How The FTC Identifies, Targets & Tracks Companies
Learn How to Keep Off Their List
David Zetoony, Partner, Bryan Cave LLP, Leader, Global Data Privacy and Security Team
Scott J. Stein, Online Trust Alliance, VP Public Policy

About Us
The Online Trust Alliance (OTA) is a 501(c)(3) charitable non-profit with the mission to enhance online trust and empower users, while promoting innovation.
- Goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity.
- Supports collaborative public-private partnerships, benchmark reporting, self-regulation and data stewardship.

AGENDA
1. The Who, What, Where, Why of the FTC
2. How the FTC Identifies Enforcement Targets
3. Data Analytics and Company Tracking

1. The Who, What, Where, Why of the FTC
The Who & What:
- Established in 1914
- Independent Federal Agency
- 5 person Commission (2 from minority party, 3 from majority)
- 1,164 full time employees (654 attorneys)
- ~$300 million budget
The Where:
- Headquartered in DC
- Seven regional offices around US

1. The Who, What, Where, Why of the FTC
The Why: Enforces more than 70 laws* including:
- Federal Trade Commission Act
- Consumer Leasing Act
- CAN-SPAM Act
- Credit CARD Act
- Do-Not-Call Registry Legislation
- Fair Credit Reporting Act
- Fair and Accurate Credit Transactions Act
- Fur Products Labeling Act
- Gramm-Leach-Bliley Act
- Identity Theft Act
- Equal Credit Opportunity Act
The FTC's Consumer Protection Mission: Data Privacy, Marketing, Data Security, Advertising
* See http://www.ftc.gov/enforcement/statutes for a complete list.

2. How the FTC Identifies Enforcement Targets
(A) Independent Monitoring of Companies
(B) Competitor / Industry / Interest Group Petitions
(C) Media Attention
(D) Data Mining

2. How the FTC Identifies Enforcement Targets
(A) Independent Monitoring of Companies
Formal programs are set up to monitor:
- FTC Mobile / Internet Lab for reviewing websites
- Industry / Issue Sweeps. E.g., Children's Apps:
  - Staff searched for "Kids" in App Store
  - Collected Promotion page for first 960 apps
  - Conducted closer review of 480 (of the 960) chosen at random
Don't overlook informal monitoring, and remember that FTC staff members, Commissioners, and relatives of staff members are consumers too.

2. How the FTC Identifies Enforcement Targets
(A) Independent Monitoring of Companies (Cont.)
FTC v. DERMAdoctor, Case No. 14-01129-CV-W-BP (W.D. Mo. 2014)
* Bryan Cave LLP represented DERMAdoctor in the referenced action

2. How the FTC Identifies Enforcement Targets
(B) Competitor / Industry / Interest Group Petitions

2. How the FTC Identifies Enforcement Targets
(B) Competitor / Industry / Interest Group Petitions (Cont.)
November 22, 2011: Humane Society Petition to FTC in re DrJays.com, Eminent, Gilt Groupe, Inc., Neiman Marcus, etc.
March 19, 2013:
- Complaint, In the Matter of DrJays.com, Inc. (Docket No. C-4408)
- Complaint, In the Matter of Eminent, Inc. (Docket No. C-4409)
- Complaint, In the Matter of the Neiman Marcus Group (Docket No. C-4407)
* Bryan Cave LLP represented the Neiman Marcus Group

2. How the FTC Identifies Enforcement Targets
(C) Media Attention: Example
In the Matter of CVS, Docket No. C-4259
- Sept. 2007: FTC initiates non-public inquiry of CVS and issues an access letter to CVS.
- May 20, 2008: FTC issues a Civil Investigative Demand to CVS.
- Feb. 18, 2009: Complaint

2. How the FTC Identifies Enforcement Targets
(C) Media Attention (cont.): Example
In the Matter of Ceridian Corp., Docket No. C-4325
- Feb. 3, 2010
- May 3, 2011 FTC Complaint
* Bryan Cave LLP represented the Ceridian Corporation

2. How the FTC Identifies Enforcement Targets
(D) Data Mining
The FTC maintains databases of consumer complaints collectively referred to as "Consumer Sentinel":
- Started in 1997
- Contains complaints submitted to FTC by phone or online.
- Contains complaints submitted to partner agencies including:
  - 20 state attorneys general
  - 8+ federal agencies
  - 100+ Better Business Bureaus
- Over 25 million total complaints*
* Information from Consumer Sentinel Network Data Book for Jan.-Dec. 2014

3. Data Analytics and Company Tracking
The majority of FTC actions target a company identified in Consumer Sentinel.

3. Data Analytics and Company Tracking
2(D). Data Mining (cont.)
How the FTC uses Consumer Sentinel: Each month the FTC's Division of Planning and Information ("DPI") creates a "Top Violators Report" that ranks the fifty companies with the greatest volume of consumer complaints that month.

