Lessons from Privacy-Related Enforcement Actions

In addition, the FTC asserted that ASUS's routers allowed consumers to plug in a USB hard drive to create their own “cloud” storage, which ASUS advertised as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” but that the services had serious security flaws.

There are three essential elements to the consent order the FTC reached with ASUS.

First, ASUS must establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

Second, ASUS must notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification).

Third, ASUS is prohibited from misleading consumers about the security of its products, including whether a product is using up-to-date software.

Security Programs

For ASUS ' and for other companies seeking to draw lessons from the settlement ' the security program undoubtedly was the crucial component of the settlement. (A security program is not only a typical element of a negotiated settlement, but also is something that the FTC may seek to impose in the absence of a settlement. In late July, for example, the FTC found that medical testing laboratory LabMD had failed to protect consumers' medical and personal information. It ordered LabMD to establish a comprehensive information security program subject to periodic independent, third-party assessments. See, Matter of LabMD, No. 9357 (FTC July 29, 2016). Under the settlement, the ASUS security program must be “reasonably designed” to address security risks related to ASUS's development and management of new and existing routers and software and to protect the privacy, security, confidentiality, and integrity of individually-identifiable information from or about individual consumers that is collected by ASUS.

In addition, the content and implementation of the security program must be fully documented in writing and must contain administrative, technical, and physical safeguards appropriate to ASUS's size and complexity, the nature and scope of ASUS's activities, and the sensitivity of its products' functions or consumers' information.'Specifically, the program must, among other things:

• Designate an employee or employees to coordinate and be accountable for the security program;
• Identify material internal and external risks to the security of the company's products that could result in unauthorized access to or unauthorized modification of a product, and assess the sufficiency of safeguards in place to control these risks;
• Identify material internal and external risks to the privacy of consumers' individually-identifiable information that could result in the unintentional exposure of that information by consumers or the unauthorized disclosure or other compromise of that information, and assess the sufficiency of safeguards in place to control these risks;
• Regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures;
• Develop and use reasonable steps to select and retain service providers capable of maintaining required security practices and require service providers by contract to implement and maintain appropriate safeguards; and
• Evaluate and adjust the security program in light of the results of the required testing and monitoring, material changes to ongoing operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the security program.

Other Settlements

Less imposing settlements have fewer obligations, but can be demanding for those businesses. Last December, for instance, New York State Attorney General Eric T. Schneiderman reached a settlement with the University of Rochester Medical Center that required that the medical center train its workforce on policies and procedures related to protected patient health information but that did not impose any other significant stringent requirements. See, New York-URMC Letter.

Not surprisingly, when a regulator challenges a company's privacy record, there also is a potential for imposition of a fine or penalty. In March, for example, California authorities reached an $8.5 million settlement with Wells Fargo Bank over alleged privacy violations. The bank also agreed to implement an internal compliance program. See, People v. Wells Fargo Bank, N.A., No. BC611105 (Cal. Super. Ct. March 28, 2016) (stipulated final judgment). As another example, earlier this year, New York Attorney General Schneiderman reached a settlement with Uber regarding its data security practices that, among other things, involved a $20,000 penalty (as well as a number of changes to Uber's privacy procedures). See, Press Release, “A.G. Schneiderman Announces Settlement With Uber To Enhance Rider Privacy” (Jan. 6, 2016).

Conclusion

A company that settles a privacy action with an agency typically will have a continuing entanglement with the government that can last for years ' or for decades. The company also may have to inform its executives and employees about the settlement during that time. Certainly, taking steps to preempt a regulator's challenge through the use of basic risk management techniques and safeguards, data security training for employees, and the like is the more prudent, and the more cost-effective, course of action.

Shari Claire Lewis, a partner in the Long Island office of Rivkin Radler, can be reached at [email protected].