[BreachExchange] The agency that stepped up: Federal Trade Commission

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 23 20:17:59 EDT 2016


http://www.scmagazine.com/the-agency-that-stepped-up-federal-trade-commission/article/398544/

Call them the data breach police. The Federal Trade Commission (FTC), once
known primarily for chasing down flimflammers and makers of shoddy
products, has transformed itself into the primary enforcer of federal law
and regulations surrounding consumer privacy issues. Even as huge
cybercrimes at Target, Home Depot and Sony Pictures Entertainment dominate
the headlines, ongoing FTC legal actions aimed at companies like LabMD and
Wyndham Worldwide Corp. – where federal courts greenlighted the agency's
enforcement authority over data breaches – may ultimately prove far more
important in establishing standards for private sector protection of
consumer privacy and the penalties for the failure to do so. It comes as no
surprise that President Obama, in a preview of his State of the Union
address, chose to announce his proposal of a national data breach law in a
speech at the FTC, in which he praised the agency's efforts.

If the FTC commissioners have their way, enterprises can expect the agency
to assert itself still further in data security matters. “This is where we
have seen consumers express concern,” says Maneesha Mithal, associate
director, division of privacy and identity protection at the commission.
“Identity theft has been the number one complaint we have received over the
last decade.” She shrugs off business complaints – made perhaps most
forcefully in the Wyndham case – that the FTC hasn't given sufficient
guidance to companies trying to stay on the right side of the law. She
cites numerous documents as evidence, in particular, a major report on
privacy concerns in the Internet of Things (IoT). FTC commissioners and
staffers are often speakers at IT and security industry events, because
that's where the CISOs are, she notes.

In any case, interested parties seeking to figure out where the FTC stands
can simply look it up. “We have our 53 settlements in data breach and
privacy cases,” says Mithal. “Every one of them is online.” The agency's
emphasis is on procedures, not IT products or cybersecurity methods, as the
agency avoids being prescriptive about what security technology should be
used. “Companies need to do what is reasonable,” she says.

Yet, even with the documents produced by the FTC and the federal
government's National Institute of Standards and Technology (NIST), it can
still be difficult to meet the FTC's reasonableness standard, says Mike
Lloyd, chief technology officer at RedSeal, a Sunnyvale, Calif.-based
security analytics firm. “The main objection from Wyndham makes a lot of
sense,” he says in a written comment. “What is needed are established
guidelines, so that a company can know whether they are doing what is
agreed, industry-wide, to be appropriate security.”

Soyong Cho, a former staff attorney for the FTC who is now a partner with
K&L Gates, a law firm composed of more than 2,000 lawyers practicing on
five continents, also emphasizes that companies must do more than conform
to procedures that meet the standards of their particular industries. “The
FTC has criticized companies for failing to stay on top of industry
standards,” she says, such as taking adequate steps to protect their data
from common attacks, like SQL injection.

Yet even more explicit FTC guidelines on data security may not get to the
root of the problem, says Eric Chiu, co-founder and president of HyTrust, a
cloud control company with U.S. headquarters in Mountain View, Calif. The
issue, he says, is that “corporations continue to put revenues ahead of
security.” Until that changes, he adds, more stipulations on data and
privacy from the FTC may result in more red tape for companies and higher
costs for consumers.

The proposed federal data privacy law may bring clarity to the situation,
says attorney Paul Paray, a partner at Zimmerman Weiser and Paray, a
Westfield, N.J.-based law firm which specializes in commercial litigation
services. “If the FTC's staff weathers the storm, the adoption of a federal
breach notification law with some baked-in security standards or widespread
adoption of the NIST cybersecurity framework standards – or any other
federal standard yet to be promulgated – may eventually provide the FTC
repellant sought by Wyndham and others,” Paray says.

In the meantime, companies have to adjust themselves to the reality that
the FTC's authority is decisive for now. While big corporations have
adapted by beefing up privacy protection and bringing on board specialized
legal counsel, smaller outfits hoping to make it big in the latest tech
boom may be surprised that they have obligations to meet the FTC's consumer
protection standards, too. “If you are a small mobile app developer working
in a garage, you may not have heard of the FTC,” says Mithal.

For smaller players and big companies alike, the key to avoiding running
afoul of the FTC is planning for privacy protection while products and
services are still in the planning stages – what FTC Chairwoman Edith
Ramirez calls “security by design.”

Gary Kibel, an attorney at Davis & Gilbert, a New York-based law
firm, agrees. “It is hard to remedy those issues after the fact,” he says.
“You are potentially already collecting data under a flawed model.” He adds
that the potential liability is “very significant.”

