The existence of policies and procedures surrounding the implementation of a business strategy is a hallmark of maturity within a company’s growth. When insiders make business decisions that violate the law, or those policies, the potential for increased risk to the business is present. We see this most often when individuals in positions of trust violate policy or procedural constraints, whether on purpose (theft) or accidentally (human error), and data goes missing or flies out the door into the public domain.

A recent settlement order, dated March 3, between the Federal Trade Commission (FTC) and Weight Watchers International and its wholly owned subsidiary Kurbo demonstrates what may occur if those insiders evolve a business model that ignores the law. Weight Watchers and Kurbo agreed to pay a fine of $1.5 million, delete information “illegally collected from children under 13,” and “destroy any algorithms derived from the data.”

Self-inflicted wounds, lost intellectual property

In 2017, Volkswagen made a business decision to cheat U.S. emissions tests, was fined $4.3 billion, was forced to buy back millions of vehicles, and found six of its employees indicted. The business decision of Kurbo/Weight Watchers also has consequences. At this time the consequences affect the business. Whether the Department of Justice (DOJ) will pursue criminal charges against personnel has not yet been determined.

DTEX Systems SVP engineering and cyber intelligence, Raj Koo, observes that he has never seen an instance where a company agrees to destroy its intellectual property as part of a settlement with the government. “This settlement carries with it a significant audit trail,” he says.

DTEX’s director, security and business intelligence, Armaan Mahbod, says, “The world is shifting; we can expect to see more of this.” Mahbod notes that as EU and U.S. data protection laws continue to evolve in the direction of individual control over their information, “more transparency in the life of data retention and the right to be forgotten will be the norm.”

Kurbo’s violation of COPPA

According to the FTC, Kurbo focused its marketing efforts on children under the age of 13 in direct violation of the Children’s Online Privacy Protection Act (COPPA). In 2014 Kurbo (then an independent entity) began marketing a “weight management and tracking service designed for use by children ages eight and older, teenagers and families.” In 2018, Weight Watchers acquired Kurbo and rebranded the Kurbo offering targeting children as young as eight. The court documents show that from 2014 through February 2020, over 279,500 people used Kurbo and at least 18,600 were children under the age of 13.

Kurbo’s app solicited personal identifying information (PII) from registered users, such as name, sex, date of birth, weight, height, phone number, food intake, and activity level on an ongoing basis. Prior to August 2021, data on users, even defunct users, was retained indefinitely. In August 2021, the policy was adjusted and a child’s data was retained for three years, or until a parent requested that it be deleted.

The DOJ complaint of February 16, 2022, requested that Kurbo/Weight Watchers be permanently enjoined and given a monetary civil penalty. FTC Chair Lina M. Khan commented on the settlement, “Weight Watchers and Kurbo marketed weight management services for use by children as young as eight, and then illegally harvested their personal and sensitive health information. Our order against these companies requires them to delete their ill-gotten data, destroy any algorithms derived from it, and pay a penalty for their lawbreaking.”

Destruction of algorithms part of Kurbo’s settlement

Kurbo, it would appear, opted early on to ignore COPPA, then strategized how to circumvent the law created to protect minors. The fact that the entity agreed to destroy its own intellectual property speaks volumes, and in fact, may turn out to be more damaging than the monetary fine that the company agreed to pay. As the algorithms were created, one would presume they were market-differentiating to engage with users over the age of 13.

Kurbo and Weight Watchers are required to submit a compliance report after one year to the FTC. Additionally, the company has agreed to significant administrative oversight. For a period of ten years, they must create certain records as directed by the FTC and retain those records for a period of five years. These records include personnel records of each person providing services (employee or otherwise), records necessary to demonstrate full compliance, all consumer complaints, and copies of all marketing information, including screenshots.

Koo’s advice to all companies: “How well a company communicates their policies and ensuring review of the code development lifecycle is key” to ensuring companies minimize their risk of running afoul of data protection laws.