7 reasons the FTC could audit your privacy program
Audits can be expensive, and fines and compensatory actions could mean millions more. Here are the things you should be looking out for.
Computerworld - The Federal Trade Commission's $22.5 million settlement with Google last month over its user-tracking practices woke up enterprise-risk managers around the country. With penalty thresholds hitting this new range of pain, publicly traded companies now have to ask whether data privacy should be included in their Securities and Exchange Commission filings as a key risk.
What would it take, though, for the FTC to open up an investigation of your company? This is the question I tested last week. I reviewed the roughly 100 privacy cases the FTC has settled and interviewed the general counsel of a company that recently went through this process.
What did I find out? A shortlist of seven practices that will put a bull's eye on your company.
1. Secretly tracking people
The FTC has been saying for the past couple of years that it's wary of so-called online-behavioral advertising -- the amassing of large data dossiers on website visitors, usually through cookies, in order to deliver those visitors highly targeted ads. The FTC has reason to believe that users don't fully know what data is being collected about them. It especially doesn't like it when companies collect and use clickstream data in ways that users probably wouldn't consent to if they knew the full story.
This is what happened in the Google case. Apple had designed a setting in its Safari browser that allowed the user to block third-party cookies. But Google found a way around that setting to place its own cookies, seemingly undermining users' privacy expectations.
The FTC has successfully prosecuted others on this same topic. In 2007, it forced DirectRevenue to give up $1.5 million in "ill-gotten gains" for quietly bundling its adware along with affiliates' software that users thought they were downloading all by itself. In 2011, the FTC prosecuted online-ad company Chitika for expiring users' opt-out cookies after only 10 days, allowing the company to then place new ad cookies on users' computers.
The lesson in all of these cases is to manage your cookies transparently and consistently with users' previously expressed choices and browser settings.
2. Not regularly assessing and improving data security
The most likely reason the FTC will prosecute a company is substandard information security. The FTC has been routinely prosecuting cases in this area for years, in part because such cases are relatively easy to process. Usually, a data breach has occurred that causes a company to send out breach-notification letters. These letters and subsequent press reports give details about the company's security flaws. All the FTC then has to do is determine if the company took steps to assess its vulnerability to such a breach and then to follow up with readily available and affordable measures to prevent the breach.