FTC Enforcement of its Unfair Trade Practice Authority in Cybersecurity; Some Observations from 2000 Pages of FTC Documents
Earlier this year I filed a FOIA case against the FTC for
its failure to produce any documents in response to my request for the
standards it uses in deciding whether to open an unfair trade practice
investigation, or bring an unfair trade practice legal action, regarding
cybersecurity under section 5 of the Federal Trade Commission Act, 15 U.S. Code
section 45. On Christmas Eve last year,
the FTC denied my request, saying “We have located responsive records, all of
which are exempt from the FOIA’s disclosure requirements[.]” The FTC produced no documents, not even in
redacted form. After I filed an
administrative appeal, which was denied, I filed suit in order to better inform
the public about what standards are used by the FTC when deciding whether to bring
a case. On July 21, 2015, in the course
of the litigation, the FTC produced over 2000 pages of documents, consisting
almost exclusively of presentations, testimony, and other public
communications. Here are some observations
from these documents – I hope to publish the documents shortly.
As background, there is ongoing litigation challenging the
authority of the FTC to bring enforcement actions for unfair cybersecurity
trade practices, because it has not published standards that it expects
companies to meet. The FTC believes it
has provided sufficient notice in its general public statements, such as its
business guides and other materials. It also
recently published ten recommendations drawn from the more than 50 settlements
it has entered into with companies in data security cases. Start with Security: A Guide for Business,
https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business. Presumably, following these recommendations
will help avoid an investigation, but because the recommendations are not a
standard that can be met, there is no guarantee. More
detail about possible ways to avoid unwanted FTC attention follows.
Executive Summary
The FTC has consistently said it uses the standard of
reasonableness in determining if a company has taken sufficient steps to
protect personal information. The words
used to describe the details of that standard, to the extent that there are
“details,” have varied over time. And
while the FTC has said that cases are brought only for systemic failures, these
“details” tend to indicate that the FTC could bring a case for any significant
breach.
Scope of the Produced Documents
I will start with what was NOT produced. The FTC has not yet produced any documents
from its investigative files – that is a subject of continuing discussion in my
FOIA case – and the FTC recently said that it could not even represent that its
search was complete for non-investigative documents. So the below is at best a partial
report. In addition, the FTC withheld as
a deliberative document (and as law-enforcement privileged) a single, three-page
document. The document was called “Data
Security investigation considerations,” which sounds like it might include the
standards and criteria that would be useful to the public, but the document was
withheld by the FTC, in part because it might “inaccurately reflect the views
of the Agency[.]” Draft Vaughn Index,
https://drive.google.com/file/d/0BwPunpP9UGPqYm9NY04zYm1QVDA/view?usp=sharing.
The FTC also asserted that providing
this document – although a draft that does not reflect the views of the FTC –
“might increase the risk that a person or business will violate the law by
engaging in a particular types of unfair or deceptive data security practices
that the FTC is less likely to investigate.”
Draft Vaughn Index.
To summarize, so far the FTC has identified only one
document that may provide more details about enforcement decisions than the
general “standards” identified below. It
has not produced that document, both because it may be inaccurate and because
if it is accurate, knowing what standards the FTC uses might enable people to
comply and avoid an investigation. That
is, the FTC intends vagueness in order to obtain in terrorem effects. Of particular interest, the subject of the
transmittal email for this “deliberative” document was “my vague piece.” Draft
Vaughn Index, and Email, FTC production, p. 2048. Given that the FTC has been accused of having
no standards or vague standards, the irony is palpable.
Unfairness
Turning to the documents that were produced, the FTC has consistently
stuck by its definition of what is “unfair,” a definition drawn from statute. 15 U.S.C. section 45(n). “Unfair practices” are summarized as those
that: “Cause or are likely to cause substantial injury – Are not outweighed by
countervailing benefits – Are not reasonably avoidable by consumers.” Data
Security Enforcement, Presentation, Dec. 6, 2007 (FTC production, p.
