Call them the data breach police. The Federal Trade Commission (FTC), once known primarily for chasing down flimflammers and makers of shoddy products, has transformed itself into the primary enforcer of federal law and regulations surrounding consumer privacy issues. Even as huge cybercrimes at Target, Home Depot and Sony Pictures Entertainment dominate the headlines, ongoing FTC legal actions aimed at companies like LabMD and Wyndham Worldwide Corp. – where federal courts greenlighted the agency's enforcement authority over data breaches – may ultimately prove far more important in establishing standards for private sector protection of consumer privacy and the penalties for the failure to do so. It comes as no surprise that President Obama, in a preview of his State of the Union address, chose to announce his proposal of a national data breach law in a speech at the FTC, in which he praised the agency's efforts.
If the FTC commissioners have their way, enterprises can expect the agency to assert itself still further in data security matters. “This is where we have seen consumers express concern,” says Maneesha Mithal, associate director, division of privacy and identity protection at the commission. “Identity theft has been the number one complaint we have received over the last decade.” She shrugs off business complaints – made perhaps most forcefully in the Wyndham case – that the FTC hasn't given sufficient guidance to companies trying to stay on the right side of the law. She cites numerous documents as evidence, in particular, a major report on privacy concerns in the Internet of Things (IoT). FTC commissioners and staffers are often speakers at IT and security industry events, because that's where the CISOs are, she notes.
In any case, interested parties seeking to figure out where the FTC stands can simply look it up. “We have our 53 settlements in data breach and privacy cases,” says Mithal. “Every one of them is online.” The agency's emphasis is on procedures, not IT products or cybersecurity methods, as the agency avoids being prescriptive about what security technology should be used. “Companies need to do what is reasonable,” she says.
Yet, even with the documents produced by the FTC and the federal government's National Institute of Standards and Technology (NIST), it can still be difficult to meet the FTC's reasonableness standard, says Mike Lloyd, chief technology officer at RedSeal, a Sunnyvale, Calif.-based security analytics firm. “The main objection from Wyndham makes a lot of sense,” he says in a written comment. “What is needed are established guidelines, so that a company can know whether they are doing what is agreed, industry-wide, to be appropriate security.”
Soyong Cho, a former staff attorney for the FTC who is now a partner with K&L Gates, a law firm composed of more than 2,000 lawyers practicing on five continents, also emphasizes that companies must do more than conform to procedures that meet the standards of their particular industries. “The FTC has criticized companies for failing to stay on top of industry standards,” she says, such as taking adequate steps to protect their data from common attacks, like SQL injection.
Yet even more explicit FTC guidelines on data security may not get to the root of the problem, says Eric Chiu, co-founder and president of HyTrust, a cloud control company with U.S. headquarters in Mountain View, Calif. The issue, he says, is that “corporations continue to put revenues ahead of security.” Until that changes, he adds, more stipulations on data and privacy from the FTC may result in more red tape for companies and higher costs for consumers.
The proposed federal data privacy law may bring clarity to the situation, says attorney Paul Paray, a partner at Zimmerman Weiser and Paray, a Westfield, N.J.-based law firm which specializes in commercial litigation services. “If the FTC's staff weathers the storm, the adoption of a federal breach notification law with some baked-in security standards or widespread adoption of the NIST cybersecurity framework standards – or any other federal standard yet to be promulgated – may eventually provide the FTC repellant sought by Wyndham and others,” Paray says.
In the meantime, companies have to adjust themselves to the reality that the FTC's authority is decisive for now. While big corporations have adapted by beefing up privacy protection and bringing on board specialized legal counsel, smaller outfits hoping to make it big in the latest tech boom may be surprised that they have obligations to meet the FTC's consumer protection standards, too. “If you are a small mobile app developer working in a garage, you may not have heard of the FTC,” says Mithal.
For smaller players and big companies alike, the key to avoiding running afoul of the FTC is planning for privacy protection while products and services are still in the planning stages – what FTC Commission Chairwoman Edith Ramirez calls “security by design.”
Gary Kibel, an attorney at Davis & Gilbert, a New York-based law firm, agrees. “It is hard to remedy those issues after the fact,” he says. “You are potentially already collecting data under a flawed model.” He adds that the potential liability is “very significant.”
