Module: 02d — FTC Act Section 5 Cybersecurity Enforcement
Difficulty: Intermediate


Questions

Q1. FTC Act Section 5, codified at 15 U.S.C. § 45, prohibits "unfair or deceptive acts or practices in or affecting commerce." Under the unfairness theory applied to cybersecurity, which three-part test did the Third Circuit establish in FTC v. Wyndham Worldwide Corp. (2015)?

  • A) Intentional misconduct, failure to disclose, and causation of financial harm
  • B) Substantial harm to consumers, harm not reasonably avoidable by consumers, and harm not outweighed by countervailing benefits
  • C) Material misrepresentation, reliance by consumers, and actual damages
  • D) Breach of duty, foreseeability of harm, and proximate cause

Correct answer: B
Explanation: The Third Circuit in FTC v. Wyndham Worldwide Corp., 799 F.3d 236, established the three-part unfairness test for cybersecurity cases: (1) the practice causes or is likely to cause substantial injury to consumers; (2) consumers cannot reasonably avoid the harm because they cannot evaluate a company's backend security; and (3) there is no legitimate countervailing benefit to the security failure.


Q2. In LabMD, Inc. v. FTC (11th Cir. 2018), the Eleventh Circuit vacated the FTC's cease-and-desist order against LabMD. What was the court's basis for vacating the order?

  • A) The FTC lacks authority to regulate cybersecurity practices under Section 5
  • B) LabMD was too small a company to constitute a threat to consumers in interstate commerce
  • C) The FTC's order was too vague to comply with, requiring a "reasonably designed" security program without specifying what it must do
  • D) The underlying breach data was fabricated by Tiversa, which deprived the FTC of jurisdiction

Correct answer: C
Explanation: The Eleventh Circuit vacated the FTC's order not because the FTC lacked cybersecurity authority — that was established by Wyndham — but because the order itself lacked sufficient specificity. A cease-and-desist order must be clear enough that a company knows what it must do to comply. An order requiring a "reasonably designed" security program without specifying required controls failed that standard.


Q3. Section 5 of the FTC Act carries no per-violation civil penalty on its own. Under what mechanism does the FTC obtain significant financial penalties, and what is the current maximum per-day amount?

  • A) Section 5 authorizes a $1 million lump sum fine per enforcement action
  • B) 15 U.S.C. § 45(m) authorizes up to $51,744 per day per violation of an existing consent decree
  • C) The FTC obtains penalties through private class actions brought under Section 5's private right of action
  • D) Penalties are authorized under the Gramm-Leach-Bliley Act, not Section 5 itself

Correct answer: B
Explanation: Section 5 itself carries no per-violation civil penalty, but 15 U.S.C. § 45(m) authorizes civil penalties of up to $51,744 per day per violation when a company violates an existing consent decree. This is the mechanism behind Twitter's $150 million penalty (2022) and Facebook's $5 billion penalty (2019) — both arose from violations of prior consent orders, not from initial Section 5 enforcement.


Q4. The FTC's Safeguards Rule (16 C.F.R. Part 314), issued under the Gramm-Leach-Bliley Act, covers which category of entities?

  • A) All businesses that collect consumer data, including retailers and social media platforms
  • B) HIPAA-covered entities such as hospitals and health insurers
  • C) Non-bank financial institutions "significantly engaged" in providing financial products or services, such as mortgage brokers, tax preparers, and auto dealers that arrange financing
  • D) Banks, credit unions, broker-dealers, and investment companies

Correct answer: C
Explanation: The Safeguards Rule covers non-bank financial institutions significantly engaged in financial products or services — including mortgage brokers, payday lenders, auto dealers arranging financing, tax preparers, and collection agencies. It explicitly does NOT cover banks, credit unions, broker-dealers, or investment companies regulated under other GLBA titles, which are covered by separate rules from their primary regulators.


Q5. The revised FTC Safeguards Rule (effective June 2023) added which two prescriptive technical controls that were previously stated only as general "reasonable security" standards?

  • A) Firewall deployment and antivirus software installation
  • B) Encryption of customer information in transit and at rest, and multi-factor authentication (MFA) for access to customer information systems
  • C) Penetration testing and vulnerability assessments on a quarterly schedule
  • D) Incident response plans and 90-day breach notification to the FTC

Correct answer: B
Explanation: The 2021 revision to the Safeguards Rule added specific prescriptive requirements for encryption (of customer information both in transit over external networks and at rest) and MFA (required for any individual accessing customer information systems). These replaced previously vague "reasonable security" standards. The rule also requires annual penetration testing and vulnerability assessments at least every six months, and 30-day FTC breach notification for institutions with 500+ affected customers.


