The Federal Trade Commission (FTC) enforces federal laws prohibiting false advertising. It also enforces consumer protection laws aimed at preventing fraud, cyberattacks and identity theft. The FTC has become increasingly active when those two issues collide — when companies falsely represent the extent to which they protect consumers’ data from unauthorized access.
Companies that experience data security incidents face the possibility of regulatory fines from the events themselves. But those same companies may also face additional fines and claims for another, independent violation: falling short of their own flowery statements about security measures.
One way companies endeavor to differentiate themselves in the market is to highlight their investments in robust data security systems, because some consumers may gravitate toward companies that demonstrate a commitment to protecting their data. And, as states adopt comprehensive privacy laws, more companies will be required to adopt new protocols to protect their data and implement the rights afforded to consumers under those laws.
These and other factors push companies to make more detailed public statements about the extent to which they safeguard privacy and data security. The companies’ public statements can be used against them, as a de facto standard of care, if a breach occurs.
One of the more high-profile actions by the FTC occurred during the early days of the pandemic, as companies and consumers turned to online platforms to conduct business. After a series of hacks into Zoom meetings, the FTC filed a complaint against Zoom alleging that the company had misrepresented that its product supported “end-to-end, 256-bit encryption” and that its calls would be recorded in an encrypted format. The FTC highlighted that Zoom actively touted its encryption as a means to attract users, and argued that these and other statements gave users a “false sense of security.” Zoom ultimately settled these charges with the FTC without paying a fine, but it was forced to agree to a series of operational changes and to refrain from further misrepresentations about its security features.
More recently, the FTC filed a complaint against Vitagene, a now-defunct genetic testing company, alleging that the company misrepresented how it protected genetic data and samples. The FTC focused on a page from the company’s website where Vitagene prominently publicized its plans to protect the privacy of the genetic information it maintained.
According to the FTC’s complaint, Vitagene contradicted its own stated policies by storing genetic results along with names and other personal information, rather than segregating them as it advertised. The company lacked the ability to delete data, despite promises that it could do so. Vitagene also allegedly failed to adopt measures to ensure that third-party vendors, such as testing laboratories, destroyed genetic samples after completing testing.
Vitagene eventually entered into a consent order in which it agreed not to further misrepresent its security measures, to establish a robust plan for protecting the privacy of its customers, to undergo ongoing monitoring by a third party (who will provide reports to the FTC), to pay a fine of $75,000 and to refund approximately $50,000 to consumers who were deceived by the false promises of security.
All companies should take care when making public statements about the security of their systems. In the absence of such statements, a claimant or regulator would have to establish the appropriate level of security required under the circumstances, which is akin to establishing a standard of care.
Reasonable people may differ about what investments are necessary for any given situation. However, when companies publish to the world that they have implemented robust security measures, they effectively lock in at least part of their own standard of care. Regulators and aggrieved consumers will look for ways in which companies fall short of their representations as a shortcut to establishing liability.
In addition to the statutes enforced by the FTC, other statutes empower regulators and consumers to bring actions or claims based on false representations. In New Hampshire, both the attorney general and consumers can use the Consumer Protection Act, NHRSA 358-A, to seek redress when companies represent that services (such as the security measures adopted) “are of a particular standard, quality, or grade, or that goods are of a particular style or model, if they are of another.” That statute carries a minimum of $1,000 in damages per violation, the possibility of double or treble damages, and an award of attorneys’ fees to a prevailing plaintiff.
The risks associated with a data breach are significant on their own, but an additional, independent fine or claim for misrepresenting the efforts to prevent data breaches is essentially a self-inflicted wound. While companies cannot prevent all cyberattacks, they do exert total control over what they say publicly about their security measures. All companies should carefully review their public statements about security and audit their adherence to those standards at least yearly to mitigate this additional risk.
James P Harris is a shareholder with Sheehan Phinney.