A Legal Guide to PRIVACY AND DATA SECURITY 2024

In May 2014, the European Court of Justice recognized the controversial “right to be forgotten.” This right has been codified in the new EU data protection law known as the GDPR that became effective May 25, 2018. Residents of the EU now have expanded rights to request access to and deletion of their personal information.

Data Security Requirements. The FTC Act does not specifically address data security. The FTC has, however, brought enforcement actions alleging that the failure to take reasonable and appropriate steps to protect personal information is an “unfair act or practice” in violation of the FTC Act. For example, the FTC has found violations of the FTC Act where a company: 1) failed to encrypt information while it was in transit or stored on the network; 2) stored personally identifiable information in a file format that permitted anonymous access; 3) did not use readily accessible security measures to limit access; 4) failed to employ sufficient measures to detect unauthorized access or conduct security investigations; and 5) created unnecessary business risks by storing information after it no longer had any use for the information, in violation of bank rules.

Restrictions on Sharing Data with Third Parties. The FTC Act does not expressly prohibit the sharing of personal information with third parties. However, a business can get into trouble when it states that it will not rent, sell, or otherwise disclose personal information to third parties, but then it does.

Enforcement. The FTC is the primary enforcer of the FTC Act and is also responsible for the enforcement of some other federal privacy laws for businesses that are not subject to other federal regulations, including GLBA, COPPA, FCRA, and FACTA. Actions the FTC can take include: 1) starting an investigation; 2) issuing a cease and desist order; or 3) referring to the Department of Justice for filing a complaint in court.

Sanctions and Other Liability. The FTC Act provides penalties of up to $16,000 per offense. Criminal penalties include imprisonment for up to ten years. The FTC can also: 1) obtain injunctions; 2) provide restitution
