Recently, the U.S. Court of Appeals for the 9th Circuit issued a decision with profound implications for consumer privacy protection law. In FTC v. AT&T Mobility (9th Cir. Aug. 29, 2016), a 3-judge panel of the 9th Circuit held that the Federal Trade Commission (FTC) lacks jurisdiction over companies that engage in common carrier activity. The result is that there is now a gaping hole in consumer privacy protection law.
The Federal Trade Commission (FTC) has become the leading federal agency to regulate privacy and data security. The scope of its power is vast – it covers the majority of commercial activity – and it has been enforcing these issues for decades. An FTC civil investigative demand (CID) will send shivers down the spine of even the largest of companies, as the FTC requires a 20-year period of assessments to settle the score.Continue Reading
I am pleased to announce the publication of my article, The Scope and Potential of FTC Data Protection., 83 George Washington Law Review 2230 (2015). I wrote the article with Professor Woodrow Hartzog.
The article addresses the scope of FTC authority in the areas of privacy and data security (which together we refer to as “data protection”). We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.
We contend that the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss why the FTC should act with greater transparency and more nuanced sanctioning and auditing.
The article was part of a great symposium organized by the George Washington University Law Review: The FTC at 100.
Here is a table of contents of the issue, along with links to where you can access each essay and article.
Recently, the FTC issued a short guide to what organizations can do to protect data security. It is called Start with Security (HTML) — a PDF version is here. This document provides a very clear and straightforward discussion of 10 good information security measures. It uses examples from FTC cases.
Over at Fierce IT Security, Professor Woodrow Hartzog and I have a new essay, 5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham. The piece discusses some enforcement strategies we believe the FTC should use to maximize its effectiveness in improving data security. Our suggestions include:
- Do more proactive enforcement
- Take on more data security cases
- Push companies toward improved authentication – moving beyond mere passwords
- Restrict the use of Social Security numbers for authentication purposes
- Develop a theory of data stewardship for third parties
Please check out our essay for our explanation of the above agenda and a lot more detail.