By Eduard Goodman
The Federal Trade Commission is taking its role as America’s privacy and data protection authority more seriously than ever.
Fresh on the heels of its new-era privacy manifesto, which lays out its evolving expectations around the intersection of privacy and business, the FTC secured a settlement with three credit report resellers that failed to protect consumers’ personal information when hackers gained access to more than 1,800 credit reports.
“The FTC will take action against companies that cross the line with consumer data and violate consumers’ privacy … I think you’ll see more privacy cases in the coming weeks and months,” said Jon Leibowitz, FTC chairman, when the privacy report was released.
The resellers bought credit reports from the three nationwide credit-reporting bureaus and combined them into reports for sale to mortgage brokers. The FTC said the resellers failed to:
- Develop and disseminate information security policies for their own institutions and their end user clients;
- Assess the risks of allowing end users with unverified or inadequate security to access consumer reports through their portals;
- Evaluate the security of end users’ computer networks, require appropriate information security measures, and train end user clients;
- Implement reasonable steps to maintain an effective system for monitoring end users’ access to consumer reports, including monitoring to detect anomalies and other suspicious activity; and
- Take appropriate action to correct existing vulnerabilities or threats to personal information in light of known risks.
These failures resulted in the exposure of consumer information to a number of groups and individuals without the authority to access it, including hackers.
What was interesting about these complaints was their uniformity. In fact, they were nearly identical. From my perspective, this shows a systemic problem within the industry, one that is general enough for a “form complaint” approach by the FTC.
What I find most interesting, though, is the fact that there isn’t much that’s interesting here. The nature of the complaints and issues in the cases doesn’t stand out; these are not “groundbreaking privacy enforcement cases.” They are common privacy-related complaints around improperly protecting access to consumer data.
Interestingly, the punishment is also becoming the norm: 20 years of biannual third-party audits that check for proper processes and procedures to correct and improve the protection of sensitive data. This “life sentence” (as I refer to it) for privacy violations begins to drive home the seriousness of these issues in the eyes of the FTC.
If anything, the vanilla nature of these complaints clearly lays out that companies still aren’t doing enough to protect access to consumer information, and that there is no shortage of this type of lax behaviour in any industry. The FTC will just keep chipping away at consumer-oriented privacy abuses, one case—or maybe three cases—at a time.