7 reasons the FTC could audit your privacy program
Audits can be expensive, and fines and compensatory actions could mean millions more. Here are the things you should be looking out for.
Computerworld - The Federal Trade Commission's $22.5 million settlement with Google last month over its user-tracking practices woke up enterprise-risk managers around the country. With penalty thresholds hitting this new range of pain, publicly traded companies now have to ask whether data privacy should be included in their Securities and Exchange Commission filings as a key risk.
What would it take, though, for the FTC to open up an investigation of your company? This is the question I tested last week. I reviewed the roughly 100 privacy cases the FTC has settled and interviewed the general counsel of a company that recently went through this process.
What did I find out? A shortlist of seven practices that will put a bull's eye on your company.
1. Secretly tracking people
The FTC has been saying for the past couple of years that it's wary of so-called online-behavioral advertising -- the amassing of large data dossiers on website visitors, usually through cookies, in order to deliver those visitors highly targeted ads. The FTC has reason to believe that users don't fully know what data is being collected about them. It especially doesn't like it when companies collect and use clickstream data in ways that users probably wouldn't consent to if they knew the full story.
This is what happened in the Google case. Apple had designed a setting in its Safari browser that allowed the user to block third-party cookies. But Google found a way around that setting to place its own cookies, seemingly undermining users' privacy expectations.
The FTC has successfully prosecuted others on this same topic. In 2007, it forced DirectRevenue to give up $1.5 million in "ill-gotten gains" for quietly bundling its adware along with affiliates' software that users thought they were downloading all by itself. In 2011, the FTC prosecuted online-ad company Chitika for expiring users' opt-out cookies after only 10 days, allowing the company to then place new ad cookies on users' computers.
The lesson in all of these cases is to manage your cookies transparently and consistently with users' previously expressed choices and browser settings.
2. Not regularly assessing and improving data security
The most likely reason the FTC will prosecute a company is substandard information security. The FTC has been routinely prosecuting cases in this area for years, in part because such cases are relatively easy to process. Usually, a data breach has occurred that causes a company to send out breach-notification letters. These letters and subsequent press reports give details about the company's security flaws. All the FTC then has to do is determine if the company took steps to assess its vulnerability to such a breach and then to follow up with readily available and affordable measures to prevent the breach.
More by Jay Cline
- Jay Cline: U.S. takes the gold in doling out privacy fines
- Jay Cline: Is privacy dead?
- Jay Cline: A growing cultural divide on privacy
- Jay Cline: What will Snowden leak next?
- Global winners and losers post-Snowden
- 7 reasons the FTC could audit your privacy program
- Google and the privacy Richter scale
- Jay Cline: Are medical-data breaches overreported?
- iPhone location-tracking incident boosts stock of 'privacy by design'
- Survey: The best privacy advisers of 2010
- Combating Identity Theft in a Mobile, Social World Offering identity theft protection and remediation allows businesses to give their workforce the confidence to efficiently engage while bringing financial reward to the...
- After a Breach: Managing Identity Theft Effectively This white paper from LifeLock Business Solutions notes that FIs in addition to managing fraud should strive to turn a negative event for...
- Combating Identity Fraud in a Virtual World This slide presentation reveals findings from the Javelin Strategy & Research 2012 Identity Fraud Report about mobile and social trends, the real risks...
- Cloud Computing Drives IT and Business Agility Hybrid Cloud Accelerates Time to Value What is the main focus for IT in your organization - cost or agility? Many IT discussions today focus on cost controls rather...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Cloud BI in Action: Recorded Webinar of Customer, Kony, Inc. See how Kony, Inc., a leading enterprise mobility company, is using TIBCO Jaspersoft for Amazon Web Services and Redshift to achieve embedded analytics... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!