Biden Administration Tech Policy: Federal Trade Commission (FTC)

Under President Joe Biden, the FTC will face most of the same issues presently before the agency.

In a Biden Administration, the FTC may tip from three Republican Commissioners, including the chair, to a majority of Democrats if Chair Joseph Simons steps down as has been rumored for some months now, in part because of political pressure and displeasure from the Trump White House. However, it is not uncommon for chairs to stay on even if a President of a different party comes to power, and, in fact, it rarely occurs that a sitting chair resigns at the beginning of a new presidency as occurred when then Chair Edith Ramirez resigned at the beginning of the Trump Administration in 2017. However, by law, the President may not remove the FTC chair or any commissioner except for “inefficiency, neglect of duty, or malfeasance in office.”

However, the President may, and almost always does in the event the White House changes hands, designate a new chair, and either of the sitting Commissioners could become the new chair: Rebecca Kelly Slaughter or Rohit Chopra. However, the latter’s term actually ended in September 2019 and can serve until he is re-confirmed or a successor is confirmed. It is not clear whether Chopra would be re-nominated given his view on regulating is to the left of Biden’s historical position on such issues. However, Chopra has support from Senator Elizabeth Warren (D-MA), a key stakeholder a Biden White House may try to keep happy. However, Chopra’s name was floated for the head of the Consumer Financial Protection Bureau (CFPB), the agency where he served as the Deputy Director. So, it may come to pass that President-elect Joe Biden gets to appoint two Democrats to the FTC if Simons steps down and Chopra moves on to the CFPB.

Of course, the FTC will almost certainly continue as the de facto federal data protection authority (DPA) for the United States and will use its Section 5 powers to investigate and punish privacy, data security, and cybersecurity violations. The agency is one of the two federal antitrust enforcers, a recently revived area of federal law that has bipartisan interest and support, and is on the verge of filing an antitrust action against Facebook, alleging violations of antitrust law in the social messaging market, especially on account of its WhatsApp and Instagram acquisitions. Conceivably, the FTC under Democratic leadership may have a more aggressive posture towards technology companies and other swaths of the economy that have undergone increased consolidation.

Moreover, most of the privacy bills in Congress would assign the responsibility of enforcing the regime at the federal level to the FTC, a power it would share with state attorneys general as is the current case with respect to antitrust and data security enforcement. The crucial question will be whether the agency receives the resources necessary to maintain its current responsibilities while taking on new responsibilities. At present, the House is proposing a $10 million increase to the agency’s budget from $331 million to $341 million.

Another aspect of the FTC that bears watching is how federal courts construe the agency’s power because a significant portion of the FTC’s ability to use its enforcement powers will hinge on court cases and possible Congressional tweaks to the FTC Act.

A few weeks ago, the FTC recently wrote the House and Senate committees with jurisdiction over the agency, asking for language restoring the power to seek and obtain restitution for victims of those who have violated Section 5 of the FTC Act and disgorgement of ill-gotten gains. The FTC is also asking that Congress clarify that the agency may act against violators even if their conduct has stopped as it has for more than four decades. Two federal appeals courts have ruled in ways that have limited the FTC’s long used powers, and now the Supreme Court of the United States is set to rule on these issues sometime next year. The FTC is claiming, however, that defendants are playing for time in the hopes that the FTC’s authority to seek and receive monetary penalties will ultimately be limited by the United States (U.S.) highest court. Judging by language tucked into a privacy bill introduced by the chair of one of the committees, Congress may be willing to act soon.

The FTC asked the House Energy and Commerce and Senate Commerce, Science, and Transportation Committees “to take quick action to amend Section 13(b) [of the FTC Act i.e. 15 U.S.C. § 53(b)] to make clear that the Commission can bring actions in federal court under Section 13(b) even if conduct is no longer ongoing or impending when the suit is filed and can obtain monetary relief, including restitution and disgorgement, if successful.” The agency asserted “[w]ithout congressional action, the Commission’s ability to use Section 13(b) to provide refunds to consumer victims and to enjoin illegal activity is severely threatened.” All five FTC Commissioners signed the letter.

