The Federal Trade Commission (FTC) is a privacy regulator, sure. But it’s not out to get the good guys trying to do the right thing. Its primary concern is making sure organizations are keeping the privacy promises they make to consumers.
That was how Federal Trade Commissioner Maureen Ohlhausen kicked off her keynote address at the IAPP’s preconference session at RSA, “Engineering Privacy: Why Security Isn’t Enough.”
Although the FTC has brought cases against companies following data breaches—Cbr Systems, for example, the blood bank whose breach exposed the records of more than 300,000 consumers—a breach isn't the only reason the FTC would go after a company. Outlining the more than 100 cases the FTC has brought against companies it considered to have deceived or been unfair to consumers in some way—including movie ticket site Fandango and rent-to-own retailer Aaron's—Ohlhausen told the information-security and IT professionals at RSA that the FTC regulates how entities secure the data consumers entrust to them. And that's where IT professionals can play a role.
And it's not just about how consumer information is used at the time it's collected or processed, Ohlhausen said. It also matters how it's used down the road, especially with medical or health information.
The touchstone of the FTC’s data security enforcement, she continued, is “reasonableness.” Organizations must take reasonable actions to protect consumer information. But the regulator itself takes a reasonable approach to enforcing that. It’s not out to jump on a company at the first sign of trouble.
“We recognize there’s no such thing as perfect security,” she said. With that in mind, the agency has never gone after a company in the case of a “close call,” for example. Reasonableness means reassessing risk consistently, but “there’s no one-size-fits-all” data security program.
“And the mere fact that a breach occurred doesn’t mean a company broke the law,” she said. “We don’t impose strict liability for a breach. We don’t expect companies to be perfect.”
If a company is attacked by a nation-state, for example, that alone is unlikely to expose it to much liability.
Asked by an attendee when she thinks consumers might start having control of their own data rather than being forced to sign all-or-nothing terms that give companies broad decision-making power, Ohlhausen said that's largely up to the consumer. And consumers might not be there yet.
Take her refrigerator, for example. She never read any of the paperwork that came with the fridge. That is, until she couldn’t figure out why it wouldn’t stop dinging one day. Then, the fine print mattered.
“Consumers are busy people,” she said. “I don’t think we should expect consumers are going to read every part of privacy policies. But will they control more of their data down the road? Yes, if there are harms they can foresee. You start to care about it when the door is dinging and there’s a harm that comes to you from a data use you didn’t expect or didn’t like.”
That being said, Ohlhausen would like to see the agency move toward a more harms-based approach to enforcement, as well.
The kind of data that concerns the commissioner the most is the kind of data that’s increasingly proliferating, like real-time location data, health data and information about children.
“All deserve elevated protection,” she said.
For IT and info-sec professionals, that means considering, at the system level, the sensitivity of the data being collected. That’s one way to stay out of trouble.
“Enforcement will continue to evolve as consumers face new challenges,” she said. “Businesses can and should prepare themselves for the challenges ahead by embracing best practices that evaluate risk for privacy and security.”