By Tripp Baltz
Aug. 20 — Although it has investigated hundreds of data breaches, the Federal Trade Commission has taken enforcement action in only a small percentage of cases, FTC Commissioner Julie Brill said Aug. 18.
“The bit of good news I'd like to bring is, hundreds of companies come before us, and we have not taken action,” Brill said at a panel on data security at the Aspen Forum, which was sponsored by the Technology Policy Institute, a Washington-based think tank.
“We realize stuff happens in this space, and we are not looking for perfect security,” she said. “You can't protect from everything.”
The FTC takes action against “companies that didn't engage in very reasonable practices, didn't patch known vulnerabilities and that engaged in activities that really fell below the reasonableness line,” Brill said.
The FTC has brought 53 data security cases under Section 5 of the FTC Act, she said.
“The FTC has become in effect the national enforcement agency dealing with data security,” Brill said.
The FTC's authority to bring data security enforcement actions has come under fire in some quarters, including in legal actions involving Wyndham Hotels and Resorts LLC and LabMD Inc.
Ninety-two percent of data breach cases fall within nine “garden-variety” categories, said Craig Silliman, senior vice president for public policy at Verizon Communications Inc., citing the company's experience in preparing data breach reports. “The risks aren't as varied as you might think, and they differ by industry,” he added.
The latest Verizon data breach report cites the nine categories as: point-of-sale attacks, Web application attacks, insider misuse, physical theft or loss, malicious software, card skimmers, operating system attacks, cyberespionage and miscellaneous errors.
Panel moderator Alan Raul, a partner and lead global coordinator for privacy, security and information law at Sidley Austin LLP in Washington, said that “nobody is safe” from data breach risks.
Raul said there is a long list of companies, government agencies and other entities that have been the victims of data breaches. “Most of them have been trying very hard to safeguard their information,” he said.
White House Cybersecurity Coordinator Michael Daniel said data breaches are a national threat “and not a problem that any one part of the federal government, nor the federal government alone, can solve.”
He said as the White House is “getting down to the brass tacks” of the cybersecurity issue, consideration has to be given to the implications for consumer privacy.
Brill agreed. “Privacy and data security are two sides of the same coin,” she said.
Nick Rossi, deputy staff director for the minority staff on the Senate Committee on Commerce, Science and Transportation, said he hopes the Senate will pass cybersecurity legislation.
“But privacy is the thorny issue,” he said.
A cyberthreat information-sharing bill awaiting action by the Senate is getting strong support from the U.S. Chamber of Commerce and other leading industry associations, despite unresolved regulatory issues and other privacy concerns.
To contact the reporter on this story: Tripp Baltz in Aspen, Colo. at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Further information on the Technology Policy Institute's Aspen Forum is available at https://www.techpolicyinstitute.org/aspen2014/.
To view additional stories from Corporate Law & Accountability Report register for a free trial now