Call them the data breach police. The Federal Trade Commission (FTC), once known primarily for chasing down flimflammers and makers of shoddy products, has transformed itself into the primary enforcer of federal law and regulations surrounding consumer privacy issues. Even as huge cybercrimes at Target, Home Depot and Sony Pictures Entertainment dominate the headlines, ongoing FTC legal actions aimed at companies like LabMD and Wyndham Worldwide Corp. – where federal courts greenlighted the agency's enforcement authority over data breaches – may ultimately prove far more important in establishing standards for private sector protection of consumer privacy and the penalties for the failure to do so. It comes as no surprise that President Obama, in a preview of his State of the Union address, chose to announce his proposal of a national data breach law in a speech at the FTC, in which he praised the agency's efforts.
If the FTC commissioners have their way, enterprises can expect the agency to assert itself still further in data security matters. “This is where we have seen consumers express concern,” says Maneesha Mithal, associate director, division of privacy and identity protection at the commission. “Identity theft has been the number one complaint we have received over the last decade.” She shrugs off business complaints – made perhaps most forcefully in the Wyndham case – that the FTC hasn't given sufficient guidance to companies trying to stay on the right side of the law. She cites numerous documents as evidence, in particular, a major report on privacy concerns in the Internet of Things (IoT). FTC commissioners and staffers are often speakers at IT and security industry events, because that's where the CISOs are, she notes.
In any case, interested parties seeking to figure out where the FTC stands can simply look it up. “We have our 53 settlements in data breach and privacy cases,” says Mithal. “Every one of them is online.” The agency's emphasis is on procedures rather than on IT products or cybersecurity methods; it avoids being prescriptive about what security technology should be used. “Companies need to do what is reasonable,” she says.
Yet, even with the documents produced by the FTC and the federal government's National Institute of Standards and Technology (NIST), it can still be difficult to meet the FTC's reasonableness standard, says Mike Lloyd, chief technology officer at RedSeal, a Sunnyvale, Calif.-based security analytics firm. “The main objection from Wyndham makes a lot of sense,” he says in a written comment. “What is needed are established guidelines, so that a company can know whether they are doing what is agreed, industry-wide, to be appropriate security.”
Soyong Cho, a former staff attorney for the FTC who is now a partner with K&L Gates, a law firm composed of more than 2,000 lawyers practicing on five continents, also emphasizes that companies must do more than conform to procedures that meet the standards of their particular industries. “The FTC has criticized companies for failing to stay on top of industry standards,” she says, such as taking adequate steps to protect their data from common attacks, like SQL injection.
Yet even more explicit FTC guidelines on data security may not get to the root of the problem, says Eric Chiu, co-founder and president of HyTrust, a cloud control company with U.S. headquarters in Mountain View, Calif. The issue, he says, is that “corporations continue to put revenues ahead of security.” Until that changes, he adds, more stipulations on data and privacy from the FTC may result in more red tape for companies and higher costs for consumers.
The proposed federal data privacy law may bring clarity to the situation, says attorney Paul Paray, a partner at Zimmerman Weiser and Paray, a Westfield, N.J.-based law firm which specializes in commercial litigation services. “If the FTC's staff weathers the storm, the adoption of a federal breach notification law with some baked-in security standards or widespread adoption of the NIST cybersecurity framework standards – or any other federal standard yet to be promulgated – may eventually provide the FTC repellant sought by Wyndham and others,” Paray says.