The FTC explained that adverse rulings by two federal appeals courts are constraining the agency from seeking relief for victims and punishment for violators of the FTC Act in federal courts below those two specific courts, but elsewhere defendants are either asking courts for a similar ruling or using delaying tactics in the hopes the Supreme Court upholds the two federal appeals courts:

  • …[C]ourts of appeals in the Third and Seventh Circuits have recently ruled that the agency cannot obtain any monetary relief under Section 13(b). Although review in the Supreme Court is pending, these lower court decisions are already inhibiting our ability to obtain monetary relief under 13(b). Not only do these decisions already prevent us from obtaining redress for consumers in the circuits where they issued, prospective defendants are routinely invoking them in refusing to settle cases with agreed-upon redress payments.
  • Moreover, defendants in our law enforcement actions pending in other circuits are seeking to expand the rulings to those circuits and taking steps to delay litigation in anticipation of a potential Supreme Court ruling that would allow them to escape liability for any monetary relief caused by their unlawful conduct. This is a significant impediment to the agency’s effectiveness, its ability to provide redress to consumer victims, and its ability to prevent entities who violate the law from profiting from their wrongdoing.

Earlier in the year, by a split vote across party lines, the Federal Trade Commission (FTC) asked a United States (U.S.) appeals court to reconsider a ruling that overturned a lower court’s ruling that Qualcomm has violated antitrust laws in the licensing of its technology and patents vital to smartphones. Republican Commissioners Noah Joshua Phillips and Christine Wilson voted against filing the brief asking for a rehearing with Chair Joseph Simons joining the two Democratic Commissioners Rohit Chopra and Rebecca Kelly Slaughter in voting to move forward with the brief. This case could have major ramifications for antitrust law and the technology sector in the U.S. and for the 5G market as Qualcomm is a major player in the development and deployment of the technology necessary for this coming upgrade in wireless communications expected to bring a host of intended and unintended improvements in communications.

In the brief, the FTC argued the (U.S.) Court Of Appeals for The Ninth Circuit (Ninth Circuit) did not disagree with the District Court’s factual findings of anticompetitive conduct and rather took issue with the lack of “a cogent theory of anticompetitive harm.” The FTC argued the case should be reconsidered on three grounds:

  • The Ninth Circuit ruled on the basis of formal labels and not economic substance contrary to established Supreme Court law
  • Facially neutral surcharges by one market participant to its rivals is, in fact, an unequal and exclusionary burden on rivals, conduct the Supreme Court has ruled violates antitrust law; and
  • Harm to customers is indeed a central focus and concern of antitrust cases and ruling that this harm is outside relevant antitrust markets is also a misreading of established law.

As noted, the Ninth Circuit reversed a U.S. District Court’s decision that Qualcomm’s licensing practices violated the Sherman Antitrust Act. Specifically, the lower court held these practices “have strangled competition in the Code Division Multiple Access (CDMA) and premium Long-Term Evolution (LTE) modem chip markets for years, and harmed rivals, original equipment manufacturers (OEMs), and end consumers in the process.” Consequently, the court found “an unreasonable restraint of trade under § 1 of the Sherman Act and exclusionary conduct under § 2 of the Sherman Act….and that Qualcomm is liable under the FTC Act, as “unfair methods of competition” under the FTC Act include “violations of the Sherman Act.”

However, the Ninth Circuit disagreed, overturned the district court and summarized its decision:

  • [We] began by examining the district court’s conclusion that Qualcomm had an antitrust duty to license its standard essential patents (SEPs) to its direct competitors in the modern chip markets pursuant to the exception outlined in Aspen Skiing Co. v. Aspen Highlands Skiing Corp., 472 U.S. 585 (1985). [We] held that none of the required elements for the Aspen Skiing exception were present, and the district court erred in holding that Qualcomm was under an antitrust duty to license rival chip manufacturers. [We] held that Qualcomm’s OEM-level licensing policy, however novel, was not an anticompetitive violation of the Sherman Act.
  • [We] rejected the FTC’s contention that even though Qualcomm was not subject to an antitrust duty to deal under Aspen Skiing, Qualcomm nevertheless engaged in anticompetitive conduct in violation of § 2 of the Sherman Act. [We] held that the FTC did not satisfactorily explain how Qualcomm’s alleged breach of its contractual commitment itself impaired the opportunities of rivals. Because the FTC did not meet its initial burden under the rule of reason framework, [We were] less critical of Qualcomm’s procompetitive justifications for its OEM-level licensing policy—which, in any case, appeared to be reasonable and consistent with current industry practice. [We] concluded that to the extent Qualcomm breached any of its fair, reasonable, and nondiscriminatory (FRAND) commitments, the remedy for such a breach was in contract or tort law.

