A few months ago we wrote about the FTC’s decision to launch a Consumer Privacy Bill of Rights. One of the more interesting things about the Bill of Rights was that the FTC seemed to be setting up a regime where a company’s voluntary decision to "opt-in" to the regime could become the basis for FTC enforcement, if the voluntary policy was breached. In fact, Commissioner J. Thomas Rosch dissented from that portion of the FTC’s privacy report and recommendations.

So it was interesting to me to note that Commissioner Rosch voted with a unanimous majority of FTC Commissioners to authorize a complaint against a large, international hotel group where the violation is based upon the group’s own privacy policy. Specifically, the FTC complaint alleges that the hotel group’s "privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information." The agency charges that the security practices were unfair and deceptive and violated the FTC Act.

What particularly seems to have upset the FTC in this case is the fact that one breach allegedly facilitated other breaches. The hotel group learned in 2008 of a data breach of its system through one property. The FTC claims the security flaws exploited in that breach were not corrected, allowing two other breaches to occur. In those two subsequent breaches, the FTC says that approximately 120,000 consumer payment card records were stolen. Those records were supposedly used by crime syndicates, including some in Russia, to make fraudulent purchases.

This enforcement action by the FTC again highlights the importance of developing best practices for the protection of private consumer data and the maintenance of privacy policies. Perhaps more importantly, it also demonstrates that, despite some public misgivings from at least one Commissioner, the FTC seems intent upon using its enforcement powers to require companies to fully comply with their stated privacy policies. This development will bear watching, and, at the same time, it suggests that a careful review of privacy policy and practice is in order, so as to ensure that the two are in alignment.