Modern field guide to security and privacy

Why industry groups are wary of stronger FTC cybersecurity oversight

With a court ruling reaffirming the Federal Trade Commission's ability to police corporate cybersecurity practices, and Congress considering giving the agency more power, industry groups are now concerned about overregulation.

Alex Brandon/AP/File
The Federal Trade Commission building in Washington on Wednesday, Jan. 28, 2015. The nation's largest prepaid mobile provider, TracFone Wireless, will pay $40 million to settle government claims that it misled millions of smartphone customers with promises of unlimited data service. The FTC said that TracFone's advertising promised unlimited data, but the company then drastically slowed down consumers' data speeds, a practice known as throttling, when they had used a certain amount of data within a 30-day period. In some cases, the FTC said, the company cut off customers' data service when they ran over the limit. (AP Photo/Alex Brandon)

With a federal appeals court this week reaffirming the Federal Trade Commission's regulatory authority over corporate data security practices, the question now becomes: Just how powerful will the agency become in overseeing matters of privacy and cybersecurity?

Congress is already considering several bills that could expand the role of the FTC to police corporate cybersecurity, and President Obama’s draft Consumer Privacy Bill of Rights Act would also give the agency more power over industry.

Now, many industry groups are worried that at a time when corporations are dedicating more money and resources to protect data from criminal hackers, they'll also face more regulatory oversight and hefty fines from the government for data security practices.

"We are concerned that Monday’s decision will exacerbate the unfortunate trend over the last 10 years of ad hoc litigation and overregulation when it comes to cybersecurity,” said Steven Lehotsky, vice president and chief counsel for regulatory litigation at the US Chamber Litigation Center.

On Monday, the Third Circuit Court of Appeals ruled that the FTC has the authority to regulate corporate cybersecurity practices. The hotel chain Wyndham Worldwide had earlier challenged that authority after the FTC sued it for a series of data breaches in 2008 and 2009 that exposed personal data on some 619,000 of its customers and caused $10.6 million in fraudulent charges.

The FTC claimed that Wyndham's failure to adequately protect consumer data constituted an unfair practice, and that its privacy policy was deceptive. The agency has brought dozens of similar lawsuits against companies that have suffered data breaches over the last 10 years, and almost all of them have been settled quietly.

With some, the FTC has managed to extract consent decrees involving hefty fines, lengthy mandatory monitoring, and third-party audits of their security practices.

Yet, American businesses are already frequent victims of data breaches and are under pressure to bolster cybersecurity, said Mr. Lehotsky. "However, excessive enforcement by agencies relying on decades-old laws that were not meant to address cybersecurity is not the solution to that national security problem."

Even so, a growing number of consumer advocacy groups, security experts, and technology leaders have come to view such FTC enforcement actions as vital to fostering a greater sense of corporate responsibility for protecting consumer data.

Many have lauded the FTC for taking on the role of the nation’s top cybersecurity cop while Congress has struggled to pass some kind of federal cybersecurity legislation.

"The decision in FTC v. Wyndham just reaffirms that the FTC's authority to enforce 'fair practices' extends to privacy practices," said John Pescatore, director of emerging security threats at the SANS Institute, a cybersecurity training organization.

But using the ruling as a basis to try to expand the FTC's cybersecurity authorities is a bad idea, he said. "I would much rather see the Consumer Product Safety Commission make sure products are built with 'cybersafety' in mind, for example," said Mr. Pescatore. "There is no need for agencies to reach outside of their defined areas of responsibility and there is no reason for everything related to cybersecurity to be in one place."

Still, other industry groups have grown to accept the FTC's existing authority, said Matthew Starr, director of public advocacy at the Computing Technology Industry Association (CompTIA). "What we have been opposed to in the past is giving them additional authority for additional rule-making."

Any move that would allow the FTC to start defining terms, changing definitions, and establishing new measures would be troubling, he said.

Other federal agencies have followed the FTC's example and begun enforcing cybersecurity rules on organizations under their authority.

For example, Mr. Starr pointed to the Federal Communications Commission's recent initiative to draft cybersecurity recommendations for communications providers and its plans to enforce security rules.

It's a troubling trend, he said. “There is concern about being regulated by multiple agencies implementing different standards."