The FTC has a number of significant outstanding rulemakings.

In early 2019, the FTC released notices of proposed rulemaking (NPRM) for two of the data security regulations with which some financial services companies must comply:

The reassessment of the Safeguards Rule began in 2016 when the FTC asked for comments. The proposed Safeguards Rule demonstrates the agency’s thinking on what data security regulations should look like, which is important because the FTC is the agency most likely to become the enforcer and writer of any new data security or privacy regulations. Notably, the new Safeguards regulation would require the use of certain best practices such as encrypting data in transit or at rest or requiring the use of multi-factor authentication “for any individual accessing customer information.” Moreover, the other financial services agencies charged with implementing the section of Gramm-Leach-Bliley (GLB) that requires financial services companies to safeguard customers’ information may follow suit (e.g. the Federal Reserve Board or the Comptroller of the Currency.)

In the proposed rule, the FTC noted that its changes to the Safeguards Rule would “include more detailed requirements for the development and establishment of the information security program required under the Rule…[and] [t]hese amendments are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services, 23 NYCRR 500 (“Cybersecurity Regulations”), and the insurance data security model law issued by the National Association of Insurance Commissioners (“Model Law”).”

In the Safeguards Rule proposal, the FTC explained “[t]he proposal contains five main modifications to the existing Rule.”

  • First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption.
  • Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies.
  • Third, it exempts small businesses from certain requirements.
  • Fourth, it expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. Such a change would add “finders”–companies that bring together buyers and sellers of a product or service–within the scope of the Rule.
  • Finally, the Commission proposes to include the definition of “financial institution” and related examples in the Rule itself rather than incorporate them by reference from a related FTC rule, the Privacy of Consumer Financial Information Rule.

The FTC’s Safeguards Rule applies to the following and other entities:

[M]ortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non- federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.

The FTC explained that it “is proposing to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to specifically include so-called “finders,” those who charge a fee to connect consumers who are looking for a loan to a lender…[because] [t]his proposed change would bring the Commission’s Rule in line with other agencies’ interpretation of the Gramm Leach Bliley Act.”

As part of its regular review of its regulations, the FTC released asked for input on its Health Breach Notification Rule (HBN Rule) promulgated in 2010 per direction in the “American Recovery and Reinvestment Act” (ARRA) (P.L. 111-5). When enacted, Congress expected this regulation to be temporary as policymakers thought a national breach notification statute would shortly be enacted that would make the FTC’s regulations superfluous, but that has obviously not happened. And, hence the FTC continues to have regulations governing breach notification and security of some health information for entities not subject to the “Health Insurance Portability and Accountability Act” (HIPAA)/“Health Information Technology for Economic and Clinical Health Act” (HITECH Act) regulations, which are generally healthcare providers and their business associates. Incidentally, it is possible the FTC’s HBN Rule would govern breaches arising from breaches of vendors involved with COVID-19 contact tracing.

As explained in the current regulation, the HBN Rule “applies to foreign and domestic vendors of personal health records (PHR), PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents.” This rule, however, “does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.”

And yet, the FTC conceded it “has not had occasion to enforce its Rule because, as the PHR market has developed over the past decade, most PHR vendors, related entities, and service providers have been HIPAA-covered entities or “business associates” subject to the Department of Health and Human Services’ (HHS) rule.” The FTC foresees utility and need for the HBN Rule “as consumers turn towards direct-to-consumer technologies for health information and services (such as mobile health applications, virtual assistants, and platforms’ health tools), more companies may be covered by the FTC’s Rule.” Accordingly, the FTC “now requests comment on the HBN Rule, including the costs and benefits of the Rule, and whether particular sections should be retained, eliminated, or modified.”

