Analysis of FTC hearing on competition and consumer protection: Part I
Advisen is pleased to have Goldberg Segalla provide our readers with a summary of these recent hearings. Part II of this analysis will be published in Cyber FPN on Thursday, December 20.
Making a Case for a Federal Privacy Regulatory Framework
Belts, forks, toasters, water filters, and thermometers that connect to the internet. Just what the world needs. There is such a fine line between something being “wired,” versus simply “weird.” It’s bad enough that product developers see fit to connect everything to the internet — now the portals to threat actors and privacy breaches run the gamut from your car to your oven to your TV set to your medical devices. So who or what becomes the guarantor of security and privacy? Alas, a national data privacy regulatory framework is no closer today than it was when Facebook assigned its first three user ID numbers (incidentally, Mark Zuckerberg wasn’t one of them).
Enter the Federal Trade Commission. On December 11 and 12, 2018, the FTC held a series of public hearings on data security at the Constitution Center Auditorium in Washington, DC. According to the Commission, the data security hearings are part of a series that includes panel discussions of research related to data breaches and data security threats. Seismic, when one considers that these types of privacy hearings haven’t been held in quite some time, particularly on a national scale.
The FTC is the only federal agency with a broad mission that includes protecting consumers, and more specifically, jurisdiction that includes protecting privacy and data security. The Commission enforces the law across a range of sectors, including high technology and emerging industries. The recent FTC public hearings explore whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to, among other things, consumer protection law, enforcement priorities, and policy.
Of considerable note, the FTC has served as the primary federal agency charged with protecting consumer privacy, dating back to the 1970 enactment of the Fair Credit Reporting Act. As reported during the FTC’s appearance before a Senate subcommittee on November 27, 2018, the FTC has played, and continues to play, a key role in enforcing the laws that protect sensitive consumer data from disclosure to unauthorized entities. Over the course of decades, the FTC has been expanding its focus on privacy to reflect the growing collection, use, and sharing of consumer data in the commercial marketplace. Year after year, privacy and data security top the list of consumer protection priorities at the FTC. These hearings were a testament to the needs driven by an interconnected consumer base, technological advances, and the availability of information about end-users that spans the spectrum from behavioral patterns to health records to biometrics.
The first day’s panel discussions on December 11 examined incentives to invest in data security, as well as consumer demand for data security. Perhaps the most chilling footnote of the day was the occasional nod to the counterintuitive fact that perhaps people don’t put as much stock in the importance of data privacy as one would think. After all, as noted during the proceedings, how many people have ever read a product or service privacy statement from beginning to end, before clicking “I Agree,” and surrendering one’s anonymity at the virtual door? Let’s face it: Dependence on connected devices is moving much faster than the ability to secure the technology. There has yet to be a product or service developed that is bullet-proof to a hack (and even if products and services could be made bullet-proof, they would still be susceptible to missiles). Consumers want products that make their lives manageable and they want them to work. Whether or not that makes us more “identifiable” and opens us up to an intrusion into our privacy is purely incidental to ease of use.
The data collected from devices that span the spectrum of the Internet of Things — the sum of “connected” devices — is staggering. There are approximately 7.7 billion people in the world and it is estimated that there are as many as 20 billion connected devices. That’s a lot of data being assembled, especially when one considers that billions of records are compromised as a result of security incidents – data that can be used in ways that the average consumer perhaps does not expect or understand. Moreover, every connected device arguably is a pathway to more sensitive information that can be misused. The more information collected, the more information exposed.
The FTC’s privacy and data security program includes enforcement, as well as consumer and business education. The question was asked at the commencement of the hearings: Is the current state of data security and data security regulation enough? The answer is a resounding “no.” Policy development needs to keep pace with technological advancements and the argument can be made that the former is woefully behind the latter. Consider the fact that there is no national regulatory framework, throw in state landscapes that differ from one to the other, and you’ve got a recipe for inconsistency and contradiction. Take heed, because privacy and data security continue to be an enforcement priority at the Commission. The FTC’s longstanding bipartisan call for comprehensive data security legislation is worth the meaningful dialogue that it should be generating in Washington. Arguably, federal legislation needs to address the collection, use, and sharing of consumer data.
