Total Tests:

FTC Compliance and Cybersecurity (GLBA, FCRA, SEC)

Read Time: 15 min. Updated: September 6, 2023

In the United States, the Federal Trade Commission (FTC) is the primary cybersecurity and privacy regulatory
body. The FTC relentlessly brings enforcement actions against corporations and public sector organisations
in response to bad data protection or poor privacy practices, under a range of regulations.

FTC Compliance and Cybersecurity (GLBA, FCRA, SEC)

What is the Federal Trade Commission?

Established over a century ago in 1914, the Federal Trade Commission (FTC) is an independent US federal agency empowered to regulate competition and protect consumers from fraudulent or deceptive trade practices in the United States. The FTC is comprised of several bureaus and offices - for example, the Bureau of Consumer Protection (BCP) that, among other things, regulates abusive telemarketing and robo calls.

FTCA compliance ImmuniWeb can help you comply with the FTC Cybersecurity Regulations. How We Help

What laws and regulations does the FTC enforce?

The Commission has enforcement authority, or other responsibilities, under more than 70 federal laws, oftentimes in collaboration with other regulatory agencies, the US Department of Justice (DOJ) and state Attorneys General (AG). Although there is currently no single overarching privacy and data protection law in the US, if one day such legislation is finally enacted, the FTC will most likely be empowered to enforce it and implement additional rules under the statute.

The FTC brought its first enforcement action involving Internet fraud in 1994, and today is the de facto federal regulator of cybersecurity and privacy across the US. It developed the HIPAA Breach Notification Rule and enforces a range of other laws related to the digital space, some of which are highlighted below.

Federal Trade Commission Act

The Federal Trade Commission Act was enacted in 1914, and established the FTC. The Act was initially passed to ensure healthy competition, prevent a wide spectrum of unfair trade practices and protect American consumers from fraud.

The Act generally applies to all industries and all company sizes unless regulated separately by another federal law. The Act delegates pretty broad power to the FTC including, but not limited to, the following:

  • Preventing unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce;
  • Seeking monetary redress and other relief for conduct injurious to consumers;
  • Prescribing trade regulation rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices;
  • Conducting investigations relating to the organization, business, practices, and management of entities engaged in commerce.

Today, the FTC commonly leverages Section 5(a) of the Act to assert and energetically exercise its regulatory authority to police poor cybersecurity or flawed privacy practices. Section 5(a) prohibits unfair or deceptive trade practices in the marketplace but the FTC construes its plain language in a broad manner. In a nutshell, if a company declares, promotes or otherwise advertises strong or reasonably expected protection of customer data or privacy, and then fails to implement the requisite security controls, the company will likely be in breach of Section 5(a) of the FTC Act and trigger the Commission’s scrutiny.

According to the FTC website, it usually mandates companies to take necessary steps to remediate privacy and data security deficiencies, for instance, by implementing comprehensive privacy and security programs, conducting regular security assessments and penetration tests by independent security vendors, and maintaining up-to-date data protection policies and procedures. The Commission may also undertake monetary redress to aggrieved consumers, disgorge ill-gotten gains, impose deletion of unlawfully obtained consumer information, and order implementation of transparent and fair data handling and privacy practices.

Finally, the FTC also provides practical cybersecurity and privacy guides for businesses, including:

  • Data Breach Response: A Guide for Business
  • App Developers: Start with Security
  • Careful Connections: Keeping the Internet of Things Secure
  • FTC Safeguards Rule: What Your Business Needs to Know

Notable enforcement actions

The Commission has brought many hundreds of enforcement cases against companies of all sizes from all industries in the US. If a company violates an FTC order, the Commission may sanction disobedience by seeking monetary penalties. After Facebook (now Meta) allegedly breached a 2012 FTC relating to deception of users about their ability to control the privacy of their personal information, the FTC settled with Facebook for a record 5 billion USD, convincingly demonstrating that non-compliance is costly and painful.