In terms of how the HBN Rule functions, the FTC explained:

  • The Recovery Act directed the FTC to issue a rule requiring these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information.
  • Accordingly, the HBN Rule requires vendors of PHRs and PHR related entities to provide: (1) Notice to consumers whose unsecured individually identifiable health information has been breached; (2) notice to the media, in many cases; and (3) notice to the Commission.
  • The Rule also requires third party service providers (i.e., those companies that provide services such as billing or data storage) to vendors of PHRs and PHR related entities to provide notification to such vendors and entities following the discovery of a breach.
  • The Rule requires notice “without unreasonable delay and in no case later than 60 calendar days” after discovery of a data breach. If the breach affects 500 or more individuals, notice to the FTC must be provided “as soon as possible and in no case later than ten business days” after discovery of the breach. The FTC makes available a standard form for companies to use to notify the Commission of a breach. The FTC posts a list of breaches involving 500 or more individuals on its website. This list only includes two breaches, because the Commission has predominantly received notices about breaches affecting fewer than 500 individuals.

Moreover, per the current regulations, the FTC may treat breaches as violations of regulation on unfair or deceptive practices, permitting the FTC to seek and possibly levy civil fines of up to $43,000 per violation.

© Michael Kans, Michael Kans Blog and, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Image by Gerd Altmann from Pixabay

FTC Acts Against Stalking App Developer

The Federal Trade Commission (FTC) announced its first action regarding applications for smart phones that may be placed on a user’s device without their knowledge or consent (aka stalking apps). The FTC took action against the developer of stalking apps of violating both the Federal Trade Commission Act (FTC Act) and the Children’s Privacy Protection Rule (COPPA Rule). In its press release, the FTC claimed these apps “allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device’s user.”

Retina-X Studios, LLC agreed to a consent order that permanently restrains and enjoins the company “from, or assisting others in, promoting, selling, or distributing a Monitoring Product or Service unless Respondents” meet a list of requirements, including foreswearing the circumvention of a mobile device’s operating system for installation (aka jail-breaking or rooting), eliciting affirmative agreement that users of any such app will only employ it in lawful, enumerated practices, and that whenever the app is running, there must be a clear and conspicuous icon on the device alerting the user that the run has been installed and is functional.

Like many such settlements, the FTC elicited agreement from the app developer to cease certain past practices and to engage in future practices to both avoid the offensive conduct and that are designed to lead to better data security. Failure to do so would allow the FTC to go back to the court and request an order to show cause against the entity, putting it in jeopardy of facing civil penalties of more than $42,000 per violation.

Of course, the FTC’s power to order entities to take certain, broadly gauged actions, such as institute a comprehensive data security program, have been called into question in LabMD v. FTC. In that 2018 case, U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC and held that the agency may not direct entities to take, future, ill-defined actions. Rather, in the appeals court’s view, the FTC’s underlying statute allows the agency only to spell out the conduct that entities may not engage in whether it be in a cease and desist order issued by the FTC or a consent decree issued by a U.S. District Court. Of course, this is only the view of one circuit, and the other circuits are free to continue operating under the old understanding that the FTC may indeed direct entities to, for example and most relevantly in this case, implement a comprehensive data security regime.

In LabMD, the FTC Order that the Eleventh Circuit found faulty required:

…that the respondent shall, no later than the date this order becomes final and effective, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers by respondent or by any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including…

A.the designation of an employee or employees to coordinate and be accountable for the information security program;

B.the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;

C.the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;

D.the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and

E.the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by Subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

However, in the instant case, the FTC is far more prescriptive than it was by directing Retina-X Studios to

Design, implement, maintain, and document safeguards that control for the internal and external risks to the security, confidentiality, or integrity of Personal Information identified in response to sub-Provision VI.D. Each safeguard shall be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, alteration, destruction, or disclosure of the Personal Information. Respondents’ safeguards shall also include:

1.Technical measures to monitor all of Respondents’ networks and all systems and assets within those networks to identify data security events, including unauthorized attempts to exfiltrate Personal Information from those networks;

2.Technical measures to secure Respondents’ web applications and mobile applications and address well-known and reasonably foreseeable vulnerabilities, such as cross-site scripting, structured query language injection, and other risks identified by Respondents through risk assessments and/or penetration testing;

3.Data access controls for all databases storing Personal Information, including by, at a minimum, (a) requiring authentication to access them, and (b) limiting employee or service provider access to what is needed to perform that employee’s job function;

4.Encryption of all Personal Information on Respondents’ computer networks; and

5.Establishing and enforcing policies and procedures to ensure that all service providers with access to Respondents’ network or access to Personal Information are adhering to Respondents’ Information Security Program.