With limited capacity, the FTC has been forced to choose its targets
carefully with the apparent aim of disciplining the tech industry as a
whole. High-profile actions in 2012 ranged from a $22.5 million penalty
paid by Google to settle charges that it misrepresented privacy to some
users, to a fine-free do-over for Facebook that compelled the social media
giant to obtain consent for sharing information beyond privacy settings.

Google could shrug off a penalty that amounts to a rounding error in the
company's $50 billion in revenue that year. Nevertheless, the FTC's actions
against other companies, particularly in the retail and customer service
sectors, are systematically reshaping the ways in which those businesses
collect and safeguard customer data, says Tom Smedinghoff, a partner at
Edwards Wildman Palmer, a law firm with 16 offices worldwide. A milestone,
he says, came in 2005 when retailer BJ's Wholesale Club reached a consent
agreement with the FTC that the company violated the law even though it
made no explicit representation about, or promise to protect, customer
privacy. Essentially, the FTC commissioner's decision was that “a failure
to provide reasonable security is an unfair business practice and they
started bringing cases on that basis,” Smedinghoff says.

Eduard Goodman, chief privacy officer at IDT911 (Identity Theft 911), a
Scottsdale, Ariz.-based provider of identity protection solutions, agrees.
The FTC's message in the BJ's Wholesale case was, “listen, you are a big
retailer, and consumers have an expectation that their data will be
protected,” he says. The FTC's direction ever since is that this
requirement is part of data protection, he says.

The BJ's Wholesale decision, along with state laws protecting data privacy
and security passed in the last decade, has created a fairly clear picture
governing the protection of consumer data and personally identifying
information, says Smedinghoff. “Step back from all the state laws, court
cases and FTC decisions, and a pattern starts to emerge – or a trend –
saying that all companies have some level of data security obligation,” he
says. “At the end of the day, the obligations here may be stronger than
they are in the European Union. There is just no one place to look at to
come to those conclusions.”

Marcus Christian, a partner with Mayer Brown, a legal services provider,
makes a similar point – and credits the FTC for driving the data protection
legislative agenda at the state level and giving cues to federal law
enforcement. A former Congressional staffer and federal prosecutor who now
advises companies on how to secure their data and meet FTC guidelines,
Christian has engaged with the agency in all three roles. It was the FTC,
he says, that spotted the trends that helped law enforcement determine that
South Florida was a hot spot for identity theft.

His conclusion: “You haven't had any other federal agency that has had such
broad authority and that has been doing this for so long.” Whatever the
fate of federal data privacy protection legislation, the FTC's imprint on
data security practices appears likely to last.

________________________________

FTC: A brief history

The FTC's unexpected role as top cybercop developed nearly a century after
its creation in 1915 during the Woodrow Wilson administration, a few years
after Upton Sinclair's novel The Jungle shocked the country with its exposé
of unsanitary and unsafe conditions in the meatpacking industry. A product
of Progressive Era reforms, the FTC was charged with exposing fraud and
deceptive business practices and challenging anticompetitive business
mergers. The New Deal of the 1930s gave the FTC much greater prominence, as
President Franklin Roosevelt personally laid the cornerstone for the FTC
headquarters in 1937. Typical FTC actions for that era concerned overpriced
mattresses, poorly made perfumes and badly manufactured underwear.

Thirty years later, the FTC's enforcement capabilities were found wanting
by consumer advocate Ralph Nader, whose band of researchers embedded
themselves into the agency and found it unwilling to push back against
fraud and deception in business. The agency revived its potency in the
1970s as consumer groups established themselves in Washington. But the
pro-business forces dominant in Washington since the 1980s left the FTC
unable to meet the challenges posed by the digital revolution, both in
terms of technology and the number of legal personnel, critics say. In a
2012 article for the investigative reporting organization ProPublica,
journalist Peter Maass concluded that “the agency is like a runner with two
sprained ankles, because in addition to its narrow legal power, it has a
surprisingly small staff to pursue its legal cases.” Soon after this report
was published, the FTC was hit with $16 million in budget cuts in fiscal
year 2013 as the result of the federal budget sequester.

Despite those constraints, the FTC has forged ahead in its attempt to bring
order to the tussle between privacy campaigners and Big Data-fueled
companies out to turn consumer information into targeted marketing. Many
Obama-era FTC personnel have been recruited from the ranks of nonprofits
and consumer groups. Moreover, the work of the FTC's latest chief
technologist, Ashkan Soltani, has focused on privacy and security issues
for more than 20 years.