FTC Data Security Enforcement Is Work in Progress


By Jimmy H. Koo

The three vacant seats on the Federal Trade Commission have had “tremendous effect” on the commission’s case selection and present “great potential for deadlock,” Thomas B. Pahl, acting director of the FTC’s Bureau of Consumer Protection, said Oct. 5.

The commission, which has consumer data security and privacy regulatory authority over various companies from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as medical testing laboratory LabMD Inc., can’t make decisions unless its two sitting members, Republican Acting Chairman Maureen K. Ohlhausen and Democrat Terrell McSweeny, agree on which cases to pursue. At full strength, the FTC has five Senate-confirmed members appointed to seven-year terms, with no more than three members from the same political party.

Ohlhausen’s focus on fraud-related cases hasn’t created ideological splits on the commission, but differences will eventually arise, Pahl said at the Privacy+Security Forum in Washington. The vacancies aren’t sustainable in “the long term,” he said.

McSweeny’s term expired in September, but a spokeswoman for the commissioner told Bloomberg BNA that she intends to remain at the FTC until other commissioners are in place. In May, Senate Minority Leader Charles E. Schumer (D-N.Y.) recommended Rohit Chopra, a consumer advocate, for a Democratic seat, but President Donald Trump hasn’t made any nominations to fill any of the vacancies.

The vacancies will be filled “soon,” Pahl said.

Reasonable Security

Companies under the FTC’s jurisdiction have struggled with what level of data security they must provide to convince the nation’s main data security and privacy enforcement agency that their efforts to protect personal data are reasonable. Instead of regulatory standards defining reasonable data security, the FTC has told companies they must parse what is required by looking at consent decrees reached with alleged violators in past cases and guidance issued by the commission. There is no specific statutory or regulatory guidance detailing data security requirements that the FTC enforces.

The FTC has been “kicking the can” down the road on the definition of reasonable security, Pahl said. The FTC is working to clarify the “reasonable security” it demands of companies, Pahl said. Data security is “fact-specific,” and strict rules may not be the best option, he said.

Pahl highlighted the FTC’s recent “Stick with Security” blog initiative that uses hypothetical examples of security best practices to highlight common themes that have emerged from closed data security investigations.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
