Regulating Cybersecurity: Talking with FTC Commissioner Terrell McSweeny

Hilary Tuttle


October 1, 2015

terrell mcsweeny FTC cyber risk

One of the clearest—and for many companies, most worrisome—consequences of a data breach or other information security incident is the threat of regulatory action, whether in the form of extensive investigation, fines or federal lawsuit. This risk comes from a range of state and federal agencies that enforce the nation’s myriad privacy regulations, such as HIPAA and the Gramm-Leach-Bliley Act. With its mandate to protect consumers from deception and unfair practices, the Federal Trade Commission has long been a key player in regulating issues of data privacy. In recent years, the commission has become increasingly active in investigating and bringing cases against organizations that fail to adequately protect consumers online.

Commissioner Terrell McSweeny is one of five commissioners who oversee these investigations and decide what cases to bring under the agency’s authority. At this summer’s Black Hat conference, she and the agency’s chief technologist, Ashkan Soltani, talked about the growing role of information security experts and hackers in aiding the FTC’s mission, and urged the infosec community to get more involved in informing regulation. McSweeny also sat down with Risk Management to share her insight on how the FTC approaches and encourages corporate security, shed light on her personal process for reviewing and pursuing cases, and looked ahead at some of the most important emerging risks to personal privacy and data security.

RM: What factors determine the cases the FTC considers?

There are two main authorities for us. We address deception and unfairness, so if you are marketing something as secure when you’re not undertaking reasonable security, for example, that’s deception, and we could bring a case. We also have unfairness authority. If you’re not undertaking reasonable security practices, then we can say you didn’t reasonably secure consumers’ data, that exposed them to injury or potential injury, and we can bring a case.

RM: How do you evaluate the security practices you see in place in the field?

The standard for the FTC is not perfect security, it is reasonable security. We recognize there is no such thing as perfect security, and I think that is really important to be clear about—we’re talking about best practices. Those are the types of things that are included in the Start with Security handbook, which includes examples of cases we have brought to offer a sense of the practices we have been most active on to date. We are talking about industry standards—the kinds of things that anybody in information security would consider ridiculous that a company did not do.

RM: Where do you see the disconnect between having these policies and enforcing them to the degree that consumers—and regulators—expect?

What really matters is, within the organization, how is security being prioritized? For example, if you are identifying well-known vulnerabilities that require patches, what do you do with that information? Do you do the patch? Good, that is reasonable. Do you leave it for months despite knowing about it? That might not be reasonable.

We often see that companies may have a security officer, but whether they are listening to their security program, adequately training their employees—in other words, really having a security program—is where the problems generally arise. My recommendation would be, when the security officer says, “This is really important, this needs to be a priority,” people heed that warning.

RM: What do you look for when evaluating which cases to pursue?

For me, personally, it is very fact-specific. I like to really understand how something is working or not working. I spend a lot of time with our technologists and the experts we hire to help us understand what is reasonable as a security practice and what is not. I try to look at the whole thing and understand how a hack occurred, and I look very carefully at what the experts are telling me. It is also based on, in our investigation, what activity the company’s documents reflect. The circumstances of each case are different, and if you are tracking the kinds of things we say are the good, reasonable steps and something went wrong anyway, that is less likely to be a situation where I’m going to think we should bring a case. But if you’re not, and there are some obvious problems, especially that I as a non-expert can understand are a problem, that is a situation where I’m going to be more inclined to bring a case.

RM: As more breaches expose different types of information, how is the perception of what is considered sensitive information changing?

Historically, we have had a sector-based approach to privacy, and that has been acknowledged for a fairly long time: People are generally very sensitive about their financial information, their health information and their children’s information. Those categories of information are not new, and those are things people get—they feel and know and worry about them already. That’s why we already have things like COPPA [Children’s Online Privacy Protection Act] and different authorities around kids under 13. What’s interesting are some of the gaps. I think we’re going to have a very active conversation around facial recognition and geo-location, for example. Geo-location is information that, on the one hand, is helpful for people to share in mapping apps and all kinds of great uses, but it comes down to how much we know about what we’re sharing, what choice we have, and if we are being actively misled about it.

