Thursday, August 27, 2015

FTC Enforcement of its Unfair Trade Practice Authority in Cybersecurity; Some Observations from 2000 Pages of FTC Documents


Earlier this year I filed a FOIA case against the FTC for its failure to produce any documents in response to my request for the standards it uses in deciding whether to open an unfair trade practice investigation, or bring an unfair trade practice legal action, regarding cybersecurity under section 5 of the Federal Trade Commission Act, 15 U.S. Code section 45.  On Christmas Eve last year, the FTC denied my request, saying “We have located responsive records, all of which are exempt from the FOIA’s disclosure requirements[.]”  The FTC produced no documents, not even in redacted form.  After I filed an administrative appeal, which was denied, I filed suit in order to better inform the public about what standards are used by the FTC when deciding whether to bring a case.  On July 21, 2015, in the course of the litigation, the FTC produced over 2000 pages of documents, consisting almost exclusively of presentations, testimony, and other public communications.  Here are some observations from these documents – I hope to publish the documents shortly.

As background, there is ongoing litigation challenging the authority of the FTC to bring enforcement actions for unfair cybersecurity trade practices, because it has not published standards that it expects companies to meet.  The FTC believes it has provided sufficient notice in its general public statements, such as its business guides and other materials.  It also recently published ten recommendations drawn from the more than 50 settlements it has entered into with companies in data security cases. Start with Security: A Guide for Business, https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business.  Presumably, following these recommendations will help avoid an investigation, but because the recommendations are not a standard that can be met, there is no guarantee.   More detail about possible ways to avoid unwanted FTC attention follows.

Executive Summary


The FTC has consistently said it uses the standard of reasonableness in determining if a company has taken sufficient steps to protect personal information.  The words used to describe the details of that standard, to the extent that there are “details,” have varied over time.  And while the FTC has said that cases are brought only for systemic failures, these “details” tend to indicate that the FTC could bring a case for any significant breach.

Scope of the Produced Documents


I will start with what was NOT produced.  The FTC has not yet produced any documents from its investigative files – that is a subject of continuing discussion in my FOIA case – and the FTC recently said that it could not even represent that its search was complete for non-investigative documents.  So the below is at best a partial report.  In addition, the FTC withheld as a deliberative document (and as law-enforcement privileged) a single, three-page document.  The document was called “Data Security investigation considerations,” which sounds like it might include the standards and criteria that would be useful to the public, but the document was withheld by the FTC, in part because it might “inaccurately reflect the views of the Agency[.]”  Draft Vaughn Index, https://drive.google.com/file/d/0BwPunpP9UGPqYm9NY04zYm1QVDA/view?usp=sharing.   The FTC also asserted that providing this document – although a draft that does not reflect the views of the FTC – “might increase the risk that a person or business will violate the law by engaging in a particular types of unfair or deceptive data security practices that the FTC is less likely to investigate.”  Draft Vaughn Index.

To summarize, so far the FTC has identified only one document that may provide more details about enforcement decisions than the general “standards” identified below.  It has not produced that document, both because it may be inaccurate and because if it is accurate, knowing what standards the FTC uses might enable people to comply and avoid an investigation.  That is, the FTC intends vagueness in order to obtain in terrorem effects.   Of particular interest, the subject of the transmittal email for this “deliberative” document was “my vague piece.” Draft Vaughn Index, and Email, FTC production, p. 2048.  Given that the FTC has been accused of having no standards or vague standards, the irony is palpable.

Unfairness


Turning to the documents that were produced, the FTC has consistently stuck by its definition of what is “unfair,” a definition drawn from statute.  15 U.S.C. section 45(n).  “Unfair practices” are summarized as those that: “Cause or are likely to cause substantial injury – Are not outweighed by countervailing benefits – Are not reasonably avoidable by consumers.”   Data Security Enforcement, Presentation, Dec. 6, 2007 (FTC production, p. 417).   The FTC has taken the position that this standard is sufficiently definitive: “The FTC’s unfairness jurisdiction has evolved from an amorphous ‘we know it when we see it’ standard in the 1970s, to a principled cost-benefit test.”  Protecting Consumer Information in the 21st Century: The FTC’s Principled Approach, Remarks by Deborah Platt Majoras, May 10, 2006 (FTC production, p. 1139).  