417). The FTC has taken the position that this
standard is sufficiently definitive: “The FTC’s unfairness jurisdiction has
evolved from an amorphous ‘we know it when we see it’ standard in the 1970s, to
a principled cost-benefit test.” Protecting
Consumer Information in the 21st Century: The FTC’s Principled Approach,
Remarks by Deborah Platt Majoras, May 10, 2006 (FTC production, p. 1139).
Whether this definition limits FTC action in the case of an
actual breach is open to question. The
FTC’s own description of how this test works indicates that the first and third
factors are readily met in any case involving a significant breach. For example, a breach of credit and debit
card information due to system vulnerabilities is by definition substantial and
unavoidable by consumers. Protecting
Consumer Information in the 21st Century: The FTC’s Principled Approach
(FTC production, pp. 1141 and 1143)
(access to credit and debit card information is substantial injury, and
consumers could not have known about the vulnerabilities that led to the access). The FTC states that the second factor –
whether the harm is outweighed by countervailing benefits – is limiting and
requires weighing the harm against the cost that would have been incurred to
prevent the harm. Protecting Consumer
Information in the 21st Century: The FTC’s Principled Approach (FTC
production, p. 1142). Yet it may be the
rare case where an after-the-fact analysis does not disclose a cost-effective
step that could have been taken to prevent the breach, given the after-the-fact
knowledge of how the breach occurred. In
at least one candid set of speaker notes, the FTC appears to admit this. Data Security, Identity Theft, and Health
Privacy – the FTC Perspective, Presentation, Sept. 10, 2014 (FTC
Production, p. 1602) (“For example, data breach where credit card information
breached, risk or even actual occurrence of identity theft, not avoidable, and
no benefit to the consumer – that would be unfair”). And at least one Commissioner has expressed
concerns that unfairness was being interpreted in too broad a fashion, although
in a different context not involving a breach.
The View from 600 Pennsylvania Avenue: Recent Developments in Law and
Policy at the Federal Trade Commission, Remarks of Joshua D. Wright, May
16, 2014 (FTC production, p. 1781) (“I felt that the Commission [in the Apple
case], under the rubric of ‘unfair acts or practices,’ substituted its own
judgment for a private firm’s decisions as to how to design its product to
satisfy as many users as possible.”)
The FTC’s Philosophy
The FTC documents regularly state the “four points” that
guide FTC cybersecurity efforts – one of them is the FTC’s general standard and
the other three are observations. First,
information security is an ongoing process; that’s true, but it doesn’t tell
you anything about enforcement standards.
Second comes the general standard of the FTC – that security procedures
must be reasonable and appropriate in light of the circumstances; that’s a good
rule, albeit a general one, and the basis of many actual standards. Third and fourth, a breach doesn’t mean you
are liable and no breach doesn’t mean you are free and clear; again, these are
not standards but expected assurances that administrative enforcement will be
appropriate, looking to reasonableness of the protections for personal
information rather than whether there was a breach. Data Security Enforcement (FTC
production, p. 436). If you want to stop here, that’s fine, because this seems
to be the real core of the FTC “standards” – reasonableness – and the FTC says
so repeatedly (see below). Of course, to
borrow the words of Chevy Chase, reasonableness is both a floor wax and a
dessert topping, usable to punish mistakes in many unrelated fact patterns.
The Definition of “Reasonableness”
The documents describe how the FTC determines
reasonableness, which has varied a bit over time, at least at the margins, but
kept the same substance. In 2006 then
FTC Chairman Majoras identified two factors that were used in determining
reasonableness: “we require that a company’s data security be reasonable in
light of the nature of its business and the sensitivity of the information it
handles.” Teamwork: The Key to
Victory against Identity Theft, Remarks of Chairman Deborah Platt Majoras,
February 23, 2006 (FTC production, p. 1112) (note that while this specific
language identifies two parts to the definition of reasonableness, cost is
implicit in them, and this definition follows a sentence which states that
perfect information security would be a “costly, unobtainable standard”). A few months later, the Chairman noted that in
evaluating information security programs in many contexts the FTC used the
reasonableness standard, drawn from the GLB Safeguards Rule, and described four
factors. In her words:
In our investigations, we look at
the overall security system that the firm has implemented and its
reasonableness in light of the size and nature of the business, the nature of
the information it maintains, the security tools that are available, and the
security risks it faces. Protecting
Consumer Information in the 21st Century: The FTC’s Principled
Approach, Remarks of Chairman Deborah Platt Majoras, May 10, 2006 (FTC
production, p. 1137).
