Inside Cybersecurity

Consumer advocates cautiously optimistic about FTC rulemaking authority on data security

By Mariam Baksh / July 31, 2018

Recent testimony by new Federal Trade Commission chief Joseph Simons has buoyed supporters of arming the commission with more proactive authority to protect consumer privacy and data security, but it’s still far from cause to start prepping any champagne, some of those advocates say.

In testimony before the House Energy and Commerce subcommittee on digital commerce and consumer protection earlier this month, Simons called for legislation that would give the agency rulemaking authority for privacy and data security issues.

“It's very refreshing to see a Republican think this way: that consumers need more protection, not less, and that it is essential for consumers to be protected, that there be some overarching rules,” Gigi Sohn told Inside Cybersecurity in response to Simons’ comments.

“Rules moderate bad behavior and they let consumers know what their rights are, so I find this very refreshing,” said Sohn, a fellow at the Georgetown Law Institute for Technology Law and Policy who was counselor to former Federal Communications Commission Chairman Tom Wheeler.

Wheeler’s FCC issued the Open Internet Order which invoked the FCC’s rulemaking authority to issue data privacy and security measures for broadband companies, classifying them as “common carriers” subject to regulation.

FCC Chairman Ajit Pai, in a prominent speech after assuming the role, said his agency should defer to the FTC on enforcement of data privacy and security based on Section 5 of the Federal Trade Commission Act, which outlaws “unfair or deceptive acts or practices” in commerce.

Simons specifically listed common carriers as one area where the FTC needs added authority to act. His comments reflect a shift in political dynamics and a rift in the Republican party that observers say is being fueled by high-profile data breach cases like those at Equifax and Facebook.

“There's a divided view in the Republican party as to whether the Federal Trade Commission's current requirement that it has to deal with everything on a case-by-case basis is the way to go or whether they need authority to create clear rules of the road in advance,” said Harold Feld, senior vice president of the digital consumer rights group Public Knowledge, in an interview with Inside Cybersecurity.

Sohn and Feld are strong supporters of rulemaking authority for both the FCC and the FTC.

The idea that the FCC shouldn’t play such a role “is ridiculous and seems driven solely by this legacy animus to the Obama administration and of 'everything that Wheeler and the Obama administration did, we hate.'”

The FCC declined to comment.

Feld added that cybersecurity extends beyond the networks and that it's important that the FTC step up as well, noting that companies like Equifax are much more in the FTC's wheelhouse than the FCC's.

“I love the idea of the FTC having rulemaking authority,” Sohn said. “To me it's not an either-or proposition. I think they should both have it.”

But David Turetsky, a former chief of the FCC’s Public Safety Bureau, said the FTC having a certain amount of flexibility, such as under the agency’s reasonableness standard versus hard and fast rules, could also have advantages.

“What you tend to see is many businesses favoring the flexible enforcement approach practiced at the FTC built around the FTC’s focus on reasonableness, which can take account of reasonable risk management and varying circumstances, rather than a potentially less flexible compliance approach based on specific rules,” Turetsky said in an email to Inside Cybersecurity.

But he added, “Of course when well-resourced companies behave unreasonably, e.g., getting hacked multiple times due to the same unaddressed but readily addressable deficiency, their litigation position is to object that they didn’t know what reasonable behavior was expected of them without rules and that was the problem.”

Sohn acknowledged that there’s a tension. But she said, while bigger companies can take advantage of a lack of rules by pursuing litigation, smaller companies tend to benefit even more from rules, as long as they are not too restrictive.

“Particularly, I think for smaller companies, and again, this is assuming the rules aren't too restrictive, they want to know 'how do I color inside the lines,'” she said. “But for a bigger company that has unlimited legal power, they can go after decisions and say, 'we didn't know what the rules were and the agency acted arbitrarily.'”

But all of this may be getting way ahead of reality, and action may only come under more dire circumstances, Feld said.

“We have yet to see whether there is sufficient political pressure, and pressure from the financial industry, for example, which just takes a beating from this stuff, because somebody has to pay for all the identity theft and so forth,” he said. “There are certainly industries that are pushing for more enforceable regulation, but it's not clear that we've reached the point where that overcomes the natural inertia and resistance to regulation from industry.”

He said the odds of legislation being passed that expands any authority to do anything are fairly low “unless we get more dramatic cyber attacks like one that takes down the power grid.” -- Mariam Baksh (mbaksh@iwpnews.com)