The FTC Doesn’t Have to Wait for a Data Breach to Review Information Management Policies

Sep 11, 2014 | Blog

Like the Securities and Exchange Commission, the Department of Health and Human Services, and the Department of the Treasury, the Federal Trade Commission (“FTC”) is placing an emphasis on reviewing what an organization does with the personal data it collects from its consumers. As stories about data breaches and high-value technology companies merging or acquiring each other appear in the news almost daily, an organization would be well served to keep a constant eye on how it treats customer data. Under Section 5 of the Federal Trade Commission Act, the FTC can open an investigation of an organization and its information management practices, even if there has not been a breach, if the FTC believes that the organization is engaging in unfair or deceptive acts or practices with regard to the information it collects from consumers.

An unfair practice is an act that causes or is likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or to competition. This prong of Section 5 has become a popular vehicle for the FTC to investigate and bring actions against companies. The FTC sued the hotel chain Wyndham Worldwide under this prong over its information management practices following a breach that resulted in the release of its customers’ credit card information.

Similarly, a deceptive practice is one in which a company tells its consumers that it will act one way with regard to the data it collects, and then acts in a manner that contradicts its statement. For instance, ConnectEDU was a company whose privacy policy stated that it would never sell or provide information to a third party without first obtaining the user’s consent. While being acquired in the course of bankruptcy proceedings, ConnectEDU intended to sell the data to the acquiring company without first obtaining its users’ consent. As a result, the FTC intervened by writing a letter to the court. Citing the sale of the data as a deceptive practice, the FTC suggested that ConnectEDU either provide notice to its users or destroy the data, or that the court appoint a privacy ombudsman to ensure that the privacy interests of ConnectEDU’s users are protected.

Because the FTC, like other agencies, is increasing the number of audits it conducts of information management practices, an organization should review its privacy, security and information management policies, and the safeguards it employs in daily practice, to ensure that the organization’s actual practices are aligned both with the law and with its own published policies. Should you have questions about information management practices, contact Kenneth N. Rashbaum.