Then the FTC, in a formal statement issued for its 50th
case, used three factors instead of four.
The circumstances used in determining reasonableness include the same
first two factors – size of the business and the sensitivity of the information
it holds – but cost has been added to the third factor to make it more explicitly
about whether security tools are cost effective, and the fourth factor,
regarding security risks facing the company, was dropped:
The touchstone of the Commission’s
approach to data security is reasonableness: a company’s data security measures
must be reasonable and appropriate in light of the sensitivity and volume of
consumer information it holds, the size and complexity of its business, and the
cost of available tools to improve security and reduce vulnerabilities. Commission Statement Marking the FTC’s
50th Data Security Settlement, January 31, 2014 (referred to in the
produced documents, but not produced in response to the FOIA request) (https://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf).
These factors morphed again, just
slightly, a few days later in FTC testimony where the second factor changed
from the “size and complexity of [a company’s] business” to the “size and
complexity of its data operations.” Protecting
Consumer Information, Can Data Breaches be Prevented?, FTC Prepared
Statement, Feb. 5, 2014 (FTC production, p. 1940). And around the same time, the speaker notes
from an undated FTC presentation did include a fourth factor different from the
original fourth factor – “Look at all platforms – web, mobile, internal
systems” – which may be just a general observation. The FTC and Data Security,
Presentation, Undated (FTC production, p. 1400).
Also of interest, the FTC staff altered these factors in the
context of devices in its report on the Internet of Things:
Of course, what constitutes
reasonable security for a given device will depend on a number of factors,
including the amount and sensitivity of data collected, the sensitivity of the
device’s functionality, and the costs of remedying the security vulnerabilities. Internet of Things, FTC Staff Report,
January 2015 (FTC production, p. 1891).
Preventing a Breach – General Advice
Turning from the definition of reasonableness, the FTC also
offers reams of advice for preventing a problem through good security. Until recently, the FTC commonly provided advice
on prevention using the rubric of its “Protecting Personal Information: A Guide
for Business,” first published in 2007 and updated in 2011. This document offers recommendations under
five principles – principles that appear at many places in the produced
documents: 1) Take stock; 2) Scale down; 3) Lock it; 4) Pitch it; and 5) Plan
ahead. E.g., Data Privacy and
Security in the United States: A Flexible, Harm-Based Model, Presentation,
August 4, 2009 (FTC production, p. 473); Data Security and Privacy Basics,
Presentation, August 10, 2014 (FTC production, p. 1448). This rubric was used in the FTC’s statement
marking its 50th data security case:
[W]hile there is no single
solution, a [security] program follows certain basic principles. First,
companies should know what consumer information they have and what employees or
third parties have access to it. Understanding how information moves into,
through, and out of a business is essential to assessing its security
vulnerabilities. Second, companies should limit the information they collect
and retain based on their legitimate business needs so that needless storage of
data does not create unnecessary risks of unauthorized access to the data.
Third, businesses should protect the information they maintain by assessing
risks and implementing protections in certain key areas – physical security,
electronic security, employee training, and oversight of service providers.
Fourth, companies should properly dispose of information that they no longer
need. Finally, companies should have a plan in place to respond to security
incidents, should they occur. Commission Statement Marking the FTC’s 50th
Data Security Settlement.
However, by later in 2014, in one exposition these
recommendations had morphed, in two ways.
“Take stock” had moved from a recommendation to have a personal
information inventory or data map to a recommendation to conduct a personal
information risk assessment, with the need to also look at vulnerabilities in systems
handling personal information. And
“Pitch it” disappeared, replaced with “Train employees to handle personal
information properly.” On the Front
Lines – The FTC’s Role in Data Security, Remarks of Commissioner Julie
Brill, Sept. 17, 2014 (FTC production, pp. 1794-5). (Note: other rubrics were in vogue at
different times, especially before the Business Guide was first published.)
