
Increasingly Active FTC Pursues Steep Penalties for Data Security and Privacy Practices

As new appointments to the Federal Trade Commission (FTC) have shifted the control and priorities of the Commission, we have seen an emboldened FTC dedicated to strategically leveraging enforcement actions and settlements against companies over their cybersecurity compliance. Beyond pursuing aggressive “unfairness” enforcement actions and embarking on a targeted removal of dark patterns (to the tune of $100 million in fines), [1] the FTC has also homed in on companies engaging in lax or misleading data security and privacy practices. This builds upon the FTC’s focus the previous year on how organizations characterize and describe their data breach incidents. [2] And as the FTC eyes an even more aggressive 2023 term, we reflect on two of its more aggressive 2022 actions that expose warning signs for M&A, corporate executives, and compliance officers alike.

CafePress: A Warning Shot for Mergers & Acquisitions

The CafePress enforcement action focused on a 2019 breach that impacted CafePress, an online retailer, and exposed an array of what the FTC claimed were poorly structured and maintained cybersecurity measures. [3] While the FTC’s investigation focused on claims that the company had implemented inadequate encryption, retained data longer than necessary, and failed to fully investigate the incident, the company was harshly punished for failing to disclose the breach to impacted individuals or federal regulators until it was leaked to the media.

This case poses a unique foreshadowing for M&A considerations, as both the buyer and seller were impacted by the FTC action. While the purchasing entity bore the brunt of changing and maintaining CafePress’s data security and privacy moving forward, the seller was still hit with a half-million-dollar fine for its failure to report and address its previous security incidents and vulnerabilities.

The decision underscores the importance for all parties in mergers and acquisitions of engaging in proper and thorough due diligence of cybersecurity posture throughout the transaction. Accordingly, companies pursuing future mergers should, at a minimum, (1) fully evaluate a target’s cybersecurity posture, (2) prepare IT-based questions for a compliance review, and (3) require disclosures of any recent data breaches or cybersecurity incidents. Meanwhile, target entities must also remain responsive to the demands of the FTC and enhance security practices even if they will be offloading other liabilities or compliance matters onto potential buyers.

Drizly: Cybersecurity Enforcement Orders for CEOs

Turning to the FTC’s actions against Drizly, we again see the Commission leverage an unusual and aggressive tactic: holding the CEO of the company, James Cory Rellas, directly liable for Drizly’s data security failures. Here, Drizly, a subsidiary of Uber, was hit with a cyberattack in 2020 that exposed the information of more than 2.5 million of its consumers. The company was targeted by the FTC in part because it had been repeatedly warned about its lax cybersecurity posture for at least two years leading up to the breach and failed to take any meaningful steps to address the issues. [4] In particular, the FTC identified the company’s failure to implement two-factor authentication, establish basic security policies, maintain data security training for employees, or implement safeguards for customer data. Additionally, the company was accused of misrepresenting the state of its security measures, as well as its remediation efforts, following a 2018 cybersecurity incident.

In light of these pervasive cybersecurity concerns, and in lieu of a fine, the FTC expanded its enforcement order to attach to Rellas personally—regardless of whether he leads Drizly or another organization. Accordingly, this unprecedented order underscores the FTC’s efforts to creatively hold corporate leadership responsible for cybersecurity violations. To that end, for at least 20 years, Rellas must now ensure that any company he helps lead that collects certain personal information implements compliant security programs and procedures, with specific requirements for data destruction and control policies, as well as mandatory cybersecurity training for the company’s employees.

While this decision predominantly remains unique to Rellas, it signals an expansion of the FTC’s enforcement scope and remedies, and foreshadows possible future mechanisms by which the Commission can hold corporate leadership responsible not only for their current organization’s cybersecurity compliance, but also bind the future companies they lead.

Connect with Ice Miller Cybersecurity Attorneys

Ice Miller has extensive experience assisting companies in navigating and complying with federal cybersecurity laws and regulations, as well as in taking advantage of cyber incident prevention practices. Our team includes Reena Bajowala (CIPT, CIPP/US, CIPM), a partner in Ice Miller’s Chicago office and chair of the Data Security & Privacy and Information and Software Disputes practices; and Dakota Coates, an associate in Ice Miller’s Litigation and Data, Security, and Privacy Groups.

[1] See FTC Action Against Vonage Results in $100 Million to Customers Trapped by Illegal Dark Patterns and Junk Fees When Trying to Cancel Service, FTC (Nov. 3, 2022); Staff Report, Bringing Dark Patterns to Light, FTC (Sept. 2022).
[2] See Decision and Order, In the Matter of Support King, LLC et al., Dkt. No. C-4756, FTC File No. 1923003 (Dec. 20, 2021) (Finding that SpyFone misrepresented how it retained a forensic firm and how law enforcement was contacted. The Decision and Order barred the organization from making future misrepresentations about how the entity “work[s] with privacy and security firms, and the extent to which [they] maintain and protect the privacy, security, confidentiality, or integrity of personal data.”).
[3] Decision and Order, In the Matter of Residual Pumpkin Entity, LLC et al., Dkt. No. C-4768, FTC File No. 1923209 (June 23, 2022).
[4] FTC Takes Action Against Drizly and Its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers, Press Release, FTC (Oct. 24, 2022).

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.