FTC Actions Emphasize Data Security

In the most recent Federal Trade Commission (FTC) actions alleging data security violations, the agency settled with an online rewards website and a dress-up games website over allegations that the sites failed to take reasonable steps to secure consumers’ data.

ClixSense, the rewards site, pays users to view ads, perform online tasks and complete surveys. The site collects personal information from users (such as full names, dates of birth, Social Security numbers, and email addresses and passwords), promising that it uses “the latest security and encryption techniques.”

In reality, the site failed to implement minimal data security measures and stored personal information in clear text with no encryption, the FTC said. For example, ClixSense did not implement readily available measures to limit access between the computers on its network, and it failed to change default login and password credentials for third-party company network resources.

According to the FTC, these data security failures allowed hackers to gain access to the company’s network. ClixSense was put on notice that the company’s network was compromised—the hackers changed employees’ logins and passwords and redirected visitors to an unaffiliated adult-themed website. The hackers also downloaded a document with clear text information of 6.6 million consumers (approximately 50,000 of whom were U.S. residents).

The hackers published the document and offered for sale the detailed personal consumer information, the FTC alleged.

To resolve the action, the operator agreed to a prohibition on future misrepresentations about the extent of privacy, security or confidentiality protections and to implement a comprehensive information security program with biennial assessments.

As for the other company, Unixiz, its i-Dressup website violated the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parental consent before collecting personal information from children under the age of 13 and by failing to provide reasonable and appropriate security for the data it collected, the FTC alleged.

The site—which was shut down following an action brought by the New Jersey attorney general last year—allowed users, including children, to play dress-up games, design clothes and decorate online spaces within an online community where users could create personal profiles and interact with each other. When a user registered as a member and indicated that he or she was under the age of 13, the registration field asked for a parent’s email address. An email was sent to the parent’s address when the user clicked the “join now” button, and parents could provide consent by clicking a link in the email.

If a parent did not provide consent, children under the age of 13 could use the site with a “Safe Mode” membership that prevented access to the community features. However, i-Dressup still collected personal information from these children even when their parents did not provide consent, the FTC alleged.

The site also did not keep secure the information it collected, as required by COPPA, the agency added. Personal information was transmitted in plain text, and the company neglected to perform vulnerability testing of its network, implement an intrusion detection and prevention system, or monitor for potential security incidents.

Similar to the case of ClixSense, i-Dressup also suffered a security breach. In September 2016, the operators of the i-Dressup site discovered that a hacker had accessed the network and the information of roughly 2.1 million users, including about 245,000 children under the age of 13.

The site and its owners agreed to pay $35,000 and are prohibited from future violations of COPPA.

Why it matters: Reinforcing the importance of data security to the current commissioners, the five members of the FTC issued a statement accompanying the complaints and stipulated consent orders in the cases against ClixSense and i-Dressup. They noted the “strong injunctive provisions” included in the settlement agreements, particularly as compared with prior data security orders. The orders contain requirements that a senior officer provide to the FTC annual certifications of compliance as well as explicit provisions that prohibit the defendants from making misrepresentations to third parties conducting assessments of their data security programs. “These new requirements will provide greater assurances that consumers’ data will be protected going forward,” the commissioners wrote. “We are particularly committed to strengthening the order provisions regarding data security assessments of companies by third parties.” Future orders will focus on ensuring that third-party assessors know they are accountable for providing meaningful, independent analysis of the data practices under examination, the commissioners said, although they predicted that “further refinements” in data security enforcement actions are likely going forward.