For a device or application, a recent FTC publication recommends
at least six principles or best practices that cover the same areas as the
five-part Business Guide approach, but under a different rubric. Internet of Things (FTC production,
pp. 1891-5) (security by design, personnel practices promote good security,
third party selection and oversight, defense in depth for systems at
significant risk, reasonable access control measures, and monitor and patch
known vulnerabilities).
Unfair Software and Service Development
Software developers and cloud providers take note – make
sure you have a Security Development Lifecycle (SDL) and a vulnerability
reporting portal and process, because, for example, the FTC recommends testing
and review of software, and taking user feedback on vulnerabilities. Federal Trade Commission: Privacy and Data
Security, Presentation, July 17, 2014 (FTC production, pp. 1486 & 1493);
Get Security and Privacy Right, Presentation, January 30, 2014 (FTC
production, pp. 1701 & 1704). As the
FTC asks, “Is the software you offer to consumers (e.g., your mobile app)
secure?” FTC: Privacy and Data
Security (FTC production at 1486). See
also Start with Security, Lessons 7 and 9 (“Apply Sound Security
Practices when Developing New Products” and “Put Measures in Place to Keep your
Security Content Current and Address Vulnerabilities that may Arise”). It will be interesting to see how this
principle is extended beyond devices and mobile applications to platforms or
web browsers – there is at least a hint of this in the FTC investigation of HTC, where the “failure
to secure the software … for smartphones and tablet computers … left the
devices vulnerable to malware[.]” The
FTC’s Privacy Program: Grounding Principles, Recent Initiatives, Remarks of
Jessica Rich, Dec. 1, 2014 (FTC production, p. 1775).
Avoiding Trouble with the FTC
Besides the top-down, principles-to-best-practices approach
typified by the Business Guide, the produced documents also contain many, many
examples of identifying business failures and recommending “don’t do these
things” to avoid trouble with the FTC. E.g.,
Federal Trade Commission: Protecting Information, Update on the FTC, Presentation,
Undated (FTC production, p. 30) (“Things you can do to get into trouble with
the FTC – Share private information with the world – Toss loan applications in
the dumpster – Keep sensitive information you don’t need – Store PII in plain
text – Use weak passwords – Don’t apply security patches or use antivirus or
firewalls – And No. 1, have no security info program!”); and Emerging Trends in FTC Enforcement,
Presentation, June 3, 2010 (FTC production, p. 609) (“Technology changes, but
the vulnerabilities seem to stay the same: - Storing and transmitting sensitive
information in clear text – Failure to secure wireless access points – Storing
sensitive information for an unreasonable period of time – Vulnerabilities to
command injection attacks – Failure to monitor network or unauthorized
access”). That approach reached its
apogee with the Start with Security document mentioned above, which
generalizes principles from FTC enforcement actions.
There is one overarching recommendation that is clear across
these materials – have an information security program/enterprise security
program based on risk. E.g., Federal
Trade Commission: Protecting Information, Update on the FTC (FTC
production, p. 30); Data Security and Privacy: Legal, Policy and Enterprise Issues,
Presentation, Winter 2011 (FTC production, p. 956). You will similarly find this requirement in
the GLB Safeguards Rule.
Becoming the Target of an Investigation
In terms of who is at risk to be the target of an
investigation, the FTC often says that its cases involve companies with clear
failures and systemic problems. E.g.,
ID Theft and Cybercrime: Where Thieves, Victims, Industry and Government
Intersect, Remarks of Chairman Deborah Platt Majoras, February 6, 2007 (FTC
production, p. 1306); The FTC’s
Consumer Protection Agenda: Strategies for the Present and Future, Remarks
of Chairman Deborah Platt Majoras, Jan. 30, 2007 (FTC production, p. 1259)
(“None of [the FTC’s data security enforcement actions in the prior two years]
has been a close call”). One more recent presentation puts it slightly
differently. After providing a list of
eight “common data security failures,” the speaker notes say:
Lets start with data security
enforcement-some of the types of failures we have found in prior cases. Not only is this list not exclusive but
things are added to it. These mistakes
still occur. Company might have multiple
failures. Early on in our program we
might pursue a case where a company said they had encrypted your data but did
not, but this doesn’t happen as much anymore.
