New Requirements for FTC Data Security Settlements
Two of the Federal Trade Commission’s (FTC’s) most recent data security settlements include new requirements that go beyond previous data security settlements. The new provisions (1) require that a senior corporate officer provide to the FTC annual certifications of compliance and (2) specifically prohibit making misrepresentations to the third parties conducting required assessments. A statement accompanying these settlements noted that the FTC has instructed staff to examine whether its privacy and data security orders could be strengthened and improved.
The first matter is an administrative settlement with James V. Grago, Jr. doing business as ClixSense.com, a website where users earn money by viewing advertisements, performing online tasks, or completing online surveys.
ClixSense collects and stores personal information as part of its enrollment process. The data it collects includes name, address, email address, and social security number for users who earn more than $600 annually from ClixSense. ClixSense represented that it “utilizes the latest security and encryption techniques to ensure the security of your account information.” In fact, according to the FTC’s complaint, it did not.
The complaint alleges that Respondent:
- Failed to implement readily available security measures to limit access between computers on the ClixSense network and between such computers and the internet
- Permitted employees to store plain text user credentials in personal email accounts and on ClixSense laptops
- Failed to change default login and password credentials for third-party company network resources
- Maintained consumers’ personal information, including consumers’ names, addresses, email addresses, dates of birth, gender, answers to security questions, login and password credentials, and Social Security numbers in clear text on ClixSense’s network and devices.
The complaint also described how a hacker or hackers used a set of credentials from an employee’s company laptop that allowed the hacker(s) to download clear text information on 6.6 million consumers, including 500,000 U.S. consumers. The hacker(s) then published and offered for sale the personal information of 2.7 million consumers.
Further, the complaint alleges that the Respondent could have addressed the above-noted failures by implementing readily available and low-cost security measures and that the failure to do so was an unfair practice.
The settlement, which has been put out for public comment, would prohibit the Respondent from misrepresenting its data security and privacy protections. In addition, it requires that the Respondent implement and maintain a comprehensive Information Security Program and perform biennial assessments by a third party for 20 years.
The new provisions to the order require that a senior corporate manager or senior officer responsible for the Respondent’s Information Security Program provide an annual certification to the FTC that the Respondent has established, implemented, and maintained the requirements of the order; is not aware of any material noncompliance that has not been corrected or disclosed to the FTC; and includes a brief description of any covered incident.
The second action involves UNIXIZ doing business as i-Dressup.com, and its CEO Zhijun Liu and its secretary Xichen Zhang. i-Dressup.com is a website that allows users, including children, to play dress-up games, design clothes, and decorate their online spaces. In January 2016, i-Dressup had at least 2.1 million users, of which approximately 245,000 were under the age of 13 years.
The complaint alleges that the defendants violated the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parental consent before collecting information from children under the age of 13 years. According to the complaint, when users first register they are required to submit a user name, password, birthdate and email address. Users over the age of 13 years have access to the entire website, including the ability to participate in social media features, create blog posts, add friends, and send direct online messages.
If a prospective user submits a birthdate that indicates he or she is under 13 years of age, the registration form asks for a parent’s email address. When the user clicks the “Join Now” button, an email notice is sent to the parent’s email address entered by the user. The email allows the parent to provide consent by clicking the “Activate Now” button. If a parent declines to provide consent, the under-13 user is given a “Safe Mode” membership that allows access to some games and features and still collects personal information, but does not allow access to the social media features.
The complaint also details how a hacker accessed information about i-Dressup’s users and sent the hacked data to journalists who then attempted to contact the defendants, prompting them to implement some security measures.
The complaint alleges that the defendants violated the COPPA Rule by failing to:
- Obtain verifiable parental consent and, for “Safe Mode” members, obtain any parental consent at all
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children
The stipulated judgment requires the defendants to pay a civil penalty of $35,000 and enjoins them from violating the COPPA Rule.
This action has been filed in district court by the Department of Justice because it includes alleged violations of COPPA. In addition, the settlement requires that the defendants implement and maintain a comprehensive Information Security Program and perform biennial assessments by a third party for 20 years.
The judgment also includes the new provisions described in the ClixSense settlement.
The public will have an opportunity to comment on the ClixSense settlement because it is an administrative matter that is not final until after the comment period ends. It is likely that there will be comments on the new provisions identified above.