In the United States, the Federal Trade Commission (FTC) is a leading federal cybersecurity and privacy regulator. It actively brings enforcement actions across the country over inadequate data protection and poor privacy practices, notably under the FTC Act, the GLBA, and the FCRA / FACTA.
Some of the key laws and regulations that the FTC enforces include:
1. The Federal Trade Commission Act (FTC Act): This law gives the FTC broad authority to investigate and take action against unfair or deceptive trade practices that harm consumers or competition.
2. The Fair Credit Reporting Act (FCRA): This law regulates the collection, use, and disclosure of consumer credit information by credit reporting agencies, as well as the obligations of companies that use this information.
3. The Children’s Online Privacy Protection Act (COPPA): This law requires websites and online services that collect personal information from children under 13 to obtain parental consent first.
4. The Telemarketing Sales Rule (TSR): This rule regulates telemarketing calls and prohibits deceptive or abusive practices.
5. The CAN-SPAM Act: This law regulates commercial email messages and requires companies to give recipients a way to opt out of receiving future emails.
6. The Health Breach Notification Rule: This rule requires certain entities to notify individuals if their health information is compromised in a data breach.
Overall, the FTC’s mission is to promote competition, protect consumers, and prevent anticompetitive business practices.
Children’s Online Privacy Protection Act (COPPA)
In 1998, the Children’s Online Privacy Protection Act (COPPA) was enacted to protect the privacy of children under the age of 13 who use the internet. COPPA requires operators of websites and online services that are directed to children, or that have actual knowledge that they are collecting personal information from children, to obtain parental consent before collecting, using, or disclosing any personal information from a child. The FTC enforces COPPA and has brought numerous enforcement actions against companies for violating its requirements.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) was passed in 1999 and requires financial institutions to protect the privacy and security of their customers’ personal information. The GLBA requires financial institutions to provide customers with a privacy notice explaining what information is collected, how it is used and shared, and how it is protected. The FTC has the authority to enforce the GLBA and has brought a number of enforcement actions against financial institutions for violating its requirements.
Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act (FCRA) was passed in 1970 and regulates the collection, dissemination, and use of consumer credit information. The FCRA requires that consumer reporting agencies maintain accurate and complete information about consumers and limit who can access that information. The FTC enforces the FCRA and has brought numerous enforcement actions against consumer reporting agencies for violating its requirements.
While there is still no comprehensive federal privacy law in the US, the FTC has been enforcing several laws related to data privacy for decades. It remains to be seen whether a new federal privacy law will emerge in the near future.
The FTC uses Section 5(a) of the FTC Act to regulate poor cybersecurity and privacy practices. This section prohibits unfair or deceptive trade practices, and the FTC interprets it broadly. If a company claims to protect customer data or privacy but fails to implement the necessary security controls, it may violate Section 5(a) and face scrutiny from the Commission. The FTC requires companies to remediate deficiencies by implementing comprehensive privacy and security programs, conducting regular security assessments, and maintaining up-to-date data protection policies. The Commission may also order monetary redress to consumers, order the deletion of unlawfully obtained consumer information, and impose transparent and fair data handling practices. The FTC has brought hundreds of enforcement cases against companies of all sizes and industries in the US. Non-compliance can result in monetary penalties, as demonstrated by Facebook’s record $5 billion settlement for alleged violations of the FTC’s 2012 order.
The Gramm-Leach-Bliley Act (GLBA) also includes provisions related to cybersecurity and data protection. Specifically, the GLBA requires financial institutions to develop, implement, and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards to protect customer information. The program must be designed to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of those records, and to protect against unauthorized access to or use of them that could result in substantial harm or inconvenience to any customer. Financial institutions are also required to regularly monitor and test their information security program to ensure its effectiveness, and to adjust the program as necessary in response to changes in technology, threats to information security, or other circumstances that may affect the security of customer information. The GLBA further requires financial institutions to give customers notice of their privacy policies and practices, including how customer information is collected, used, and shared.
The Gramm-Leach-Bliley Act (GLBA) is a federal law enacted in 1999 that regulates the banking and financial industry in the United States. One of its main provisions requires financial institutions to disclose their information-sharing practices to customers and to protect customers’ financial data. The law covers a broad range of companies that offer financial products or services, including loan brokers, debt collectors, and tax return preparers. Vendors and suppliers of regulated financial institutions must also comply with the GLBA if they process financial data on behalf of the covered institutions.
The Safeguards Rule, another part of the GLBA, requires covered financial institutions and their subcontractors to develop a data protection strategy and maintain up-to-date information security policies and procedures. Covered entities must regularly perform risk assessments, develop and test security controls to mitigate cyber risks and digital threats, and ensure the confidentiality, integrity, and availability of customer data. Management must designate a qualified individual to lead cybersecurity and data protection practices within the organization. Personnel who have access to nonpublic personal information (NPI) should undergo vetting and ongoing security training. The FTC has issued specific security recommendations under the Safeguards Rule, such as knowing where sensitive customer information is stored, ensuring secure transmission of customer information, monitoring vendor websites and industry publications for emerging threats and available defenses, using appropriate oversight or audit procedures to detect improper disclosure or theft of customer information, and considering notification of consumers, law enforcement, or businesses in the event of a security breach.
The GLBA also requires third-party risk management for covered financial institutions, ensuring that external service providers have adequate safeguards in place to protect customer NPI. QuikTekCompliance can assist with compliance with the FTC cybersecurity regulations. Additionally, the FCRA and FACTA provide data protection safeguards through the Red Flags Rule, which applies to a broad range of businesses with covered accounts, such as credit cards, utility bills, and social security numbers. FACTA defines “covered accounts” broadly and mandates implementation of a written information security program to detect and mitigate identity theft in connection with these accounts, including continual security monitoring, incident detection and response, antifraud measures, and complaints management processes.
For publicly traded companies, investment funds, and other entities regulated by the SEC, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 transferred identity theft rulemaking responsibility and enforcement authority to the SEC and CFTC. The SEC’s Division of Examinations has issued non-binding “Cybersecurity and Resiliency Observations” guidance that provides practical data protection instructions. The guidance covers seven interrelated areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.
To ensure adequate cybersecurity measures are in place, covered organizations should maintain an inventory of hardware and software assets, establish a vulnerability management program that includes routine scans of software code and web applications, establish a patch management program covering all software, and implement a vendor management program to ensure that vendors meet security requirements. It is also important to stay up to date with cybersecurity best practices through resources such as CISA Cyber Alerts.
In summary, covered organizations must take proactive measures to detect and prevent identity theft, mitigate its consequences, and implement an adequate post-incident response to prevent similar cases in the future. This includes implementing third-party risk management measures, complying with the Red Flags Rule, and following cybersecurity best practices outlined by regulatory bodies such as the SEC and CFTC.