The Federal Trade Commission (FTC) announced its first action regarding applications for smart phones that may be placed on a user’s device without their knowledge or consent (aka stalking apps). The FTC charged the developer of the stalking apps with violating both the Federal Trade Commission Act (FTC Act) and the Children’s Privacy Protection Rule (COPPA Rule). In its press release, the FTC claimed these apps “allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device’s user.”
Retina-X Studios, LLC agreed to a consent order that permanently restrains and enjoins the company “from, or assisting others in, promoting, selling, or distributing a Monitoring Product or Service unless Respondents” meet a list of requirements, including foreswearing the circumvention of a mobile device’s operating system for installation (aka jail-breaking or rooting), eliciting affirmative agreement that purchasers of any such app will only employ it for lawful, enumerated purposes, and ensuring that whenever the app is running, a clear and conspicuous icon appears on the device alerting the user that the app has been installed and is functional.
Like many such settlements, the FTC elicited agreement from the app developer to cease certain past practices and to adopt future practices that both avoid the offensive conduct and are designed to lead to better data security. Failure to do so would allow the FTC to go back to the court and request an order to show cause against the entity, putting it in jeopardy of facing civil penalties of more than $42,000 per violation.
Of course, the FTC’s power to order entities to take certain, broadly gauged actions, such as instituting a comprehensive data security program, has been called into question in LabMD v. FTC. In that 2018 case, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC and held that the agency may not direct entities to take future, ill-defined actions. Rather, in the appeals court’s view, the FTC’s underlying statute allows the agency only to spell out the conduct that entities may not engage in, whether in a cease and desist order issued by the FTC or a consent decree issued by a U.S. District Court. Of course, this is only the view of one circuit, and the other circuits are free to continue operating under the old understanding that the FTC may indeed direct entities to, for example and most relevantly in this case, implement a comprehensive data security regime.
In LabMD, the FTC Order that the Eleventh Circuit found faulty required:
…that the respondent shall, no later than the date this order becomes final and effective, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers by respondent or by any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including…
A. the designation of an employee or employees to coordinate and be accountable for the information security program;
B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;
C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and
E. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by Subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.
However, in the instant case, the FTC is far more prescriptive than it was in LabMD, directing Retina-X Studios to
Design, implement, maintain, and document safeguards that control for the internal and external risks to the security, confidentiality, or integrity of Personal Information identified in response to sub-Provision VI.D. Each safeguard shall be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, alteration, destruction, or disclosure of the Personal Information. Respondents’ safeguards shall also include:
1. Technical measures to monitor all of Respondents’ networks and all systems and assets within those networks to identify data security events, including unauthorized attempts to exfiltrate Personal Information from those networks;
2. Technical measures to secure Respondents’ web applications and mobile applications and address well-known and reasonably foreseeable vulnerabilities, such as cross-site scripting, structured query language injection, and other risks identified by Respondents through risk assessments and/or penetration testing;
3. Data access controls for all databases storing Personal Information, including by, at a minimum, (a) requiring authentication to access them, and (b) limiting employee or service provider access to what is needed to perform that employee’s job function;
4. Encryption of all Personal Information on Respondents’ computer networks; and
5. Establishing and enforcing policies and procedures to ensure that all service providers with access to Respondents’ network or access to Personal Information are adhering to Respondents’ Information Security Program.
The FTC continues by requiring:
F. Assess, at least once every twelve (12) months and promptly following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results.
G. Test and monitor the effectiveness of the safeguards at least once every twelve months and promptly following a Covered Incident, and modify the Information Security Program based on the results. Such testing shall include vulnerability testing of each of Respondents’ network(s) once every four (4) months and promptly after any Covered Incident, and penetration testing of each Covered Business’s network(s) at least once every twelve (12) months and promptly after any Covered Incident;
H. Select and retain service providers capable of safeguarding Personal Information they receive from each Covered Business, and contractually require service providers to implement and maintain safeguards for Personal Information; and
I. Evaluate and adjust the Information Security Program in light of any changes to Respondents’ operations or business arrangements, a Covered Incident, or any other circumstances that Respondents know or have reason to know may have an impact on the effectiveness of the Information Security Program. At a minimum, each Covered Business must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.
Is it possible the FTC is seeking to forestall future challenges based on LabMD through the use of more descriptive, prescriptive requirements for entities in establishing and running better data security programs? It absolutely could be. Some have suggested that the agency telegraphed its current thinking on what constitutes proper data security in draft regulations issued earlier this year, which are more detailed than both the current regulations and the numerous settlements the FTC has entered into.