The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues. In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras). In addition, the FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017. The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call.
A number of these cases were noteworthy because of the conduct and legal issues involved. The Uber Technologies enforcement action, for instance, involved charges that Uber violated the FTC Act by deceiving customers by making inaccurate clams that it closely monitored employee access to customer and driver data, as well as charges that Uber failed to reasonably secure customer data that it stored in the cloud. The FTC is now investigating a subsequent data breach that Uber disclosed after negotiating the FTC consent order. The D-Link action alleged that the company’s inadequate security measures exposed its Internet of Things (IoT) devices, including wireless routers and Internet cameras, to hackers. The Blue Global and ACDI Group actions focused on the collection and sale of personal financial information that was used in financial fraud schemes focused on the misuse of the personal information.
The FTC also highlighted its advocacy efforts, workshops, and publications, many of which focus on what are likely future areas of FTC enforcement, such as privacy and security concerns with IoT devices, payment systems, artificial intelligence and blockchain technologies, connected cars, and student privacy. One of the FTC’s new publications of note is its Stick with Security blog series, which offers periodic insights into key takeaways from recent law enforcement actions, closed investigations, and experiences of companies. The FTC report also demonstrated that the agency is attempting to be flexible in light of the changing nature of identity theft, informational injuries, and modern technologies while remaining vigilant in its mission to protect consumers. Companies should similarly remain cognizant of the FTC’s role as “one of the most active privacy and data security enforcers in the world.”
The FTC also included a reminder that its third annual PrivacyCon event will be held on February 28, 2018, in Washington, D.C.