The hearings on December 11 included a panel presentation on data breaches that began with the age-old proposition: The motive behind most breaches is—you guessed it—money. Personal information, payment card information, and banking information (among other things) can be monetized. According to Verizon’s most recent Data Breach Investigations Report, ransomware events doubled between 2017 and 2018 and had seen similar gains in the prior year-over-year comparison. Eighty-five percent of all malware is in the health care space. Email continues to be the predominant means of inserting malware into networks. Social engineering, including financial pre-texting, continues to thrive. Unfortunately, these things aren’t going away. Quite the contrary.
The session’s Presentation on Data Breaches highlighted the resilience of business enterprises that suffer a breach. A fascinating analysis demonstrated that businesses that have suffered a security incident strategically package news reports to offset the negative effects of a privacy breach disclosure. The upshot is that a company that has had a breach that exposed consumers’ personally identifiable information may rebound from the event far sooner than those whose sensitive information has been compromised. That is, businesses counterbalance the effect of a privacy breach disclosure by bundling bad news with other good news. Why not? Game the disclosure timing and public relations machine to soften the blow of having compromised the credit card information of a few million people. Of note, a privacy breach tends to be a short-term crisis for a company, but likely a longer-term proposition for an individual. As evidenced during the panel’s analysis, 2017 was a record year for fraud, and personally identifiable information was compromised as never before. The effect on the consumer psyche is profound, and victims spent more of their own time and money resolving cases of identity swindles.
Although consumer anxiety over fraud is growing, there is a complacency when it comes to consumer appetite for privacy protection, suggesting a disconnect between concern and the necessary bias for action to do something about it. As one of the panelists so eloquently put it, “the complete identity of anyone basically can be accessed online.” Not a week goes by without another headline about a breach. Some are certainly more compelling than others, and the unreported are out there somewhere, too. Consumer indifference and cynicism toward breach notifications, together with a lack of confidence in organizational responsiveness, is affectionately referred to as “breach fatigue.” The label is catchy, but quite alarming. Personally identifiable information goes beyond name, rank and serial number (enter biometric data). The Internet of Things makes it all exponentially more available.
There is a battlefield term of art referred to as “maneuvering with artillery.” It refers to the “big guns” used to assist with an advance. A virtual moving wall of fire is now needed in order to advance data security and protection, and that tactical pivot needs to include a shift in the regulatory environment. Disclosure laws need to be streamlined, and the ability to monetize data needs to be checked. Perhaps the federal government can lead the way. While this conversation thread was being advanced at the Constitution Center, across town Google Chief Executive Officer Sundar Pichai backed privacy legislation and described user privacy as a “central part” of Google’s mission. With that kind of support, the time to legislate is now.
About the authors: Todd D. Kremin is a partner in Goldberg Segalla's Global Insurance Services Practice Group and Cybersecurity and Data Privacy Practice Group. He maintains a focus on claims management, insurance coverage disputes, and other corporate and individual exposure arising from a wide variety of risk, including securities disputes, cyber risks, business combinations, employment practices, and professional errors and omissions. His practice also includes reinsurance disputes, insurance regulatory matters, and defense of insurance agents and brokers and securities broker-dealers and registered representatives in connection with alleged errors and omissions. Robert F. McCarthy, a trial and appellate lawyer with over 25 years of experience, is a partner in Goldberg Segalla's Global Insurance Services Practice Group and Cybersecurity and Data Privacy Practice Group. He is a Certified Litigation Management Professional (CLMP) and a Certified Claims Professional (CCP) in Cyber Claims, and, among other industry leadership positions, is a member of DRI's Data Management and Security Committee. He maintains a particular focus on complex and high-exposure litigation involving commercial, excess and surplus, and specialty lines of insurance. Before joining Goldberg Segalla, Bob spent two decades in-house at Nationwide, first as a trial attorney, and eventually with national responsibility for large-loss, complex commercial and construction defect litigation.