The FTC continues by requiring:

F. Assess, at least once every twelve (12) months and promptly following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results.

G. Test and monitor the effectiveness of the safeguards at least once every twelve months and promptly following a Covered Incident, and modify the Information Security Program based on the results. Such testing shall include vulnerability testing of each of Respondents’ network(s) once every four (4) months and promptly after any Covered Incident, and penetration testing of each Covered Business’s network(s) at least once every twelve (12) months and promptly after any Covered Incident;

H. Select and retain service providers capable of safeguarding Personal Information they receive from each Covered Business, and contractually require service providers to implement and maintain safeguards for Personal Information; and

I. Evaluate and adjust the Information Security Program in light of any changes to Respondents’ operations or business arrangements, a Covered Incident, or any other circumstances that Respondents know or have reason to know may have an impact on the effectiveness of the Information Security Program. At a minimum, each Covered Business must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.

Is it possible the FTC is seeking to forestall future actions based on LabMD through the use of more descriptive, prescriptive requirements for entities in establishing and running better data security programs? It absolutely could be. Some have suggested that the agency telegraphed its current thinking on what is proper data security in draft regulations earlier this year that are more detailed than the current regulations and the numerous settlements the FTC has entered into.

Possible Preview of Federal Data Security Regulations?

If privacy legislation gets passed by the Congress this year or next (although recent reports suggest a number of impasses between Republicans and Democrats), it might also contain language on data security standards. Such legislation would also likely direct the Federal Trade Commission (FTC) to conduct an Administrative Procedure Act (APA) rulemaking to promulgate regulations on privacy and data security. As most of the major bills provide that the FTC would use APA notice and comment procedure instead of the far lengthier Moss-Magnuson procedures, it is not far-fetched to envision FTC regulations on privacy and/or data security coming into effect, say, in the first year of the next Administration. However, what might FTC regulations on data security look like? Well, the FTC’s recent proposed update to the Safeguards Rule may provide a roadmap, but first a little background.

The “Financial Services Modernization Act of 1999” (P.L. 106-102) (aka Gramm-Leach-Bliley) required financial services regulators to promulgate regulations to “protect the security and confidentiality of…customers’ nonpublic personal information.” The FTC, among other regulators, were required to “establish appropriate standards for the financial institutions…relating to administrative, technical, and physical safeguards-

  • (1) to insure the security and confidentiality of customer records and information;
  • (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
  • (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”

The current Safeguards regulations were promulgated in May 2002 and reflect the thinking of the agency in the era before big data, widespread data breaches, smartphones, and other technological developments. Consequently, the regulations those financial services companies subject to FTC regulation under Gramm-Leach-Bliley now seem vague and almost permissive in light of best practices and requirements subsequently put in place for many entities. The current Safeguards rule is open-ended and allows the regulated entity the discretion and flexibility to determine what constitutes the “information security program” it must implement based on the entity’s “size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” Covered entities must perform risk assessments to identify and ideally remediate foreseeable internal and external risks. Subsequently, the covered entity must then “[d]esign and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.”

These regulations are not prescriptive and are more general in nature, or at least they seem so in retrospect. One would hope that any entities holding any modicum of sensitive consumer information is regularly and vigorously engaged in an ongoing practice of assessing and addressing risks. However, the repromulgation of the Safeguards rule suggest this may not be the case.

The FTC is using its very broad grant of authority under Gramm-Leach-Bliley to revisit the Safeguards Rule as part of its periodic sweep of its regulations. The FTC explained that when it issued the current Safeguards Rule in 2002 “it opted to provide general requirements and guidance for the required information security program, without providing detailed descriptions of what the information security program should contain.” The FTC claimed that“[i]t took this approach in order to provide financial institutions with the flexibility to shape the information security programs to their particular business and to allow the programs to adapt to changes in technology and threats to the security and integrity of customer information.” The FTC asserted its beliefthe new provisions “continue to provide companies with flexibility, they also attempt to provide more detailed guidance as to what an appropriate information security program entails.”

