On-line Privacy Update: FTC Uses Its Mandate to Expand Reach of Consumer Data Security Laws to Non-Financial Businesses

The Federal Trade Commission (FTC) is increasingly using its broad powers to require businesses to enact privacy measures to protect their customers’ personal data. According to the FTC, all companies must “maintain reasonable and appropriate measures to protect sensitive consumer information.” And the FTC is ready and willing to step in and make them implement such measures — regardless of whether Congress has enacted a specific statute requiring the business to do so.

When most people think about the Federal Trade Commission (FTC), they think about a federal agency that fights monopolies or big consumer frauds. However, the FTC Act, the statute that created the FTC, gave it a very broad mandate: “to prevent persons, partnerships or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(2). In the digital media world, throughout the past decade, the FTC has used this vague “unfairness” mandate to require consumer-based businesses to enact data security measures.

There are federal laws that impose data security requirements, such as the Fair Credit Reporting Act (15 U.S.C. § 1681e) and the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.). These laws apply to financial institutions and credit reporting agencies. However, in its recent enforcement actions, the FTC has begun to apply these data security rules to consumer businesses as a whole. (Fn1) According to a June 17, 2009 statement by the FTC to the U.S. House (Fn2), since 2001 the FTC has brought 26 cases against businesses that allegedly failed to protect consumers’ personal information. This includes cases against Microsoft, TJX, LexisNexis, Tower Records, Petco, Reed Elsevier and CVS. None of these companies would commonly be considered financial or credit reporting companies.

The legal authority for the FTC’s actions in each case differed, but in some cases, such as the TJX and Compgeeks.com cases, it rested solely on the FTC’s broad mandate to fight “unfairness.” (Fn3) Nevertheless, the terms of the consent orders reached in both cases imposed on TJX and Compgeeks.com the same obligations required of financial companies under the Gramm-Leach-Bliley Act. Both consent orders required the implementation of “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” This is language taken directly from 16 C.F.R. § 314.3, the FTC’s rules implementing Gramm-Leach-Bliley.

The FTC complaints in its cases against non-financial businesses “have alleged such practices as the failure to (1) comply with posted privacy policies; (2) take even the most basic steps to protect against common technology threats, (3) dispose of data properly, and (4) take reasonable steps to ensure that they do not share customer data with unauthorized third parties.” According to the FTC, “all of the cases stand for the principle that companies must maintain reasonable and appropriate measures to protect sensitive consumer information.”

Some may wonder about the breadth of the FTC’s powers. However, prior case law has held that the FTC is not limited to merely enforcing specific laws that Congress has elsewhere enacted. To the contrary, the FTC has the power to declare otherwise legal practices unfair or deceptive, thereby making them illegal.