Last week, as the keynote speaker at the Center for Strategic and International Studies’ event about the role of independent agencies in cybersecurity, FTC Commissioner Julie Brill discussed the FTC’s current efforts to enforce sound cyber and data security practices in the commercial sector, and the challenges the Commission faces as data-driven apps and technologies grow more prevalent.
The Commission’s primary means of recommending and enforcing reasonable behavior in the data security space is through the authority granted by section 5 of the FTC Act, which allows it to stop unfair or deceptive acts or practices. With unfair practices, the FTC brings a case when a particular company’s data security practices caused, or were likely to cause, a substantial injury that consumers could not reasonably avoid and were not outweighed by benefits to consumers or competition. In the case of deceptive acts, the FTC brings cases when it believes a company has failed to support a promise to keep information secure with reasonable and appropriate processes.
Through settlements and guidances informed by the last decade of data security cases, the Commission has developed reasonable security practices that, importantly, companies should implement in a manner appropriate for their business. Companies should, at minimum: do a risk assessment; minimize personal information they hold about consumers to what is necessary to fulfill legitimate business needs; implement technical and physical safeguards; train employees in handling of personal information; and have a response plan for data security incidents.
Commissioner Brill highlighted several recent cases where the FTC has used section 5 to bring enforcement actions for data security breaches or procedural lapses in the mobile and health information sectors. In the mobile context, the FTC brought actions against Credit Karma and Fandago for flawed implementations of the SSL data encryption protocol, and Snapchat for misrepresenting the degree of ephemerality of users’ messages and potentially exposing consumers’ mobile numbers. With respect to health information, the FTC announced a settlement with Accretive Health that resulted from the theft of an unencrypted laptop (with health information of 23,000 patients) from an employee’s car. The company’s failure to train employees, limit the amount of data stored portably, and implement reasonable security safeguards provided the underlying rationale for the FTC’s action.
While the FTC’s adaptive use of existing enforcement tools in these contexts is commendable, the ever-increasing number of connected devices and emergence of big data tools makes it unlikely that the Commission’s enforcement efforts will be able to keep up with the concomitant level of data breaches. In fact, Verizon’s latest data breach report shows nearly 1,400 breaches for 2013. Unfortunately, FTC staff can only investigate hundreds, and has brought just 53 cases under section 5.
Commissioner Brill’s speech was forward-looking and realistic. She recognized the limitations of the FTC’s enforcement capabilities in the face of the exponential increase in the production and collection of consumer data, and emphasized that the FTC would need more authority from Congress to better respond to these changes in the data security landscape.
In addition to using its enforcement tools to target truly bad actors with systematic process failings, the Commission must look to its aforementioned policy tools for setting bounds of reasonable behavior by companies that are sufficiently flexible for innovative business models to thrive. Most importantly, it should seek to work with industry and consumer advocates in a multistakeholder process to develop these guidelines, and establish safe harbors for companies that certify compliance. Lastly, the Commission should encourage opportunities for industry self-regulation to fill growing gaps in oversight, and promote a federal data breach notification standard to preempt the burdensome patchwork of state laws.