FTC Says Failure To Protect Private Info Is An Unfair Business Practice

from the out-come-the-fines dept

Earlier this week, we noted that the issue of companies leaking or exposing all sorts of private data was nothing new — and wondered why it wasn’t considered negligence. Apparently, that might be changing. The FTC today said that they had fined BJ’s Wholesale Club for revealing private data and said very clearly that “inadequate data security can be an unfair business practice.” It seems like they might have a lot of fines to give out these days, if the last few months of headlines have been any indication. Of course, while the statement today says this is the “first time” inadequate data protection is being viewed as a potential unfair business practice by the FTC, that’s not true. Last year, we wrote about the FTC fining Tower Records over a nearly identical issue. In that case, Tower’s computer system had been hacked. Of course, this raises the inevitable question: at what point is the company liable? A determined hacker will find a way to break into almost any system. Does it always make sense to blame the company for inadequately protecting the data? It seems like the FTC may face a very fine line here. There are some cases where companies are clearly negligent in protecting data, but in cases where the company is hacked, how does anyone determine if the company made a reasonable effort to protect the data or not?


Comments on “FTC Says Failure To Protect Private Info Is An Unfair Business Practice”

Anonymous Coward says:

Economic consequences

If a company “loses”, leaks or allows unauthorized copying of your data, they did not make enough of an effort to protect your data.

I think the FDA, uh, FTC is attempting to assign consequences to that.

This could result in companies taking the easily implemented steps in securing the data (such as encrypted backups). Also, they may reconsider whether collecting your data is worth it: there is profit but the potential liabilities can wipe that out…

I think this is what Wired meant by “Require businesses to secure data and levy fines against those who don’t.”

Personally, I would have gone with a HIPAA-style law. Calling it an “unfair” business practice is an odd way of doing it.


SuperJudge says:

Re: Economic consequences

They may have made enough of an effort to protect the data, or they may not have.

Either way, they need to own up to the fact that it was lost/stolen, and pay the price of the loss.

If you don’t have the clout to back the loss, don’t get in the business. That’s the chance you take by starting a company that handles such sensitive material.
