FTC on Cybersecurity: Protect and Defend

Molly Crawford, agency’s privacy chief of staff, on safeguarding data in challenging times

Why This Matters

The Federal Trade Commission will be on cybersecurity’s front lines if the FCC reclassifies broadband ISPs.

The Federal Trade Commission is on the front lines of cybersecurity and will likely face a new front in that war if (or when) the Federal Communications Commission reclassifies Internet access providers out from under Title II, which will return authority over ISP privacy issues to the FTC. The FTC does not have rulemaking authority, but it can enforce prohibitions on false and deceptive conduct or failure to meet the reasonable expectations of customers, including on data security. Just last week, it settled with app-based car-hailing service Uber over allegations of deceptive data security claims, a development that FTC chair Maureen Ohlhausen said demonstrated the agency’s ongoing commitment to privacy and security.

B&C Washington bureau chief John Eggerton spoke with Molly Crawford, chief of staff of the FTC’s Division of Privacy and Identity Protection and a former policy director at the Future of Privacy Forum, about the challenges of protecting data and what the agency can do and is doing to help websites, networks and consumers protect themselves. Here’s an edited excerpt of their conversation.

What key data-security issues are you currently working on?

The FTC has been doing data-security work for years, but for 2017, our enforcement program is going to be looking at sensitive data first and foremost, including companies that are dealing with information about children, financial and health information, Social Security numbers and geolocation.

The Internet of Things is another area where we have done a lot of work, and then there are authentication and access-control issues. That means making sure that companies are protecting legitimate credentials, which are a source of a fair amount of breaches these days.

What is the FTC’s authority over cybersecurity?

We enforce a number of statutes. Our core emphasis is to make sure companies have reasonable security in place to protect consumer data. Our core authority is Section 5 of the FTC Act, which is unfair and deceptive practices.

In the context of data security, what that really means is the extent to which companies are making promises about the security that they afford consumers’ data, and then also what procedures and measures they have in place to protect sensitive information.

We also enforce statutes like the Children’s Online Protection and Privacy Act and the Fair Credit Reporting Act, which have reasonable data-security components.

While you do not now have authority over ISPs, that appears to be on the event horizon. What advice would you give to providers about protecting their sensitive information?

Don’t misrepresent the level of security that you provide. We have brought cases that challenged deceptive security claims by businesses.

For example?

We brought a case against a software company that deceptively told its clients it encrypted consumer data when it didn’t use industry standard encryption. [Editor’s note: The FTC last week also settled a complaint with Uber over allegations it had deceptively misrepresented the data security of its drivers, extracting a pledge to adopt a privacy-protection program monitored by the agency.]

The second piece of advice is to protect against foreseeable threats. We recognize there is no such thing as perfect security, but we recommend that companies take steps to protect against well-known threats.

Such as?

Our case against [hacked online affair-arranging website] Ashley Madison is a good example. In that complaint, we alleged that their security was lax. They had no written information security policy, no reasonable access controls, inadequate training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security.

So, those are some of the core takeaways.

And we do a fair amount of business education. Certainly our Start with Security initiative in 2015.

And your recent Stick with Security initiative?

Yes, that fleshes out some of the lessons from the Start with Security initiative. Those offer some pretty practical tips and hypotheticals to help companies.

Tell us about your new small-business roundtable initiative.

We recently announced an initiative to hear directly from small businesses about the challenges that they face when implementing cyber and data security initiatives at their companies. The FTC has been a part of a number of multi-stakeholder processes related to online privacy and security.

We coordinate with a number of agencies on various privacy and data security initiatives. For example, we worked with the [Food and Drug Administration] and [the Department of Health and Human Services] to create an online tool to help developers of health-related apps. We took over the role just this year of chairing an interagency group that coordinates on data-security issues.

We work with the National Institute of Standards and Technology and the National Telecommunications & Information Administration as part of their multi-stakeholder process. And we just hosted a joint workshop with [the National Highway Traffic Safety Administration] on connected cars, which has big data security implications.

Talk a little about the Internet of Things, which, of course, includes those connected cars.

First, there are standard data security issues when you have all these objects that can connect to the Internet and receive data — smart cars, smart homes, wearables. If there is not adequate security for those devices, it not only can expose the data those devices are collecting, but also the systems and networks those devices connect to. We have seen insecure IoT devices lead to botnets that can result in denial of service attacks.

Some insecure IoT devices could involve threats to health and safety. Again, you think of connected cars or connected insulin pumps, which could lead to serious harm.

What are the principal things companies should be doing to make sure their information is secure?

Put a process in place. That means putting someone in charge of security, conducting risk assessments, addressing reasonably foreseeable vulnerabilities, overseeing service providers, and continually monitoring and updating that over time.