On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures. As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network. This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon the failure to maintain reasonable security measures by a third-party service provider. The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term.
The Settlement Order
Unlike many respondents facing FTC scrutiny for their data security practices, InfoTrax is not a consumer-facing company. Rather, InfoTrax operates website portals for direct sales companies. The direct sales companies’ clients, their distributors, in turn use the website portals to register and place orders on behalf of themselves and the end consumers. Through registering and placing orders, the distributors submit significant amounts of personal information (such as Social Security numbers and credit card numbers) about themselves and end consumers to InfoTrax.
The FTC alleges that InfoTrax failed to follow numerous best practices to protect the personal information it held on behalf of the direct sales companies. For example:
- InfoTrax failed to perform adequate code review and penetration testing to assess cyber risks;
- InfoTrax failed to take precautions to detect malicious file uploads or limit their upload on its network;
- InfoTrax failed to adequately silo clients’ data;
- InfoTrax failed to regularly monitor for unauthorized attempts to transfer sensitive data from its network;
- InfoTrax stored confidential information in clear, readable text; and
- InfoTrax did not systematically delete personal information it no longer needed.
Exploiting these weaknesses, hackers allegedly accessed InfoTrax’s systems more than twenty times over nearly two years, culminating in the theft of about one million consumers’ sensitive personal information. InfoTrax was unaware of the intrusions until the hackers’ activities degraded its servers’ performance.
The complaint alleges that InfoTrax’s “failure to employ reasonable data security practices to protect personal information” constitutes an unfair act or practice in violation of the FTC Act. As a result of the violation, and according to the terms of the settlement, InfoTrax is not permitted to handle personal information until it implements several specific safeguards in its information security program. Specifically, the Commission provides over two pages of directions, requiring improvements ranging from encrypting sensitive data and documenting its security practices to segmenting its network, performing annual penetration testing, and obtaining third-party assessments of its information security program. As is common in these cases, the settlement order runs for twenty years.
FTC Now Targeting Shoddy Security Practices Directly. Historically, the FTC connected a failure to properly safeguard data to an FTC Act violation in two discrete steps: (1) the FTC argues that the respondent’s deficient data privacy practices do not comply with its own stated practices, and then (2) the FTC argues that the respondent’s failure to follow its own stated practices is an unfair or deceptive act.
Here, the FTC contends that InfoTrax’s security shortcomings themselves constitute an unfair or deceptive act. The FTC’s contention is novel and untested, and may indicate a shift towards a more direct approach to regulating data security. This approach may be necessary to regulate respondents, like InfoTrax, that do not directly serve consumers or maintain privacy policies directed towards consumers. Such third-party service providers have become a recent focal point for the Commission.
FTC Mandates Specific Data Security Practices. Between the laundry list of security failures and the two pages of remediation requirements, the InfoTrax settlement outlines the security practices that the FTC expects entities handling personal data to maintain. In the past, the FTC provided limited direction in its settlement orders on how to ensure data security programs would be “reasonably designed” to protect confidential information. But last year the Eighth Circuit ruled that the FTC cannot enforce such vague settlement orders. Perhaps to address the concerns expressed in that decision, the order in this case, and those in other recent settlements, now direct the implementation of specific security practices. The FTC has also issued a statement acknowledging that it was mandating “new requirements that go beyond requirements from previous data security orders” and that it will continue to reevaluate requirements order-to-order.
Ten- or Twenty-Year Obligations? As Commissioner Wilson noted in her concurring statement regarding the settlement, the FTC’s practice is to require undertakings in settlement orders in data privacy matters to extend for twenty years. Following the suggestion of the American Bar Association, Commissioner Wilson argued that FTC orders in data privacy settlements should sunset after only ten years. The tenor of Commissioner Wilson’s comments suggests that the FTC is unlikely to change its practice anytime soon, but her comments nonetheless provide ammunition to respondents during settlement negotiations to argue for a shorter period of time. Of course, particularly in the fast-moving technology sector, even ten years of dated security requirements and third-party assessments may still feel like an onerous burden for a company.