New FTC Standards for Data

Author: Mr Kenneth Dort
Profession: Drinker Biddle & Reath LLP

When the Federal Trade Commission, in conjunction with the White House, promulgated its Consumer Privacy Bill of Rights in February 2012, one of the more intriguing considerations was that the FTC appeared to be setting up a matrix by which a company's voluntary decision to adopt that matrix could become the basis for an FTC enforcement action. Now, after several months, that consideration should be back at the forefront of data security planning for U.S. businesses.

Earlier this summer, the FTC used that matrix in authorizing a federal action against Wyndham Worldwide Corp. and three of its subsidiaries – a development that highlights a possible change in stance from FTC Commissioner J. Thomas Rosch and illustrates for businesses the importance of developing detailed data/privacy policies.

In its action, the FTC's asserted claim is based entirely upon the alleged violation of the Wyndham group's own internally generated and approved privacy/security policy. In particular, the FTC complaint alleges that the hotel group's "privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information." The agency charges that the hotel's security practices as represented to the public were "unfair and deceptive" and thus violated the FTC Act.

Rosch voted with a unanimous majority of FTC Commissioners to authorize the federal action against Wyndham, but had dissented from the same portion of the FTC's privacy report and recommendation, which accompanied the release of the Consumer Privacy Bill of Rights in February.

This apparent development at the FTC will bear continued observation across the United States business community. At the same time, it presents an excellent opportunity for all companies handling sensitive data to conduct an immediate evaluation of their privacy/data security policies and practices to ensure that their practices are in complete alignment with their policies. Specific issues of concern include:

- Enforcement and litigation risks and developments;
- Contingency breach response planning (including breach notification efforts to affected persons and relevant governmental agencies);
- Incident response planning (including possible external forensic investigations and...
