These days, companies across all industries are subject to increased regulatory enforcement and held to a higher standard in terms of protecting customer data. 2022 has seen several significant privacy and cybersecurity regulatory enforcement action settlements, including by the Federal Trade Commission (FTC) and state Attorneys General (AGs).
Businesses should be proactive and take measures to avoid becoming embroiled in similar scenarios. A focus on cyber and privacy law should be on everyone's mind into the New Year, and regulators’ consent orders from settlements can provide valuable lessons. Let’s look back on notable 2022 settlements to learn how organizations can continually improve privacy and cybersecurity and aim to limit their liability exposure.
FTC Cases and Settlements
The FTC is dedicated to protecting US consumers from unfair and deceptive business practices, including when businesses fail to protect consumers’ personal information. The FTC is the main federal regulator in the United States that enforces privacy and security requirements for businesses in sectors without a primary federal regulator. In FTC privacy and security settlements, defendant companies typically walk away with a 20-year consent decree that imposes specific requirements, with compliance audited every other year for the life of the decree.
ITMedia Solutions LLC
An FTC complaint filed in January 2022 alleged that lead generation company ITMedia Solutions LLC and a number of affiliates enticed customers to hand over sensitive financial information via hundreds of websites. The information included SSNs and bank account information, which the defendants allegedly sold to marketing companies and others, apparently with disregard for how the data would be used, according to the FTC.
Ultimately, the defendants in the case were ordered to pay $1.5 million in civil penalties. They may only share sensitive personal information with third parties who need the information in order to provide the consumer with a financial service product requested by the consumer (or to process payments for sales).
If permitted to share consumer sensitive personal information with third parties (as described above), the defendants must, prior to sharing the information, create a screening process to closely vet the third parties according to requirements spelled out in Section III of the Order. The defendants must also obtain certifications from the third parties and conduct due diligence to verify the information provided and/or certified by them. Further, the defendants have to verify the third parties’ legitimate need for access to sensitive personal information and monitor the third parties’ protection of consumers’ sensitive personal information.
Defendants must also destroy any sensitive information that was obtained impermissibly.
A key lesson from this case reflects a trend in the law: businesses are increasingly required to implement programs that obligate third parties (e.g., vendors) to protect sensitive information.
WW International, Inc. and Kurbo Inc.
WW International, Inc., formerly known as Weight Watchers, and a subsidiary company, Kurbo, Inc., allegedly marketed weight loss products for use by children and collected their personal and sensitive health information without parental permission. Under the Children's Online Privacy Protection Act (COPPA), which the FTC enforces, entities may only collect data from children under 13 with parents' consent.
The FTC filed a complaint against the defendants in February 2022. According to the complaint, among other issues, the Kurbo app signup process did not have sufficient controls in place to prevent younger children from signing up. The resulting settlement order required that the companies pay a $1.5 million penalty. They must also delete any illegally collected personal information and destroy any algorithms derived from the data.
This case highlights the need to implement appropriate controls to protect children's data, including ensuring parents are fully informed of and consent to data collection and its use.
CafePress
CafePress allegedly failed to protect sensitive information stored on its network. According to an FTC complaint filed in March 2022, the organization covered up a major data breach. The complaint also alleges that the company failed to use reasonable measures to protect the security of consumer personal information, including plain text Social Security numbers (SSNs), passwords (which were inadequately encrypted), and answers to password reset questions.
A settlement was reached in June 2022 and required the company to pay $500,000, which will be used to compensate data breach victims. The company must also bolster data security practices, including minimizing the amount of data collected and retained, encrypting SSNs, implementing multifactor authentication, and employing third parties to assess information security programs.
This case highlights the need for companies to adopt the protections that regulators have come to expect, such as strong encryption and multifactor authentication, to adequately protect consumer data. Furthermore, attempting to conceal a data breach is itself actionable.
Multi-State AG Settlements
A multi-state AG settlement refers to an agreement between a group of states, often led by their respective state AGs, designed to address fraudulent or deceptive business practices under state consumer protection laws (an authority similar in kind to the FTC’s). AGs are increasingly beefing up their enforcement efforts in this area. The settlement and accompanying order between the group of state AGs and the company institutes obligations going forward (again similarly to FTC orders).
Wawa, Inc. Data Breach
One such case was brought against Wawa, Inc., a convenience store and gas station chain, in relation to a 2019 data breach. While Wawa, a Pennsylvania-based firm, did not admit wrongdoing, it was alleged that appropriate security measures were not in place when hackers breached the organization's point-of-sale payment systems. As a result, malicious actors were able to deploy malware that allowed access to customer card data. The breach impacted around 34 million payment cards.
AGs representing seven states—Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia, and Washington, DC—were involved in the case.
In July 2022, a settlement was reached in which Wawa agreed to pay $8 million to end the investigation into the breach. The company has also pledged to implement stronger data security measures moving forward. The company faced additional litigation by employees, consumers, and financial institutions over the same breach.
This case offers a stark reminder that organizations that fail to adequately protect consumer and employee data face a slew of potential claims and monetary damages.
First CCPA Enforcement Action Settlement
The California Consumer Privacy Act (CCPA) was established in 2018 to provide California residents with more control over their data and privacy. The law protects personal information by granting individuals the right to access, delete, and opt out of the sale of collected data.
Sephora 2022 Settlement
As part of the ongoing enforcement of this act, Sephora USA, Inc., a cosmetic and beauty store operator, was the subject of a 2022 settlement. The California Office of the Attorney General (OAG) alleged that Sephora failed to inform customers that their personal data was being sold and failed to process opt-out requests sent via the Global Privacy Control, in violation of the CCPA. The company was granted a 30-day period to cure the violations at the time, but Sephora did not rectify the issues within that timeframe.
The resulting settlement required Sephora to pay $1.2 million. The company must also comply with several injunctive terms including providing clear disclosures and policies, providing opt-out mechanisms, and providing reports to the AG relating to the sale of personal information and other privacy-related activities.
Although the OAG has several different enforcement priorities, this settlement signals to organizations that it will focus enforcement efforts on businesses that share or sell personal information to third parties without complying with the CCPA. Organizations must ensure that they are following CCPA and CPRA regulatory standards, in particular those related to opt-out requests.
Looking Ahead to 2023: Cybersecurity and Privacy Protections
Looking back at these settlements provides valuable insights into the consequences of poor data handling practices and the concealment of errors. Firms involved in settlements typically pay fines, penalties, or compensation. Plus, the public nature of these cases means there is typically reputational damage to consider.
From these settlements, other organizations can learn the importance of appropriate privacy and cybersecurity measures and some key areas to address as we go into 2023.
In addition, these lessons help guide where budget and attention should be focused and serve as key discussion points when building a solid incident response (IR) plan.
How ZeroDay Law Can Help
ZeroDay Law offers vast expertise in privacy and cybersecurity law and incident response planning. Our experts can help support a review of your organization's cybersecurity, incident response and privacy controls and help you overcome vulnerabilities through robust IR planning.
Learn more about ZeroDay Law’s services and incident response planning now.