7 reasons the FTC could audit your privacy program
Audits can be expensive, and fines and compensatory actions could mean millions more. Here are the things you should be looking out for.
Computerworld - The Federal Trade Commission's $22.5 million settlement with Google last month over its user-tracking practices woke up enterprise-risk managers around the country. With penalty thresholds hitting this new range of pain, publicly traded companies now have to ask whether data privacy should be included in their Securities and Exchange Commission filings as a key risk.
What would it take, though, for the FTC to open up an investigation of your company? This is the question I tested last week. I reviewed the roughly 100 privacy cases the FTC has settled and interviewed the general counsel of a company that recently went through this process.
What did I find out? A shortlist of seven practices that will put a bull's eye on your company.
1. Secretly tracking people
The FTC has been saying for the past couple of years that it's wary of so-called online-behavioral advertising -- the amassing of large data dossiers on website visitors, usually through cookies, in order to deliver those visitors highly targeted ads. The FTC has reason to believe that users don't fully know what data is being collected about them. It especially doesn't like it when companies collect and use clickstream data in ways that users probably wouldn't consent to if they knew the full story.
This is what happened in the Google case. Apple had designed a setting in its Safari browser that allowed the user to block third-party cookies. But Google found a way around that setting to place its own cookies, seemingly undermining users' privacy expectations.
The FTC has successfully prosecuted others on this same topic. In 2007, it forced DirectRevenue to give up $1.5 million in "ill-gotten gains" for quietly bundling its adware along with affiliates' software that users thought they were downloading all by itself. In 2011, the FTC prosecuted online-ad company Chitika for expiring users' opt-out cookies after only 10 days, allowing the company to then place new ad cookies on users' computers.
The lesson in all of these cases is to manage your cookies transparently and consistently with users' previously expressed choices and browser settings.
2. Not regularly assessing and improving data security
The most likely reason the FTC will prosecute a company is substandard information security. The FTC has been routinely prosecuting cases in this area for years, in part because such cases are relatively easy to process. Usually, a data breach has occurred that causes a company to send out breach-notification letters. These letters and subsequent press reports give details about the company's security flaws. All the FTC then has to do is determine if the company took steps to assess its vulnerability to such a breach and then to follow up with readily available and affordable measures to prevent the breach.
More by Jay Cline
- Jay Cline: U.S. takes the gold in doling out privacy fines
- Jay Cline: Is privacy dead?
- Jay Cline: A growing cultural divide on privacy
- Jay Cline: What will Snowden leak next?
- Global winners and losers post-Snowden
- 7 reasons the FTC could audit your privacy program
- Google and the privacy Richter scale
- Jay Cline: Are medical-data breaches overreported?
- iPhone location-tracking incident boosts stock of 'privacy by design'
- Survey: The best privacy advisers of 2010
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Privacy White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!