Our current legal scheme for data privacy and security is a patchwork of laws. Although a bill has been proposed at the U.S. Capitol, Congress has yet to enact comprehensive data security legislation and probably will not do so anytime soon. For the time being, expect the United States Federal Trade Commission (FTC) to continue filling that void. The FTC has paid significant attention to the privacy and security of consumer information over the last several years. Having just scored a court victory recognizing its authority to regulate cyberspace, the agency will continue to have a major presence in the changing technological and data privacy landscape.
But those looking for clear-cut, easy-to-follow guidance will be disappointed. Across the vast gaps in the existing legal framework, the FTC has vowed to police the cybersecurity void. The agency's guidance, however, can be a challenge to implement proactively. What guidance does the FTC provide? What regulatory scheme, industry standard, or ten-step program is required? Perhaps a guiding maxim? "Companies should take reasonable steps to secure sensitive consumer information," FTC Chairwoman Edith Ramirez has said. "When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers."
Recent FTC actions
The FTC has brought scores of data security cases over the years. Some recent examples illustrate both the agency's continuing interest in cybersecurity and the evolving nature of the standards it applies. Two companies, Fandango and Credit Karma, recently agreed to settle claims that they misrepresented their mobile app security by failing to secure the transmission of consumers' personal information through their mobile apps. The Fandango Movies app lets users view show times, trailers, and reviews, and buy tickets. Credit Karma's mobile app lets users monitor their credit and financial status.
In both cases, the FTC alleged the same error: when they built their mobile apps, Fandango and Credit Karma disabled Secure Sockets Layer (SSL) certificate validation. Mobile operating systems such as Apple's iOS and Google's Android secure sensitive transactions by giving app developers tools to implement the industry-standard SSL. When properly implemented, SSL encrypts an app's communications and, through certificate validation, ensures the app is actually talking to the server it expects, which keeps an attacker from intercepting the sensitive personal information consumers submit through the app. The apps still used SSL, but with validation switched off they would accept any certificate an attacker presented. That allegedly left both apps open to "man-in-the-middle" attacks, in which a third party sits between the app and the server and can read or alter any of the information the apps send or receive, while both ends still see an apparently encrypted connection. The FTC alleged that this type of attack is particularly dangerous on unsecured public Wi-Fi networks, such as at coffee shops, airports and shopping centers, where these apps were commonly used.