With limited capacity, the FTC has been forced to choose its targets carefully, with the apparent aim of disciplining the tech industry as a whole. High-profile actions in 2012 ranged from a $22.5 million penalty paid by Google to settle charges that it misrepresented privacy to some users, to a fine-free do-over for Facebook that compelled the social media giant to obtain consent for sharing information beyond privacy settings.
Google could shrug off a penalty that amounts to a rounding error in the company's $50 billion in revenue that year. Nevertheless, the FTC's actions against other companies, particularly in the retail and customer service sectors, are systematically reshaping the ways in which those businesses collect and safeguard customer data, says Tom Smedinghoff, a partner at Edwards Wildman Palmer, a law firm with 16 offices worldwide. A milestone, he says, came in 2005 when retailer BJ's Wholesale Club reached a consent agreement with the FTC that the company violated the law even though it made no explicit representation about, or promise to protect, customer privacy. Essentially, the FTC commissioner's decision was that “a failure to provide reasonable security is an unfair business practice and they started bringing cases on that basis,” Smedinghoff says.
Eduard Goodman, chief privacy officer at IDT911 (Identity Theft 911), a Scottsdale, Ariz.-based provider of identity protection solutions, agrees. The FTC's message in the BJ's Wholesale case was, “listen, you are a big retailer, and consumers have an expectation that their data will be protected,” he says. The FTC's direction ever since has been that this requirement is part of data protection, he says.
The BJ's Wholesale decision, along with state laws protecting data privacy and security passed in the last decade, has created a fairly clear picture governing the protection of consumer data and personally identifying information, says Smedinghoff. “Step back from all the state laws, court cases and FTC decisions, and a pattern starts to emerge – or a trend – saying that all companies have some level of data security obligation,” he says. “At the end of the day, the obligations here may be stronger than they are in the European Union. There is just no one place to look at to come to those conclusions.”
Marcus Christian, a partner with Mayer Brown, a legal services provider, makes a similar point – and credits the FTC for driving the data protection legislative agenda at the state level and giving cues to federal law enforcement. A former Congressional staffer and federal prosecutor who now advises companies on how to secure their data and meet FTC guidelines, Christian has engaged with the agency in all three roles. It was the FTC, he said, that spotted the trends that helped law enforcement determine that South Florida was a hot spot for identity theft.
His conclusion: “You haven't had any other federal agency that has had such broad authority and that has been doing this for so long.” Whatever the fate of federal data privacy protection legislation, the FTC's imprint on data security practices appears likely to last.
FTC: A brief history
The FTC's unexpected role as top cybercop developed nearly a century after its creation in 1915 during the Woodrow Wilson administration, a few years after Upton Sinclair's novel The Jungle shocked the country with its exposé of unsanitary and unsafe conditions in the meatpacking industry. A product of Progressive Era reforms, the FTC was charged with exposing fraud and deceptive business practices and challenging anticompetitive business mergers. The New Deal of the 1930s gave the FTC much greater prominence, as President Franklin Roosevelt personally laid the cornerstone for the FTC headquarters in 1937. Typical FTC actions for that era concerned overpriced mattresses, poorly made perfumes and badly manufactured underwear.
Thirty years later, the FTC's enforcement capabilities were found wanting by consumer advocate Ralph Nader, whose band of researchers embedded themselves in the agency and found it unwilling to push back against fraud and deception in business. The agency revived its potency in the 1970s as consumer groups established themselves in Washington. But the pro-business forces dominant in Washington since the 1980s left the FTC unable to meet the challenges posed by the digital revolution, both in terms of technology and the number of legal personnel, critics say. In a 2012 article for the investigative reporting organization ProPublica, journalist Peter Maass concluded that “the agency is like a runner with two sprained ankles, because in addition to its narrow legal power, it has a surprisingly small staff to pursue its legal cases.” Soon after this report was published, the FTC was hit with a $16 million budget cut in fiscal year 2013 as a result of the federal budget sequester.
Despite those constraints, the FTC has forged ahead in its attempt to bring order to the tussle between privacy campaigners and Big Data-fueled companies out to turn consumer information into targeted marketing. Many Obama-era FTC personnel have been recruited from the ranks of nonprofits and consumer groups. Moreover, the FTC's latest chief technologist, Ashkan Soltani, has focused his work on privacy and security issues for more than 20 years.