The FTC Steps Up Business Engagement on Data Security
Earlier this month, the Federal Trade Commission (“FTC” or “the Commission”) announced a new “Start with Security” campaign. As Chairwoman Edith Ramirez described it in her announcement speech, the campaign will center on a series of resources and presentations that the FTC’s Bureau of Consumer Protection will deliver to corporate groups, giving companies, especially small and medium-sized businesses, best practices and other guidance on specific data security topics.
This is a welcome development. The “Start with Security” presentations are intended to fill a gap left by the FTC’s current, light-touch method of protecting consumers and promoting good corporate data security practices. Today, the FTC’s primary tool for recommending and enforcing reasonable behavior in the data security space is the enforcement authority granted to it by Section 5 of the FTC Act, which allows it to stop unfair or deceptive acts or practices.
On the unfairness side, the FTC brings a case when a particular company’s data security practices caused, or were likely to cause, a substantial injury to consumers that they could not reasonably avoid and that was not outweighed by benefits to consumers or competition. On the deception side, the FTC brings a case when it believes a company promised to keep information secure but failed to back that promise with reasonable and appropriate security processes.
Through settlements and guidance documents informed by the last decade of data security cases, the Commission has developed a set of commercially reasonable security practices that companies should implement in a manner appropriate to their respective businesses. This case-by-case approach allows policy to develop flexibly, reflecting what companies are actually doing with consumers’ information and pointing to areas for improvement or minimum standards.
The problem with this post-hoc evaluation of corporate data security practices, of course, is that the Commission has no single, centralized, well-articulated synthesis of what the accumulated consent decrees require going forward. Large organizations with consumer protection and privacy attorneys on staff might be able to distill a coherent internal policy from the Commission’s 60-odd data security actions, but startups and other small and medium-sized enterprises without such resources could easily find themselves non-compliant.
The “Start with Security” presentations will let the FTC engage with industry flexibly, without resorting to more rigid regulatory measures that could fall behind the best commercially available technologies or hinder innovation. The Commission already has a strong example in its “Start with Security” tips for mobile app developers. Those dozen tips contain no prescriptive technical requirements, such as the strength of encryption required for data at rest or in transit, and impose no standards for generating user credentials. Instead, the FTC encourages app developers to think critically about security and make informed choices about, for example, which software libraries or third-party services they employ.
The FTC’s wider “Start with Security” series will likely follow the same pattern. Ideally, the best practices and guidelines in the coming presentations will be as clear and accessible as possible, so that smaller organizations can implement sound data security practices while growing their businesses.