The Federal Trade Commission doesn’t investigate every reported breach, but when it comes to prosecuting data security cases it has an impressive 70 percent closure rate, according to agency officials.
FTC Commissioner Maureen Ohlhausen shed light on the agency’s approach to enforcing data security in a keynote address for a panel titled Federal Online Data Security Regulation: Where Are We Going? which was held Tuesday at the Heritage Foundation in D.C.
“We don’t formally investigate every breach, as that would be hundreds of cases each year…” Ohlhausen said, “but for matters where we do open an investigation, we end up closing approximately 70 percent.”
Ohlhausen elaborated that usually when the FTC does close a case, it’s because the agency has deemed the company’s security either reasonable or good, adding that in today’s rapidly evolving, technological world, “reasonableness” is key.
“The touchstone of our data security enforcement is reasonableness,” Ohlhausen said “A company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operation, and the cost of available tools to improve security and reduce vulnerabilities.”
To date, Ohlhausen claims the FTC has brought in and settled almost 60 cases involving data security issues. While some of the earliest cases were brought as deception cases – companies misleading consumers about their data security practices – most of the cases were brought under Section 5 of the Federal Trade Commission Act, which prohibits deceptive acts or practices.
Ohlhausen told the audience that the agency is still trying to determine exactly how it interprets standards, particularly the Payment Card Industry Data Security Standard, or PCI-DSS, though. The standard, designed to regulate controls around credit card data to reduce fraud, has been around since 2004, but gone through a series of corrections an revisions over the years, the most recent coming in April.
“When evaluating reasonable security what weight should the FTC give to industry standards and to PCI-DSS in particular?” Ohlhausen asked the crowd.
Ohlhausen, who stressed before her keynote her talk wouldn’t necessarily reflect the views of the FTC, admitted the agency’s data security program isn’t perfect. How the PCI-DSS standard is interpreted by the the Commission has been a bone of contention for Ohlhausen.
In late 2015, despite her dissent, the Commission found that PCI certification was not enough to demonstrate reasonable security when it came to an incident involving identity theft protection company LifeLock.
The company has been under order with the FTC since it settled a complaint in 2010 accusing the company of overblown advertising claims. In December it agreed to pay a $100 million fine after the FTC filed contempt charges that it failed to implement and maintain a data security program.
Ohlhausen claims LifeLock held PCI certifications from third party certifiers during the relevant period and believes that should have counted for something.
“Given these certifications and other evidence I believe the record lacked clear and convincing evidence — which is the relevant standard for a contempt proceeding — that LifeLock failed to maintain a comprehensive data security program.”
Ohlhausen dissented from the complaint and settlement (.PDF) at the time, acknowledging the Commission lacked evidence of a breach, and is still convinced the FTC went about the situation the wrong way.
It’s for that reason she claims that the agency is working to learn more about PCI-DSS. She told attendees the FTC has already issued orders to nine PCI certification companies requesting information on how they carry out audits, and that its seeking detailed information about the assessment process used by PCI-DSS certification companies.
Ohlhausen is hopeful the PCI-DSS study will give the FTC a better understanding of the standard and provide them with additional guidance going forward.
She also claimed that if given the opportunity, she would support legislation around the creation of a nationwide data breach notification law, adding that it could simplify compliance for businesses and streamline consumer notifications so conflicting notices do not overwhelm them.
The FTC and the FCC have scuffled, especially of late, over each others jurisdiction to privacy. The FCC reclassified broadband last year as a common carrier service and proposed privacy and data security rules that would only apply to broadband ISPs. In response the FTC suggested the FCC’s proposal would overprotect some information and under protect other information. It argued in a bipartisan 36-page comment at the end of May that the FCC should tweak how it defines identifiable information. The letter also calls into question the FCC’s proposed regulations around data security, breach notifications, and how consumer notice and choice plays a role in business practices.
One of the most recent privacy cases handled by the FTC was settled last week. The mobile advertising firm InMobi will pay $950,000 in civil penalties after it was found tracking customers, children included, without consent. The company was initially asked to pay $4 million but that figure was reduced to $950K because of the “company’s financial condition.”