At a time when organizations are facing an increased number and intensity of cybersecurity risks, the Federal Trade Commission (FTC) is doubling down on its commitment to keep personally identifiable information (PII) secure. This was the clear message in the agency’s 2015 Privacy and Data Security Update, released on January 28th, 2016—which happened to be, appropriately, Data Privacy Day.
The most recent annual report highlights the FTC’s consumer privacy actions taken and programs implemented last year, including its enforcement actions, public workshops, educational initiatives and international cooperation efforts. Its enforcement actions confirm that the agency is delivering on its promise to closely scrutinize companies’ data privacy and security policies, and execute enforcement when necessary.
The agency stated that it remains committed to ensuring consumers are able to reap “the benefits of innovation in the marketplace, confident that their personal information—online and offline—is being handled responsibly.” And, in fact, the FTC’s activities in 2015, including enforcement of 11 privacy cases, reveal that organizations have never faced such stringent and public scrutiny over their efforts to safeguard sensitive information.
FTC’s 2015 Enforcement Initiatives
Over the years, the FTC’s enforcement actions have addressed offline, online and mobile practices related to general privacy, data security, senior privacy, children’s privacy, credit reporting, financial privacy and more. The agency’s 2015 enforcement actions included the following:
- The FTC brought five security cases against companies that allegedly failed to secure consumers’ personal information, including Oracle, Wyndham and Lifelock. Security cases arise when companies engage in practices, usually unfair or deceptive, that put consumers’ personal data at unreasonable risk.
- The FTC brought 11 privacy cases against businesses that were alleged to be misusing consumers’ information, including Sequoia One and CWB Services, LLC. General privacy cases brought by the agency include spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing and mobile.
- Three of the companies cited in privacy cases were alleged to have tricked seniors and others into disclosing their financial information, including Pairsys, Inc. and Click4Support, LLC.
- Three companies cited in privacy cases were alleged to have violated children’s privacy by not requiring websites and apps to obtain parental consent before collecting personal information from children under 13, including Retro Dreamer and LAI Systems.
These actions put into practice the FTC’s official statement about its expectations for today’s organizations when it comes to consumers’ personal privacy and security:
“Each of our projects in the privacy and data security arena has been informed by a central message: Even in the face of rapidly changing business models and technologies, companies still need to follow fundamental privacy principles including:
- Don’t collect or retain more data than you reasonably need;
- Tell consumers how you plan to use and share their data;
- Give consumers choices about their privacy; and
- Protect data from unauthorized access.
“We’re committed to working with businesses to protect consumers’ privacy in this increasingly digital era.”
Naturally, the FTC’s efforts are a critical component of the ongoing privacy and security of every consumer’s data. Taking enforcement action against practices that violate this trust not only ensures violators are held accountable, but also sends a strong message to today’s business world about the critical care it should give consumer data.
Companies can ensure they are meeting not only FTC guidelines but also their own organizational goals of becoming secure stewards of other people’s personal data by creating the strongest possible defense against today’s full range of cyber threats.
One way to build a stronger defense is to conduct a risk analysis that identifies an organization’s greatest areas of weakness. This insight helps organizations create the strongest data security roadmap for their consumers’ data.