On February 25, the Federal Trade Commission – the nation’s primary privacy and data security enforcer – released its latest Privacy and Data Security Update, which summarizes the agency’s privacy and data security activities over the last year and provides a preview of what’s to come in 2020. Here are our top five takeaways from the report.
More Aggressive Enforcement Actions
The FTC’s report on its enforcement activities reads like a resume. It highlights the agency’s “decades of experience in consumer privacy enforcement,” and notes that over that period the agency has brought hundreds of enforcement actions, including over 130 spam and spyware cases, over 80 general privacy cases, and over 70 cases against companies that failed to maintain adequate data security practices.
The report also signals that the agency has been – and intends to be – an aggressive enforcer, not only bringing a large number of privacy and data security cases but also imposing large fines and sharp compliance obligations. In that vein, the FTC’s report highlights its 2019 settlement with Facebook, in which the agency, joined by the Department of Justice, imposed a massive $5 billion penalty for Facebook’s violation of a 2012 consent order, and also required a “host of modifications” designed “to change Facebook’s overall approach to privacy.” The report also highlights the FTC’s 2019 settlement with Equifax, in which the agency, joined by the Consumer Financial Protection Bureau and 50 state attorneys general, obtained a settlement of over $575 million following Equifax’s 2017 data breach.
In 2020, we expect the FTC to maintain its aggressive enforcement posture, demonstrating to the regulated community – and, importantly, to Congress – that its privacy and data security enforcement efforts are up to the challenge.
More Robust Data Security Orders
The FTC’s report also signals that the agency will continue efforts to strengthen its data security orders. The report notes that in 2019 the agency “strengthened its standard orders in data security cases,” requiring “companies to implement a comprehensive security program, obtain robust biennial assessments of the program, and submit annual certifications by a senior officer about the company’s compliance.” That 2019 effort followed the Eleventh Circuit’s 2018 ruling that the FTC’s data security order against LabMD was unenforceable because it was too vague.
As FTC Chairman Joe Simons has noted, the FTC’s 2019 effort to strengthen its data security orders led to “more specific security requirements,” required company executives “to take more responsibility for order compliance,” and strengthened “the third party assessor’s accountability” while “providing the FTC with additional tools for oversight.”
We expect more of the same in 2020, with the FTC continuing to refine its data security orders to provide more specificity regarding data security requirements and proper internal controls.
To continue reading the article, please visit Law360.