Archives for data security

Last week, the FTC announced its complaint and consent decree with Nomi Technologies for failing to allow consumers to opt out of cell phone tracking while shopping in retail stores. Whatever one thinks about Nomi itself, the FTC’s enforcement action represents another step in the dubious application of its enforcement authority against deceptive statements.

In response, Geoffrey Manne, Ben Sperry, and Berin Szoka have written a new ICLE White Paper titled In the Matter of Nomi Technologies, Inc.: The Dark Side of the FTC’s Latest Feel-Good Case.

Nomi Technologies offers retailers an innovative way to observe how customers move through their stores, how often they return, what products they browse and for how long (among other things) by tracking the Wi-Fi addresses broadcast by customers’ mobile phones. This allows stores to do what websites do all the time: tweak their configuration, pricing, purchasing and the like in response to real-time analytics — instead of just eyeballing what works. Nomi anonymized the data it collected so that retailers couldn’t track specific individuals. Recognizing that some customers might still object, even to “anonymized” tracking, Nomi allowed anyone to opt-out of all Nomi tracking on its website.

The FTC, though, seized upon a promise made within Nomi’s privacy policy to provide an additional, in-store opt out and argued that Nomi’s failure to make good on this promise — and/or to notify customers of which stores used the technology — made its privacy policy deceptive. Commissioner Wright dissented, noting that the majority failed to consider evidence showing the promise was not material; he argued that the inaccurate statement was not important enough to actually affect consumers’ behavior because they could opt out on the website anyway. Both Commissioner Wright’s and Commissioner Ohlhausen’s dissents argued that the FTC majority’s enforcement decision in Nomi amounted to prosecutorial overreach, imposing an overly stringent standard of review without any actual indication of consumer harm.

The FTC’s deception authority is supposed to provide the agency with the authority to remedy consumer harms not effectively handled by common law torts and contracts — but it’s not a blank check. The 1983 Deception Policy Statement requires the FTC to demonstrate:

  1. There is a representation, omission or practice that is likely to mislead the consumer;
  2. A consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
  3. The misleading representation, omission, or practice is material (meaning the inaccurate statement was important enough to actually affect consumers’ behavior).

Under the DPS, certain types of claims are treated as presumptively material, although the FTC is always supposed to “consider relevant and competent evidence offered to rebut presumptions of materiality.” The Nomi majority failed to do exactly that in its analysis of the company’s claims, as Commissioner Wright noted in his dissent:

the Commission failed to discharge its commitment to duly consider relevant and competent evidence that squarely rebuts the presumption that Nomi’s failure to implement an additional, retail-level opt out was material to consumers. In other words, the Commission neglects to take into account evidence demonstrating consumers would not “have chosen differently” but for the allegedly deceptive representation.

As we discuss in detail in the white paper, we believe that the Commission committed several additional legal errors in its application of the Deception Policy Statement in Nomi, over and above its failure to adequately weigh exculpatory evidence. Exceeding the legal constraints of the DPS isn’t just a legal problem: in this case, it’s led the FTC to bring an enforcement action that will likely have the very opposite of its intended result, discouraging rather than encouraging further disclosure.

Moreover, as we write in the white paper:

Nomi is the latest in a long string of recent cases in which the FTC has pushed back against both legislative and self-imposed constraints on its discretion. By small increments (unadjudicated consent decrees), but consistently and with apparent purpose, the FTC seems to be reverting to the sweeping conception of its power to police deception and unfairness that led the FTC to a titanic clash with Congress back in 1980.

The Nomi case presents yet another example of the need for FTC process reforms. Those reforms could ensure the FTC focuses on cases that actually make consumers better off. But given the FTC majority’s unwavering dedication to maximizing its discretion, such reforms will likely have to come from Congress.

Find the full white paper here.

In short, all of this hand-wringing over privacy is largely a tempest in a teapot — especially when one considers the extent to which the White House and other government bodies have studiously ignored the real threat: government misuse of data à la the NSA. It’s almost as if the White House is deliberately shifting the public’s gaze from the reality of extensive government spying by directing it toward a fantasy world of nefarious corporations abusing private information….

The White House’s proposed bill is emblematic of many government “fixes” to largely non-existent privacy issues, and it exhibits the same core defects that undermine both its claims and its proposed solutions. As a result, the proposed bill vastly overemphasizes regulation to the dangerous detriment of the innovative benefits of Big Data for consumers and society at large.


