3. Regulatory Enforcement

Question 1

Which agency has authority over “unfair and deceptive trade practices (UDTPs)”?

Answer 1

Federal Trade Commission (FTC)

Question 2

Which law is commonly cited as giving the FTC the authority to regulate privacy and cybersecurity-related matters?

Answer 2

Unfair and Deceptive Trade Practices (UDTP), 15 USC 45.a.1

Question 3

What additional specific powers does the FTC have?

Answer 3

• Unfair and Deceptive Trade Practices (UDTP)
• Children’s Online Privacy Protection (COPPA)
• Shared authority with the FCC, HHS, and Consumer Financial Protection Bureau (CFPB)

Question 4

After an FTC investigation and legal charges what options does the company have?

Answer 4

1. Negotiate a settlement with the FTC
2. Contest the complaint

Question 5

What steps are taken if a company contests the FTC complaint?

Answer 5

1. Administrative trail with an administrative law judge (ALJ)
2. If the accused disagrees with the ALJ ruling, appeal to the five FTC Commissioners
3. If the commissioners appeal fails, appeals in federal court system

Question 6

In practice, how are most FTC complaints resolved?

Answer 6

1. The FTC and the accused company may decide to informally resolve minor complaints by adjusting the company’s business practices
2. More serious cases, enter into a consent decree. A consent decree is a formal agreement that dictates how the company will behave moving forward

Question 7

Which U.S. case established unfair practices?

Answer 7

FTC vs Sperry & Hutchinson Trading Stamp Co., 1972

Question 8

What are the three factors the FTC uses to determine if a trade practice is unfair?

Answer 8

1. Whether the practice injures consumers
2. Whether the practice violates established public policy
3. Whether the practice is unethical or unscrupulous

Question 9

How does the FTC determine if a practice unfairly injures consumers?

Answer 9

1980 FTC Policy Statement on Unfairness
1. The injury must be substantial
2. The injury must not be outweighed by countervailing benefits to consumers (FTC has discretion to assess the balance)
3. Injury must not be reasonably avoidable

Question 10

Why is FTC v. LabMD important?

Answer 10

In FTC v. LabMD, Inc., a company under FTC investigation for an alleged data breach challenged the FTC’s ability to issue an administrative subpoena. LabMD indirectly disputed the FTC’s role in information security and its use of the unfairness category of the FTC Act as a basis of enforcement in data breach cases. The district court ultimately found that the FTC made a plausible case for its authority, but based its holding on the weight of precedent surrounding the FTC’s general use of the FTC Act in information security cases. Thus, the FTC’s reliance on the FTC Act is currently permitted, but could be challenged in the future. LabMD’s challenge of the FTC’s authority was significant however, because there is no legislative or executive action on privacy, so the FTC’s guidance, best practices, and enforcement set the de facto “privacy law.” As the FTC casts an increasingly wider net with or without congressional or executive action on data security, the future of the FTC Act’s scope in this area is uncertain.

Question 11

Why is FTC v. LifeLock important?

Answer 11

The company settled the complaint in 2010, paying $12 million in fines to the FTC and state governments. Agreed to avoid deceptive advertising and implement strong security controls. In 2019, the company paid an additional $100 million fine after the FTC charged them with violating the earlier court order

Question 12

Why is FTC v. DesignerWare important?

Answer 12

In 2012, DesignerWare (rent-to-own), was accused of placing spyware on the computers it rented to customers. The FTC issued an order declaring this an unfair practice and prohibiting the company from engaging in similar practices in the future.

Question 13

What FTC criteria is used to determine whether a practice is deceptive?

Answer 13

1983 FTC Policy Statement on Deception
1. There must be a representation, omission, or practice that is likely to mislead
2. The practice must be examined from the perspective of a consumer acting reasonably in the circumstances
3. The representation, omission, or practice must be material

Question 14

Why is FTC v. GeoCities important?

Answer 14

The website hosting company collected personal information from customers, informing them that they would not resell this information. The FTC charged them with reselling information in violation of their privacy policy.

Question 15

Why is FTC v. Eli Lilly important?

Answer 15

The pharmaceutical company collected patient information on their website and then inadvertently sent an email to all site users disclosing their identities to one another.

Question 16

Why is FTC v. Nomi important?

Answer 16

The technology company placed sensors in retail stores that collected information about consumers’ mobile devices without their knowledge or consent.

Question 17

Why is FTC v. Snapchat important?

Answer 17

The social media platform informed consumers that messages and photos posted on the service lasted for a short period of time and then disappeared forever, but they were aware of methods users engaged in to preserve those messages.

Question 18

Why is FTC v. TRUSTe important?

Answer 18

The privacy firm provides other companies with certifications of their privacy practices. The FTC charged them with failing to conduct annual recertifications of clients, as required.

Question 19

Which agency is responsible for interstate and international communications?

Answer 19

Federal Communications Commission (FTC)

Question 20

Which act restricts the way communications carriers may handle customer proprietary network information (CPNI)?

Answer 20

Telecommunications Act of 1996

Question 21

Who is the lead agency responsible for the implementation of the Health Insurance Portability and Accountability Act (HIPAA)?

