The Federal Trade Commission (FTC) wants increased power and regulatory authority, including the ability to enforce civil penalties, when it comes to data security.
FTC Chairman Joseph Simons argued before a congressional subcommittee that the FTC does not have all of the authority it needs to address privacy and data security concerns adequately. “The Commission lacks authority over nonprofits and common carrier activity, even though these acts or practices often have serious implications for consumer privacy and data security. Finally, the FTC lacks broad APA rulemaking authority for privacy and data security generally. The Commission continues to reiterate its longstanding bipartisan call for comprehensive data security legislation,” Chairman Simons wrote in his prepared testimony before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Digital Commerce and Consumer Protection.
Since 2002, the FTC has gone after 60 companies that the commission believed had engaged in deceptive or unfair cybersecurity practices or had failed to protect consumer data, the commission wrote in its Privacy & Data Security Update: 2017. Recent cases highlighted in the update include one against a ride-sharing company that allegedly deceived consumers by failing to reasonably secure sensitive consumer data stored in the cloud. In another case, the FTC and 32 U.S. State Attorneys General alleged that “a computer maker sold hundreds of thousands of laptops with a pre-installed ‘man-in-the-middle’ software program called VisualDiscovery that, among other things, created serious security vulnerabilities.”
In another action, the FTC filed a complaint against a computer networking equipment manufacturer, alleging that inadequate security measures taken by the company left its wireless routers and internet cameras vulnerable to hackers. According to the complaint, the networking equipment maker promoted the security of its routers on the company’s website, but the company failed to take steps to address well-known and easily preventable security flaws.
Interestingly, this request for increased authority from the FTC came a little more than a month after a federal appeals court tossed an FTC order that directed a medical testing lab to improve its data security efforts. As healthITSecurity.com reported, “In 2013, the FTC filed a complaint against LabMD for failing to protect the security of consumers' data, including medical information, resulting in data breaches that affected close to 10,000 individuals.”
However, on June 6, 2018, an appeals court ruled that the FTC order against LabMD was unenforceable because it mandated a complete overhaul of LabMD’s data security program while failing to detail how that was to be accomplished. “Moreover, it [the FTC ruling] effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned. We, therefore, grant LabMD’s petition for review and vacate the Commission’s order,” the appeals court wrote.
Legal analysts were quick to point out that the LabMD decision constrains the FTC’s authority to impose broad and comprehensive cybersecurity programs on companies without providing specifics appropriate to the context of the situation. As the law firm Alston & Bird wrote in a blog post titled “LabMD: The End of the FTC in Cyber, or Just a New Path?”: “In our view, though, it would be a mistake to interpret the decision as preventing the FTC from regulating cybersecurity and data privacy. The 11th Circuit indeed recognized the FTC’s authority to do just that. Instead, LabMD requires the FTC to issue orders with greater specificity, depending on the facts of the case, and does not call into question the broader issue of whether the FTC can regulate data security at all.”
The law firm pointed out that it would be a miscalculation to conclude that the FTC no longer has enforcement teeth when it comes to data security. Quite the contrary: “The 11th Circuit’s holding in LabMD must also be considered in light of the Third Circuit’s earlier ruling in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (Third Cir. 2015). There, Wyndham Worldwide’s privacy statement promised its customers that the company would protect their data, including credit card information, using ‘industry standard practices,’ including encryption, firewalls, and other ‘commercially reasonable methods.’ In fact, the company implemented none of these measures. Also, after an initial security breach, the company failed to remediate appropriately, resulting in two more breaches and the compromise of personal information of hundreds of thousands of consumers,” they wrote.
“Rather, read together, the cases show how the individualized circumstances of a security incident inform whether there has been an unfair practice and, thus, the scope of the FTC’s regulatory power to impose remedial measures,” Alston & Bird concluded.
As the Wyndham ruling found, this is especially true when a firm’s stated security efforts do not match reality; in such cases, the FTC can come down hard on deceptive practices. That is, if an organization makes specific privacy or security promises, it had better live up to them.
Whatever the courts have decided, the FTC continues to move forward with its proactive role in information security. “The Commission must continue to prioritize, examine, and address privacy and data security with a fresh perspective. One way in which the agency plans to inform its work is through the recently announced Hearings on Competition and Consumer Protection in the 21st Century, which will begin this fall. The Commission's remedial authority concerning privacy and data security will be a key topic in these hearings, and the comments and discussions on these issues will be one source to inform the FTC's enforcement and policy priorities,” Chairman Simons said.
This is a space well worth watching in the years ahead, especially now that the European Union’s GDPR is in effect and the U.S. must decide over time whether and how to implement similar measures, how such regulations will be enforced, and who will enforce them.