In the proposed changes to the Safeguards Rule, the FTC is calling for “more specific security requirements” that “will benefit financial institutions by providing them more guidance and certainty in developing their information security programs, while largely preserving that flexibility.” It is possible that in offering more detailed prescriptions that the FTC is responding to criticisms generally that its data security standards are vague[1]. The FTC contends that the “proposed amendments provide more detailed requirements as to the issues and threats that must be addressed by the information security program, but do not require specific solutions to those problems.” The Commission claims “the proposed amendments retain the process-based approach of the Rule, while providing a more detailed map of what information security plans must address.”

The FTC explains

These amendments are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services, 23 NYCRR 500 (“Cybersecurity Regulations”), and the insurance data security model law issued by the National Association of Insurance Commissioners (“Model Law”).The Cybersecurity Regulations were issued in February 2017 after two rounds of public comment. The Model Law was issued in October 2017. The Commission believes that both the Cybersecurity Regulations and the Model Law maintain the balance between providing detailed guidance and avoiding overly prescriptive requirements for information security programs. The proposed amendments do not adopt either law wholesale, instead taking portions from each and adapting others for the purposes of the Safeguards Rule.

However, the FTC does not merely lift provisions from each but rather uses these as guidelines in drafting its own regulations, and the agency picks, chooses, modifies and discards from the regulations. Going over the three sets of data security requirements and providing a detailed analysis is outside the scope of this article. Rather, I would like to hit some of the high points by way of illustrating both the FTC’s reliance on the two predecessor schemes and also to show how the agency’s thinking on what constitutes adequate data security has evolved since 2002.

The FTC’s proposed Safeguards rule would generally require covered entities to encrypt consumer’s personal information when at rest and in transit on external systems. Similarly, the use of multi-factor authentication would be required in most circumstances, and covered entities would need to engage in regular penetration testing.

As a threshold matter, the Commission defines what a “security event” is and how regulated entities must gear their data security to preventing or reducing the risk that a “security event” occurs. Under the currently effective regulations, there is no definition. The agency proposes that a “security event” will mean “an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system.” In the Federal Register notice, the FTC explained that “[t]his term is used in proposed provisions requiring financial institutions to establish written incident response plans designed to respond to security events and to implement audit trails to detect and respond to security events.”

The FTC would generally require “covered entities” to encrypt consumer information at rest or in transit subject to a significant exception. The agency’s reasoning seems to be that encryption would be used for sensitive consumer information and when it is not prohibitively difficult or expensive to do so. However, The NAIC model statute charges regulated entities to “[d]etermine which security measures…are appropriate and implement such security measures” including encryption whereas the NYDFS would require the use of encryption of nonpublic information at rest or transmitted by covered entities unless it has been determined doing either would be “infeasible,” a decision that the entity’s CISO may agree with. The FTC followed the NYDFS in substantial part and the language on the exemption to the requirement that encryption must be used follows word for word: “[t]o the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer information using effective alternative compensating controls reviewed and approved by your CISO.” It is not clear, moreover, under this loophole what would stop organizations regulated by the FTC to make this determination, for it appears the agency would have limited recourse in questioning the covered entity’s decision not to encrypt customer data. It is unclear if the FTC will keep this provision in the final regulation. In contrast, the NYDFS requires the CISO to revisit such decisions annually.

Tellingly, however, the FTC opted against the safe harbors the NAIC model statute offers if entities have encrypted the exfiltrated or accessed data and the encryption, process or key has not also been breached. The NYDFS also does not have such a safe harbor to what constitutes a security event that triggers the reporting and notification requirements. Nonetheless, the FTC lifts its definition for encryption almost word-for-word from the NAIC model statute.

Another new requirement for covered entities is the use of multi-factor authentication. The FTC’s draft regulations provide that “[i]n order to develop, implement, and maintain your information security program, you shall…[d]esign and implement safeguards to control the risks you identity through risk assessment, including…multi-factor authentication.” The agency defines multi-factor authentication as “authentication through verification of at least two of the following types of authentication factors:

  • (1) Knowledge factors, such as a password;
  • (2) Possession factors, such as a token; or
  • (3) Inherence factors, such as biometric characteristics.”

The FTC explained that it “views multi-factor authentication as a minimum standard to allowing access to customer information for most financial institutions…[and] believes that the definition of multi-factor authentication is sufficiently flexible to allow most financial institutions to develop a system that is suited to their needs.” Nonetheless, “[t]he Commission seeks comment on whether this definition is sufficiently flexible, while still requiring the elements of meaningful multi-factor authentication.”

