Earlier this year I filed a FOIA case against the FTC for its failure to produce any documents in response to my request for the standards it uses in deciding whether to open an unfair trade practice investigation, or bring an unfair trade practice legal action, regarding cybersecurity under section 5 of the Federal Trade Commission Act. On Christmas Eve last year, the FTC denied my request, saying, “We have located responsive records, all of which are exempt from the FOIA’s disclosure requirements[.]” The FTC produced no documents, not even in redacted form. After I filed an administrative appeal, which was denied, I filed suit in order to better inform the public about what standards are used by the FTC when deciding whether to bring a case. On July 21, 2015, in the course of the litigation, the FTC produced over 2,000 pages of documents, consisting almost exclusively of presentations, testimony, and other public communications. Here are some observations from these documents. You can find a more detailed analysis, with citations, here.
You can also listen to an interview I did with Federal News Radio about my experience here.
Under FTC “standards,” there is reason to believe that the FTC could bring an action against a company in the case of any significant breach. To be an “unfair trade practice,” the practice must be “unfair.” The FTC has consistently stuck by its definition of what is “unfair,” a definition drawn from statute. Whether this definition limits FTC action in the case of an actual breach is open to question. Two of the factors – substantial and unavoidable harm to consumers – will likely be met in any significant breach. The other factor is whether the harm is outweighed by countervailing benefits, but it may be the rare case where an after-the-fact analysis does not disclose a cost-effective step that could have been taken to prevent the breach, given the after-the-fact knowledge of how the breach occurred. In one candid set of speaker notes on a presentation, the FTC appears to admit this.
The FTC has consistently said it uses the standard of “reasonableness” in determining if a company has taken sufficient steps to protect personal information. The documents describe how the FTC determines reasonableness, which has varied a bit over time, at least at the margins, but kept the same substance: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Of course, to borrow the words of Chevy Chase, reasonableness is both a floor wax and a dessert topping, usable to punish mistakes in many unrelated fact patterns, and the subjects of FTC investigations confirm this. Nevertheless, there is one overarching recommendation that is clear across these materials: have an information security program/enterprise security program based on risk.
Turning from the definition of reasonableness, the FTC also offers reams of advice for preventing a problem through good security. Until recently, the FTC commonly provided advice on prevention using the rubric of its “Protecting Personal Information: A Guide for Business,” first published in 2007 and updated in 2011. This document offers recommendations under five principles – principles that appear at many places in the produced documents: 1) Take stock; 2) Scale down; 3) Lock it; 4) Pitch it; and 5) Plan ahead. However, by 2014, in one exposition these recommendations had morphed, in two ways. “Take stock” had evolved from a recommendation to have a personal information inventory or data map to a recommendation to conduct a personal information risk assessment, with the need to also look at vulnerabilities in systems handling personal information. And “Pitch it” disappeared, replaced with “Train employees to handle personal information properly.” Software developers and cloud providers take note – make sure you have a Security Development Lifecycle (SDL) and a vulnerability reporting portal and process, because, for example, the FTC recommends testing and review of software, and taking user feedback on vulnerabilities.
Also of interest is how and when the FTC chooses to exercise its authority. The reasons are much what you would expect, including press reports. One interesting note is that the FTC has represented it doesn’t have the resources to investigate a single consumer complaint, but that congressional inquiries can trigger an investigation (as can consumer or business “complaints,” probably more than one). In addition, the FTC likes to make an example of companies, seeking to bring cases where there is likely to be a large risk of injury to consumers or that may affect what consumers buy (hitting companies in the pocket), because “such enforcement actions typically have ripple effects through the entire industry by sending a clear message” about non-compliance with the law as the FTC defines it.
I will close with what was not produced. The FTC has not yet produced any documents from its investigative files – that is a subject of continuing discussion in my FOIA case – and the FTC recently said that it could not even represent that its search was complete for non-investigative documents. So the above is at best a partial report. In addition, the FTC withheld as a deliberative document (and as law-enforcement privileged) a single, three-page document. The document was called “Data Security investigation considerations,” which sounds like it might include the standards and criteria that would be useful to the public, but the document was withheld by the FTC, in part because it might “inaccurately reflect the views of the Agency[.]” The FTC also asserted that providing this document – although a draft that does not reflect the views of the FTC – “might increase the risk that a person or business will violate the law by engaging in a particular types of unfair or deceptive data security practices that the FTC is less likely to investigate.”
To summarize, so far the FTC has identified only one document that may provide more details about enforcement decisions than the general “standards” it uses. It has not produced that document, both because it may be inaccurate and because if it is accurate, knowing what standards the FTC uses might enable people to comply and avoid an investigation. That is, the FTC intends vagueness in order to obtain in terrorem effects. Of particular interest, the subject of the transmittal email for this “deliberative” document was “my vague piece.” Given that the FTC has been accused of having no standards or vague standards, the irony is palpable.
I would like to thank Steptoe and Johnson, and its lawyers Stewart Baker, Kaitlin Cassel, John Casciano, and Michael Baratz for representing me in the litigation with the FTC, and for obtaining the documents that I used to write this analysis.