FTC move against Microsoft could hint at future action

WASHINGTON -- In its enforcement action against Microsoft Corp. this week, the U.S. Federal Trade Commission demonstrated its ability, once again, to hang companies with their own words.

This is the essence of the FTC's legal power: If a company makes a claim, it has to live up to it and be able to back it up.

And privacy analysts say the FTC agreement with Microsoft announced yesterday delivers a message to every company (see story).

"The message is: If you don't clean your own house first, you are going to be required to have others clean it for you," said Ray Everett-Church, chief privacy officer at ePrivacy Group Inc. a Malvern, Pa.-based consulting organization.

Indeed, as a result of this agreement, Microsoft will be required to have an independent audit every two years for the next 20 years.

The requirement for independent audits may well be emerging as a common legal tool in settlements of this kind. For instance, in March a civil privacy case against online network advertiser DoubleClick Inc. was settled with a requirement for an audit (see story).

And an FTC settlement in January with Eli Lilly and Co. for its release last year of the e-mail addresses of nearly 700 customer addresses collected through its Prozac.com Web site requires annual written review of its practices by "qualified persons" (see story).

Microsoft was subject to a complaint by privacy and consumer groups led by the Electronic Privacy Information Center (EPIC) here. The complaint alleged that Microsoft wasn't adequately protecting consumers using its Passport authentication services.

No security breaches were uncovered during the FTC's investigation, but the commission said the company falsely represented its security promises and noted that the potential for problems was present.

The FTC action "does send a message that privacy practices have to match privacy policies," said EPIC's legislative counsel, Chris Hoofnagle. And the remedy is essentially one of "clean up your act," so other companies might consider independent audits as a preemptive move.

The independent review requirement is a "a very, very strong hint, if you will, to other companies that the FTC looks very favorably on independent reviews," said Paul Paez, CEO of Privastaff LLC, a San Jose-based consulting firm.

But Paez doesn't see the FTC's decision as a pivotal step that will spur companies to hire auditors -- though he believes more companies will eventually review this issue.

Last October, FTC Chairman Timothy Muris promised stepped-up privacy enforcement actions. This week's move "seems to be an example of the FTC putting its actions behind Chairman Muris' words," said Russ Sapienza, the partner-in-charge of the PricewaterhouseCoopers privacy practice.


Copyright © 2002 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon