On April 24, 2019, the FTC issued an Order requiring ClixSense, a rewards website that pays users to click ads, take surveys, or complete other tasks, to implement robust security, audit, and certification procedures after suffering a data breach of personal information caused by lax data security measures. The FTC alleged that ClixSense engaged in deceptive conduct by misrepresenting that it used “the latest encryption and security techniques” and engaged in unfair practices by failing to use reasonable security measures.
The FTC issued an accompanying press release noting that this Order contained new, more stringent compliance provisions, including third-party audits, annual officer certification of compliance, and explicit prohibitions against misrepresentations via website terms or otherwise.
The takeaways for anyone handling personal information online are:
- Make sure you can solidly substantiate any claims you make about your security practices, whether in your website terms and conditions or otherwise.
- You have an obligation to monitor your network systems and respond to any perceived incidents.
- Maintenance of confidential user credentials may be subject to heightened obligations.
If you have questions about the reasonableness and sufficiency of your IT security measures, please contact Bryan Seigworth.
This post was written by Bryan Seigworth.