The Federal Trade Commission (FTC) has been a critically important regulator of cybersecurity practices in the US, using its authority under Section 5 of the FTC Act to bring enforcement actions against companies for failing to protect their consumers’ private data. This past January, Trump appointed Republican Maureen Ohlhausen as the Commission’s new acting chairwoman. Here’s what you need to know about her approach to data security.
She agrees with the new cybersecurity executive order. At Georgetown Law’s Cybersecurity Institute this Wednesday, Ohlhausen said that Trump’s new cyber EO is “very consistent” with the FTC’s currently operative cybersecurity advice to businesses. The order—which commissioned a slew of reports from federal agencies—focuses on (1) IT modernization within federal agencies, (2) securing critical US infrastructure, like electrical grids, and (3) protecting Americans from cyber threats. Ohlhausen characterizes the EO as taking a “process-based” approach to data security (as opposed to a one-size-fits-all solution), and says the EO reiterates the same points made in the FTC’s data security guidance to businesses.
She’s not a fan of aggressive CIDs. At the IAPP Global Privacy Summit in April, Ohlhausen said that the FTC should focus its enforcement actions on cyber breaches that have caused or are likely to cause injury. She made similar comments in a speech to the American Bar Association’s Consumer Protection Conference in February, arguing that the FTC should concentrate on cases with “objective, concrete harms such as monetary injury and unwarranted health and safety risks,” not on those involving “speculative injury.” (As we have noted, the FTC has in the past taken an expansive view of its enforcement authority.) Ohlhausen also has a history of dissenting from some of the FTC’s more aggressive actions, like the $100 million contempt finding against LifeLock, Inc., which she took issue with based on the lack of evidence that any LifeLock subscriber data was stolen.
Ohlhausen has also hinted that she has broader concerns about the burden civil investigative demands, or CIDs, impose on companies. CIDs are how the FTC (and other law enforcement entities) collects information about companies it believes might be engaging in deceptive or unreasonable acts. Once a company receives a CID, it only has 14 days to respond.
“Are our requests for information more burdensome than they need to be?” Ohlhausen asked at the IAPP Summit. “We want to protect consumers and we want to maintain competition, but we also have to be sensitive to burdens on legitimate business.” She noted that when it comes to data security, the FTC closes most of its cases before enforcement action becomes necessary, and asked whether there was something to be learned from those cases that could prevent them from being opened in the first place.
This would be a marked change from the FTC’s approach under the Obama administration, when the agency proved ready and willing to flex its data security regulatory muscles. In the cases of Wyndham and LabMD, the FTC went so far as to engage in protracted legal battles to establish its regulatory authority over data breaches.
The FTC’s definition of cyber injury might be shifting. While Ohlhausen might be taking a more conservative approach to the number of cyber-related CIDs, the kinds of data breaches that can land a company in hot water might be getting broader.
At Georgetown Law’s Cybersecurity Institute, Ohlhausen indicated that the FTC would be expanding the definition of what constitutes a “substantial” injury to consumers. Ohlhausen said that the FTC has previously focused primarily on companies’ data security failures that caused direct financial harm to consumers, but would now be pursuing other harms, like health and safety risks. She gave the example of real-time and highly accurate location data, which if breached can leave consumers vulnerable to stalking or other crimes.
“We need to think about this more fully,” she said, referring specifically to new and emerging harms the hyper-connected “internet of things” poses to consumers and competition. She also noted that the FTC’s limited resources mean it must prioritize the enforcement actions that will have the most impact.
However, Ohlhausen emphasized that a company’s safeguards need not be perfect. “We are looking for if a company has taken reasonable protections,” she said. What is reasonable depends on the size and complexity of the company, as well as the nature and sensitivity of the consumer data at issue.