FTC Holds Company’s CEO Personally Liable for Security Failures

The FTC issued a proposed consent order, finding that a company and its CEO had violated the FTC Act because of the company’s security failures that resulted in a data breach impacting 2.5 million consumers.  As part of the proposed consent order, the company will be restricted in the types of data it can collect and retain, and the CEO will be bound to specific data security requirements for his role in the alleged acts and practices.

Following an investigation into the company’s data management and security practices, the FTC found that the company and its CEO had failed to develop and implement appropriate measures to protect consumers’ personal information.  The FTC found that the company had failed to develop, assess, and enforce adequate written information security standards, policies, procedures, and practices, and to implement employee trainings on such standards, policies, procedures, and practices.  Relatedly, the FTC found that the company had failed to securely maintain login credentials, scan its databases and platforms for unsecured credentials, require reasonable data access controls, or monitor its databases and platforms for data security breaches.  As a result of these various security failures, a hacker gained access to 2.5 million records in 2020.

The FTC held the CEO liable, in both his individual and official capacities, because of his failure to act after the company had experienced a similar security breach in 2018.  The FTC found that the CEO was on notice following the 2018 incident, but failed to implement reasonable security practices, or delegate this responsibility to another senior executive.

As part of the proposed settlement, the company will be required to destroy personal information that is not used or retained to provide products or service, and it will be refrained from collecting and maintaining such personal information moving forward.  The company will also be required to develop and implement a comprehensive information security program, aimed at addressing the security failures the FTC identified through its investigation.  The CEO will be required to submit annual certifications concerning the company’s compliance with the consent order, and any subsequent data breaches that may occur.  Additionally, the CEO will be required to implement information security programs for any business in which he has majority ownership, or serves as a senior officer, for the next 10 years.

The FTC will publish the proposed consent order to the Federal Register, and it will be subject to public comment for 30 days, after which the Commission will decide whether to finalize the consent order.