RM: What do companies need to prioritize to stay compliant with evolving regulation?

We at FTC emphasize two kinds of programs that we think are really important. One is privacy by design: to the extent that you are handling consumer data and creating new products using consumer data, ensuring that people who are thinking about the privacy implications of that are engaged from the beginning of the process and thinking about those issues and what might arise.

We also emphasize security by design, by which we mean having a meaningful security program—one that is looking at vulnerabilities, testing for vulnerabilities, and addressing the ones that need to be addressed. That is what we’re really trying to push out as best practices for securing systems and data.

RM: Hackers are now targeting many different types of data that can create a wide range of potential consequences for consumers. Is there a resulting change in your sense of what is an actionable threat or harm to consumers?

The FTC’s standard is injury or likely injury. In some of our privacy cases and security cases, that can be intrusion into your personal space, like with our TRENDnet or DesignerWare cases, where someone is taking pictures of you in your home—that’s an injury for us. Then, of course, there are other kinds of injury in our cases that involve, for example, creating a security flaw that makes your sensitive information, your email or your financial information vulnerable. That’s what we have looked at and that will continue to be the way in which we regard injury to consumers.

RM: Do you make a distinction between an imminent threat and the abstract idea of exposure—having your information out there and accessible?

For us, the injury occurs when the intrusion into the consumer’s life occurs. For the FTC to use our authority to bring a case, we don’t need the consumer to actually have been harmed if they are now exposed in some way. That exposure is harm. But we are not bringing a case in every situation—we are looking at whether the security practices were reasonable, and then we’re looking at what has been exposed and how a consumer is injured or is likely to be injured.

RM: Many companies debate the issue of disclosing a breach, particularly given concerns about both negative publicity and potential regulatory scrutiny or fines. What do you advise?

I support breach notification. I think it is important for consumers to get information that their data has been compromised and they really need it in a timely way. The commission itself has also unanimously supported, on a federal level, breach notification legislation so that we have one set of rules that everyone is playing by.

RM: How do you think consumers’ perceptions of security and privacy are changing?

Some people refer to 2014 as the “Year of the Hack.” When you look at people’s awareness of these issues in a variety of different industries, there really has been a big change in the last two years. As we connect more things and as the Internet of Things connects us all in new ways and transforms the internet and our interconnectedness, and our businesses, we are going to need to continue to have security and related issues feature in those conversations, including in many industries that did not, historically, have to think about them that much.

RM: Do you believe that 2014 really was the “Year of the Hack?”

I don’t know that there is any good metric to evaluate if more people were exposed last year—there were some pretty high-profile hacks that exposed a lot of people’s information, but in 2015, we have had some huge ones too. I think 2014 is a time after which almost every American consumer understands that there is some vulnerability, and that idea has permeated in a different way. I think that is what that term means.

RM: Looking back, what were some of the biggest lessons learned from those hacks, both for consumers and the industries that serve them?

When you think about the significance of the Sony hack in the context of public understanding, it also heightened people’s awareness that you can be in an industry that has not historically been thinking like that—it is not the retail sector collecting credit card information, for example. I’m sure they were thinking about security to some degree, but all of a sudden, you see how much other sectors really need to be thinking about these things, too. Further, that has heightened the sense that you can also have a reputational harm outside of liability that can be significant.

RM: The FTC has demonstrated an increased focus on the Internet of Things. What are you the most cautious about with the emergence of this technology, and where do you believe the biggest vulnerabilities lie?

I believe the biggest vulnerability is in the wide range of security practices around these consumer-facing connected products. Some products are coming out from companies that are very sophisticated about this and are doing security by design and have been in software for years and they know it. But then you have some products coming from companies that are new to this area and haven’t previously had a lot of connected things, and they really need to think about what security by design means for them.

The FTC has studied the Internet of Things space and will continue to do so, and we have brought some cases in that space already. We also put out an IoT report earlier in the year. It talks about, of course, the transformation in how consumer data will be gathered as IoT becomes part of our daily lives, and that is a very important issue as well. Then it also highlights these security issues, and finds a wide range of security practices out there. For me, the security process is a very important piece we need to see universally addressed.

Hilary Tuttle is managing editor of Risk Management.