An online company provides products to individuals and small businesses. Like most online companies, it collects various types of information from its customers such as email addresses for notifications, mailing addresses for product shipment, and credit and debit card numbers for payment.
From its inception, the company’s management takes data security very seriously. The company forms an interdepartmental team to assess potential vulnerabilities to the company’s website, computers, and physical building, creates a written data security plan and policy, and, each year, conducts a data inventory to help identify where it stores the information that it collects and who has access to that information. As the company grows, it may even hire a Chief Privacy Officer who does everything from training employees on how to shred old invoices to making sure that the company’s growing list of outside vendors don’t have disparate data security practices. This company has complied with its obligation to secure consumer data, right?
Maybe not. The Federal Trade Commission’s settlements with SettlementOne Credit, ACRAnet, Inc., and Fajilan and Associates, Inc. suggest that in addition to enacting good practices for their own operations and making sure that their vendors do the same, companies are responsible for making sure that their customers have adequate data security. Although the FTC cites several statutes as the basis for this “duty to police customers,” it is not at all clear that the FTC’s theory could survive judicial scrutiny. Part I of this article provides a brief history of the FTC’s success over the past ten years to position itself as the primary federal regulator concerning issues of data security. Part II discusses the FTC’s recent enforcement actions and settlements with SettlementOne Credit, ACRAnet, and Fajilan. Part III analyzes the limits of the FTC’s data security enforcement powers. As part of this analysis, it reviews the scope of the new duty that the Commission proposes as part of the Reseller settlements, and analyzes whether the duty that the Commission seeks to impose can be supported by the Commission’s authorizing legislation. Finally the article concludes that the Commission’s attempt to create a new duty to police customers lacks firm statutory support and may not be successful if challenged in court.