Answer 21

Department of Health and Human Services (HHS)

Question 22

List the federal agencies that share responsibility for regulating the financial industry.

Answer 22

1. Consumer Financial Protection Bureau (CFPB), overall authority for protecting consumers
2. Federal Reserve, supervises and regulates banks
3. National Credit Union Administration (NCUA), performs similar supervision and regulation responsibilities for federal credit unions
4. Federal Deposit Insurance Corporation (FDIC), holds regulatory authority to examine and supervise financial institutions for safety, soundness, and consumer protection
5. Office of the Comptroller of the Currency, supervises national banks and thrift institutions, branches of foreign banks with federal licenses to operation in the United States

Question 23

Which agency has privacy enforcement responsibilities under the Family Educational Rights and Privacy Act (FERPA)?

Answer 23

U.S. Department of Education (ED)

Authority to regulate the handling of student educational records by institutions that receive certain types of federal funding.

Question 24

What is meant by self-regulatory programs?

Answer 24

Adopt and enforce their own set of privacy and/or security standards.

Question 25

Provide examples of self-regulatory programs.

Answer 25

1. Payment Card Industry Data Security Standard (PCI-DSS)
2. Network Advertising Initiative (NAI)
3. Trust Marks

Question 26

List the 12 high-level requirements of PCI-DSS.

Answer 26

1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults
3. Protect stored cardholder data
4. Encrypt transmission data across open/public networks
5. Use and update antivirus
6. Develop and maintain secure systems and applications
7. Restrict data access by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access
10. Track and monitor all access to network resources and data
11. Regularly test security systems and processes
12. Maintain a policy that address information security security for employees and contractors

Question 27

What is Network Advertising Initiative (NAI)?

Answer 27

Self-regulatory program focused on digital marketing.

Question 28

What are the three-phases of the TRUSTe process?

Answer 28

Phase 1: assessment
Phase 2: remediation and certification
Phase 3: ongoing monitoring and guidance

Question 29

What is “safe harbor” agreements?

Answer 29

Participating firms exemption from prosecution under certain laws if they meet certain regulatory requirements. The purpose is to provide legitimate firms with an opportunity to avoid prosecution when they demonstrate acting in good faith and took appropriate actions to protect private information

Question 30

Which one of the following is not part of the three-pronged test used to determine whether a trade practice unfairly injures consumers?

A. The injury must be substantial.
B. The injury must not be outweighed by countervailing benefits.
C. The injury must be directed at a specific group of consumers.
D. The injury must not be reasonably avoidable.

Answer 30

C. The three prongs of the test used to determine whether a trade practice unfairly injures consumers are that the injury must be substantial; the injury must not be outweighed by countervailing benefits to consumers and to competition; and the injury must not be reasonably avoidable.

Question 31

Which one of the following firms was charged by the FTC with failing to conduct required privacy recertifications of its clients?

A. TrustE
B. Geocities
C. Designer Ware
D. Nomi

Answer 31

A. TrustE is a privacy certification firm that conducts privacy assessments of other firms seeking to participate in safe harbor agreements. The FTC charged them with failing to conduct required annual recertifications.

Question 32

What federal agency has lead responsibility for enforcing the privacy and security obligations of healthcare providers under HIPAA?

A. FTC
B. CFPB
C. HHS
D. FCC

Answer 32

C. The U.S. Department of Health and Human Services (HHS) has responsibility for promulgating and enforcing the administrative law associated with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Question 33

Your firm was the target of an FTC investigation into unfair trade practices. Rather than engaging in litigation, you negotiated a formal settlement with the agency. What type of document did you most likely sign?

A. Consent decree
B. Court order
C. Negotiated agreement
D. Merchant agreement

Answer 33

A. The FTC uses consent decrees to create formal agreements between companies and the government that dictate how the company will behave moving forward. If the company later violates the consent decree, the government can bring legal action against them.

Question 34

Acme Widgets failed to implement reasonable security controls and was the subject of an FTC enforcement action. What criterion did the FTC most likely use to bring this action?

A. The action was deceptive.
B. The action was unfair.
C. The action was both deceptive and unfair.
D. The action was neither deceptive nor unfair.

Answer 34

B. There is no indication in the scenario that Acme Widgets made any false or misleading statements about their security. Therefore, this is not likely a deceptive practice. The FTC enforcement action was likely based on the practice being unfair.

Question 35

What firm received the largest privacy-related fine in FTC history?

A. Snapchat
B. Facebook
C. Google
D. Amazon

Answer 35

B. In July 2019, the FTC charged Facebook with violating the terms of a 2012 court order and issued them a record fine of $5 billion, the largest fine ever imposed on a firm for privacy violations.

Question 36

What industry is subject to the privacy regulations found in Family Educational Rights and Privacy Act (FERPA)?

A. Healthcare
B. Financial services
C. Education
D. Brokerages

Answer 36

C. Educational institutions that receive certain types of federal funding are obligated under FERPA to protect the privacy of student educational records.

Question 37

What self-regulatory scheme includes detailed requirements for the protection of credit card information?

