Why industry groups are wary of stronger FTC cybersecurity oversight

With a court ruling reaffirming the Federal Trade Commission's ability to police corporate cybersecurity practices, and Congress considering giving the agency more power, industry groups are now concerned about overregulation.

The Federal Trade Commission building in Washington on Wednesday, Jan. 28, 2015. The nation's largest prepaid mobile provider, TracFone Wireless, will pay $40 million to settle government claims that it misled millions of smartphone customers with promises of unlimited data service. The FTC said that TracFone's advertising promised unlimited data, but the company then drastically slowed down consumers' data speeds, a practice known as throttling, when they had used a certain amount of data within a 30-day period. In some cases, the FTC said, the company cut off customers' data service when they ran over the limit. (AP Photo/Alex Brandon)

Alex Brandon/AP/File

August 28, 2015

With a federal appeals court this week reaffirming the Federal Trade Commission's regulatory authority over data security practices, the question now becomes: Just how powerful will the agency become in overseeing matters of privacy and cybersecurity?

Congress is already considering several bills that could expand the role of the FTC to police corporate cybersecurity, and President Obama’s draft Consumer Privacy Bill of Rights Act would also give the agency more power over industry.

Now, many industry groups are worried that at a time when corporations are dedicating more money and resources to protect data from criminal hackers, they'll also face more regulatory oversight and hefty fines from the government for data security practices.


"We are concerned that Monday’s decision will exacerbate the unfortunate trend over the last 10 years of ad hoc litigation and overregulation when it comes to cybersecurity,” said Steven Lehotsky, vice president and chief counsel for regulatory litigation at the US Chamber Litigation Center.

On Monday, the Third Circuit Court of Appeals ruled that the FTC has the authority to regulate corporate cybersecurity practices. The hotel chain Wyndham Worldwide had earlier challenged that authority after the FTC sued it for a series of data breaches in 2008 and 2009 that exposed personal data on some 619,000 of its customers and caused $10.6 million in fraudulent charges.

The FTC claimed that Wyndham’s failure to adequately protect consumer data constituted an unfair practice and that its privacy policy was deceptive. The agency has brought dozens of similar lawsuits against companies that have suffered data breaches over the last 10 years and almost all of them have been settled quietly.

In some cases, the FTC has managed to extract consent decrees involving hefty fines, lengthy mandatory monitoring, and third-party audits of the companies' security practices.

Yet, American businesses are already frequent victims of data breaches and are under pressure to bolster cybersecurity, said Mr. Lehotsky. "However, excessive enforcement by agencies relying on decades-old laws that were not meant to address cybersecurity is not the solution to that national security problem."


Even so, a growing number of consumer advocacy groups, security experts, and technology leaders have come to view such FTC enforcement actions as vital to fostering a greater sense of responsibility among corporations to protecting consumer data.

Many have lauded the FTC for taking on the role of the nation’s top cybersecurity cop while Congress has struggled to pass some kind of federal cybersecurity legislation.

"The decision in FTC v. Wyndham just reaffirms that the FTC's authority to enforce 'fair practices' extends to privacy practices," said John Pescatore, director of emerging security threats at the SANS Institute, a cybersecurity training organization.

But using the ruling as a basis to try and expand the FTC’s cybersecurity authorities is a bad idea, he said. "I would much rather see the Consumer Product Safety Commission make sure products are built with 'cybersafety' in mind, for example,” said Mr. Pescatore. "There is no need for agencies to reach outside of their defined areas of responsibility and there is no reason for everything related to cybersecurity to be in one place."

Still, other industry groups have grown to accept the FTC's authority, said Matthew Starr, director of public advocacy at the Computing Technology Industry Association (CompTIA). “What we have been opposed to in the past is giving them additional authority for additional rule-making.”

Any move that would allow the FTC to start defining terms, changing definitions, and establishing new measures would be troubling, he said.

Other federal agencies have followed the FTC's example and begun enforcing cybersecurity rules on organizations under their authority.

For example, Mr. Starr pointed to the Federal Communication Commission's recent initiative to draft cybersecurity recommendations for communications providers and its plans to enforce security rules.

It's a troubling trend, he said. “There is concern about being regulated by multiple agencies implementing different standards."