DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

New Requirements for FTC Data Security Settlements

Two of the Federal Trade Commission’s (FTC’s) most recent data security settlements include new requirements that go beyond previous data security settlements. The new provisions (1) require that a senior corporate officer provide to the FTC annual certifications of compliance and (2) specifically prohibit making misrepresentations to the third parties conducting required assessments. A statement accompanying these settlements noted that the FTC has instructed staff to examine whether its privacy and data security orders could be strengthened and improved.

ClixSense.com

The first matter is an administrative settlement with James V. Grago, Jr. doing business as ClixSense.com, a website where users earn money by viewing advertisements, performing online tasks, or completing online surveys.

ClixSense collects and stores personal information as part of its enrollment process. The data it collects includes name, address, email address, and, for users who earn more than $600 annually from ClixSense, Social Security number. ClixSense represented that it “utilizes the latest security and encryption techniques to ensure the security of your account information.” In fact, according to the FTC’s complaint, it did not.

The complaint alleges that Respondent:

  • Failed to implement readily available security measures to limit access between computers on the ClixSense network and between such computers and the internet
  • Permitted employees to store plain text user credentials in personal email accounts and on ClixSense laptops
  • Failed to change default login and password credentials for third-party company network resources
  • Maintained consumers’ personal information, including consumers’ names, addresses, email addresses, dates of birth, gender, answers to security questions, login and password credentials, and Social Security numbers in clear text on ClixSense’s network and devices.

The complaint also described how a hacker or hackers used a set of credentials from an employee’s company laptop that allowed the hacker(s) to download clear text information on 6.6 million consumers, including 500,000 U.S. consumers. The hacker(s) then published and offered for sale the personal information of 2.7 million consumers.

Further, the complaint alleges that the Respondent could have addressed the above-noted failures by implementing readily available and low-cost security measures and that the failure to do so was an unfair practice.

The settlement, which has been put out for public comment, would prohibit the Respondent from misrepresenting its data security and privacy protections. In addition, it requires that the Respondent implement and maintain a comprehensive Information Security Program and perform biennial assessments by a third party for 20 years.

The new provisions to the order require that a senior corporate manager or senior officer responsible for the Respondent’s Information Security Program provide an annual certification to the FTC that the Respondent has established, implemented, and maintained the requirements of the order; is not aware of any material noncompliance that has not been corrected or disclosed to the FTC; and includes a brief description of any covered incident.

i-Dressup.com

The second action involves UNIXIZ, doing business as i-Dressup.com, its CEO Zhijun Liu, and its secretary Xichen Zhang. i-Dressup.com is a website that allows users, including children, to play dress-up games, design clothes, and decorate their online spaces. In January 2016, i-Dressup had at least 2.1 million users, of which approximately 245,000 were under the age of 13 years.

The complaint alleges that the defendants violated the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parental consent before collecting information from children under the age of 13 years. According to the complaint, when users first register they are required to submit a user name, password, birthdate and email address. Users over the age of 13 years have access to the entire website, including the ability to participate in social media features, create blog posts, add friends, and send direct online messages.

If a prospective user submitted a birthdate indicating that he or she was under 13 years of age, the registration form asked for a parent’s email address. When the user clicked the “Join Now” button, an email notice was sent to the parent’s email address entered by the user. The email allowed the parent to provide consent by clicking the “Activate Now” button. If a parent declined to provide consent, the under-13 user was given a “Safe Mode” membership that allowed access to some games and features and still collected personal information, but did not allow access to the social media features.

The complaint also details how a hacker accessed information about i-Dressup’s users and sent the hacked data to journalists who then attempted to contact the defendants, prompting them to implement some security measures.

The complaint alleges that the defendants violated the COPPA Rule by failing to:

  • Include required information in the privacy policy and failing to link certain notices to the privacy policy
  • Obtain verifiable parental consent (and, for “Safe Mode” members, obtain any parental consent at all)
  • Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children

The stipulated judgment requires the defendants to pay a civil penalty of $35,000 and enjoins them from violating the COPPA Rule.

This action has been filed in district court by the Department of Justice because it includes alleged violations of COPPA. In addition, the settlement requires that the defendants implement and maintain a comprehensive Information Security Program and perform biennial assessments by a third party for 20 years.

The judgment also includes the new provisions described in the ClixSense settlement.

The public will have an opportunity to comment on the ClixSense settlement because it is an administrative matter that is not final until after the comment period ends. It is likely that there will be comments on the new provisions identified above.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

May 3, 2019
Written by: Discerning Data Editorial Board
Category: FTC
Tags: data security, FTC, personal data

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.