Whether this definition limits FTC action in the case of an actual breach is open to question.  The FTC’s own description of how this test works indicates that the first and third factors are readily met in any case involving a significant breach.  For example, a breach of credit and debit card information due to system vulnerabilities is by definition substantial and unavoidable by consumers.  Protecting Consumer Information in the 21st Century: The FTC’s Principled Approach (FTC production, pp. 1141 and 1143) (access to credit and debit card information is substantial injury, and consumers could not have known about the vulnerabilities that led to the access).  The FTC states that the second factor – whether the harm is outweighed by countervailing benefits – is limiting and requires weighing the harm against the cost that would have been incurred to prevent the harm.  Protecting Consumer Information in the 21st Century: The FTC’s Principled Approach (FTC production, p. 1142).  Yet it may be the rare case where an after-the-fact analysis does not disclose a cost-effective step that could have been taken to prevent the breach, given the after-the-fact knowledge of how the breach occurred.  In at least one candid set of speaker notes, the FTC appears to admit this.  Data Security, Identity Theft, and Health Privacy – the FTC Perspective, Presentation, Sept. 10, 2014 (FTC Production, p. 1602) (“For example, data breach where credit card information breached, risk or even actual occurrence of identity theft, not avoidable, and no benefit to the consumer – that would be unfair”).  And at least one Commissioner has expressed concerns that unfairness was being interpreted in too broad a fashion, although in a different context not involving a breach.  The View from 600 Pennsylvania Avenue: Recent Developments in Law and Policy at the Federal Trade Commission, Remarks of Joshua D. Wright, May 16, 2014 (FTC production, p. 1781) (“I felt that the Commission [in the Apple case], under the rubric of ‘unfair acts or practices,’ substituted its own judgment for a private firm’s decisions as to how to design its product to satisfy as many users as possible.”)

The FTC’s Philosophy


The FTC documents regularly state the “four points” that guide FTC cybersecurity efforts – one of them is the FTC’s general standard and the other three are observations.  First, information security is an ongoing process; that’s true, but it doesn’t tell you anything about enforcement standards.  Second comes the general standard of the FTC – that security procedures must be reasonable and appropriate in light of the circumstances; that’s a good rule, albeit a general one, and the basis of many actual standards.  Third and fourth, a breach doesn’t mean you are liable and no breach doesn’t mean you are free and clear; again, these are not standards but expected assurances that administrative enforcement will be appropriate, looking to reasonableness of the protections for personal information rather than whether there was a breach.  Data Security Enforcement (FTC production, p. 436).  If you want to stop here, that’s fine, because this seems to be the real core of the FTC “standards” – reasonableness – and the FTC says so repeatedly (see below).  Of course, to borrow the words of Chevy Chase, reasonableness is both a floor wax and a dessert topping, usable to punish mistakes in many unrelated fact patterns.

The Definition of “Reasonableness”


The documents describe how the FTC determines reasonableness, which has varied a bit over time, at least at the margins, but kept the same substance.  In 2006 then FTC Chairman Majoras identified two factors that were used in determining reasonableness: “we require that a company’s data security be reasonable in light of the nature of its business and the sensitivity of the information it handles.”  Teamwork: The Key to Victory against Identity Theft, Remarks of Chairman Deborah Platt Majoras, February 23, 2006 (FTC production, p. 1112) (note that while this specific language identifies two parts to the definition of reasonableness, cost is implicit in them, and this definition follows a sentence which states that perfect information security would be a “costly, unobtainable standard”).  A few months later, the Chairman noted that in evaluating information security programs in many contexts the FTC used the reasonableness standard, drawn from the GLB Safeguards Rule, and described four factors.  In her words:

In our investigations, we look at the overall security system that the firm has implemented and its reasonableness in light of the size and nature of the business, the nature of the information it maintains, the security tools that are available, and the security risks it faces.  Protecting Consumer Information in the 21st Century: The FTC’s Principled Approach, Remarks of Chairman Deborah Platt Majoras, May 10, 2006 (FTC production, p. 1137).