Since the landmark “LabMD” case of 2018, when the Eleventh Circuit Court of Appeals determined that FTC’s order to implement a “reasonable security program” lacked specificity and was thus unenforceable, FTC enforcement orders became more detailed and more specific, including such components as vendor risk management and penetration testing. For example, a subsequent FTC consent order with Zoom contained, among other elements, the following cybersecurity provisions:

  • Testing for OWASP Top 10 and publicly known (e.g. available in the National Vulnerability Database (NVD) database) web application vulnerabilities prior to deploying a web application to production.
  • Testing and monitoring of the efficiency of security controls at least every 12 months that must include penetration testing from a qualified and independent third-party.
  • Conducting vulnerability scans of all networks on at least a quarterly basis and remediating high-risk vulnerabilities no later than 30 days after any security vulnerability is detected.
  • Selecting external service providers capable of safeguarding the entrusted information both from internal and external risks and threats.

More recently, the FTC has proposed an order which could see Amazon Ring pay 5.8 million USD in consumer refunds. It has accused the company of breaching its obligations to protect customer privacy by:

  1. “allowing any employee or contractor to access consumers’ private videos” and
  2. “failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.”

Aside from the financial penalty, the FTC order - which must be approved by a federal court before it can go into effect - requires the company to:

  • “delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed” and
  • “implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.”

Of particular note to cybersecurity, Ring is accused of failing to protect consumer information from two relatively basic and well known threats: “credential stuffing” and “brute force” attacks. As a result, the accounts of approximately 55,000 U.S. customers were compromised.

A separate order, filed in conjunction with the DoJ at around the same time, requires Amazon to pay 25 million USD and delete children’s data, geolocation data, and other voice recordings, in relation to its Alexa products., including:

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a US federal law enacted in 1999 which aimed to modernize the financial services industry. Its provisions include requiring financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.

Financial institutions are broadly defined under the statute as “companies that offer financial products or services to individuals like loans, financial or investment advice, or insurance”. This definition encompasses loan brokers, debt collectors and even tax return preparers.

Importantly, the data security obligations imposed under the GLBA must also be respected by vendors and suppliers of the regulated financial institutions if they process financial data on behalf of the covered institutions.

By virtue of the Privacy Rule (16 CFR Part 313), the GLBA establishes a fairly comprehensive privacy regime for covered financial institutions. The rule shields privacy of Nonpublic Personal Information (NPI) of customers. NPI is broadly interpreted and includes a customer’s:

  • contact information
  • individual income
  • financial transactions data and history
  • credit and debit card purchases
  • bank account numbers and information
  • any other NPI that the customer shares with the financial institution for provision of services.

Under the Privacy Rule, customers must be provided with a “clear and conspicuous” privacy notice explaining how their NPI may be used, shared or processed. With some narrow exceptions, customers should have an easily exercisable “opt out” right from their NPI being shared with third parties - unless necessary for the provision of service by the covered organization. All changes to the privacy policy must be promptly communicated to customers, giving them a reasonable opportunity to exercise their “opt right” before the information is processed or shared in a new manner. Although the GLBA Privacy Rule provides a lower level of protection compared to the “opt-in” approach prescribed by GDPR, it nonetheless offers substantial protection of financial data across the country.

In addition to its Privacy Rule, the GLBA ensures NPI data protection by virtue of the Safeguards Rule (16 CFR Part 314). The rule requires covered entities and their subcontractors to develop a well thought out data protection strategy and maintain up-to-date information security policies and procedures. Covered entities must regularly perform risk assessments, and develop and test the adequacy of security controls designed to mitigate cyber risks and digital threats. form theA Qualified Individual must be designated to lead cybersecurity and data protection practices within the organization, and personnel should receive regular security training.

Some of the specific security recommendations, pertaining to the Safeguards Rule, include:

  • Know where sensitive customer information is stored, and store it securely.
  • Take steps to ensure the secure transmission of customer information.
  • Monitor the websites of your software vendors and read relevant industry publications for news about emerging threats and available defenses.
  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.
  • Consider notifying consumers, law enforcement, and/or businesses in the event of a security breach.

