
Twenty Years Under the Microscope: A Small Business, a Data Breach and the FTC

Thomas C. Carey | Partner, Business Chair

Thomas is a member of our Business Practice Group

James Grago has a nice business going. He runs a website called ClixSense.com that permits users to earn money by completing surveys and watching advertisements. Revenues grew from $6.7 million in 2015 to $9.1 million in 2016, by which time he had over 6 million registered users. Apparently this was a low-overhead business – Mr. Grago appears not to have even formed a corporation or an LLC. He runs the business individually.

In late 2015, a user told Mr. Grago about a publicly available web browser extension that might harm his business. The extension was said to allow users to have their computers automatically click on and display advertisements without user intervention. Users could collect money from ClixSense for watching ads that they did not actually trouble themselves to view.

Concerned about this possible abuse, Mr. Grago downloaded the browser extension onto a computer in February 2016. The computer was connected to the ClixSense network. For the next several months, hackers used that browser extension to obtain information to enable attacks on the ClixSense network. The hacking became apparent when visitors to the ClixSense website were redirected to a porn site.

In September 2016, a hacker took advantage of this browser extension to access an old ClixSense server whose default credentials had never been changed. From there the hacker leapt to ClixSense's active server and its documents and emails. There the hacker discovered a great deal of information about ClixSense's customers, including their sign-in credentials, names, physical and e-mail addresses, gender, answers to challenge questions and even Social Security numbers, all of which were stored unencrypted.

The Company soon learned that a website known for security exploits was offering for sale information concerning 2.7 million ClixSense customers. ClixSense reported the hack of its data on its website and, two weeks later, sent emails to the affected users warning them of the breach.

The ClixSense website had all along included the following message:

Is my personal information secure?
ClixSense utilizes the latest security and encryption techniques to ensure the security of your account information . . . . We view protection of users’ privacy as a very important community principle. We understand clearly that you and your information are one of our most important assets.

The Federal Trade Commission has legal authority to police unfair and deceptive trade practices. When a company’s website provides assurances regarding privacy and data security that fall short of the reality, the FTC often launches an enforcement action alleging a deceptive policy. And it did just that with ClixSense.

The FTC’s complaint was quite detailed in identifying ClixSense’s security lapses. Here’s a sampling of what the FTC said ClixSense failed to do:

  • perform vulnerability and penetration testing of its network;
  • use intrusion detection and prevention systems;
  • employ transport layer security (an encryption protocol that provides privacy and data security between two communicating computers, such as a consumer’s computer using a web browser and a computer hosting a website);
  • prevent employees from storing plain text user credentials in personal email accounts and on ClixSense’s laptops;
  • change default login and password credentials for network resources;
  • assess cybersecurity events;
  • monitor for unauthorized attempts to exfiltrate consumers’ personal information; and
  • use encryption to protect consumers’ personal information.
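Two of the lapses in that list, plaintext credential storage and default credentials left in place, can be checked for mechanically once credentials are stored in a self-describing hashed form. The Python below is an added example, not code from the article, the FTC complaint or ClixSense's own systems: it stores passwords as salted PBKDF2-HMAC-SHA256 records, verifies them in constant time, and audits a credential store for entries that are still plaintext or still set to a vendor default. The record format, the default-password list and the sample store are assumptions constructed for illustration.

```python
"""Added example (not from the article or from ClixSense): store credentials
as salted PBKDF2 hashes and audit a store for plaintext or default passwords.
Standard library only; the record format, the DEFAULT_PASSWORDS list and the
SAMPLE_STORE below are assumptions constructed for illustration."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte salt per user means identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def is_hashed_record(record: str) -> bool:
    """True if the stored value is in the hashed format above rather than plain text."""
    parts = record.split("$")
    return len(parts) == 4 and parts[0] == ALGO and parts[1].isdigit()


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time; never authenticate against a plaintext record."""
    if not is_hashed_record(record):
        return False
    _, iterations, salt_b64, digest_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# Constructed list of vendor/default passwords; a real audit would be driven
# by the vendor documentation for each product in the asset inventory.
DEFAULT_PASSWORDS = ("admin", "password", "changeme", "root")


def audit_credentials(store: dict[str, str]) -> dict[str, list[str]]:
    """Flag accounts stored in plain text and accounts still set to a default
    password (for hashed records, by verifying each default against the hash)."""
    findings: dict[str, list[str]] = {"plaintext": [], "default": []}
    for account, record in store.items():
        if not is_hashed_record(record):
            findings["plaintext"].append(account)
            if record in DEFAULT_PASSWORDS:
                findings["default"].append(account)
            continue
        if any(verify_password(candidate, record) for candidate in DEFAULT_PASSWORDS):
            findings["default"].append(account)
    return findings


# Constructed sample store: two legacy plaintext entries and two hashed ones.
SAMPLE_STORE = {
    "legacy-server-root": "admin",                  # never changed from the default
    "alice@example.com": "correct horse",           # plaintext; a migration missed it
    "bob@example.com": hash_password("Tr0ub4dor&3"),
    "old-appliance": hash_password("changeme"),     # hashed, but still the default
}

if __name__ == "__main__":
    print(audit_credentials(SAMPLE_STORE))
```

Running the block against the constructed store reports the two plaintext entries and the two accounts still on a default password. The hashed-record check is what lets the same audit run safely on a production table: it never needs the plaintext, only the ability to verify a short list of known defaults against each stored hash.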

The FTC issued its complaint in April 2019. ClixSense signed the consent order within two months. The order, like many FTC orders before it, requires ClixSense to live up to the commitments set forth in the agreement for twenty years.

This consent order is quite elaborate, considering that ClixSense is a fairly small business that is not involved in an especially sensitive industry such as health care, where data breaches are more likely to attract federal attention.

The consent order breaks new ground in its strictness. Its novelty is underscored by an accompanying statement in which the FTC emphasized its commitment to strengthening its orders pertaining to data security practices.

The ClixSense order requires any business controlled by Mr. Grago that collects personal consumer information to:

  1. Refrain from any misrepresentations about privacy or security of personal information;
  2. Maintain a comprehensive information security program that includes regular testing, monitoring and employee training (and presumably addresses the shortcomings specifically identified by the FTC in its complaint);
  3. Retain a certified third party assessor to assess the compliance with and effectiveness of the information security program, first within 180 days of the date of the order, and at least every other year thereafter;
  4. Submit the assessment reports to the FTC; and
  5. Provide the FTC with a certification from a senior corporate manager regarding compliance with the order and providing a brief description of any actual or suspected data breach that must be reported to any other state, federal or local governmental authority.

In addition, Mr. Grago must inform the FTC annually of all his business interests. For each business in which he has a role, he must provide, under pain and penalty of perjury, a description of the goods and services offered, its advertising, marketing and selling practices, and contact information. The information must be updated within 14 days of any changes.

Finally, Mr. Grago must keep for five years accounting and personnel records of each such business, copies of all privacy- and security-related consumer complaints, and a copy of privacy and security statements made by the businesses that he operates. He must respond to inquiries made from time to time by FTC staff.

Oh, and the part about the 20-year term of the order? That’s only if the FTC or the Justice Department does not sue him for violating the order. If such a lawsuit occurs, the 20-year clock restarts, as it just did for Facebook.

Lessons To Be Learned. Consumer-facing businesses must take great care not to over-promise in their privacy statements. While this single sin accounts for the vast majority of FTC enforcement actions of this sort, the commission is authorized to complain about sloppy security practices even in the absence of a privacy policy that over-promises.

So the focus can't be just on cleaning up the policy. A consumer-facing business must actually follow reasonable data security practices in order to steer clear of the FTC. The FTC cannot sue everybody, but it is making examples of those who are caught in its crosshairs, resulting in long-term obligations that any businessperson would prefer to avoid.

How best to bring one's security practices up to snuff? The requirements in Parts II and III of the ClixSense order are not a bad place to start, and neither is the list of security weaknesses cited in the complaint. A company that shores up its cybersecurity defenses and practices as suggested by the ClixSense complaint and consent order is likely to stay out of trouble with the FTC, the state regulators and, with luck, the hackers themselves.