Then the FTC, in a formal statement issued for its 50th case, used three factors instead of four.  The circumstances used in determining reasonableness include the same first two factors – size of the business and the sensitivity of the information it holds – but cost has been added to the third factor to make it more explicitly about whether security tools are cost effective, and the fourth factor, regarding security risks facing the company, was dropped:

The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.  Commission Statement Marking the FTC’s 50th Data Security Settlement, January 31, 2014 (referred to in the produced documents, but not produced in response to the FOIA request) (https://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf).

These factors morphed again, just slightly, a few days later in FTC testimony where the second factor changed from the “size and complexity of [a company’s] business” to the “size and complexity of its data operations.”   Protecting Consumer Information, Can Data Breaches be Prevented?, FTC Prepared Statement, Feb. 5, 2014 (FTC production, p. 1940).  And around the same time, the speaker notes from an undated FTC presentation did include a fourth factor different from the original fourth factor – “Look at all platforms – web, mobile, internal systems” – which may be just a general observation.  The FTC and Data Security, Presentation, Undated (FTC production, p. 1400). 

Also of interest, the FTC staff altered these factors in the context of devices in its report on the Internet of Things:

Of course, what constitutes reasonable security for a given device will depend on a number of factors, including the amount and sensitivity of data collected, the sensitivity of the device’s functionality, and the costs of remedying the security vulnerabilities.  Internet of Things, FTC Staff Report, January 2015 (FTC production, p. 1891).

Preventing a Breach – General Advice


Turning from the definition of reasonableness, the FTC also offers reams of advice for preventing a problem through good security.  Until recently, the FTC commonly provided advice on prevention using the rubric of its “Protecting Personal Information: A Guide for Business,” first published in 2007 and updated in 2011.  This document offers recommendations under five principles – principles that appear at many places in the produced documents: 1) Take stock; 2) Scale down; 3) Lock it; 4) Pitch it; and 5) Plan ahead.  E.g., Data Privacy and Security in the United States: A Flexible, Harm-Based Model, Presentation, August 4, 2009 (FTC production, p. 473); Data Security and Privacy Basics, Presentation, August 10, 2014 (FTC production, p. 1448).  This rubric was used in the FTC’s statement marking its 50th data security case:

[W]hile there is no single solution, a [security] program follows certain basic principles. First, companies should know what consumer information they have and what employees or third parties have access to it. Understanding how information moves into, through, and out of a business is essential to assessing its security vulnerabilities. Second, companies should limit the information they collect and retain based on their legitimate business needs so that needless storage of data does not create unnecessary risks of unauthorized access to the data. Third, businesses should protect the information they maintain by assessing risks and implementing protections in certain key areas – physical security, electronic security, employee training, and oversight of service providers. Fourth, companies should properly dispose of information that they no longer need. Finally, companies should have a plan in place to respond to security incidents, should they occur. Commission Statement Marking the FTC’s 50th Data Security Settlement.

However, by later in 2014, in one exposition these recommendations had morphed, in two ways.  “Take stock” had moved from a recommendation to have a personal information inventory or data map to a recommendation to conduct a personal information risk assessment, with the need to also look at vulnerabilities in systems handling personal information.  And “Pitch it” disappeared, replaced with “Train employees to handle personal information properly.”  On the Front Lines – The FTC’s Role in Data Security, Remarks of Commissioner Julie Brill, Sept. 17, 2014 (FTC Production, pp. 1794-5).   (Note: other rubrics were in vogue at different times, especially before the Business Guide was first published.)

