Limits on Private Sector Collection and Use of Data (25 questions)

Question 1

FTC Act as passed in 1914

Answer 1

founded federal trade commission which was independent admin agency designed to enforce anti trust law and consumer protection

governed by chairperson + 4 commissioners

Question 2

FTC act as amendment by wheeler lea actin 1938

Answer 2

added section 5 authority (unfair or deceptive acts or practices in or affecting commerce are hereby unlawful)

limitations on authority= only applies to acts that affect interstate commerce not:
- nonprofit orgs
- banks
- financial institutions
- common carriers

Question 3

FTC act- Magnuson moss warranty federal trade commission improvement act

Answer 3

passed in 1975

FTC is permitted to issue regulations under section 5 authority pursuant to Magnuson moss regulation

FTC has never utilized this for privacy or data protection

Question 4

FTC act amendment 2006

Answer 4

section 5 amendment to apply to acts of foreign commerce as well

must
1. cause or likely to cause reasonably foreseeable injury within US or
2. involve material conduct occurring within US

Question 5

FTC regulation today

Answer 5

1. privacy related legislation
2. FCRA
3. CAN-SPAM Act
4. TSR
5. COPPA
6. FTC act

Question 6

FTC enforcement- minor actions

Answer 6

FTC will reach out to company and seek to resolve violation informally

Question 7

FTC enforcement- severe violation- pre complaint investigation

Answer 7

section 6 of FTC act gives broad investigatory power including power to gather and compile info

business must submit written reports under oath

has broad subpoena power

Question 8

FTC enforcement- severe violation- enforcement proceeding

Answer 8

1. FTC files formal complaint if reason to believe person or company engaged in unfair or deceptive trade practices
2. complaints are heard before ALJ who may issue injunction prohibiting behavior if violation

CAN NEVER IMPOSE CIVIL PENALTIES

Question 9

What constitutes deceptive trade practices for FTC enforcement action

Answer 9

FTC must show company made
1. material statement or omission
2. that is likely to mislead consumers who are acting reasonably under circumstances

ex. false statement in privacy notice

Question 10

what constitutes unfair trade practices for FTC enforcement action

Answer 10

FTC must establish that a practice results in
1. substantial injury
2. with lack of off setting benefits
3. injury is one that consumers themselves could not reasonable have avoided

doesn’t require false statement

ex. privacy policy published that fails to make good on promise by inadequate resources in cybersecurity

Question 11

FTC enforcement- severe violation- appeal

Answer 11

1. 5 member commission
2. circuit court of appeals

decision is effective 60 days after serviced on offending company

can issue injunction only (no civil penalties)

Question 12

FTC federal court enforcement

Answer 12

FTC can seek
1. enforcement of injunction in federal court
2. go directly to court under section 13

remedies
1. injunctions
2. compensation for those harmed by illegal conduct
3. civil penalties ($50120/violation)

Question 13

is there a private cause of action for FTC

Answer 13

no

Question 14

FTC enforcement- consent degree

Answer 14

most FTC enforcement actions are resolved by consent degrees

D must generally maintain proof of compliance

benefits
1. enforce good practice
2. avoid cost of trial
3. easily enforceable
4. avoid negative press
5. limit exposure of business practices

Question 15

importance of in the matter of geocities inc

Answer 15

1st privacy enforcement action taken by FTC against company based on web based promises

holding= settlement through consent decree where company agreed to post accurate online privacy notice and comply with its terms

Question 16

importance of in the matter of Eli Lilly and co

Answer 16

1st enforcement action where FTC entered into consent decree requiring company to develop and maintain info privacy and security program

holding= settlement through consent degree requiring company to create and maintain privacy and security program

Question 17

importance of FTC v Wyndham worldwide corp

Answer 17

court upheld authority of FTC to regulate cyber security under section 5 authority

holding- settlement through consent degree where company agreed to maintain info security program and submit annual security audits to ensure compliance with PCI-DSS for 20 years

Question 18

importance of labmd inc v ftc

Answer 18

cease and desist orders must be specific not general

holding- FTC cease and desist order based on company’s general negligence failure to act was unenforceable because prohibitions and directive to implement reasonable security program were not specific enough

Question 19

importance of US v tech electronics ltd

Answer 19

1st FTC section 5 and COPPA enforcement action maker of internet connected toys

holding- settlement through consent degree

Question 20

importance of in the matter of uber tech

Answer 20

FTC considers the following reasonable data security practices:
1. requiring engineers to use unique access keys
2. requiring engineers to use multi factor authentication to access customer info
3. storing sensitive info in encrypted form

Question 21

importance of in the matter of Lenovo inc

Answer 21

FTC considers the following a reasonable data security practice
1. confidentiality clause indicating that processor will not share the controllers data with 3rd parties without consent

Question 22

importance of in the matter of blu products inc

Answer 22

FTC considers the following a reasonable data security practice
adequately overseeing 3rd party contractors and software suppliers