FTC Hearings #9: Data Security
The ninth FTC hearing on Competition and Consumer Protection in the 21st Century took place last week at the Constitution Center and focused on data security. The two-day hearing addressed a range of topics in data security, with presentations and panels on data breaches, incentives to invest in data security, consumer demand for data security, the U.S. approach to consumer data security, and FTC data security enforcement.
Andrew Smith, from the FTC, opened the two-day hearing with remarks about the FTC's role in data security enforcement and the importance of data security concerns in the 21st century:
“This is an excellent opportunity for us, to revisit policies and question old assumptions. Data security will continue to be an important priority for the FTC and the FTC will not be retreating from its role as the nation’s primary data security law enforcement agency.”
The first day began with presentations on data breaches focused on academic research and industry reports, including the trends that experts were seeing. Sebastian Gay, Professor at Georgetown University, discussed the findings of his article, Strategic News Bundling and Privacy Breach Disclosures, in which he examined how firms can offset the price impact of privacy breach disclosures. He pointed out that even though Marriott and Target recently experienced data breaches, their stock prices did not dive, and he attempted to explain the rationale behind this phenomenon. John Marc Spitler, Senior Manager at Verizon Security Research, presented the results of his team's annual publication, including its counts of confirmed data breaches and confirmed security incidents. Al Pascual, Senior Vice President for Research at Javelin Strategy & Research, outlined his firm's national study of identity fraud affecting consumers and the seriousness of its consequences.
The conversation then shifted to incentives to invest in data security, with the moderators suggesting eight key factors: customer trust, reputation, ex ante compliance, ex post liability, customer demand, competitive advantage, cost reduction, and cyber insurance coverage. Panelists agreed that each factor was important in its own right and that no single one drives companies to prioritize data security; rather, companies weigh several factors together, and each panelist weighted those factors slightly differently. Tyler Moore, Professor at the University of Tulsa, argued that while compliance was the single biggest driver of investment in security, all of the incentives had an impact. Lawrence B. Gordon, Professor at the University of Maryland, and Sasha Romanosky, a Policy Researcher at RAND Corporation, also agreed that while all of these factors were important, businesses face the challenge of deciding how much to invest in cybersecurity and how to allocate those resources. Each company has its own circumstances to weigh against the incentives and must make a cost-benefit analysis that fits its needs. Gordon remarked:
“When companies are looking at security they’re thinking of potential cost, cost to reputation, cost to lawsuit, cost to not complying, cost in protecting breaches.”
The first day ended with a discussion on consumer demand for data security. The moderators posed the following question with the possible answers:
“How important is perceived security to consumers making purchasing decisions?”
(A) important, but they expect the firm to be responsible for security;
(B) important and they understand that security is a shared responsibility between themselves and the firm;
(C) moderately important and they expect firms to be responsible for security;
(D) moderately important and they understand it’s a shared responsibility;
(E) not important because consumers don’t expect security; or
Panelists gave a variety of answers to the question posed. Rick Wash, Professor at Michigan State University, thought that (B) was the closest answer: people seem to think that security is important but realize it is a shared responsibility. Kirsten Martin, Professor at George Washington University, agreed with Professor Wash but believed the answer to be closer to (A). Michael Higgins, Partner at Bluewater International, disagreed with both Professors Wash and Martin, arguing that while consumers may think security is moderately important, their actions do not align with that opinion, so his view was closer to answer (E). Justin Brookman, Director of Consumer Privacy and Technology Policy at Consumer Reports Advocacy, was split between the views of Higgins and Martin, and thought that consumers have only a vague sense of why security is important and that "people expect firms to take care of security for them". Lastly, Wiley Hodges, Director of Product Marketing at Apple, believed that consumers tend to place a high value on security.
Day two began with a panel focused on data security assessments, with the moderators using seven hypotheticals for the panelists to respond to and to foster debate. There was a general consensus among the panelists that firms could be doing more to provide better data security, but panelists differed on which data security practices they favored over others.
Malcolm Harkins, Chief Security and Trust Officer at Cylance, cautioned that while a larger company may have more resources, we should not assume that a company's size or maturity means it will be secure. Both Garin Pace, Cyber Product Leader at American International Group, and Tom McAndrew, CEO of Coalfire, spoke briefly on cyber insurance as a means of managing the consequences of data breaches and on how it factors into general data security practices. Wendy Nather, Head of Advisory CISOs at Duo Security (now part of Cisco), made the point that companies should use both internal and external assessments in their security operations to maintain security over time. Returning to the seven hypotheticals, panelists agreed that security is a constant effort that companies must maintain and that each company has its own cost-benefit analysis to make when deciding on its data security practices.
The first panel was followed by a short fireside chat on emerging threats with FTC Commissioner Rebecca Kelly Slaughter and Joshua Corman, Chief Security Officer at PTC. The discussion touched on multiple issues, including technical literacy, communication, transparency, regulation, privacy, and security. Corman emphasized the dangers of ignorance about this new wave of connected technology, the threats it creates (citing multiple instances of attacks, such as the Mirai botnet taking down much of the internet for an hour or two and NotPetya wreaking havoc on the world's shipping), and how it affects all parties. In the wake of these emerging threats and the real damages caused by a lack of security, Corman stated, "we appreciate the benefits that many digital services provide but don't internalize the harms." Corman argued for greater transparency, information, labeling, patching commitments, and disclosure programs. Rather than burdensome legislation, however, he argued that policy geared towards minimum privacy and security hygiene, together with better-informed customers, would begin to self-correct the problem.
The afternoon session focused on the U.S. approach to data security. Lisa J. Sotto, Partner at Hunton Andrews Kurth, summarized the present landscape of what data security looks like in the United States:
“There is a cacophony of data security laws in the U.S. We have many different rules, they’re not uniform and do not dovetail nicely with each other and that really makes a hodgepodge, a fragmented approach to data security.”
Other panelists agreed that current data security laws are either lacking or too confusing for companies to fully comply with. Janis Kestenbaum, Partner at Perkins Coie, believed that the unifying theme for companies was reasonableness, and that while companies would like to comply with regulations, no one was really telling them what the right thing to do was. Daniel Solove, Professor at the George Washington University Law School, had similarly harsh words about the current U.S. legal approach:
“Data security is weak. Our networks are porous, being infiltrated left and right. Our approach is not particularly effective, and seems to be getting worse. Consumers bear a lot of the cost and never recoup that loss. The law can do a lot better job in preventing breaches.”
The last panel of the day was on the FTC's role in data security enforcement. Lydia Parnes, Partner at Wilson Sonsini, spoke positively of the FTC's active role in data security and believed that the Commission has played, and will continue to play, an important role in this space. Michelle Richardson, Director at the Center for Democracy & Technology, cautioned against setting a standard different from the reasonableness standard that the FTC currently uses. Geoffrey Manne, President and Founder of the International Center for Law and Economics, had advice on what the FTC should improve upon:
“I think it’s important for the FTC to more consistently adapt themselves as a convener of information, as an entity that needs to be informed and disseminate that information to firms out there along the lines of cybersecurity guidance. The FTC is doing a terrible job telling us why they’re bringing cases.”
The next series of FTC hearings will be held February 12-13, 2019 at the Constitution Center, where the focus will be on consumer privacy.