The Safeguards Rule was updated in June 2023, expanding the range of covered entities to include certain non-banking financial institutions such as mortgage brokers and accountants, as well as “finders” (companies which connect relevant buyers with sellers of financial products). Some of the new requirements include:

  • Implementing multi-factor authentication
  • Encrypting customer data
  • Training personnel regarding security obligations
  • Develop risk assessments and incident response plans

As briefly mentioned above, the GLBA imposes obligations regarding third-party risk management. The law mandates covered financial institutions to take appropriate precautionary steps to engage external service providers that are capable of maintaining adequate safeguards and security controls for the customer NPI entrusted to them.

FTCA compliance ImmuniWeb can help you comply with the FTC Cybersecurity Regulations. How We Help

Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA)

Enacted by Congress in 1970, the Fair Credit Reporting Act (FCRA) was one of the first federal privacy-related laws in the United States, primarily covering consumer credit reports.

Amended by the Fair and Accurate Credit Transactions Act (FACTA) in 2003, the FCRA provides data protection safeguards by the virtue of the Red Flags Rule, for which the FTC retains responsibility. The Red Flags Rule applies to a very broad range of businesses including:

Among other duties, the rule mandates covered entities to implement a written information security program to timely detect, prevent and mitigate identity theft in connection with the opening or maintenance of covered accounts. This includes continuous security monitoring, data breach detection, incident detection and response, antifraud and incoming complaints management processes.

  • financial institutions
  • automobile dealers
  • mortgage brokers
  • utility companies and telecoms companies that have “covered accounts” ( comprising credit cards, monthly utility or mobile phone bills, social security numbers, driver license numbers, medical insurance accounts – all accounts where identity theft is foreseeable).

The Red Flags Rule imposes various duties on covered entities, notably the requirement to implement a written information security program to quickly detect, prevent and mitigate identity theft in connection with the opening or maintenance of covered accounts. This includes continuous security monitoring, data breach detection, incident detection and response, fraud detection, and incoming complaints management processes.

In a nutshell, covered organizations must promptly detect identity theft, mitigate its consequences, and provide an adequate post-incident response to prevent similar cases in the future.

ImmuniWeb Newsletter

Get exclusive updates to cybersecurity laws and regulations:


Private and Confidential Your data will stay private and confidential

Security Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC)

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 amended the above-mentioned FCRA to transfer responsibility for the rulemaking and enforcement of identity theft (the Red Flags Rule) to the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC).

Without entering the highly complex regulation of publicly traded companies, investment funds and other entities falling into the purview of the SEC, it is relevant to briefly analyze the non-binding “Cybersecurity and Resiliency Observations” guidance issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE), now known as Division of Examinations, for practical data protection instructions. The guidelines are composed of seven interrelated sections:

  • Governance and Risk Management
  • Access Rights and Controls
  • Data Loss Prevention
  • Mobile Security
  • Incident Response and Resiliency
  • Vendor Management
  • Training and Awareness

Some specific security controls and cybersecurity measures include the following:

  • Maintaining an inventory of hardware and software assets, including identification of critical assets and information (i.e., know where they are located, and how they are protected).
  • Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases both within the organization and applicable third-party providers.
  • Establishing a patch management program covering all software (i.e., in-house developed, custom off-the-shelf, and other third-party software).
  • Establishing a vendor management program to ensure vendors meet security requirements and that appropriate safeguards are implemented.

To stay up to date with the foregoing and other cybersecurity best practices, you may subscribe to CISA Cyber Alerts.

Introduction to FTC by FTC

List of authoritative FTC cybersecurity compliance resources

Share on LinkedIn
Share on Twitter

Share on WhatsApp

Share on Telegram
Share on Facebook
Please fill in the fields highlighted in red below
I’d like to learn more about:*

I Am Interested in:*
Please select up to 3 items:
and/or
Please select up to 3 items:


My Contact Details:
*
*
*
I prefer to be contacted by
    *
Private and ConfidentialYour data will stay private and confidential
DISCLAIMER: ImmuniWeb SA is not a law firm and does not provide legal advice or services. All legal services are provided directly by law firms to ensure the high quality, integrity and independence of legal advice. This page does not endorse the services of a specific law firm or provide legal advice.
Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a Technical Question?

Our security experts will answer within
one business day. No obligations.

Have a Sales Question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
*
Your data will stay private and confidential