Recently I highlighted problems with the FTC’s enforcement actions targeting companies’ data security protection policies, and recommended that the FTC adopt a cost-benefit approach to regulation in this area.  Yesterday the Heritage Foundation released a more detailed paper by me on this topic, replete with recommendations for new FTC guidance and specific reforms aimed at maintaining appropriate FTC oversight while reducing excessive burdens.  Happy reading!

The U.S. Federal Trade Commission (FTC) continues to expand its presence in online data regulation.  On August 13 the FTC announced a forthcoming workshop to explore appropriate policies toward “big data,” a term used to refer to advancing technologies that are dramatically expanding the commercial collection, analysis, use, and storage of data.  This initiative follows on the heels of the FTC’s May 2014 data broker report, which recommended that Congress impose a variety of requirements on companies that legally collect and sell consumers’ personal information.  (Among other requirements, companies would be required to create consumer data “portals” and implement business procedures that allow consumers to edit and suppress use of their data.)  The FTC also is calling for legislation that would enhance its authority over data security standards and empower it to issue rules requiring companies to inform consumers of security breaches.

These recent regulatory initiatives are in addition to the Commission’s active consumer data enforcement efforts.  Some of these efforts are pursuant to three targeted statutory authorizations – the FTC’s Safeguards Rule (promulgated pursuant to the Gramm-Leach-Bliley Act and directed at non-bank financial institutions), the Fair Credit Reporting Act (directed at consumer reporting agencies), and the Children’s Online Privacy Protection Act (directed at children’s information collected online).

The bulk of the FTC’s enforcement efforts, however, stem from its general authority to proscribe unfair or deceptive practices under Section 5(a)(1) of the FTC Act.  Since 2002, pursuant to its Section 5 powers, the FTC has filed and settled over 50 cases alleging that private companies used deceptive or ineffective (and thus unfair) practices in storing their data.  (Twitter, LexisNexis, ChoicePoint, GMR Transcription Services, GeneLink, Inc., and mobile device provider HTC are just a few of the firms that have agreed to settle.)  Settlements have involved consent decrees under which the company in question agreed to take a wide variety of “corrective measures” to avoid future harm.

As a matter of first principles, one may question the desirability of FTC data security investigations under Section 5.  Firms have every incentive to avoid data protection breaches that harm their customers, in order to avoid the harm to reputation and business value that stems from such lapses.  At the same time, firms must weigh the costs of alternative data protection systems in determining what the appropriate degree of protection should be.  Economic logic indicates that the optimal business policy is not one that focuses solely on implementing the strongest data protection program without regard to cost.  Rather, the optimal policy is to invest in enhancing corporate data security up to the point where the marginal benefits of additional security equal the marginal costs, and no further.  Although individual businesses can only roughly approximate this outcome, one may expect that market forces will tend toward the optimal result, as firms that underinvest in data security lose customers and firms that overinvest in security find themselves priced out of the market.  There is no obvious “market failure” that suggests the market should not work adequately in the data security area.  Indeed, there is a large (and growing) amount of information on security systems available to business, and a thriving labor market for IT security specialists to whom companies can turn in designing their security programs.  Nevertheless, it would be naive in the extreme to believe that the FTC will choose to abandon its efforts to apply Section 5 to this area.  With that in mind, let us examine more closely the problems with existing FTC Section 5 data security settlements, with an eye to determining what improvements the Commission might beneficially make if it is so inclined.

The HTC settlement illustrates the breadth of decree-specific obligations the FTC has imposed.  HTC was required to “establish a comprehensive security program, undergo independent security assessments for 20 years, and develop and release software patches to fix security vulnerabilities.”  HTC also agreed to detailed security protocols that would be monitored by a third party.  The FTC did not cite specific harmful security breaches to justify these sanctions; HTC was merely charged with a failure to “take reasonable steps” to secure smartphone software.  Nor did the FTC explain what specific steps short of the decree requirements would have been deemed “reasonable.”

The HTC settlement exemplifies the FTC’s “security by design” approach to data security, under which the agency informs firms after the fact what they should have done, without exploring what they might have done to pass muster.  Although some academics view the FTC settlements as contributing usefully to a developing “common law” of data privacy, supporters of this approach ignore its inherent ex ante vagueness and the costs decree-specific mandates impose on companies.

