
Companies With Lax Data Security Risk Running Afoul of FTC

In a pair of recent enforcement actions, the Federal Trade Commission cracked down on companies with allegedly lax data security measures that resulted in the theft of personal information of millions of consumers.

In the first enforcement action, the FTC alleged that an online marketplace company and its CEO “were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers.”

Specifically, in 2018 hackers infiltrated the company’s servers until the login information for its cloud computing account was changed. Unfortunately, according to the FTC, the company did not address that breach with adequate security measures, yet continued to represent to the public that it had appropriate security protections. Two years later, an employee’s account was breached, and customers’ information was stolen.

In the second enforcement action, the FTC alleged an education technology company suffered four security breaches since 2017 but failed to undertake adequate remediation, resulting in the exfiltration of millions of consumers’ personal information.

A number of alleged violations were common to both companies, including:

  • Failing to require multifactor authentication
  • Failing to limit access to consumers’ personal information
  • Neglecting to monitor for security threats
  • Failing to develop adequate security policies
  • Failing to properly train employees

Pursuant to the proposed consent orders, both companies are required to remediate these and other issues. Notably, the order concerning the online marketplace company extends to its CEO individually, who “will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.”

The FTC has published a description of the first and second consent agreement packages in the Federal Register. The agreements are subject to public comment for 30 days after publication, following which the Commission will decide whether to make the proposed consent orders final.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
