for the FTC to investigate and bring an action against companies. The FTC sued the hotel chain Wyndham Worldwide under this subsection for its information management practices following a breach that resulted in the release of its customer’s credit card information.
In light of the fact that the FTC, like other agencies, is increasing the number of audits it conducts with regard to information management practices, an organization should review its privacy, security and information management policies and the safeguards it employs in daily practice to ensure that the organization’s practices are aligned with the law and with its policies. Should you have questions about information management practices, contact Kenneth N. Rashbaum.