Another serious problem stems from the enormous investigative and litigation costs associated with challenging an FTC complaint in this area – costs that incentivize most firms to quickly accede to consent decree terms even if they are onerous.  The sad case of LabMD, a small cancer detection lab, serves as warning to businesses that choose to engage in long-term administrative litigation against the FTC.  Due to the cost burden of the FTC’s multi-year litigation against it (which is still ongoing as of this writing), LabMD was forced to wind down its operations, and it stopped accepting new patients in January 2014.

The LabMD case suggests that FTC data security initiatives, carried out without regard to the scale or resources of the affected companies, have the potential to harm competition.  Relatively large companies are much better able to absorb FTC litigation and investigation costs.  Thus, it may be in the large firms’ interests to encourage the FTC to support intrusive and burdensome new FTC data security initiatives, as part of a “raising rivals’ costs” strategy to cripple or eliminate smaller rivals.  As a competition and consumer welfare watchdog, the FTC should keep this risk in mind when weighing the merits of expanding data security regulations or launching new data security investigations.

A common thread runs through the FTC’s myriad activities in data privacy “space” – the FTC’s failure to address whether its actions are cost-beneficial.  There is little doubt that the FTC’s enforcement actions impose substantial costs, both on businesses subject to decree and investigation, and on other firms possessing data that must contemplate business system redesigns to forestall potential future liability.  As a result, business innovation suffers.  Furthermore, those costs are passed on at least in part to consumers, in the form of higher prices and a reduction in the quality and quantity of new products and services.  The FTC should, consistent with its consumer welfare mandate, carefully weigh these costs against the presumed benefits flowing from a reduction in future data breaches.  A failure to carry out a cost-benefit appraisal, even a rudimentary one, makes it impossible to determine whether the FTC’s much touted data privacy projects are enhancing or reducing consumer welfare.

FTC Commissioner Josh Wright recently gave voice to the importance of cost-benefit analysis in commenting on the FTC’s data brokerage report – a comment that applies equally well to all of the FTC’s data protection and privacy initiatives:

“I would . . . like to see evidence of the incidence and scope of consumer harms rather than just speculative hypotheticals about how consumers might be harmed before regulation aimed at reducing those harms is implemented.  Accordingly, the FTC would need to quantify more definitively the incidence or value of data broker practices to consumers before taking or endorsing regulatory or legislative action. . . .  We have no idea what the costs for businesses would be to implement consumer control over any and all data shared by data brokers and to what extent these costs would ultimately be passed on to consumers.  Once again, a critical safeguard to insure against the risk that our recommendations and actions do more harm than good for consumers is to require appropriate and thorough cost-benefit analysis before acting.  This failure could be especially important where the costs to businesses from complying with any recommendations are high, but where the ultimate benefit generated for consumers is minimal. . . .  If consumers have minimal concerns about the sharing of certain types of information – perhaps information that is already publicly available – I think we should know that before requiring data brokers to alter their practices and expend resources and incur costs that will be passed on to consumers.”

The FTC could take several actions to improve its data enforcement policies.  First and foremost, it could issue Data Security Guidelines that clarify (1) that the FTC’s enforcement actions regarding data security will be rooted in cost-benefit analysis, (2) that this analysis will take into account investigative costs, and (3) that it will give weight to reasonable industry self-regulatory efforts.  (Such Guidelines should be framed solely as limiting principles that tie the FTC’s hands to avoid enforcement excesses.  They should studiously avoid dictating to industry the data security principles that firms should adopt.)  Second, it could establish an FTC website portal that features continuously updated information on the Guidelines and other sources of guidance on data security.  Third, it could employ cost-benefit analysis before pursuing any new regulatory initiatives, legislative recommendations, or investigations related to other areas of data protection.  Fourth, it could urge its foreign counterpart agencies to adopt similar cost-benefit approaches to data security regulation.

Congress could also improve the situation by enacting a narrowly tailored statute that preempts all state regulation related to data protection.  Forty-seven states now have legislation in this area, which adds additional burdens to those already imposed by federal law.  Furthermore, differences among state laws render the data protection efforts of merchants who may have to safeguard data from across the country enormously complex and onerous.  Given the inherently interstate nature of electronic commerce and associated data breaches, preemption of state regulation in this area would comport with federalism principles.  (Consistent with public choice realities, there is always the risk, of course, that Congress might be tempted to go beyond narrow preemption and create new and unnecessary federal powers in this area.  I believe, however, that such a risk is worth running, given the potential magnitude of excessive regulatory burdens, and the ability to articulate a persuasive public policy case for narrow preemptive legislation.)

Stay tuned for a more fulsome discussion of these issues by me.