Inside the FTC: Data Security Battles and Hunt for Identity Thieves


Nextpoint’s Expert Witness is a feature offering insights from lawyers, technologists, law enforcement, entrepreneurs, and other interesting people influencing our industry and world. Check back regularly for thought-provoking expert opinions.


EXPERT WITNESS: Steve Wernikoff

Nextpoint recently spoke with Steve Wernikoff, attorney with the Federal Trade Commission in Chicago who specializes in consumer protection matters involving e-commerce and emerging technologies.

Steve has led numerous investigations and civil prosecutions involving online advertising, spam, mobile marketing, financial fraud, telemarketing, and data privacy and security.

He also has served as an adjunct faculty member at two Chicago law schools where he has taught courses involving Internet fraud, online advertising, and privacy issues. Prior to working at the FTC, Steve worked at a Chicago law firm and clerked for two federal court judges.

The FTC is a relatively small organization with a broad mission and jurisdiction. How does the FTC choose where to deploy resources?

One major way that the FTC prioritizes its efforts is based on the complaints it receives from consumers. The FTC accepts consumer complaints by telephone and at the FTC’s website, which are then added to the FTC’s Consumer Sentinel complaint database.

A number of other state and federal government agencies, as well as some private entities, provide consumer complaints for the Consumer Sentinel. The database allows the FTC staff to identify fraud trends and search for top violators.

The Internet poses additional challenges for identifying investigation targets because consumers often do not know the identity of the party that has defrauded them. So the FTC staff also spends a lot of time scouring the Internet, like a consumer would, looking for areas of concern.

What role does technology play in effectively litigating against large, well-funded businesses?

SW: From forensic data acquisition and document management solutions, to courtroom technology and general consulting services, our need for technical litigation support is growing. To support this growing need for eDiscovery tools and services, an FTC litigation support system was created.

The system uses advanced tools for litigation support that enable users to acquire, analyze, organize, and present large volumes of digital evidence. Program managers are continuously evaluating new software and hardware to increase efficiency and respond to new technologies used by third parties.

What are the habits of effective companies in data security?

At a minimum, a company has to live up to the privacy and security promises the company makes. And, even if the company doesn’t say anything specific about what it will do with a user’s information, under the law, the company still has to take reasonable steps to keep sensitive data secure.

A company with good data security habits will adopt reasonable and appropriate security measures, and the level of security will depend on a number of factors, including the sensitivity of the data the company maintains, the size and complexity of the company and the security risks that the company faces. One way to make that task easier: if a company doesn’t have a specific need for the information, it shouldn’t collect it in the first place.

If you are a company trying to promote effective data security, your wisest policy is to:
(1) Collect only the information that you need
(2) Tell users upfront what you collect and how you use it
(3) Secure the data you keep by taking reasonable precautions against known security risks
(4) Limit access to data on a need-to-know basis
(5) Safely dispose of data when you no longer need it.

A company cognizant of its data security responsibilities will bake privacy and security into its products and services as they are developed.

What are some best practices for business to engage in when evaluating a social media policy?

As an initial matter, if a business is making representations on a social media site about what a product will do, it is advertising. So, any such statements on a social media site should be truthful and not misleading.

Additionally, a company cannot hide material information, including if a person commenting about a company’s product has a material connection to the company that is not otherwise apparent. Endorsements must reflect the honest opinions or experiences of the endorser, and the goal is to give people the facts they need so they can decide for themselves how to weigh endorsements.

Companies seeking to comply with the FTC guides in this area should follow the three “M”s:
(1) Mandate a disclosure policy that complies with the law
(2) Make sure everyone in the company knows what the rules are
(3) Monitor what those people are doing on your behalf.
More information on the FTC’s endorsement guidelines.

There’s been a lot of news about significant data breaches and private, personal data going missing, but little insight into what the effects are. Where is that data going and how is it being abused? Once data is out, is there any way to protect yourself?

A serious effect of data breaches is the potential for identity theft. Identity theft can disrupt your finances, credit history, and reputation, and take time, money and patience to resolve. Identity theft has been the top complaint that consumers have reported to the FTC for 12 years in a row. We’ve also heard from companies that ID theft can cause huge headaches in the form of unauthorized charges, worthless receivables, and customer service snafus. That’s why business executives should be at the forefront in the drive for identity protection.

If you suspect that your identity has been stolen, acting quickly is the best way to limit the damage. The FTC has prepared a guide to help consumers repair the damage that identity theft can cause, and reduce the risk of identity theft happening in the first place. The guide is available at

With the proliferation of mobile devices and new platforms like micro-blogs, how does one properly disclose something online? What scenarios result in the harshest of penalties if not properly disclosed?

Businesses often need to disclose information to make sure what they say is accurate, and, in those cases, the disclosures have to be “clear and conspicuous.” That means the disclosures are big enough and clear enough for users to notice them and understand what is being said.

Generally, the law doesn’t dictate a specific font or type size, but, in recent years, the FTC has taken action against companies that have buried important terms and conditions in fine print footnotes, in dense blocks of legal mumbo jumbo, or behind vague hyperlinks. The FTC first provided business guidance regarding online disclosures in 2000.

Since then, a lot has changed, and the FTC is in the process of reworking the guidelines. The Commission held a workshop at the end of May to consider the need for new guidance concerning advertising and privacy disclosures in today’s online and mobile environments. Stay tuned. The updated guidelines are expected to be released by the end of the year.

What are some of the most compelling or interesting cases the FTC has been involved in lately?

With respect to privacy, the FTC recently announced settlements against Google, alleging that Google violated a prior privacy settlement with the FTC by misrepresenting to users of Apple’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users, and with Facebook, alleging that it told consumers that they could keep their information on Facebook private and then repeatedly allowed it to be shared and made public.

On the data security front, the FTC recently filed a law enforcement action against hotel company Wyndham Worldwide Corporation and three of its subsidiaries alleging that a series of security breaches — three within two years — resulted in fraudulent charges, millions of dollars in fraud loss, and the export of hundreds of thousands of people’s account information to an Internet domain address registered in Russia.

The FTC also has recently brought cases shutting down operations sending billions of spam email messages, billions of illegal robocalls, and the operators of deceptive “scareware”. Last year, the FTC also stopped ten operations using fake news sites to market acai berry weight loss products.

FROM STEVE: The views expressed here are my own and do not necessarily represent the views of the Federal Trade Commission or any Commissioner.