FTC Reports on 2017 Privacy, Data Security Enforcement


The Federal Trade Commission’s monumental challenge as the primary U.S. regulator of consumer privacy and data security in the age of ubiquitous internet connectivity hasn’t stopped it from pursuing enforcement actions against some major companies.

To date, the FTC has filed more than 500 privacy enforcement cases, including against tech giants Facebook Inc., Alphabet Inc.’s Google, Twitter Inc., and Microsoft Corp., the commission said in its most recent annual report.

Major 2017 privacy and security cases filed by the FTC, and highlighted in the report, include one against Lenovo Group Ltd. The FTC and 32 state attorneys general alleged that the computer manufacturer sold computers with preinstalled malware that compromised customers’ web security and invaded users’ privacy. The Chinese laptop-maker, while not admitting liability, agreed to a settlement that required it to pay $35 million, remove the malware, and submit biennial audit reports to the FTC for 20 years.

In addition to privacy cases, the FTC has filed more than 60 data security cases against companies since 2002, according to the report. In 2017, the agency sued Uber Technologies Inc. for failing to reasonably secure sensitive consumer data in the cloud. The ride-hailing company didn’t admit liability but agreed to settlement terms that included implementing a comprehensive privacy program and conducting independent audits for 20 years.

In a major internet of things case, the FTC filed a complaint against computer networking equipment maker D-Link over its alleged failure to adequately protect wireless routers and internet cameras, the report said. A court trimmed some of the FTC’s charges, but litigation over the remaining claims is ongoing.

The FTC relies on Section 5 of the FTC Act’s general authority to take action against unfair or deceptive acts or practices as the basis for most of its privacy and data security actions. But the commission also has specific authority in some areas.

The FTC is authorized, for instance, to enforce the data security provisions of the Gramm-Leach-Bliley Safeguards Rule for financial institutions. In 2017, the commission settled with online tax preparation company TaxSlayer over charges that it failed to implement adequate security procedures to protect client information. The company didn’t admit liability but agreed to conduct biennial, third-party assessments to ensure compliance with federal privacy and financial services laws. The FTC retained jurisdiction to oversee compliance with the agreement for 20 years.