A. NAI
B. TRUSTe
C. COPPA
D. PCI DSS

Answer 37

D. PCI DSS was created in 2004 by Visa, Mastercard, American Express, Discover, and JCB to regulate the credit card processing industry. The standard primarily focuses on security, rather than privacy, issues, but it does include data retention requirements that enhance consumer privacy.

Question 38

What industry group operates a self-regulatory framework that governs organizations that advertise specifically to children?

A. Network Advertising Initiative
B. Better Business Bureau
C. U.S. Chamber of Commerce
D. U.S. Department of Commerce

Answer 38

B. The Better Business Bureau operates a self-regulatory framework for advertisers that target children. This is different from the broader digital advertising framework operated by the Network Advertising Initiative.

Question 39

Anytown Savings Bank engaged in deceptive practices in promoting their money market accounts to consumers. What federal agency would have jurisdiction over this deceptive practice?

A. FTC
B. FCC
C. CFPB
D. NCUA

Answer 39

C. The Consumer Financial Protection Bureau (CFPB) has enforcement authority over
consumer interactions with financial institutions.

Question 40

When reviewing the website of a potential business partner, you see the following graphic. What term describes this graphic (TRUSTe Logo)?

A. Privacy Shield
B. Trust mark
C. Privacy emblem
D. Trust shield

Answer 40

B. The TRUSTe seal is an example of a trust mark issued to websites that meet certain privacy criteria.

Question 41

What law grants the FTC authority to regulate websites that are targeted specifically at children?

A. COPPA
B. SOX
C. GLBA
D. FERPA

Answer 41

A. The Children’s Online Privacy Protection Act (COPPA) grants the FTC authority to regulate websites that are targeted at children under the age of 13.

Question 42

If the FTC files a complaint against a company and the company contests that complaint, who oversees the first trial that may take place?

A. Administrative law judge
B. FTC commissioners
C. US District Court judge
D. US Circuit Court judge

Answer 42

A. Disputes related to FTC complaints are first heard by an administrative law judge (ALJ). They may then be appealed to the FTC commissioners before being brought into the U.S. federal court

Question 43

In 2014, the FCC reached a settlement with Verizon related to the firm’s use of customer information for marketing purposes without consent. What law did the FCC accuse Verizon of violating?

A. Federal Trade Commission Act
B. Telecommunications Act
C. Telemarketing Sales Rule
D. Broadband Privacy Rule

Answer 43

B. Verizon inappropriately shared customer proprietary network information (CPNI) with its marketing division without customer consent. This practice violates the provisions of the Telecommunications Act of 1996.

Question 44

Who is the chief law enforcement officer of a state who may bring enforcement actions against firms under the laws of that state?

A. Governor
B. Lieutenant Governor
C. Solicitor general
D. Attorney general

Answer 44

D. State attorneys general are the chief law enforcement officers of their states and legal action against firms for violations of the laws of their state.

Question 45

What decision by the EU Court of Justice invalidated the EU/US Privacy Shield?

A. Schrems II
B. Colburn I
C. Riley II
D. Granger I

Answer 45

A. The Department of Commerce was responsible for administering the U.S. side of the EU/US Privacy Shield. In July 2020, the EU Court of Justice issued the Schrems II decision declaring the Privacy Shield illegal.

Question 46

What federal agency is responsible for the supervision of federally chartered credit unions?

A. CFPB
B. FDIC
C. OCC
D. NCUA

Answer 46

D. The National Credit Union Administration (NCUA) is responsible for the supervision of federal credit unions. The Consumer Financial Protection Bureau (CFPB) may regulate the trade practices of a credit union, but it does not have supervisory authority.

Question 47

Which one of the following is not an element of the definition of deceptive practices?

A. There must be a representation, omission, or practice that is likely to mislead the
consumer.
B. The practice must be examined from the perspective of a consumer acting reasonably in
the circumstances.
C. The injury must not be outweighed by countervailing benefits to consumers and to com- petition.
rice must be material.
D. The representation, omission, or practice must be material.

Answer 47

C. The three components of a deceptive trade practice are that there must be a representation, omission, or practice that is likely to mislead the consumer; the practice must be examined from the perspective of a consumer acting reasonably in the circumstances; and the representation, omission, or practice must be material. The criteria that an injury must not be outweighed by countervailing benefits to consumers and to competition is for judging an unfair practice, not a deceptive practice.

Question 48

Which one of these firms was charged with an unfair trade practice after installing sensors in retail stores that collected information from mobile devices without consumer consent?

A. Designer Ware
B. Wyndham
C. Snapchat
D. Nomi

Answer 48

D. Nomi was a technology company that placed sensors in retail stores collecting information about cell phones visiting the stores. The FTC charged them with failing to obtain consent before collecting and storing this personal information.

Question 49

What federal regulatory agency has the primary authority to take enforcement actions against unfair and deceptive practices?

A. Federal Trade Commission
B. Federal Communications Commission
C. Federal Regulatory Commission
D. Department of Commerce

Answer 49

A. The Federal Trade Commission (FTC) has the primary authority to bring enforcement actions against most U.S. firms who the agency believes are engaged in unfair and/or deceptive trade practices.