Like the NYDFS and NAIC standards, the FTC would require “information systems under the Rule to include audit trails designed to detect and respond to security events.” The agency uses a National Institute of Standards and Technology (NIST) definition of audit trail: “chronological logs that show who has accessed an information system and what activities the user engaged in during a given period.” The FTC noted that this standard will “not require any specific type of audit trail, nor does it require that every transaction be recorded in its entirety,” but, crucially, “the audit trail must be designed to allow the financial institution to detect when the system has been compromised or when an attempt to compromise has been made.” Also, the FTC will not require that audit trails be retained for any set period of time; rather, covered entities must hold them for a “reasonable” period of time. What should be the FTC’s expectations on maintaining audit trails that date back to “security event” that first occurred two years before it was discovered? Is two years a reasonable period of time to store audit rail materials?

Similarly, the draft Safeguards rule would “require financial institutions to take steps to monitor those users and their activities related to customer information in a manner adapted to the financial institution’s particular operations and needs.” The FTC noted that “[t]he monitoring should allow financial institutions to identify inappropriate use of customer information by authorized users, such as transferring large amounts of data or accessing information for which the user has no legitimate use.”

The FTC would bolster the current mandate that covered financial institutions “[r]egularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.” The agency calls for “either ‘continuous monitoring’ or ‘periodic penetration testing and vulnerability assessments.’” However, in lieu of continuous monitoring, the FTC is willing to accept annual penetration testing and biannual vulnerability testing “reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment.”

Finally, the FTC is proposing to carve out very small institutions that would otherwise fall within the scope of the rule because they “maintain relatively small amounts of customer information.” As a result, the draft Safeguards rule would exempt small covered entities from needing to:

  • 314.4(b)(1), requiring a written risk assessment;
  • 314.4(d)(2), requiring continuous monitoring or annual penetration testing and biannual vulnerability assessment;
  • 314.4(h), requiring a written incident response plan; and
  • 314.4(i), requiring an annual written report by the CISO.

The FTC articulated its belief that these are the requirements most likely “to cause undue burden on smaller financial institutions.”

The FTC seems to be balancing the expense imposed on these smaller institutions with presumably less resources for compliance against the mandate of Gramm-Leach-Bliley to safeguard customer records and information. But, on its face, the underlying statute does not seem to delegate authority to the FTC to exempt small entities unless the directive to “establish appropriate standards” can be read as a grant of discretion in how the agency meets this Congressional mandate (emphasis added).

And yet, putting aside that issue for the moment, one wonders why the agency drew the line at those institutions that “maintain customer information concerning fewer than five thousand consumers.” Is there a quantitative difference between the resources available to businesses of this size and those “maiantain[ing]” the consumer records and information of 7,500 or 10,000 or 20,000 consumers? Also, how exactly will maintain be construed? Will it be an annual average of the consumer information held by an institution? A monthly average? A threshold that an entity clears once and then the Safeguards’ requirements attach? The agency did not explain its thinking on this point.

Incidentally, the FTC actually split on the proposed Safeguards regulation with Commissioners Noah Joshua Phillips and Christine S. Wilson issuing a dissenting statement, in which they extol the virtues of the current rule and assert the proposed regulation “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.” This may suggest a future FTC may not propose a similarly prescriptive approach for privacy and/or data security regulations under to be enacted legislation.

And yet, regardless of whether the FTC does proceed in this fashion, might the agency’s thinking on what constitutes acceptable data security under the powers granted by Section 5 of the FTC Act begin to resemble the more directive regime under the Safeguards rule? Given that the agency has not exactly spelled out what is “reasonable” data security, the general requirements for encryption, multi-factor authentication, and penetration testing could well get folded into what the FTC considers the sorts of practices entities will need to use in order not to violate the ban on deceptive and unfair practices.

[1] In LabMD, Inc. vs. FTC, the Eleventh Circuit ruled against the FTC’s use of its Section 5 powers to enter into settlements requiring private entities to establish and maintain remedial, “reasonable” data security practices. The court held that such settlements are contrary to the FTC Act because they do not enjoin specific acts or practices and rather command entities to institute data security practices. The court also found that such settlements are ultimately unenforceable because they are vague as to what is a reasonable data security regime.