What the FTC Wants, the FTC (Mostly) Gets
In recent weeks the Federal Trade Commission has been on a tear. As one example, on July 22 it announced a $700 million settlement with Equifax for “the 2017 data breach that jeopardized the personal data of a staggering 147 million people.” But it is a decision earlier this year that is perhaps more ominous, at least regarding personal liability for directors and officers (“D&Os”).
On February 27, 2019, after announcing a $5.7 million settlement with TikTok for various privacy violations relating to its lip-syncing app, two of the five FTC commissioners, Rebecca Kelly Slaughter and Rohit Chopra, issued this joint statement:
When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.
This approach appears to have some traction with the current FTC Chairman, Joe Simons, and the Bureau of Consumer Protection Director, Andrew Smith, who both discussed Slaughter and Chopra’s statement at the 2019 International Association of Privacy Professionals Global Privacy Summit. Smith described naming D&Os as a “way to make companies take notice that [the FTC] is serious about compliance.”
Still, Chairman Simons seems less enthusiastic than Commissioners Slaughter and Chopra, stating he would “be open to” personal liability for D&Os but implying that it would still be reserved for edge cases only and not every cybersecurity or privacy-related FTC action. His hesitation seems to come at least in part from the risk to an overarching enforcement strategy: if the FTC pursues individual liability for D&Os, companies may resist settlement and opt to try their luck in court. Time-consuming litigation would mean FTC staff have less bandwidth to seek broad enforcement through consent agreements, leading to fewer FTC actions overall. The FTC only has about 40 attorneys.
Director Smith’s comments about D&O liability were similarly equivocal, saying only that the FTC was looking into the issue and “trying to figure out what’s important,” and that it might hold additional hearings.
Back to July 22nd and Equifax. In a statement aimed at least at accountability for D&Os if not personal liability, Commissioner Slaughter stated that since “internal warnings went unheeded,” the FTC was providing an email address and website for Equifax employees to report any future failures by Equifax “to abide by data security promises.” Notably, in the settlement agreement with Equifax the FTC is mandating that the board, a relevant subcommittee, or a senior officer:
- Be informed about “any material evaluations or updates” to a comprehensive information security program every 12 months;
- Cooperate with an assessor to provide an evaluation, assessment, or identification of any gaps or weaknesses in the information security program; and
- Certify every year for 20 years that Equifax is fulfilling the order’s requirements and is not aware of any noncompliance.
To avoid the specter of personal liability, which in the long run could hurt companies just as much as D&Os, companies and their D&Os should start with these basics:
- Treat cybersecurity and privacy as an issue they themselves must understand, not just one to delegate to a company department, IT, or an outsourced provider;
- Understand the legal implications of the data that their companies collect, store, and process;
- Have quarterly, not just yearly, discussions about cybersecurity and privacy governance programs with relevant stakeholders; and
- Identify risks and strategies for management of the programs annually or when there has been an operational change, and then develop a prioritized approach to addressing them.
As Equifax and public statements by FTC Commissioners indicate, individual liability may be just around the corner if D&Os fail to stay informed through appropriate cybersecurity and privacy governance programs.