FTC Speaks On Cybersecurity, How Data Security Policy Should Be Handled

September 22, 2014

Last week, as the keynote speaker at the Center for Strategic and International Studies’ event about the role of independent agencies in cybersecurity, FTC Commissioner Julie Brill discussed the FTC’s current efforts to enforce sound cyber and data security practices in the commercial sector, and the challenges the Commission faces as data-driven apps and technologies grow more prevalent.

The Commission’s primary means of recommending and enforcing reasonable behavior in the data security space is through the authority granted by section 5 of the FTC Act, which allows it to stop unfair or deceptive acts or practices. With unfair practices, the FTC brings a case when a particular company’s data security practices caused, or were likely to cause, a substantial injury that consumers could not reasonably avoid and were not outweighed by benefits to consumers or competition. In the case of deceptive acts, the FTC brings cases when it believes a company has failed to support a promise to keep information secure with reasonable and appropriate processes.

Through settlements and guidance informed by the last decade of data security cases, the Commission has developed reasonable security practices that, importantly, companies should implement in a manner appropriate for their business. Companies should, at minimum: do a risk assessment; minimize the personal information they hold about consumers to what is necessary to fulfill legitimate business needs; implement technical and physical safeguards; train employees in the handling of personal information; and have a response plan for data security incidents.

Commissioner Brill highlighted several recent cases where the FTC has used section 5 to bring enforcement actions for data security breaches or procedural lapses in the mobile and health information sectors. In the mobile context, the FTC brought actions against Credit Karma and Fandango for flawed implementations of the SSL data encryption protocol, and against Snapchat for misrepresenting the degree of ephemerality of users’ messages and potentially exposing consumers’ mobile numbers. With respect to health information, the FTC announced a settlement with Accretive Health that resulted from the theft of an unencrypted laptop (holding health information of 23,000 patients) from an employee’s car. The company’s failure to train employees, limit the amount of data stored on portable devices, and implement reasonable security safeguards provided the underlying rationale for the FTC’s action.

While the FTC’s adaptive use of existing enforcement tools in these contexts is commendable, the ever-increasing number of connected devices and the emergence of big data tools make it unlikely that the Commission’s enforcement efforts will be able to keep up with the concomitant level of data breaches. In fact, Verizon’s latest data breach report shows nearly 1,400 breaches for 2013. Unfortunately, FTC staff can only investigate hundreds of them, and the Commission has brought just 53 cases under section 5.

Commissioner Brill’s speech was forward-looking and realistic. She recognized the limitations of the FTC’s enforcement capabilities in the face of the exponential increase in the production and collection of consumer data, and emphasized that the FTC would need more authority from Congress to better respond to these changes in the data security landscape.

In addition to using its enforcement tools to target truly bad actors with systematic process failings, the Commission must look to its aforementioned policy tools for setting bounds of reasonable behavior by companies that are sufficiently flexible for innovative business models to thrive. Most importantly, it should seek to work with industry and consumer advocates in a multistakeholder process to develop these guidelines, and establish safe harbors for companies that certify compliance. Lastly, the Commission should encourage opportunities for industry self-regulation to fill growing gaps in oversight, and promote a federal data breach notification standard to preempt the burdensome patchwork of state laws.
