Slaughter, Ohlhausen Agree on Need for More FTC Data Security Authority
FTC Commissioner Rebecca Kelly Slaughter and former Commissioner Maureen Ohlhausen agreed Tuesday the agency needs more data security authority, though they largely offered competing views. At an Atlantic magazine event, Slaughter spoke of the agency’s inability to deter bad actors because of its lack of civil penalty and rulemaking authority.
Ohlhausen defended the agency’s current framework, which relies on consent decrees for levying penalties. She said the FTC has limited authority because the agency is governed by a very broad statute. A company may not know right away what’s unfair or a violation of the FTC Act, Ohlhausen said, and fining authority shouldn’t be exercised until the boundaries are clear.
Declining to address the recent Facebook hack directly (see 1810010032), Slaughter said it’s “a fact that these breaches” keep occurring: “I’m certainly not going to say that our ability to go back after the fact and investigate is an effective deterrent to keeping data safe and secure.” Commissioners from both parties have supported the FTC’s need for more rulemaking and civil penalty authority, she said. Sen. Brian Schatz, D-Hawaii, made a similar argument at a recent Senate Commerce Committee hearing on legislative solutions to data privacy (see 1809260050).
The FTC declined to say whether it's investigating Facebook’s latest breach. Chairman Joe Simons said Tuesday in a statement: “Privacy and data security are top priorities for the agency, and we are committed to holding companies accountable if their practices violate the law.” Ohlhausen said the agency went against normal practice in disclosing probes of Equifax and Facebook previously because they drew “white-hot” public attention.
The agency’s focus on regressive, specific harm is important, Slaughter said, but it limits the FTC’s ability to “carry a very big stick and deter bad action.” Consumer protection is a focal point of the agency’s ongoing policy hearings (see 1809210056 and 1810020061).
“There’s something to be said about giving companies clear rules of the road about how to protect data, which gives a hook for bigger fines,” Slaughter said. Ohlhausen agreed the FTC needs additional authority on data security and breach notification. The agency is hamstrung by a lack of resources, Slaughter said, noting the commission, which has an annual budget of about $300 million, can return $500 million to consumers through enforcement action in a day.
Slaughter said the U.S. can learn from the EU’s general data protection regulation, but she asked if it’s having all intended impacts if users are simply clicking through data consent permissions. Ohlhausen said it’s too early to say whether the GDPR has been successful, warning against the possibility it created a regime allowing only the larger companies to compete.
Rep. Ryan Costello, R-Pa., agreed data privacy legislation is needed. Congress will end up with legislation somewhere between the GDPR and California’s new privacy law, he said, calling the GDPR too “far-reaching.” If policymakers aren’t empowering regulatory agencies to be “somewhat prescriptive,” the U.S. won’t get it right, he said. On Facebook, he said people shouldn’t expect any company to be bulletproof, arguing thousands, if not hundreds of thousands, of malicious efforts take place daily. Getting something signed into law in one congressional session would be “remarkable,” he said.
Industry supports U.S. federal privacy legislation, but it doesn't support adopting the GDPR here, Information Technology Industry Council CEO Dean Garfield said. If the U.S. gets its federal law correct, it could be the international benchmark, he said, calling the FTC the strongest privacy enforcer in the world.
Asked about the recent Facebook hack, Garfield said companies get recognized only for mistakes. “We tend not to over-index on the fact that our devices work, and we aren’t breached continually,” he said. “We focus on the fact that … 50 million people’s security is breached.” It’s an appropriate attitude, he said. “But I think there is no doubt the transition has been made by most, if not all, of our tech companies to integrate both privacy and cyber at the inception, the development design.”
Told Rep. Will Hurd, R-Texas, recently graded his congressional colleagues 4 out of 10 on tech competence, Garfield declined to offer a specific rating: “I have to work with the people on the Hill on a day-to-day basis so I’ll stay away from [rating] them. There’s room for growth.” Like the FTC, Congress would benefit from having staff with deep tech skills, he said.
There's “very little tech expertise” within Congress or enforcement agencies, said Center for Democracy and Technology President Nuala O’Connor. She noted CDT received calls from state legislator offices in 12 different states asking how to replicate privacy mandates in California.