On May 1, 2019, WSGR held an event in which regulators and experts discussed privacy developments in the U.S. and Europe. The first session featured a fireside chat with the Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection Director, Andrew Smith, on “The State of Play at the FTC on Privacy.” In case you missed it, here are the key takeaways from the discussion:
- More specificity in data security orders. Director Smith noted that we should expect to see more specificity in data security orders moving forward, particularly after the Eleventh Circuit’s decision in LabMD.1 He mentioned that the FTC’s approach to post-LabMD orders is still evolving, but the next data security order entered will likely reflect the FTC’s new approach.
- Focus on compliance audits and assessments. Director Smith mentioned that the Commissioners are concerned about the effectiveness of existing audit and assessment provisions in consent orders. He explained that the FTC does not have enough visibility into companies’ interactions with their assessors and the steps taken to reach the conclusions reflected in attestations. Based on these concerns, Director Smith indicated that the FTC will be including additional safeguards in consent orders to ensure that companies are making accurate representations to their assessors, and that assessors are not simply taking companies at their word. He pointed to additional safeguards included in two recent data security orders—a provision requiring senior officers to provide certifications of compliance to the FTC, and a provision prohibiting misrepresentations to third party assessors—as just the first steps in the agency’s efforts to enhance its consent requirements.2
- Process-based data security actions. Director Smith indicated that he believes the FTC should be bringing unfairness cases against companies for failing to maintain adequate data security measures even in the absence of a data breach, although he does not know whether a majority of the current Commissioners would support this.
- Informational injuries. Director Smith said that we should not expect the FTC to provide new policy pronouncements or other guidance on informational injuries, but we should expect that the injuries identified in the FTC’s Staff Perspective (e.g., doxing, medical identity theft, revenge porn, disclosure of intimate details) will inform enforcement actions moving forward.
- Individual liability. Director Smith suggested that, while there may not be a consensus among Commissioners on imposing individual liability in FTC actions, we should expect that the FTC will focus more on individuals in the investigation process. Specifically, he noted that the FTC will likely be asking more questions about who was responsible for certain decisions and why, either through interrogatories or potentially by holding more investigative hearings.
- Takeaways from FTC hearings. Finally, Director Smith identified a theme he saw emerge from the FTC’s December 2018 data security hearings, namely, that there has been a market failure with respect to data security, and the FTC needs the authority to impose civil penalties to incentivize companies to internalize the cost of data breaches.
In sum, Director Smith was forthcoming in sharing information about the new FTC’s priorities, changes we should expect to see in the FTC’s enforcement approach, and emerging themes in the larger privacy debate.
2 U.S. v. Unixiz, Inc. d/b/a i-Dressup and Zhijun Liu and Xichen Zhang individually, No. 5:19-cv-2222 (N.D. Cal. April 24, 2019); James V. Grago, Jr. d/b/a ClixSense.com, No. 1723003 (F.T.C. April 24, 2019). .