For a device or application, a recent FTC publication recommends at least six principles or best practices that cover the same areas as the five-part Business Guide approach, but under a different rubric.  Internet of Things (FTC production, pp. 1891-5) (security by design, personnel practices promote good security, third party selection and oversight, defense in depth for systems at significant risk, reasonable access control measures, and monitor and patch known vulnerabilities). 

Unfair Software and Service Development


Software developers and cloud providers take note – make sure you have a Security Development Lifecycle (SDL) and a vulnerability reporting portal and process, because, for example, the FTC recommends testing and review of software, and taking user feedback on vulnerabilities.  Federal Trade Commission: Privacy and Data Security, Presentation, July 17, 2014 (FTC production, pp. 1486 & 1493); Get Security and Privacy Right, Presentation, January 30, 2014 (FTC production, pp. 1701 & 1704).  As the FTC asks, “Is the software you offer to consumers (e.g., your mobile app) secure?”  FTC: Privacy and Data Security (FTC production at 1486).  See also Start with Security, Lessons 7 and 9 (“Apply Sound Security Practices when Developing New Products” and “Put Measures in Place to Keep your Security Content Current and Address Vulnerabilities that may Arise”).  It will be interesting to see how this principle is extended beyond devices and mobile applications to platforms or web browsers – there is at least a hint of this in the FTC investigation of HTC, where the “failure to secure the software … for smartphones and tablet computers … left the devices vulnerable to malware[.]”  The FTC’s Privacy Program: Grounding Principles, Recent Initiatives, Remarks of Jessica Rich, Dec. 1, 2014 (FTC production, p. 1775).

Avoiding Trouble with the FTC


Besides the top-down, principles-to-best-practices approach typified by the Business Guide, the produced documents also contain many, many examples of identifying business failures and recommending “don’t do these things” to avoid trouble with the FTC.  E.g., Federal Trade Commission: Protecting Information, Update on the FTC, Presentation, Undated (FTC production, p. 30) (“Things you can do to get into trouble with the FTC – Share private information with the world – Toss loan applications in the dumpster – Keep sensitive information you don’t need – Store PII in plain text – Use weak passwords – Don’t apply security patches or use antivirus or firewalls – And No. 1, have no security info program!”);  and Emerging Trends in FTC Enforcement, Presentation, June 3, 2010 (FTC production, p. 609) (“Technology changes, but the vulnerabilities seem to stay the same: - Storing and transmitting sensitive information in clear text – Failure to secure wireless access points – Storing sensitive information for an unreasonable period of time – Vulnerabilities to command injection attacks – Failure to monitor network or unauthorized access“).  That approach reached its apogee with the Start with Security document mentioned in the first paragraph, which generalizes principles from FTC enforcement actions.

There is one overarching recommendation that is clear across these materials – have an information security program/enterprise security program based on risk.  E.g., Federal Trade Commission: Protecting Information, Update on the FTC (FTC production, p. 30); Data Security and Privacy: Legal, Policy and Enterprise Issues, Presentation, Winter 2011 (FTC production, p. 956).  You will similarly find this requirement in the GLB Safeguards Rule. 

Becoming the Target of an Investigation


In terms of who is at risk to be the target of an investigation, the FTC often says that its cases involve companies with clear failures and systemic problems.  E.g., ID Theft and Cybercrime: Where Thieves, Victims, Industry and Government Intersect, Remarks of Chairman Deborah Platt Majoras, February 6, 2007 (FTC production, p. 1306); The FTC’s Consumer Protection Agenda: Strategies for the Present and Future, Remarks of Chairman Deborah Platt Majoras, Jan. 30, 2007 (FTC production, p. 1259) (“None of [the FTC’s data security enforcement actions in the prior two years] has been a close call”). One more recent presentation puts it slightly differently.  After providing a list of eight “common data security failures,” the speaker notes say:

Lets start with data security enforcement-some of the types of failures we have found in prior cases.  Not only is this list not exclusive but things are added to it.  These mistakes still occur.  Company might have multiple failures.  Early on in our program we might pursue a case where a company said they had encrypted your data but did not, but this doesn’t happen as much anymore.  Now our cases typically allege that there were several things a company failed to do.  (on its own, one might not be enough to say that practices were unreasonable, but taken together, we believe there was a law violation). Data Security, Identity Theft, and Health Privacy – the FTC Perspective (FTC Production, p. 1609).

