Gain insights into the Federal Trade Commission's role in data security and privacy for non-profit organizations. Learn about FTC laws and regulations, enforcement actions, and the importance of implementing comprehensive information security programs.
BBB Wise Giving Alliance & The International Committee of Fundraising Organizations
Advancing Trust in the Charitable Sector
Federal Trade Commission, Bureau of Consumer Protection
Allison M. Lefrak, Attorney, Division of Privacy and Identity Protection
June 12, 2015
Disclaimer • Views expressed in this presentation are my own and are not necessarily those of the Commission or any Commissioners • Any answers to questions are my own opinion and are not those of the Commission or any Commissioners
Overview • FTC background information • FTC’s role in data security and privacy • FTC jurisdiction over non-profits • FTC’s business guidance
Federal Trade Commission • Nation’s only general jurisdiction consumer protection agency • ~1,100 lawyers and staff members in Washington and 7 regional offices • Federal jurisdiction in the areas of competition and consumer protection • Five Commissioners appointed by President and confirmed by Senate • Three bureaus: Competition, Economics, Consumer Protection • Privacy and Identity Protection – newest division, but not the only one addressing issues of identity theft, information security, and privacy
Laws the FTC Enforces • Federal Trade Commission Act (FTC Act) • Fair Credit Reporting Act (FCRA) • Gramm-Leach-Bliley Act (GLBA) • Other federal laws (e.g., COPPA, CAN-SPAM Act)
Privacy and Security FTC has played a leading role since the mid-90s in examining privacy and security issues and implementing protections for consumers • Crafted rules and regulations • Brought enforcement actions • Educated businesses and consumers • Held workshops to examine new technologies and business practices affecting privacy and data security
Legal Framework No single law governs privacy and data security in the United States • Rather, a collection of federal laws and regulations govern specific industries and practices • State laws addressing privacy issues, as well as private causes of action, complement federal law • The FTC has supported proposed data security legislation that would give the FTC jurisdiction to bring cases against non-profits
Federal Trade Commission Act Section 5 of the FTC Act prohibits unfair or deceptive acts or practices Deceptive practices are representations, omissions, or practices that: • Are likely to mislead consumers acting reasonably under the circumstances, and • Are material to the consumer’s decision Unfair practices are those that: • Cause or are likely to cause substantial injury to consumers • Are not outweighed by countervailing benefits to consumers or competition, and • Are not reasonably avoidable by the consumer
Guiding Principles • Information security is an ongoing process • A company’s security procedures must be reasonable and appropriate in light of the circumstances • A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security • A company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach
FTC Law Enforcement More than 100 privacy-related actions since 2001, including: • Over 50 data security cases • Over 100 spam and spyware cases • 18 COPPA cases
Wyndham • Complaint filed in June 2012 • Complaint allegations • Since 2008, Wyndham failed to provide reasonable and appropriate security for consumers’ personal information • As a result, intruders gained access to Wyndham’s network on three occasions between 2008 and 2010 • More than 619,000 consumer payment card account numbers exposed • More than $10.6 million in fraud loss • Consumers suffered unreimbursed fraudulent charges, increased costs, and loss of access to funds or credit • Consumers expended time and money resolving fraudulent charges and mitigating subsequent harm
Wyndham • Count 1 – Deception • Wyndham represented in its privacy policy that it would “safeguard our Customers’ personally identifiable information by using standard industry practices” and “we take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards” • Wyndham did not implement reasonable and appropriate measures to protect consumers’ personal information against unauthorized access • Therefore Wyndham’s representations are false and misleading and constitute deceptive acts or practices under Section 5(a) of the FTC Act • Count 2 – Unfairness • Wyndham failed to employ reasonable and appropriate measures to protect consumers’ personal information against unauthorized access • Wyndham’s actions caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition • Therefore, Wyndham’s acts and practices constitute unfair acts in violation of Section 5 of the FTC Act
FTC Orders Require • Implementation of Comprehensive Information Security Program for Data Security Cases • Implementation of Comprehensive Privacy Program for Privacy Cases • Independent Third-Party Audits Every Two Years for up to 20 Years • FTC Monitoring of Compliance
Some Common Remedies • Injunction against misrepresentations • Comprehensive data security or privacy program appropriate to the company’s size, nature of activities, and information collected • Third-party assessments of these programs • Other specific requirements, e.g., disclosures, privacy choices, data deletion, or software updates • Civil penalties for rule and order violations
FTC Jurisdiction over non-profits • FTC’s statutory consumer protection mandate is broad • Under Section 5 of the FTC Act, the FTC has power to prevent “persons, partnerships, or corporations” from using unfair or deceptive acts or practices in or affecting commerce, with certain limited exceptions. 15 USC §45(a)(2) • Exceptions: banks, savings and loan institutions, federal credit unions, “common carriers” • The Act defines “corporation” as any company that carries on business for its own profit or that of its members. 15 USC §44 • Therefore, a bona fide non-profit corporation is not subject to FTC jurisdiction
FTC Jurisdiction over non-profits FTC can reach non-profits where the non-profit is a sham, for example by: • Affirmatively misrepresenting that donations are going to charity, or • Engaging in activities that provide substantial economic benefit to for-profit members
FTC Jurisdiction over non-profits Certain rules that the FTC enforces apply to charitable solicitations, for example the Telemarketing Sales Rule (TSR) • The USA PATRIOT Act (2001) brought charitable solicitations by for-profit telemarketers within the scope of the TSR • Now, most of the rule’s provisions are applicable to “telefunders” – telemarketers who solicit charitable contributions on behalf of non-profits
FTC Jurisdiction over non-profits TSR continued Telefunders are required to: • make certain prompt disclosures in every outbound call. • get express verifiable authorization if accepting payment by methods other than credit or debit card. • maintain records for 24 months. • comply with the entity-specific Do Not Call requirements, but are exempt from the National Do Not Call Registry provision. • include in any prerecorded message call on behalf of a non-profit organization to a member of, or previous donor to, the non-profit, a prompt keypress or voice-activated opt-out mechanism.
FTC Jurisdiction over non-profits TSR continued Telefunders are prohibited from: • making a false or misleading statement to induce a charitable contribution. • making any of several specific prohibited misrepresentations. • engaging in credit card laundering. • placing “cold” calls that deliver prerecorded messages. • engaging in acts defined as abusive under the TSR, such as calling before 8 a.m. or after 9 p.m., disclosing or receiving consumers’ unencrypted account information, and denying or interfering with a consumer’s right to be placed on a Do Not Call list.
FTC DATA SECURITY RESOURCES FOR BUSINESS • 50+ law enforcement actions on data security • FTC workshops and staff reports • Nuts-and-bolts brochures for business at business.ftc.gov • Protecting Personal Information: A Guide for Business • 20-minute online training tutorial for your staff • Free copies of publications at ftc.gov/bulkorder • Compliance videos • 120 blog posts on the Business Blog, business.ftc.gov/blog
Protecting Personal Information: Five Key Principles • TAKE STOCK. Know what sensitive information you have in your files and on your computers. • SCALE DOWN. Carefully consider what information to collect and maintain. • LOCK IT. Securely store the information you keep. • PITCH IT. Properly dispose of what you no longer need. • PLAN AHEAD. Create a plan to respond to security incidents.
Questions My contact information: • Alefrak@ftc.gov • (202) 326-2804