
Beware the FTC!

11 October 2007

Apparently the FTC is aggressively targeting companies with poor information security postures. The author of this article states, “Of all the U.S. government regulatory oversight agencies, the Federal Trade Commission (FTC) is the most active and aggressive in looking for and applying penalties to organizations that not only are in noncompliance with laws and regulations, but also those who are not in compliance with their own information security and privacy promises; in other words, those that are practicing ‘unfair and deceptive trade practices.’”


What the FTC is doing is applying Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, and they also violated the Fair Credit Reporting Act. However, this section does not allow for the imposition of fines, so for that they are leveraging the Fair Credit Reporting Act (FCRA). The example given was that of ChoicePoint, which was fined $10 million in January 2006. In addition, the FTC currently has more than 24 open information security investigations going on. I find it interesting that the FTC is getting in on the security enforcement bandwagon by equating companies’ non-compliance with their own information security and privacy promises to practicing “unfair and deceptive trade practices.” Hmmm. Is this simply a money grab by the FTC in the form of fines? If so, does it even matter if the end result is better security? Regardless, the article makes it clear that the FTC can, and will, apply penalties against organizations that do not have proper information security and privacy practices and programs in place, even if there has not yet been a breach!


© 2007 Brightfly, Inc.