Q6. In FTC v. Drizly, LLC (2023), the FTC took an unprecedented enforcement step that is directly relevant to any company executive who receives and ignores a security researcher's disclosure. What was that step?

  • A) The FTC imposed criminal penalties on Drizly's engineering team under 18 U.S.C. § 1030
  • B) The FTC required Drizly to publish all security findings on a public breach notification registry
  • C) The FTC named CEO James Rellas personally in the consent order, requiring him to implement a security program at any future company he leads for ten years
  • D) The FTC seized Drizly's assets and appointed a receiver to manage its data security operations

Correct answer: C
Explanation: The Drizly consent order imposed personal liability on CEO James Rellas — not because he hacked anyone, but because he knew about security deficiencies since at least 2018 and failed to remediate them before the 2020 breach exposing 2.5 million user records. The order requires Rellas to implement a security program at any future company he leads (with 25+ users) for ten years — making documented receipt of a security disclosure now a personal liability event for executives.


  • A) Twitter stored user passwords in plaintext and failed to disclose the practice in its privacy policy
  • B) Twitter collected phone numbers and email addresses for two-factor authentication security purposes and then used that data for advertising targeting
  • C) Twitter shared user direct message content with third-party analytics firms without consent
  • D) Twitter failed to implement the Safeguards Rule's MFA requirement for administrative access to user account systems

Correct answer: B
Explanation: Twitter had represented to users that phone numbers and email addresses collected for 2FA security purposes would be used only for security. Twitter instead used this data for advertising targeting — a direct mismatch between representation and practice. This deception theory violation, combined with the existing 2011 consent order, triggered the $150 million penalty under the § 45(m) consent decree violation mechanism.


Q8. Under COPPA (15 U.S.C. §§ 6501–6506 and 16 C.F.R. Part 312), which type of age-gate mechanism has the FTC indicated is insufficient for compliance when it is designed to allow children to circumvent it by entering a false age?

  • A) Government ID verification systems
  • B) Credit card transaction verification
  • C) Neutral text entry of a birth date with no verification mechanism and no block on retry after a child self-identifies as under 13
  • D) Two-step verification combining a date-of-birth entry with parental email confirmation

Correct answer: C
Explanation: The FTC has made clear that a simple text-entry birth date field that allows children to lie about their age with no retry block and no further verification is insufficient for COPPA compliance when it is "designed to fail." Effective age-gating requires a neutral age screen that does not signal which ages are accepted, a block on children who self-identify as under 13 without allowing retry, and collection of parental consent for identified minors.


Q9. The FTC Health Breach Notification Rule (16 C.F.R. Part 318) covers which category of entities, and what is the maximum time allowed for notification to affected individuals after breach discovery?

  • A) HIPAA covered entities; 30 days
  • B) Personal health record vendors that are not HIPAA covered entities or business associates; 60 days
  • C) Any company that collects consumer health data for commercial purposes; 72 hours
  • D) Non-bank financial institutions handling health payment data; 90 days

Correct answer: B
Explanation: The Health Breach Notification Rule fills the gap left by HIPAA by covering "personal health record vendors" — companies that handle individually identifiable health information but are not HIPAA covered entities or business associates (such as health apps, fitness trackers, and period-tracking apps). Notification must occur without unreasonable delay and in no case later than 60 days after discovery of the breach, mirroring HIPAA's standard.


Q10. California's Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) differs from FTC Act Section 5 in two important ways that make it a more powerful tool for consumer cybersecurity litigation. Which answer correctly identifies both differences?

  • A) The UCL applies only to companies headquartered in California; Section 5 applies nationally
  • B) The UCL allows private lawsuits by injured consumers and includes an "unlawful" prong that makes any violation of another law independently actionable as an unfair business practice; Section 5 has no private right of action
  • C) The UCL authorizes punitive damages without cap; Section 5 is limited to injunctive relief
  • D) The UCL requires proof of intent to deceive; Section 5 applies a strict liability standard

Correct answer: B
Explanation: California's UCL provides two critical advantages over Section 5: (1) it includes a private right of action for any person who has suffered injury in fact and lost money or property, enabling class action litigation against companies with poor cybersecurity, and (2) its "unlawful" prong makes any violation of another law (HIPAA, COPPA, California's breach statute) independently actionable as an unfair business practice — a powerful borrowing mechanism that converts regulatory violations into UCL claims.