Tech Transactions & Data Privacy 2022 Report

1. FTC Background

The Federal Trade Commission (FTC) is a federal agency that works to protect consumers from fraudulent, deceptive and unfair business practices. Section 5(a) of the FTC Act broadly authorizes the FTC to investigate and challenge “unfair or deceptive acts or practices in or affecting commerce”.¹ The FTC has used this authority to promulgate specific privacy-focused rules, including the Health Breach Notification Rule (HBN Rule) and the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (Safeguards Rule). Congress has provided the FTC authority to enforce privacy-focused legislation like the Children’s Online Privacy Protection Act (COPPA)² and the Fair Credit Reporting Act.³Finally, the FTC uses its primary authority under Section 5 of the FTC Act to bring enforcement actions against organizations following data security incidents that the FTC believes involve deceptive practices (often due to misrepresentations in an organization’s privacy policy) or unfair practices (often by failing to use reasonable measures to secure sensitive information).

2. The FTC’s Recent Actions Demonstrate a Trend Towards Increased Cybersecurity and Data Privacy Scrutiny

During the second half of 2021, the FTC took two meaningful actions that signaled the FTC’s desire to expand its role in setting and enforcing cybersecurity and data privacy standards: the FTC clarified the scope of the often ignored HBN Rule and the FTC amended the Safeguards Rule to strengthen the data security requirements for financial institutions.

On September 15, 2021, the FTC issued a Policy Statement that clarified the scope of the HBN Rule and signaled that the FTC intends to begin enforcing the rule. Under the HBN Rule, vendors of personal health records (PHR) and PHR-related entities, not subject to the Health Insurance Portability and Accountability Act (HIPAA), must notify the FTC and consumers if there has been a breach of unsecured identifiable health information. Notification to the media may also be required in certain cases. The FTC clarified that the rule applies to developers of health apps or connected devices. The FTC attributed the Policy Statement to the recent explosion of apps and connected devices that capture sensitive health data. While the FTC has not enforced the rule in the decade since its issuance, the FTC’s Policy Statement signaled that the FTC intends to begin enforcing the rule. Violations of the HBN Rule may result in civil penalties of $43,792 per day.

On October 27, 2021, the FTC announced a final rule amending the Safeguards Rule to strengthen the data security requirements that financial institutions must implement to protect customers’ financial information and by broadening the scope of covered financial institutions. Specifically, the FTC modified the Safeguards Rule in the following key ways:

1. The amended Safeguards Rule includes detailed requirements for the development and establishment of the information security program, such as specific criteria for what the risk assessment must include and that the risk assessment be documented in writing. In addition, the amended Safeguards Rule requires financial institutions to address access controls, authentication, secure development practices, data inventory and classification, information disposal procedures, change management, encryption, testing and incident response.

2. The amended Safeguards Rule adds requirements to ensure that financial institutions are effectively training employees and overseeing services providers.

3. The amended Safeguards Rule requires a financial institution to designate a single Qualified Individual to oversee the implementation of the information security program.

4. The amended Safeguards Rule requires periodic reports to boards of directors or governing bodies.

5. The amended Safeguards Rule exempts financial institutions that collect information on less than 5,000 consumers from the written risk assessment, incident response plan and annual reporting to the boards of directors or governing bodies requirements.

6. The amended Safeguards Rule expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. Through this change, “finders” (i.e., companies that bring together buyers and sellers of a product or service) are now within the scope of the amended Safeguards Rule.⁴

Many new requirements under the amended Safeguards Rule became effective on January 8, 2022, and more significant changes will go into effect on December 9, 2022.

3. The FTC’s Anticipated Enforcement Role in 2022

In addition to enforcing the HBN Rule and the recently amended Safeguards Rule, the FTC has expressly stated its intent to further expand its role in setting and enforcing cybersecurity and data privacy standards. The FTC is “particularly focused on developing rules that allow the agency to recover redress for consumers who have been defrauded and seek penalties for firms that engage in data abuses.” The FTC is considering initiating a rulemaking “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”⁵ The FTC is also looking to complete its ongoing review of public comments related to amendments to COPPA.

The FTC recently announced its intent to further amend the Safeguards Rule to require financial institutions to report to the FTC any security event where the financial institutions have determined misuse of customer information has occurred or is reasonably likely and that at least 1,000 consumers have been affected or reasonably may be affected. Therefore, covered financial institutions may have additional reporting requirements under the Safeguards Rule in 2022.

If Congress enacts a federal privacy law in 2022, there is a meaningful chance that such a law will provide further authority to the FTC to enforce the law’s requirements. If no such law is enacted, the FTC will nonetheless use its primary authority and its authority under the specific rules discussed above to ensure that organizations are appropriately safeguarding consumers’ personal information and respecting consumers’ privacy.

In light of the FTC’s recent and likely upcoming actions, organizations should review their operations to ensure they are complying with the FTC’s recently amended rules. Organizations should also review and update their privacy policy, implement or review their written information security program and implement or review their incident response plan. Organizations must ensure they are protecting any sensitive data in their possession, or in the possession of their vendors, and ensure they can effectively respond if a data security incident occurs.

FOOTNOTES

1 See 15 U.S.C. § 45(a).

2 15 U.S.C. 6501–6505.

3 15 U.S.C. §§ 1681-1681x.

4 See Federal Trade Commission, Standards for Safeguarding Customer Information (December 9, 2021), https://www.federalregister.gov/documents/2021/12/09/2021-25736/standards-for-safeguarding-customer-inf

5 See Federal Trade Commission, Trade Regulation Rule on Commercial Surveillance (Fall 2021), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202110&RIN=3084-AB69