If You Could See the Coach’s Playbook
By: James K. Paulick, Esq.
A recent cybersecurity and privacy enforcement action by the Federal Trade Commission (FTC) against a large online merchandise company reveals the FTC's focal points in cybersecurity and data privacy. Fortunately for everyone who gets to read about the enforcement, and unfortunately for the merchandise company, a very high number of violations were noted. A review of the highlights of this enforcement is literally a peek into the FTC's playbook that can help your company devise a workable plan to reduce liability exposure. The FTC found both cybersecurity vulnerabilities and privacy-related issues.
On the cybersecurity side, the FTC's findings create a roadmap of what companies should have in place to protect against data breaches. According to the FTC, the online merchandise company:
- Had no intrusion detection system in place.
- Did not apply patches for well-known system vulnerabilities.
- Stored Social Security numbers in plain text.
- Used password-hashing algorithms that the National Institute of Standards and Technology (NIST) had deprecated back in 2011.
- Failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers, academics, or other members of the public, thereby delaying its opportunity to correct discovered vulnerabilities.
- Used obsolete versions of database and web server software that no longer received patches.
- Had poor password policies: it did not require complex passwords, permitted the same word or phrase to be used for both username and password, and allowed common dictionary words.
- Had no data retention policy, so personally identifiable information was stored indefinitely with no business need.
As a result of these lax security practices, a hacker exploited vulnerabilities and obtained more than 180,000 unencrypted Social Security numbers, as well as millions of unencrypted names, physical addresses, security questions and answers, and other personal data.
On the privacy side, the FTC noted the following problems:
- The company represented, through its Privacy Policy, that it followed the EU-U.S. Privacy Shield Framework, particularly Principles 2, 4 and 6, which respectively require honoring opt-out instructions before sharing information with a third party, maintaining reasonable and appropriate security measures to prevent disclosure of personal data, and giving individuals access to personal information about them along with the right to correct, amend, or delete it. (Although the framework was invalidated by the Court of Justice of the European Union in the 2020 Schrems II decision, it still stands as a list of promises that the company made to consumers.)
- The company's website stated, at the point of collection, that customers' email addresses were collected only for “order notification and receipt,” when in fact submitting one's email address resulted in receiving marketing messages.
- The same email form contained a checkbox to “opt in” to deals and promotions, i.e. marketing, but even if the box was left unchecked, the individual would still receive marketing material.
- The company took months to notify individuals that their personal information had been breached, and many individuals had their accounts taken over. Because of the lax complex-password policy and the outdated hashing algorithm, the hashed passwords exposed in the breach could be cracked.
The FTC charged them with:
- Data Security Misrepresentations
- Response to Data Security Incident Misrepresentations
- Unfair Data Security Practices
- Data Collection and Use Misrepresentation
- Misrepresentation Relating to Privacy Shield Frameworks
- Misrepresentation Relating to Deletion of Consumer Data
- Unfair Withholding of Payable Commissions After Security Breach.
This FTC case offers a miniature playbook against which to compare your own security and data practices as a bit of a health check. What is remarkable about this enforcement is that a substantial amount of the trouble was caused by making representations in the company's Privacy Policy that were not true.
In particular: its promise to abide by the principles in the Privacy Shield Framework, its failure to delete data when individuals requested data or account deletion, and its failure to maintain adequate security protections. As the FTC has done in the past, it found an “unfair act or practice” in the failure to employ “reasonable data security measures to protect personal information.” This is an important reminder that regardless of what your company states in its written policies, if you do not have reasonable security measures protecting personal data, the FTC will consider your practices unfair or deceptive when you suffer a data breach. If your company's officers ever wonder why your information security officer requires complex passwords, encryption and multi-factor authentication, this enforcement case exemplifies the need. Had strong passwords been combined with a modern, salted, deliberately slow password hash, the password hashes exposed in the breach would most likely not have been crackable. Had multi-factor authentication been in place, even cracked passwords would probably not have let the attackers log in. Finally, had this data been encrypted at rest, with the decryption keys held separately so that only properly authorized individuals could decrypt it, the attackers would have had far more difficulty extracting anything useful from the breach.
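To make the password point concrete, the following is an added example written for this page; it is not code from the article, the FTC order, or the company involved. It implements a policy check covering the weaknesses the FTC listed (no complexity requirement, username reused as password, dictionary words allowed) and then contrasts an unsalted fast hash with a salted, iterated one. SHA-1 is assumed as the deprecated algorithm, since the article does not name which one the company used; PBKDF2-HMAC-SHA256 stands in for a modern password hash because it ships with Python's standard library (Argon2id or bcrypt are preferable where available); the word list is a constructed toy dictionary.

```python
# Added example (not from the article or the company it describes).
# Contrasts the password-handling lapses the FTC cited with a hardened
# version. SHA-1 is assumed as the deprecated hash (the article does not
# name it); PBKDF2-HMAC-SHA256 stands in for a modern salted, slow hash.
import hashlib
import hmac
import os
import string

# Constructed toy wordlist standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "baseball",
                "qwerty", "merchandise", "football"}

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def check_password_policy(username: str, password: str, min_len: int = 12) -> list:
    """Return the policy violations for a candidate password (empty list = OK).

    Each rule maps to a weakness in the FTC's findings: no complexity
    requirement, username reused as password, common dictionary words."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() == username.lower():
        problems.append("same as username")
    if password.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    classes = sum(any(c in group for c in password) for group in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1: one fast hash per guess, and identical passwords give
    identical output, so wordlists and precomputed tables apply directly."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_legacy(stored_hex: str, wordlist):
    """Dictionary attack on an unsalted fast hash: hash each word once and
    compare. Returns the recovered password or None."""
    for word in wordlist:
        if legacy_hash(word) == stored_hex:
            return word
    return None


def modern_hash(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash stored in a self-describing form:
    algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # per-password salt: same password, different hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    alg, iterations, salt_hex, digest_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_modern(stored: str, wordlist):
    """The same dictionary attack against the salted, iterated hash. A
    dictionary word is still recovered, but every guess now costs the full
    PBKDF2 work and must be repeated per user because each salt differs."""
    for word in wordlist:
        if verify_modern(word, stored):
            return word
    return None


if __name__ == "__main__":
    user, weak, strong = "jsmith", "summer", "Harbor-Lantern-42!"
    print("policy violations for 'summer':", check_password_policy(user, weak))
    print("policy violations for strong password:", check_password_policy(user, strong))
    print("legacy hash of 'summer' cracked to:", crack_legacy(legacy_hash(weak), COMMON_WORDS))
    stored = modern_hash(strong)
    print("modern verify, correct password:", verify_modern(strong, stored))
    print("modern verify, wrong password:", verify_modern(weak, stored))
    print("modern hash of 'summer' cracked to:", crack_modern(modern_hash(weak), COMMON_WORDS))
    print("modern hash of strong password cracked to:", crack_modern(stored, COMMON_WORDS))
```

Running it shows the two halves of the article's point. The dictionary attack that recovers "summer" from the SHA-1 hash in microseconds also recovers it from the PBKDF2 hash, only far more slowly, because each guess costs 600,000 iterations and the random salt forces that work to be repeated for every user. Slow salted hashing therefore raises the cost per guess, but only a password that is not in the attacker's dictionary makes the guess fail outright, and multi-factor authentication is what covers the residual case where a password is cracked anyway.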
Another notable issue in this enforcement is the charge of Data Collection and Use Misrepresentation. The FTC brought this count because the company sent marketing emails whether or not the user checked the consent box to receive marketing. Among the charges, this was probably the easiest one to avoid. Companies need to review and test the data collection flows on their websites to make sure that opt-in and opt-out controls do what they purport to do. It is essential to review the promises made in your privacy policy and make an honest assessment of whether you can actually keep each one. Further, given how much businesses depend on storing and using personal data, it is more critical than ever to have an outside firm validate your cybersecurity and data privacy practices.
For more information or assistance with reviewing data privacy and cybersecurity policies, please contact James K. Paulick. Jim co-leads the Data Privacy & Cybersecurity Group, part of Leech Tishman’s Corporate Practice Group. He is also the co-host of Leech Tishman’s Data Privacy LawTalk Podcast. He can be reached at 412.261.1600 or jpaulick@leechtishman.com.
Leech Tishman’s Facebook Page: https://www.facebook.com/leechtishman
Leech Tishman’s Twitter: https://twitter.com/LeechTishman
Leech Tishman’s Company Page on LinkedIn: https://www.linkedin.com/company/leech-tishman
Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, construction, energy & natural resources, healthcare, and hospitality industries. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in Chicago, Los Angeles, New York, Philadelphia, Sarasota, and Washington, D.C.