After a great deal of work, the IAPP Westin Research Center has launched its casebook of FTC privacy and data security enforcement actions. The casebook is a digital resource, collecting all 180 FTC enforcement actions (for now) and making them easily accessible, full-text searchable, tagged, indexed and annotated. To help you better understand the benefits and functionality of this tool, we have developed several use cases displaying how you might search the casebook and make use of the results.
Let’s imagine (hypothetical only!) that you are a retailer suspecting a data breach has occurred and that it might have been caused by an errant employee download of peer-to-peer file sharing software.
A powerful tool in the casebook resource is a tag search. Tag searches draw on the editorial work of the research fellows, who categorized the 180 cases into dozens of categories. One “group” of tags is titled “security,” and comprises tags such as data security, encryption and security breach. Let’s begin, then, by checking the box next to the “security breach” tag. Notice that you can drill down further by tagging one of the mini-tags under the security breach group, say “hacking” or “notification.” But for now, we’ll settle for the larger group of cases tagged with “security breach.”
As you can see next to the tag, 41 cases appear under that heading. That’s already better than reviewing 180 cases. When you look at the list of results, you’ll see each case with its date, a short summary prepared by the Westin Research Fellows and a complete list with all of the tags associated with that case. You can thus browse the tags, for example by now checking Snapchat’s “Login Credentials (User Authentication)” tag, and are immediately referred to a search result for that item, yielding nine cases. Notice that if you check both the “security breach” and “Login Credentials (User Authentication)” tags you will get the result of an “AND” search with a cross-section of both categories, yielding six cases.
But let’s get back to our data breach P2P (hypothetical!) scenario and narrow it down a bit more. On the results page featuring the 41 security breach cases, let’s enter a full text search for “file sharing.” The results page shows the subset of cases tagged “security breach” that also feature the term “file sharing.” As you can see, the results page for a full text search is different than the one for a tag search. Here, the four cases appear with their dates, summaries and tag list, but also with an excerpt from the various documents featuring the search term. It is important to note that by default, the results of a full text search are ordered by relevance. Hence, the HTC case, though most recent, appears last on the list (file sharing was mentioned only in the analysis of that case). Of course you can alternatively set the order to chronological or reverse chronological.
When you click on a case, for example LabMD, you are sent to a home page that contains either the Westin Research Center analysis of the case or the FTC press release announcing the settlement. The Westin Research Center analyzed, annotated, footnoted and cross referenced 40 cases, which we found to be the most important landmarks in the FTC’s enforcement history. On the sidebar, you see links to other case documents, such as the all-important complaint, the decision and order, and the FTC’s Analysis of Proposed Consent Order to Aid Public Comment.
At all times, you can use the “breadcrumbs” feature at the top of the page to return to a previous point in your search history. In addition, you can click on the star icon to save the document in your “My IAPP” folder, or print or share the case through your social media networks.
Now, your IT experts tell you the culprit was not necessarily that P2P program found on your server, but rather a hacking job aided by SQL injection. You can quickly search all “hacking” cases (a sub-tag of “security breach,” 25 cases), which also potentially involved “SQL injection” (full text search, narrows the hacking cases to 7 results). Interestingly, if you use the industry tag filters, you find that five of those seven cases occurred in the retail industry, including Life is Good, Guess and PetCo.
Broadening the net again to look at all 41 “security breach” cases, you examine how many of them involved an allegation of Section 5 deception (tag “deception”), finding 28 results; compared to the number of cases alleging Section 5 unfairness – 23 results. This can help you determine your legal strategy.
If worse comes to worse, what kind of sanctions are you facing? Specifically, have “monetary penalties” (tag) been imposed in security breach cases? Here, you find solace in the fact that only eight of the 41 security breach cases resulted in monetary penalties, and only three in an amount greater than $1 million (tag).
Now that you have found the FTC resources on cases involving security breaches, you will hopefully soon discover that this (totally hypothetical!) breach was just a false alarm. Whew!
The IAPP’s FTC Casebook is your best resource for researching the FTC’s privacy and security complaints and consent decrees. Find it here.
If you want to comment on this post, you need to login.