SLA Blog

Facial Recognition in Sports Venues and Lessons Learned from FTC Cybersecurity Enforcement Actions


The future of in-venue sports technology will continue to transform the in-person experience at live sporting events. Facial recognition technology, in particular, has played a significant role in that transformation. Facial recognition technology has evolved to the point that fans can scan their faces to enter venues, pick up mobile orders, and make purchases at concession stands.

However, facial recognition technology poses high cybersecurity and legal risks. Facial data is vulnerable to breaches and hacking that could lead to identity theft, deepfakes[1], and other malicious activities. The threat landscape has grown more sophisticated, with cybercriminals looking to target venues with weak cyber resilience. Sports venues are working towards implementing cybersecurity measures to safeguard facial data from unauthorized access and to establish trust with fans adopting facial recognition technology.

This blog post will explore the cybersecurity risks of facial recognition technology in sports venues and examine the lessons learned from recent Federal Trade Commission (“FTC”) cybersecurity enforcement actions.

FTC Enforcement Actions

Under Section 5 of the Federal Trade Commission Act (FTC Act), the FTC can bring case-by-case enforcement actions to prevent “unfair or deceptive acts or practices in or affecting commerce.” As the protection of consumer data has become an enforcement priority, the FTC has consistently taken the view that it is unfair for a company to collect personal information from consumers and then fail to take reasonable measures to protect that information from unauthorized access or theft. Simply put, companies are responsible for implementing appropriate security measures, such as encryption, access controls, and vulnerability testing, to safeguard consumer data. The FTC can also take enforcement action against companies that make affirmative misrepresentations or deceptive claims about protecting consumer data. For example, the FTC may take action against a company that fails to protect consumer data as promised in its privacy policies or other statements.

Although a data breach is not a per se violation of Section 5 of the FTC Act, Section 5 allows the FTC to examine all aspects of an entity’s handling of data. The FTC can then enter into consent orders with specific companies requiring them to implement security measures subject to monitoring by the FTC. The FTC cannot seek civil penalties for initial violations of the FTC Act, but the FTC can seek civil monetary penalties if a company violates an FTC order entered against the specific company.

The descriptions of the enforcement actions below do not represent a comprehensive review of the FTC’s enforcement power. Instead, they illustrate how the FTC views its cybersecurity jurisdiction and what the agency considers unfair or deceptive acts or practices for failing to adequately protect consumer personal information.

In the Matter of LightYear Dealer Technologies, LLC

In 2019, the FTC alleged in a complaint that LightYear Dealer Technologies, LLC (LightYear), a company that develops and sells management software and data processing services to auto dealerships, failed to implement reasonable security measures to protect consumer and employee personal information, which allowed a hacker to gain access to LightYear’s backup database. The FTC alleged that LightYear stored personal information on its network for about 14 million dealership customers and 39,000 dealership employees in plain text without encrypting the data. The FTC also alleged that LightYear failed to properly configure a newly attached storage device, which created an open connection port that allowed a hacker to download the information of over 69,000 customers. The FTC deemed the company's failure to employ reasonable security measures an unfair practice.

LightYear ultimately settled with the FTC. The settlement prohibited LightYear from sharing, collecting, or maintaining personal information without a comprehensive information security program. Specific measures were also required, including the encryption of certain information, vulnerability testing of its network, adoption of data access controls, and limiting employee access to only the data necessary for their specific job function. The company was also required to restrict inbound connections to approved IP addresses and to require authentication for access. The FTC mandated that LightYear obtain biennial assessments of its information security program from an independent third-party professional for twenty years. Lastly, LightYear must also provide the FTC with an annual certification of compliance with the settlement terms.

FTC v. Equifax, Inc.

In 2017, Equifax experienced a massive data breach, which resulted in the theft of sensitive personal information of millions of individuals, including Social Security numbers, birth dates, and addresses. The breach affected approximately 147 million individuals, making it one of the largest data breaches in history.

The FTC brought a complaint against Equifax for its failure to implement reasonable security measures to protect the sensitive personal information of millions of individuals. The FTC alleged that Equifax's security practices were deficient in several areas, including failing to (i) implement a policy to ensure security vulnerabilities were patched, (ii) segment its database servers to block access to other parts of the network, and (iii) implement robust intrusion detection protections for a legacy database. The FTC also alleged that Equifax stored network credentials, passwords, Social Security numbers, and other sensitive consumer information in plain text.

As part of Equifax’s settlement with the FTC, Equifax agreed to establish a comprehensive information security program. The settlement required Equifax to improve its cybersecurity posture by, among other things, performing annual assessments of security risks, obtaining annual certifications from the Equifax board of directors or relevant subcommittees attesting that it has complied with the FTC order, testing and monitoring the effectiveness of security safeguards, and ensuring that service providers that access personal information also implement safeguards to protect data. Additionally, Equifax agreed to undergo third-party assessments of its information security program every two years for twenty years.

In the Matter of Zoom Video Communications, Inc.

In the Matter of Zoom Video Communications, Inc., the FTC alleged that Zoom engaged in deceptive and unfair practices related to its security and data privacy practices. In 2021, the FTC claimed that Zoom misrepresented the level of security it provided to users by advertising end-to-end encryption when Zoom was instead encrypting data using a lower level of encryption.

The FTC also claimed that Zoom engaged in deceptive practices when it secretly installed software on users' computers that allowed Zoom to circumvent Apple's Safari browser settings, which had disabled a feature that allowed video conferences to launch automatically. In other words, Zoom could launch itself automatically when a user clicked on a meeting link, without first seeking the user's permission. The FTC claimed this was deceptive because Zoom did not disclose this behavior to users, so users could not make informed decisions about whether to install or use the Zoom app.

As a result of the settlement, Zoom was required to implement a comprehensive security program. Elements of the security program included assessing and documenting potential internal and external security risks on an annual basis, a vulnerability management program, and security measures such as multi-factor authentication, data deletion controls, and steps to prevent the use of known compromised user credentials. Zoom must also obtain biennial assessments of its security program by an independent third-party assessor for twenty years, implement a data deletion program, and provide notice and obtain affirmative consent before engaging in certain data practices.

Considerations for Sports Venues

The FTC has published guidance on lessons learned from previous enforcement actions and recommendations for cybersecurity teams building out information security programs. Lawyers and cybersecurity teams responsible for overseeing the cybersecurity practices of sports venues can review the FTC’s Start with Security: A Guide for Business, which compiles lessons learned from previous cybersecurity enforcement actions. The FTC’s staff report on facial recognition also provides recommendations for best practices for using facial recognition technologies, including data security. Sports venues may take note of these lessons and recommendations to ensure comprehensive information security programs are in place to protect sensitive personal information.

While facial recognition technology offers many benefits, it also presents high cybersecurity and legal risks. The FTC has taken a firm stance on the necessity for companies to implement appropriate security measures and has brought enforcement actions against companies that failed to protect consumer personal information. As illustrated in the above matters, what constitutes appropriate security measures varies on a case-by-case basis. A proactive approach towards cybersecurity aims to prevent data breaches and retain the trust of those most admired by sports properties—the fans.

"The opinions expressed in this blog are solely those of the author and do not reflect the views of any organization or entity. This blog is not intended to provide legal advice, and no attorney-client relationship is formed by reading or relying on its contents. Readers should not act upon any information in this blog without seeking professional counsel from a qualified attorney licensed in their jurisdiction."

[1] A deepfake is an image or recording that has been convincingly altered and manipulated to misrepresent someone as doing or saying something that was not actually done or said. See Deepfake, Merriam-Webster Dictionary, https://www.merriam-webster.com/dictionary/deepfake.
