On April 24, 2019, the FTC published an article advising companies to: (1) deliver on any security pledges the companies make; (2) monitor company networks for suspicious activity; (3) respond quickly and thoughtfully to any suspicious activity; and (4) keep consumers’ personal information and login credentials confidential.
The FTC’s article stems from a data security case against an online rewards website company. In its complaint, the FTC alleged not only that the company deceived consumers by falsely claiming it “utilized the latest security and encryption techniques” to secure its users’ information, but also that it “failed to meet minimal data security measures prescribed by data security professionals since at least 2013.” The FTC further alleged that the company did not encrypt consumers’ personal information and that it downloaded a potentially harmful web browser extension onto its network, which hackers used for months to access the information of 6.6 million consumers, including, among other things, personal information, login credentials, and answers to security questions.
Under the FTC’s proposed order, the company is prohibited from making misrepresentations about the privacy or security of personal information. The company must also maintain a documented information security program that, among other things, assesses and documents, every 12 months and promptly following a covered incident, the internal and external risks to the security, confidentiality, and integrity of consumers’ personal information. Additionally, the company must obtain an assessment of its information security program from an independent third party every two years for the next 20 years.