The U.S.-EU Safe Harbor framework is a voluntary data-security program administered by the U.S. Department of Commerce in consultation with the European Commission, according to information from the FTC.
Fantage.com allegedly falsely claimed it was compliant with the guidelines, which include: “notice, choice, onward transfer, security, data integrity, access, and enforcement.” The settlement, which is subject to public review, alleges the company allowed its annual certification to lapse while continuing to represent itself as compliant.
Fantage.com, maker of an online role-playing game targeted toward children and teenagers, will be prohibited from misrepresenting its privacy and security standards.
Evan Sills, consultant with the American Bar Association Cybersecurity Legal Task Force and Legal Fellow at the Cyber Security Policy & Research Institute, said the FTC has been especially vigilant when it comes to data protection. “An ongoing case, FTC v. Wyndham, accuses Wyndham Hotels of claiming they were protecting customer data, when in fact, they were hacked [of] … personally-identifiable information,” he said in an email. “If the FTC wins, that will be an expansion of their current powers.”
However, not everyone thinks the FTC is appropriately approaching the matter. The U.S. Chamber of Commerce has filed an amicus brief in the case claiming the FTC has a pattern of punishing victims of hacking while not providing clear guidelines for what is considered “reasonable” security measures.
“Because FTC has never formally promulgated any data security standards, a business has no way of knowing whether it’s compliant until after it’s been hacked, had its data stolen, completed a costly FTC investigation, and an enforcement action has been filed against it,” according to information from the National Chamber Litigation Center of the U.S. Chamber of Commerce.
“The FTC's conduct raises serious due process concerns, is not supported by any statutory grant of authority from Congress, and chills e-commerce and innovation. The brief reiterates that the Chamber and its members are committed to improving data security, but that the FTC's approach wrongly punishes the victims of cyber hacking attacks, without providing businesses fair notice of what is expected of them.”
International data security and protection has been an issue for decades, and has recently gained attention from the legal field, the government and national security experts in light of current events. The European Commission’s Directive on Data Protection began in October of 1998, and prohibits the transfer of personal information to non-EU countries that fail to adhere to EU “adequacy” standards of protection, according to information from Export.gov.
In an attempt to bridge differences between U.S. and E.U. approaches to privacy standards, the U.S. Department of Commerce along with the European Commission developed the "safe harbor" framework and the export.gov website to provide the information organizations need to assess and join the program, thus allowing them to engage in international commerce.
The reality of the situation, though, is that the efforts of the different agencies concerned with privacy are, unfortunately, limited, Sills said. “Safe Harbors and other compliance-related rules do not guarantee safety. A company can meet all of its compliance requirements and still lose customer data, because there's almost nothing connected to the Internet that is 100% secure,” he said.
Dan Sabbatino is an award-winning journalist whose accolades include a New York Press Association award for a series of articles he wrote dealing with a small upstate town’s battle over the implications of letting a “big-box” retailer locate within its borders. He has worked as a reporter and editor since 2007, primarily covering state and local politics for a number of publications.