The Federal Trade Commission (FTC) has taken a proactive and leading role in privacy enforcement and cybersecurity education. One widely viewed resource is its Start with Security guidance issued in 2015, which was based upon fifty FTC enforcement actions and outlined ten principles touching upon the vulnerabilities that can affect companies. As part of the FTC’s ongoing efforts to educate businesses on how to take reasonable steps to protect and secure consumer data, the FTC announced on July 21 that it will publish a series of blog posts as part of a new initiative titled Stick with Security.
Over the next few months, the FTC will publish a business blog post every Friday addressing the ten principles delineated in its Start with Security guidance. The FTC intends to “use a series of hypotheticals to take a deeper dive into steps companies can take to safeguard sensitive data in their possession.” The blog posts will build upon lessons learned from new settlements and litigated cases subsequent to the publication of Start with Security.
In its first blog post, the FTC notes that there are important lessons to be learned from investigations that its staff closed without further action. Among those cases, the FTC has noticed recurring themes in companies’ compliance with the “common sense security fundamentals” in Start with Security, such as effective procedures to train staff, keep sensitive information secure, address vulnerabilities and respond quickly and proactively to new threats. Other themes that have emerged in cases where there is a reported breach but no FTC law enforcement action include:
• There’s more (or less) to the story than meets the eye: As an example, the FTC notes that press reports of a breach may describe the compromise of data but fail to mention that the data was encrypted, which substantially reduces the risk of consumer injury. The FTC notes that often “there may be smoke, but further investigation revealed no fire.”
• Proceeding further wouldn’t be a good use of the FTC’s resources: To make the best use of its resources and of public dollars, the FTC must prioritize the scope of its investigations and the extent of its response.
• The FTC is not the right agency: While the FTC has broad jurisdictional powers over commercial activities in its enforcement of “unfair or deceptive trade practices” violating the FTC Act, there are often several regulators at the federal level who may have oversight authority, including but not limited to the Department of Justice, Department of Health and Human Services, Consumer Financial Protection Bureau, the Federal Communications Commission and the National Highway Traffic Safety Administration. With broad sectoral oversight at the federal level (plus state regulators), the FTC may conclude that it either does not have jurisdiction or another regulator should take the lead in the investigative and remedial actions.
• The risk to data is theoretical: With constantly evolving threats and growing research addressing them, the FTC has to prioritize threats that are realistically exploitable over those that are merely theoretical. The FTC cites the following example: “there may be vulnerability in a mobile device that would take highly sophisticated tools to exploit, and even then, data could be compromised only if the hacker has the consumer’s phone in hand. If that’s the case, we’re more likely to pass on an investigation than proceed.”
We will monitor and report on the FTC’s informative blog postings in furtherance of its Stick with Security initiative.