These two ways of looking at the problem, (1) looking at when a company acts “unreasonably” and (2) recommending things a company can do to prevent a problem, come together when the produced documents describe how a data security case is evaluated for possible prosecution.  One joint presentation involving both an FTC employee and a private lawyer identifies four principles on evaluating a data security case: “- Did the company have effective security measures in place to protect personal information? - If not, could the information have been protected at as reasonable cost? - Were the security vulnerabilities at issue well-known within the information technology industry? - Were simple, readily-available low cost measures available to prevent them?”  Emerging Trends in FTC Enforcement, Presentation by Katrina Blodgett and Tim Tobin, January 25, 2011 (FTC production, p. 551).   An FTC-only presentation says much the same thing but in different words:  “Typical Questions from the FTC – Were the security vulnerabilities at issue well-known in the information technology industry? – Did the company have effective security measures in place to protect personal information? – If not, could the information have been protected at a reasonable cost, or were fixes readily-available?”   Privacy at the Federal Trade Commission, Presentation, Undated (FTC Production, p. 284).

Self-Regulation


Another way to work to comply with FTC mandates is to adopt a self-regulatory regime.  The FTC documents are very supportive of self-regulation, especially with backstop enforcement by government.  However, compliance with a self-regulatory regime is no guarantee that the FTC will not take action – for example PCI compliance does not mean that your cybersecurity practices across your entire business were fair. Protect your Customers, Protect Yourself: FTC Law and Practical Advice for Safeguarding Customer Information, Presentation, Oct. 30, 2007 (FTC production, p. 508).  See also Data Security and Privacy: Legal, Policy, and Enterprise Issues, Presentation, Winter 2012 (FTC production, p. 978) (self-regulatory organizations can be particularly helpful but the FTC always retains backstop enforcement powers).

Avoiding an Investigation in the First Place


Also of interest is how a target may come to the attention of the FTC.  The ways are much what you would expect, including press reports.  One interesting note is that the FTC has represented it doesn’t have the resources to investigate a single consumer complaint, but congressional inquiries can trigger an investigation (as can consumer or business “complaints,” probably more than one).  Specific Privacy Issues for Consideration, Presentation, May 2011 (FTC production, pp. 59-60).   In addition, the FTC likes to make an example of companies and looks to bring cases where there is likely to be a large risk of injury to consumers or that may affect what consumers buy (hitting companies in the pocket), because “such enforcement actions typically have ripple effects through the entire industry by sending a clear message” about non-compliance with the law as the FTC defines it.   Data Security and Privacy: Legal, Policy, and Enterprise Issues (FTC production, p. 977).

Conclusion


To conclude, nine years ago, then FTC Chairman Majoras noted “The FTC’s 2006 Chairman’s Annual Report states that uncertainty ‘is the primary enemy of efficiency in law enforcement.’ The FTC has worked to increase the clarity of our legal standards and that will continue.”  Protecting Consumer Information in the 21st Century: The FTC’s Principled Approach (FTC production, p. 1140).   I will leave it to you and others to judge how successful the FTC has been at informing businesses what is expected in order to avoid a law enforcement investigation and significant penalties.


Acknowledgement: I would like to thank Steptoe and Johnson, and its lawyers Stewart Baker, Kaitlin Cassel, John Casciano, and Michael Baratz for representing me in the litigation with the FTC, and for obtaining the documents that I used to write this analysis.