Libby Meadows
Associate Editor
Loyola University Chicago School of Law, JD 2021
As our society evolves over to a more digital world, it is important to take a step back and review what we are putting online. Recently, data breaches have become a common occurrence in our day-to-day lives. In 2016, personal information from about 25 million Uber customers and drivers in the United States. The notorious website for individuals seeking extra marital affairs, Ashley Madison, has itself fallen victim to a data breach. The hacker dumped 9.7 gigabytes of data into/onto the dark web. The data released in the Ashley Madison breach included names, passwords, addresses, and telephone numbers of users who created an account on the site. When data breaches like these happen, the Federal Trade Commission (FTC) steps in to protect the United States consumers by investigating the source of data breaches and prosecuting hackers.
About the FTC
In 1914, President Woodrow Wilson signed into law the Federal Trade Commission Act, creating what we not know to be the FTC. The FTC has three main goals. The first, is to protect consumers from unfair and deceptive practices and consumer access to accurate information. The FTC accomplishes this goal by bringing suits against companies who have dishonest policies and misrepresent those policies to the general public who use their services. The FTC develops rules to educate business about its rights and responsibilities and to help educate consumers. The FTC’s second goal is to maintain competition and to promote a marketplace free from anticompetitive mergers, business practices, or public policy outcomes. The FTC challenges anticompetitive practices that could harm consumers. It monitors the market to ensure there are competitive prices and a large choice of products
Finally, to advance the FTC’s performance through excellence in managing resources, human capital, and information technology. The FTC shares what it learns from its work with the federal and state legislatures and international government agencies. It creates educational programs for consumers and businesses in a global marketplace. Since its creation, Congress has given the FTC greater agency authority to police anticompetitive practices. When the FTC brings a claim against a company and a settlement, or consent decree, cannot be reached, the claim goes to court.
The Facebook breach
In recent news, the FTC claim against Facebook ended with an unprecedented fine. Facebook was fined $5 billion and must follow a new set of restrictions a modified corporation structure due to a violation of a 2012 FTC order by deceiving its users about their ability to control their personal information on their accounts. Facebook shared the data of the user’s Facebook friends to third party app developers. This is the largest fine ever imposed and it almost 20 times greater than the largest data security penalty ever imposed worldwide.
Investigative, enforcement, and rulemaking authority of the FTC
The Federal Trade Commission Act of 1914 provides the FTC with its investigative, enforcement, and rulemaking authority, all of which were used in their case against Facebook. The FTC may “prosecute any inquiry necessary to its duties in any part of the United States” and is authorized “to gather and compile information concerning, and to investigate from time to time the organization, business, conduct, practices, and management of any person, partnership, or corporation engaged in or whose business affects commerce….” After a thorough investigation, and with “reason to believe” the law is being violated or has been violated, the FTC can employ enforcement actions against the company. In doing so, the FTC is permitted to use either an administrative or judicial processes.
The process is as follows: first, the FTC administration makes a determination as to whether the conduct of the company was unlawful or not. Most cases eventually settle through a consent decree. A consent decree is a public document that a company must follow to ensure they are using fair and accurate policies. If a company does not follow the consent decree it could be held in contempt and be subject to a minimum of 20 years of subsequent auditing by the FTC. If the claim does not settle and the FTC uses the judicial route, the FTC typically seeks civil penalties or another form of consumer reparation. Alternatively, the FTC is permitted to force preliminary and/or permanent injunctions against a company, via the judicial system. As the FTC pursues these claims, the commission create rules to combat unfair, anticompetitive practices. To be proper, the practice that the rule seeks to address must also be “prevalent” to unfair consumer practices and anticompetition. After the rule is created, any company that violates said rule is liable for civil penalties for each violation.
While the $5 billion FTC fine to Facebook is unprecedented, it does not seem to halt the company’s unsecure data protocols. Facebook’s stock reached its highest price in nearly a year, after reports that the FTC fine would be such a large sum. The spike in stock price causes many to believe that the company owners are unconcerned with the privacy of site users. Notably, shortly after the news of Facebook’s data breach, only nine percent of people surveyed said they had already stopped using the social media site. This lack of action leads to speculation regarding whether the average person is actually concerned about their personal information leaking, or, and more importantly, whether they even understand the significance of the issue. The FTC is only one organization tasked with protecting all American consumers. The FTC is faced with an enormous undertaking as the commissions main goal here is to discover and audit billion-dollar companies, many of whom seem to lack concern over the significance of their own mistakes.