
FTC Chronicle: “Lessons Learned” from the Agency’s Data Breach Investigations

The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action.

Over the past 15 years, the agency has prosecuted more than 60 data security cases based on its broad authority under Section 5 of the FTC Act to police “unfair and deceptive” trade practices.  In all but one instance, these cases have settled with the parties entering into consent decrees.  Yet, the agency’s critics – and companies on the receiving end of an FTC enforcement action – have argued that the agency’s “reasonableness” standard is just too vague to provide meaningful guidance to organizations subject to the agency’s jurisdiction.

In a press release announcing the blog, FTC Acting Chairman Maureen K. Ohlhausen noted that the agency wanted “to be more transparent about the lessons learned from the FTC’s closed data security investigations and to provide additional information about practices that contribute to reasonable data security….”

The FTC makes public its administrative actions but until now, has not formally disclosed the factors it considers when deciding whether or not to pursue a data security enforcement action.

In its first blog post, the agency’s acting director for consumer protection, Thomas B. Pahl, said “we think there is more we can do to explain to other companies the general principles that informed our thinking when we decided to close investigations.”

Pahl outlined “recurring themes” common to cases that are closed without an enforcement action.  Typically, the targeted companies had “effective procedures in place to train their staff, keep sensitive information secure, address vulnerabilities, and respond quickly to new threats.” 

Other common themes included:

  • Incomplete Initial Reports.  Initial reports about a data breach might pique a regulator’s interest but leave out key facts or context necessary to fully understand the risks involved.  For instance, in a situation where the data affected by the breach was encrypted – which “substantially reduces the risk of consumer injury” – the agency might be inclined to pass on an enforcement action.

  • Resource Allocation.  As with many government agencies, investigatory resources aren’t unlimited.  Pahl noted that, while an organization’s practices might raise “initial concerns,” public interest factors – such as the size of the company and the amount of information affected – might cause the agency to devote its resources elsewhere.

  • The “Right” Agency.  While the FTC is the self-described “primary cop on the beat when it comes to data security,” other federal agencies share that turf, including the U.S. Department of Justice, the Department of Health and Human Services, and the Federal Communications Commission, to name a few.  “Sometimes an alleged incident or practice is a more natural fit for another law enforcer” and is referred to a sister agency.

  • Real Consumer Risk.  A hot-button issue, both for the FTC and in class action data breach litigation, is the extent of consumer risk or harm posed by a data security incident.  Pahl acknowledged, however, that not every vulnerability justifies an enforcement action.  In instances in which “the risk of the vulnerability being exploited to cause consumer injury is more theoretical than likely,” the agency has passed on enforcement actions.

We will keep you updated on future FTC blog posts that further open the window on the agency’s regulatory expectations.