12/13/18 Update: Here is the video from the session described below.
On Wednesday, December 12, 2018, I’ll be speaking at the Data Security hearing, part of the FTC Hearings on Competition and Consumer Protection in the 21st Century. My panel begins at 1:00 PM:
The U.S. Approach to Consumer Data Security
Wednesday, December 12, 2018 from 1:00 PM to 2:30 PM
Center for Democracy & Technology
Daniel J. Solove
George Washington University Law School
University of Pittsburgh
Perkins Coie LLP
Lisa J. Sotto
Hunton Andrews Kurth LLP
Moderator: James Cooper
Federal Trade Commission, Bureau of Consumer Protection
I previously spoke at an earlier hearing in this series back in September on a panel about consumer privacy protection (video / transcript). The upcoming hearing focuses on data security.
Co-Authored by Prof. Woodrow Hartzog
On Wednesday, the U.S. Court of Appeals for the 11th Circuit issued its long-awaited decision in LabMD’s challenge to an FTC enforcement action: LabMD, Inc. v. Federal Trade Commission (11th Cir. June 6, 2018). While there is some concern that the opinion will undermine the FTC’s power to enforce Section 5 for privacy and security issues, the opinion actually is quite narrow and is far from crippling.
While the LabMD opinion likely does have important implications for how the FTC will go about enforcing reasonable data security requirements, we think the opinion still allows the FTC to continue to build upon a coherent body of privacy and security complaints in an incremental way similar to how the common law develops. See Solove and Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014).
Co-authored by Professor Woodrow Hartzog
The Federal Trade Commission is the most important federal agency regulating privacy and security. Its actions and guidance play a significant role in setting the privacy agenda for the entire country. With the Trump Administration about to take control, and three of the five Commissioner seats open, including the Chairperson, a lot could change at the FTC. But dramatic change is not common at the agency. What will likely happen with the FTC’s privacy and security enforcement over the next four years?
The Federal Trade Commission (FTC) has become the leading federal agency to regulate privacy and data security. The scope of its power is vast – it covers the majority of commercial activity – and it has been enforcing these issues for decades. An FTC civil investigative demand (CID) will send shivers down the spine of even the largest of companies, as the FTC requires a 20-year period of assessments to settle the score. Continue Reading
I am pleased to announce the publication of my article, The Scope and Potential of FTC Data Protection., 83 George Washington Law Review 2230 (2015). I wrote the article with Professor Woodrow Hartzog.
The article addresses the scope of FTC authority in the areas of privacy and data security (which together we refer to as “data protection”). We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.
We contend that the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss why the FTC should act with greater transparency and more nuanced sanctioning and auditing.
The article was part of a great symposium organized by the George Washington University Law Review: The FTC at 100.
Here is a table of contents of the issue, along with links to where you can access each essay and article.
Recently, the FTC issued a short guide to what organizations can do to protect data security. It is called Start with Security (HTML) — a PDF version is here. This document provides a very clear and straightforward discussion of 10 good information security measures. It uses examples from FTC cases.
Over at Fierce IT Security, Professor Woodrow Hartzog and I have a new essay, 5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham. The piece discusses some enforcement strategies we believe the FTC should use to maximize its effectiveness in improving data security. Our suggestions include:
- Do more proactive enforcement
- Take on more data security cases
- Push companies toward improved authentication – moving beyond mere passwords
- Restrict the use of Social Security numbers for authentication purposes
- Develop a theory of data stewardship for third parties
Please check out our essay for our explanation of the above agenda and a lot more detail.
by Daniel J. Solove
The U.S. Court of Appeals for the 3rd Circuit just affirmed the district court decision in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd. Cir. Aug. 24, 2015). The case involves a challenge by Wyndham to an Federal Trade Commission (FTC) enforcement action emerging out of data breaches at the Wyndham.
Since the mid-1990s, the FTC has been enforcing Section 5 of the FTC Act, 15 U.S.C. § 45, in instances involving privacy and data security. Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.” Deception and unfairness are two independent bases for FTC enforcement. During the past 15-20 years, the FTC has brought about 180 enforcement actions, the vast majority of which have settled. Wyndham was one of the exceptions; instead of settling, it challenged the FTC’s authority to enforce to protect data security as an unfair trade practice.
Among the arguments made by Wyndham, three are most worth focusing on:
(1) Because Congress enacted data security laws to regulate specific industries, Congress didn’t intend for the FTC to be able to regulate data security under the FTC Act.
(2) The FTC is not providing fair notice about the security practices it deems as “unfair” because it is enforcing on a case-by-case basis rather than promulgating a set of specific practices it deems as unfair.
(3) The FTC failed to establish “substantial injury to consumers” as required to enforce for unfairness.
The district court rejected all three of these arguments, and so did the 3rd Circuit Court of Appeals. Here is a very brief overview of the 3rd Circuit’s reasoning.
Co-authored by Professor Woodrow Hartzog.
Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.
by Daniel J. Solove
I recently held a webinar about the Federal Trade Commission (FTC) for TRUSTe called Understanding the FTC on Privacy and Security. The webinar is free and is archived at TRUSTe’s site.
Here is a brief synopsis of the webinar:
For the past nearly two decades, the FTC has risen to become the leading federal agency that regulates privacy and data security. In this webinar, Professor Daniel J. Solove will discuss how the Federal Trade Commission (FTC) is enforcing privacy and data security. What are the standards that the FTC is developing for privacy and data security? What sources does the FTC use for the standards it develops?
A common misconception is that the FTC’s jurisprudence has been rather thin, merely focuses on enforcing promises made in privacy policies. To the contrary, a deeper look the FTC’s jurisprudence demonstrates that it is quite thick and has extended far beyond policing promises. The FTC has codified certain norms and best practices and has developed some baseline privacy and security protections. The FTC has laid the foundation for an even more robust law of privacy and data security. Professor Solove will discuss some of the potential ways this body of regulation could develop in the future.
My webinar was written up at the Wall Street Journal. If you’re interested in seeing it, it’s free and available here. Below is some background about the FTC as well as some of my writings about the FTC that may be of interest if you want a deeper dive.