The Federal Trade Commission (FTC) has brought 52 enforcement actions involving data breaches. Fifty of those businesses, whose computer systems were illegally accessed by hackers, settled rather than fight FTC’s accusations that they acted “deceptively” or “unfairly” under § 5 of the FTC Act. And yet, the data breaches just keep on coming, with unlawful intrusions on Home Depot’s payment-card processing system and the federal HealthCare.gov website occurring just this past week. It’s high time the Commission utilized tools at its disposal aside from the enforcement hammer to address data security.
WLF is not the only organization advancing this notion. On March 25, 2014, Consumer Action, Consumer Federation of America, National Consumer League, and the Privacy Rights Clearinghouse wrote FTC Chairwoman Edith Ramirez, asking the Commission to “convene a public forum, bringing stakeholders together to discuss strategies for combating the growing threat of data breaches.”
FTC Commissioners routinely note in public statements that in addition to enforcement and advocacy, the Commission protects consumers and competition through education and information sharing. Public forums, workshops, and other events of the type the consumer groups sought in their letter have long been an integral part of FTC’s “educate and inform” function. Such events educate not only the public, but also the Commission and its staff.
In a prepared statement provided to the Senate Committee on Homeland Security and Governmental Affairs on April 2—just one week after receiving the consumer groups’ letter—Chairwoman Ramirez referenced some FTC policy initiatives and business guidance related to data security. The workshops she referenced though, such as those on privacy, the “Internet of Things,” and mobile device security, at best touched on data security only collaterally. She also touted the Commission’s “Protecting Personal Information: A Guide for Businesses,” but failed to note that FTC issued the guidance in 2011.
The Commission has focused considerable resources and attention on data privacy, holding 16 public forums and workshops on an issue where the majority of consumer harms are not actual, but speculative. FTC’s senior staff maintains that focus when making presentations to regulated entities. For instance, Bureau of Consumer Protection Director Jessica Rich spoke just last week at the Email Sender and Provider Coalition’s annual meeting on “The FTC’s Big Data Message: Privacy is Fundamental.” Ms. Rich spent a good bit of time on Commission policy initiatives, none of which address data security. Given the very tangible harms threatened by data breaches, we agree with the consumer activists, who urged in their letter, “This is no longer an issue that can be limited to discussion among cybersecurity experts.”
Ironically, the Commission’s predominant approach when it comes to data security—enforcement—undermines what minimal education and guidance work it has pursued. FTC and its defenders in academia claim that the complaints, consent orders, and Commissioner statements arising from the Commission’s dozens of unfairness actions comprise a body of data security “common law” to which businesses can conform. But FTC complaints and consent orders apply only to each targeted company and their unique situation, and they are not binding on third parties. The orders routinely point to a large number of factors which, taken together, violate the FTC Act but which, taken individually or in some combination, may not. The orders leave third-party businesses in the dark as to which factors are most critical or which “failures” were fatal to the settling entity. Such resolutions are not useful guidance or fair notice in any sense of either concept.
While we do question the FTC’s authority to bring data security enforcement actions under FTC Act § 5, we don’t doubt its good intentions. But the Commission can more effectively protect consumers from data breach harms by being a facilitator of discussion and debate, convening experts to describe the latest threats and tools so that companies and consumers can learn the latest state of play on data security.
Also published at WLF’s Forbes.com contributor site