In an effort to provide insight into the Federal Trade Commission’s data security principles, the agency pledged to share a new blog post each week with lessons for businesses.
Building on the agency’s “Start with Security” guidance, the “Stick with Security” initiative is designed to help companies ensure that they are taking reasonable steps to protect and secure consumer data, the agency explained. The posts will draw on FTC complaints and orders, litigated cases and settlements, closed enforcement actions, questions submitted by businesses, and hypothetical examples.
In its first post, the FTC offered four explanations as to why an investigation into a breach—even one that makes headlines—may not always result in agency law enforcement.
A news report may not tell the entire story, according to Thomas B. Pahl, acting director of the FTC’s Bureau of Consumer Protection. “For example, a news report might call attention to a breach, but not focus on the fact that the data was encrypted—a factor that substantially reduces the risk of consumer injury,” he wrote. “Or perhaps a purported insider asserts that a company doesn’t securely dispose of old consumer data, but the company provided us with credible evidence that it does. So in some instances, there may have been smoke, but further investigation revealed no fire.”
Pahl also noted that the FTC must remain cognizant of its limited resources. In some instances, a company’s data security practices may raise concerns, but further action would not be worth the use of taxpayer dollars (such as a situation in which a small business may have collected only small amounts of nonsensitive information).
While the FTC has broad jurisdiction over most commercial practices and characterizes itself as “the primary cop on the beat when it comes to data security,” there are some cases where other agencies are better suited to take action, the FTC acknowledged. The other cops on the beat—including the Department of Justice, the Federal Communications Commission, the Consumer Financial Protection Bureau and the National Highway Traffic Safety Administration, to name just a few—may have a “more natural fit” given the circumstances.
Finally, Pahl explained that the FTC will think twice before taking action unless there’s a demonstrated risk of actual consumer injury. While the FTC keeps track of research and studies focused on privacy and security issues, “Sometimes when researchers bring practices creating vulnerabilities to our attention, the risk of the vulnerability being exploited to cause consumer injury is more theoretical than likely,” according to the blog post. “For example, there may be a vulnerability in a mobile device that would take highly sophisticated tools to exploit, and even then, data could be compromised only if the hacker had the consumer’s phone in hand. If that’s the case, we’re more likely to pass on an investigation than proceed.”
Why it matters: With the new series of blog posts—one each week focusing on each of the 10 Start with Security guidance principles—the FTC intends to “offer easy-to-apply tips to help your company not just start with security, but stick with security to bolster your defenses.” Next in the series: the initial steps necessary to start with security.