Now our cases typically allege that there were several things a company
failed to do. (on its own, one might not
be enough to say that practices were unreasonable, but taken together, we
believe there was a law violation). Data Security, Identity Theft, and
Health Privacy – the FTC Perspective (FTC Production, p. 1609).
These two ways of looking at the problem, (1) looking at
when a company acts “unreasonably” and (2) recommending things a company can do
to prevent a problem, come together when the produced documents describe how a
data security case is evaluated for possible prosecution. One joint presentation involving both an FTC
employee and a private lawyer identifies four principles on evaluating a data
security case: “- Did the company have effective security measures in place to protect
personal information? - If not, could the information have been protected at a
reasonable cost? - Were the security vulnerabilities at issue well-known within
the information technology industry? - Were simple, readily-available low cost
measures available to prevent them?” Emerging
Trends in FTC Enforcement, Presentation by Katrina Blodgett and Tim Tobin,
January 25, 2011 (FTC production, p. 551).
An FTC-only presentation says much the same thing in different
words: “Typical Questions from the FTC –
Were the security vulnerabilities at issue well-known in the information
technology industry? – Did the company have effective security measures in
place to protect personal information? – If not, could the information have
been protected at a reasonable cost, or were fixes readily-available?” Privacy at the Federal Trade Commission,
Presentation, Undated (FTC Production, p. 284).
Self-Regulation
Another way to try to comply with FTC mandates is to adopt
a self-regulatory regime. The FTC documents
are very supportive of self-regulation, especially with backstop enforcement by
government. However, compliance with a
self-regulatory regime is no guarantee that the FTC will not take action – for
example PCI compliance does not mean that your cybersecurity practices across
your entire business were fair. Protect your Customers, Protect Yourself:
FTC Law and Practical Advice for Safeguarding Customer Information, Presentation,
Oct. 30, 2007 (FTC production, p. 508). See
also Data Security and Privacy: Legal, Policy, and Enterprise Issues,
Presentation, Winter 2012 (FTC production, p. 978) (self-regulatory
organizations can be particularly helpful but the FTC always retains backstop
enforcement powers).
Avoiding an Investigation in the First Place
Also of interest is how a target may come to the attention of
the FTC. The ways are much what you
would expect, including press reports.
One interesting note is that the FTC has represented it doesn’t have the
resources to investigate a single consumer complaint, but congressional
inquiries can trigger an investigation (as can consumer or business “complaints,”
probably more than one). Specific
Privacy Issues for Consideration, Presentation, May 2011 (FTC production,
pp. 59-60). In addition, the FTC likes
to make an example of companies and looks to bring cases where there is likely
to be a large risk of injury to consumers or that may affect what consumers buy
(hitting companies in the pocket), because “such enforcement actions typically
have ripple effects through the entire industry by sending a clear message”
about non-compliance with the law as the FTC defines it. Data Security and Privacy: Legal, Policy,
and Enterprise Issues (FTC production, p. 977).
Conclusion
To conclude, nine years ago, then FTC Chairman Majoras noted
“The FTC’s 2006 Chairman’s Annual Report states that uncertainty ‘is the
primary enemy of efficiency in law enforcement.’ The FTC has worked to increase
the clarity of our legal standards and that will continue.” Protecting Consumer Information in the 21st
Century: The FTC’s Principled Approach (FTC production, p. 1140). I will leave it to you and others to judge
how successful the FTC has been at informing businesses what is expected in
order to avoid a law enforcement investigation and significant penalties.
Acknowledgement: I would like to thank Steptoe and Johnson,
and its lawyers Stewart Baker, Kaitlin Cassel, John Casciano, and Michael
Baratz for representing me in the litigation with the FTC, and for obtaining
the documents that I used to write this analysis.