The operator of an online rewards website will be required to implement a comprehensive information security program before collecting personal information as part of a final settlement with the Federal Trade Commission related to allegations that he failed to take reasonable steps to protect personal data.
In a complaint, the FTC alleged that James V. Grago, Jr., deceived consumers by falsely claiming that his website, ClixSense, “utilizes the latest security and encryption techniques to ensure the security of your account information.” In fact, ClixSense engaged in unreasonable security practices and failed to implement minimal data security measures to secure the personal data it collected, such as Social Security numbers and dates of birth.
Under the settlement with the FTC, Grago is prohibited from misrepresenting the extent to which any company he controls protects the personal information it collects. If any company he controls collects or maintains personal information, Grago must implement a comprehensive information security program and obtain independent biennial assessments of that program. Grago is also prohibited from making misrepresentations to the third party performing the biennial assessments of any information security program, and he must provide an annual certification of compliance to the Commission.
After receiving no comments on the settlement, the Commission voted 5-0 to approve the final settlement order with Grago.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).