3. Data Analytics and Company Tracking
Top Violator's Report from Nov. 2014
NOTES: Top Violators February 2012
Top Companies Receiving Complaints in Consumer Sentinel Network, November 1 to November 30, 2014

Rank November | Rank October | Company | Product/Service Code(s) | # of Complaints Entered During Reporting Period
1 | 1 | IRS Imposter | Impostor: Government | 8,293
2 | 2 | Publishers Clearing House Imposter | Impostor: Business | 3,342
3 | 3 | Microsoft Corporation | Computers: Equipment \ Software; Impostor: Business | 1,333
4 | 4 | AT&T | Mobile: Other | 1,289
5 | 5 | Verizon Wireless | Mobile: Other | 1,078
6 | 7 | Bank of America | Lending: Mortgage; Bank: National \ Commercial | 813
7 | 8 | Wells Fargo Bank | Lending: Mortgage | 748
8 | 6 | Comcast Cable | Television: Satellite & Cable | 734
9 | 9 | DirecTV, Inc. | Television: Satellite & Cable | 609
10 | 11 | Experian | Credit Bureaus | 607
11 | 10 | US Treasury | Impostor: Government | 539
12 | 13 | Equifax | Credit Bureaus | 525
13 | 12 | T Mobile | Mobile: Other | 459
14 | 14 | TransUnion | Credit Bureaus | 459
15 | 16 | Federal Government | Impostor: Government | 451
16 | - | Credit One Bank | Credit Cards | 341
17 | 17 | Time Warner Cable | Television: Satellite & Cable | 320
18 | 19 | Ocwen Loan Servicing, LLC | Lending: Mortgage | 319
19 | 22 | Capital One Bank | Credit Cards | 300
20 | 20 | Medicare | Impostor: Government | 271
21 | - | Federal Grant Department | Impostor: Government | 268
22 | 18 | Dish Network LLC | Television: Satellite & Cable | 256
23 | 21 | Credit Card Services | Telemarketing: Other | 250
24 | 30 | Nationstar Mortgage | Lending: Mortgage | 247
25 | 29 | FTC Imposter | Impostor: Government | 234
26 | 27 | JP Morgan Chase | Lending: Mortgage / Bank: National \ Commercial | 234
27 | 24 | Chase | Lending: Mortgage | 229
28 | 36 | Wal-Mart | Impostor: Business | 226
29 | 28 | Green Tree Servicing, LLC | Lending: Mortgage | 218
30 | 34 | Charter Communications Inc | Television: Satellite & Cable | 203
31 | 36 | Cash Net USA | Third Party Debt Collection / Lending: Payday Loans | 199
32 | 42 | Citibank | Credit Cards | 195
33 | 15 | eBay | Shop-at-Home \ Catalog Sales | 194
34 | 46 | Cash Advance | Advance-Fee Loans, Credit Arrangers | 189
35 | 32 | Synchrony Bank | Credit Cards | 186
36 | - | Enhanced Recovery Corporation | Information Furnishers | 185
37 | 38 | Government Grants | Impostor: Government | 184
38 | 25 | Amazon.com | Shop-at-Home \ Catalog Sales | 183
39 | 40 | Midland Credit Management | Third Party Debt Collection | 179
40 | 26 | Craigslist | Shop-at-Home \ Catalog Sales | 176
41 | 31 | Sallie Mae | Lending: Mortgage | 174
42 | 39 | Verizon | Third Party Debt Collection | 163
43 | 35 | Wells Fargo Home Mortgage | Lending: Mortgage | 162
44 | 23 | FBI | Impostor: Government | 141
45 | 43 | Mega Millions | Prizes \ Sweepstakes | 139
46 | - | Cardholder Services | Telemarketing: Other | 135
47 | 41 | Dell Computer Corporation | Impostor: Government | 133
48 | - | US Government Grants | Impostor: Government | 127
49 | - | American Express | Credit Cards | 125
50 | 33 | US Bank | Bank: National / Commercial | 122

3. Data Analytics and Company Tracking
(D) Data Mining (cont.)
How the FTC uses Consumer Sentinel: Each month the FTC's Division of Planning and Information ("DPI") also creates a "Surge Report" that identifies companies with the greatest increase, or "surge," in complaint volume.

