On the Front Lines: The FTC’s Role in Data Security – Keynote Address at the Center for Strategic and International Studies (CSIS) Workshop on…
Targeted News Service
Thank you, Jim, for that kind introduction. And thank you to the Center for inviting me to address you this afternoon. It is a pleasure to speak with a group that has such depth and breadth in security issues.
We live in a networked world. We Americans depend on constant connections to work, relax, and toggle between the two. Communications networks synchronize our critical infrastructure, including our electricity, water, hospitals, buses and transportation systems. And we're rapidly moving toward an Internet of Things, which will put everything from our washers and dryers to our cars online. These developments hold promises small and great, from saving us a few steps when we turn off the lights, to using our resources more efficiently.
All of these connections bring risks along with benefits. Over the past year, it seems that we haven't gone more than a few days without hearing about a major security breach involving consumers' financial data or other sensitive information.1
Consumers expect companies to protect their information. Data security protections are increasingly like keeping the lights on. Consumers might not notice when they work, but they sure notice when they fail.7
Data security is one of our top consumer protection priorities. In our enforcement actions and policy initiatives, we focus on the harms that consumers may suffer when companies fail to keep information secure.8 Unauthorized access to data puts consumers at risk of fraud, identity theft, and even physical harm. Data can reveal information about our health conditions, financial status, or other sensitive traits. Security is also an essential part of maintaining consumers' privacy, which is another top consumer protection priority at the FTC.
I'd like to convey two main messages about our data security enforcement. First, we enforce a flexible standard of reasonable security.9 Second, the FTC is the only federal agency with the authority to enforce such a standard across broad swaths of the U.S. economy. Our reasonable security standard adapts to rapid changes in both technology and security threats, allowing us to apply this standard both to older technologies and to technologies that are just emerging.
Putting the FTC's Data Security Enforcement in Context of other Recent Governmental Efforts
The FTC plays a unique role in the broad effort to keep computers, networks, and people secure. For more than a decade, we have used all of our tools - including law enforcement, policy initiatives, and consumer and business education - to prevent and remedy the harms that can result from personal information falling into the wrong hands.10
Over the past few years, other governmental experts have turned their attention to answering difficult questions about the legal, economic, political, and military aspects of cybersecurity.
The core of the NIST Framework is about risk assessment and mitigation. In this regard, it is fully consistent with the FTC's enforcement framework. One of the pillars of reasonable security practices that the FTC has established through our settlements in more than 50 data security cases is that assessing and addressing security risks must be a continuous process. There is no single, right way to do these assessments; it depends on the volume and sensitivity of information the company holds, the cost of the tools that are available to address vulnerabilities, and other factors.13 By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach.14
FTC Data Security Enforcement Over a Decade in Time and Many Generations of Technology
The main legal authority that the FTC uses in the data security space is Section 5 of the FTC Act,15 which gives us the ability to stop unfair or deceptive acts or practices. We first applied Section 5 to data security issues in 2002, back in the day when, to paraphrase
The FTC's data security enforcement actions initially focused on deception. Recognizing that consumers' data was valuable to them and potentially harmful if obtained by fraudsters, identity thieves, and other malicious actors, companies began to promise to consumers that they would keep this data secure. Those promises were, and are, material to consumers' choices about whether to use a product or service. After all, who would entrust their information to a company that doesn't protect it? When companies don't live up to their promises, the FTC may step in. From the very beginning, our view has been that a promise to keep information secure has to be backed up by reasonable and appropriate processes and practices.17
Within a few years, it became clear that the FTC's ability to stop unfair practices under Section 5 would have its place alongside deception in our efforts to ensure reasonable security protections for consumer data. The key difference between unfairness and deception is that unfairness may be applicable even in the absence of a representation or omission in information presented to consumers. In 2005, we brought our first data security case under a pure unfairness theory, following a breach that exposed the sensitive personal information of thousands of consumers.18 In the language of our unfairness standard, this company's data security practices caused, or were likely to cause, a substantial injury that consumers could not reasonably avoid and that was not outweighed by benefits to consumers or competition.19 These days, of course, it's not unusual to read about breaches that involve records about millions, or tens of millions, of consumers. The scale of breaches has changed, but the legal principles we seek to enforce have not.
In our settlements and guidances, the Commission has outlined reasonable security practices while emphasizing that companies need to implement these practices in a way that is appropriate for their businesses. These practices include:20
* Do a risk assessment. Companies should know what information they have, how it flows through their enterprise, what kind of access employees and third parties have to this information, and what vulnerabilities could compromise its confidentiality, integrity, or availability.
* Minimize personal information about consumers. Limiting the consumer information that companies collect and retain to what is necessary to fulfill legitimate business needs will help reduce unnecessary security risks.
* Implement technical and physical safeguards. Security measures like firewalls, strong passwords, and limiting the circumstances under which sensitive personal information may be stored on laptops are important but not sufficient. Protecting information "the old fashioned way" - by ensuring that backup tapes, CDs, external hard drives, USB thumb drives and the like are locked up, and securely destroyed when no longer needed - is a risk-reducing complement to security measures deployed on computers and networks.
* Train employees to handle personal information properly.
* Have a plan in place to respond to any security incidents that occur.
This is not a standard of perfect security. FTC staff investigates hundreds of breaches, and so far we have brought 53 cases under Section 5. We tend to bring an action when we find systemic failures in a company's data security practices. So the fact that there's an isolated vulnerability in a product or service that a company offers, or even the fact that a company suffers a breach, does not mean that the FTC will come calling, let alone file a lawsuit.
Some of the FTC's actions are against companies that are themselves victims of hacking or other malicious actions. But this does not and should not relieve companies of the need to provide reasonable security. After all, it is the company that decides what data to collect, how to use it, and when - if ever - to get rid of it. Holding companies accountable for their practices and the representations they make is entirely appropriate and consistent with how we apply Section 5 to other commercial activities.
Using Section 5 to Address New Data Security Challenges
Today, consumers are moving more of their activities to smartphones and connected devices. These phones and devices are producing an increasing amount of sensitive data, including user generated health information. Our recent data security cases show that Section 5 is up to the task of protecting consumers in this rapidly changing environment. Let me focus on three emerging areas that seem particularly salient in our data intensive economy, beginning with mobile.
Mobile
Mobile devices and apps provide convenience, entertainment, and a platform for us to connect to one another in new and exciting ways. But when apps fail to provide reasonable security, they can leave a broad range of sensitive personal information at risk.
For example, earlier this year, the FTC brought enforcement actions against two popular apps: Credit Karma and Fandango.21 We alleged that these apps contained flawed implementations of the Secure Sockets Layer (SSL) protocol, which is a common means for encrypting data in transit.22 Specifically, we alleged that the Credit Karma and Fandango apps were susceptible to "man in the middle attacks," in which an impostor could pose as a legitimate data recipient and collect highly sensitive information from consumers - including
The FTC also brought an action against the mobile app Snapchat, which allows consumers to send photos or videos that disappear after just a few seconds.25 Or so Snapchat told its users. The part of the FTC's complaint that seemed to draw the most attention was the allegation that, despite the company's representations, recipients were able to save "snaps" indefinitely using a few simple techniques.26 But we also alleged that the app exposed consumers' mobile phone numbers,27 and left consumers vulnerable to being impersonated by other Snapchat users.28 Thus the Snapchat case both raises significant privacy issues and reminds us that security - which includes controls to keep information confidential - is critical to effective privacy protections.
As a group, these three cases show that the FTC's framework for holding companies to a standard of reasonable data security readily applies to the mobile environment.
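The man-in-the-middle exposure described above for the Credit Karma and Fandango apps comes down to the certificate-validation step of a TLS client: if the client does not chain the server's certificate to a trusted root and check the hostname, anyone on the network path can present their own certificate and read the traffic. The Go example below is added by the editor and is not code from the speech or from either app. It issues, in memory, a CA-signed certificate for a hypothetical hostname (api.example.test) and a self-signed impostor certificate for the same name, then compares a client that has switched validation off (InsecureSkipVerify) with one that verifies the chain against its own trust store. The hostname, the CA name and the function names are illustrative, and the validation decision is exercised directly rather than over a live network handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate in memory for this example: self-signed when
// parent is nil, otherwise signed by parentKey under parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames:  []string{cn}, // the name a client will check against
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyPeer is the check a client must make before sending anything sensitive: chain
// the leaf to a trusted root and confirm it is valid for the expected hostname.
func verifyPeer(rawCerts [][]byte, hostname string, roots *x509.CertPool) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("peer presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// clientAccepts reproduces the validation decision a client built from cfg makes
// when a peer presents rawCerts, without opening a network connection.
func clientAccepts(cfg *tls.Config, rawCerts [][]byte) bool {
	if cfg.InsecureSkipVerify {
		return true // nothing is checked: a man in the middle looks exactly like the real server
	}
	return verifyPeer(rawCerts, cfg.ServerName, cfg.RootCAs) == nil
}

// Scenario issues a CA-signed certificate for hostname and a self-signed impostor certificate
// for the same name, then reports whether each client accepts the impostor and the genuine server.
func Scenario(hostname string) (vulnImpostor, hardImpostor, hardGenuine bool, err error) {
	ca, caKey, err := newCert("root-ca.example.test", true, nil, nil) // hypothetical CA
	if err != nil {
		return
	}
	genuine, _, err := newCert(hostname, false, ca, caKey)
	if err != nil {
		return
	}
	impostor, _, err := newCert(hostname, false, nil, nil)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the app's trust store; the impostor's issuer is not in it
	// The flaw: certificate validation switched off. The fix: validation on, trust
	// limited to known roots, and a modern protocol floor.
	vuln := &tls.Config{ServerName: hostname, InsecureSkipVerify: true}
	hard := &tls.Config{ServerName: hostname, RootCAs: roots, MinVersion: tls.VersionTLS12}
	return clientAccepts(vuln, [][]byte{impostor.Raw}),
		clientAccepts(hard, [][]byte{impostor.Raw}),
		clientAccepts(hard, [][]byte{genuine.Raw}), nil
}

func main() {
	v, hi, hg, err := Scenario("api.example.test") // hypothetical hostname
	fmt.Println("vulnerable accepts impostor:", v, "| hardened accepts impostor:", hi, "| hardened accepts genuine:", hg, err)
}
```

Running it shows the client with verification disabled accepting the impostor, while the hardened client rejects the impostor and still accepts the genuine, CA-signed certificate. The practical audit for a shipped app is the same in any language: search the code for the switch that turns validation off (InsecureSkipVerify here, or a trust manager that accepts every chain on other platforms), and test the build against a self-signed certificate served on the API hostname; a client that connects without complaint has the flaw described above.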
Internet of Things
Let's turn to the Internet of Things. While connected devices can provide innovative services, they must do so in a way that does not violate consumer privacy or leave personal information vulnerable to exposure. Some of the data coming from connected watches, appliances, clothes, and other everyday devices could reveal a lot about our health, activities in our home, or other highly sensitive aspects of our lives.29 Protecting this information from unauthorized access and disclosure is paramount. I am concerned that some of the lessons of the recent past aren't being applied to these exciting new technologies. A recent study by HP found that 90 percent of connected devices are collecting personal information, and 70 percent of them are transmitting this data without encryption.30
The first case we brought in the Internet of Things area was against
Health Information
Finally, let me focus on health information. Our recent cases show that we're serious about enforcing protections for sensitive information. There is broad agreement that information about consumers' health and medical conditions is sensitive and that consumers suffer harm when this information is unexpectedly revealed. Companies that collect this information need to recognize its sensitivity and provide safeguards to match.
In two recent cases, the FTC had reason to believe that companies failed to provide such safeguards. Last fall, we announced a settlement with
Taking a Broader View of Data Security Through Policy Initiatives
Let me take a step back and talk about policy. Policy initiatives are another important aspect of the FTC's data security efforts. Those of you who are familiar with our work know that we are adept at identifying emerging challenges in many areas of consumer protection. Data security is no different. We recently held two public workshops that explored emerging data security issues. At our
Second, in
Finally, while the FTC's current enforcement authority and our capacity to develop policy recommendations and best practices in connection with new technologies all play a critical role in providing U.S. consumers with some assurance that companies will keep their information secure, I believe that we need more tools to protect consumers in this area. Along with my fellow Commissioners, I believe that
* * * * *
Technology has changed dramatically since the early days of the FTC's privacy and data security enforcement. The FTC's general, flexible consumer protection authority has played an important role stopping and remedying fraud, identity theft, and a broad array of privacy violations as these technological changes have been underway.
We at the FTC cannot address every data security challenge that
This document has footnotes and they may be found at the following URL: (http://www.ftc.gov/system/files/documents/public_statements/582841/140917csisspeech.pdf)
Copyright (c) 2014 Targeted News Service