3. Data Analytics and Company Tracking
Surge Report from October 2014

3. Data Analytics and Company Tracking
Although it is impossible to know how often the FTC takes actions based upon the top violators / surge reports (among other things, investigations that do not lead to enforcement actions are typically not made public), there does appear to be a high correlation between the report and FTC action. For example, the FTC identified the following companies as the top violators between 1/1/2009 and 12/12/2014:

Rank | Company | FTC Action
1 | Publisher's Clearing House Imposters | Consumer Information Press Release 2014 (http://www.consumer.ftc.gov/articles/0199-prize-scams)
2 | Bank of America | OUTSIDE FTC JURISDICTION
3 | T Mobile | 12/19/2014 FTC Law Enforcement Action resulting in $90 million consumer redress. http://www.ftc.gov/news-events/press-releases/2014/12/t-mobile-pay-least-90-million-including-full-consumer-refunds
4 | DirecTV, Inc. | 2009 FTC Law Enforcement Action resulting in $2.31 million civil penalty.
5 | IRS Imposter fraud | Consumer Information Press Release 2015: http://www.ftc.gov/news-events/blogs/external/my-very-own-irs-imposter-call
6 | Verizon Wireless | 11/12/2014 data security investigation (closed). http://www.ftc.gov/system/files/documents/closing_letters/verizon-communications-inc./141112verizonclosingletter.pdf

3. Data Analytics and Company Tracking
Other ways in which the FTC could use information when analyzing specific companies:
- Complaints that are received directly by the FTC are coded to reflect a specific area of law that has been allegedly violated.
- When analyzed, the statute codes can give the FTC a profile of potential compliance problems.

3. Data Analytics and Company Tracking
Other ways in which the FTC could use information when analyzing specific companies:
When complaint volume and date are analyzed, they can also provide insight concerning trends and patterns within a company. The following shows the complaint volume of MySpace before the FTC issued its complaint (In the Matter of MySpace LLC, Docket No. C-4369 (Sept. 11, 2012)).
[Figure: Case Study 2013 Enforcement Target. CIS-Related Complaints (n=534) by Date of Submission, 2007 to 2013.]

3. Data Analytics and Company Tracking
Other ways in which the FTC could use information when analyzing specific companies:
- If viewed geographically, complaint volume may disclose distribution or regional marketing related issues.
- When lined up against competitors as a benchmark, it may disclose practices that appear out of sync within an industry.

3. Data Analytics and Company Tracking
Practical take-aways for in-house counsel: Self-Monitoring
- Do you track the quantity of complaints that appear in the FTC's database about your company? If so, how often?
- Do the complaints filed against your company suggest a legal compliance issue? If so, were an FTC investigation to be initiated, can you explain the complaint volume, patterns, and trends?

3. Data Analytics and Company Tracking
Practical take-aways for in-house counsel: Evaluating your Risk Level
- Is your complaint volume high enough to put you on the Top Violator's Report?
- Is the variation in complaint volume large enough to place you on the Surge Report?

3. Data Analytics and Company Tracking
Practical take-aways for in-house counsel: Benchmarking
- Do competitors in your industry have a significantly greater or smaller proportion of complaints?

3. Data Analytics and Company Tracking
Practical take-aways for in-house counsel: Other Companies
- Are there other companies for which it would be important to know their complaint volume (e.g., clients, service providers, business partners)?

David A. Zetoony
Bryan Cave LLP
Phone: 202 508 6030
Fax: 202 220 7330
Email: david.zetoony@bryancave.com
David Zetoony is the leader of the firm's global data privacy and security practice. He has extensive experience advising clients on how to comply with state and federal privacy, security, and advertising laws, representing clients before the Federal Trade Commission, and defending national class actions. He has assisted hundreds of companies in responding to data security incidents and breaches, and has represented human resource management companies, financial institutions, facial recognition companies, and consumer tracking companies before the Federal Trade Commission on issues involving data security and data privacy.