Since When Did the FTC Start Regulating Cyber Security?


There’s no question that the Federal Trade Commission has the authority to prevent deceptive and unfair trade practices, such as false or misleading claims directed at consumers. Somehow, however, that authority has morphed into a much broader reach than one would have expected on the basis of common sense. We’ve written extensively about such jurisdictional overreaching by the FTC in the health food industry (see, for instance, this article). One of the latest examples of the FTC’s expansion of its powers is its recent settlement agreement with Twitter.

The FTC and Twitter entered into a settlement agreement in March to resolve claims that the company deceived consumers regarding its privacy protection practices. The FTC’s action was a result of two security breaches at Twitter in 2009 that permitted hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information and tweets. The security breaches and underlying security practices at Twitter, according to the FTC, were in contravention of Twitter’s published privacy policy.

The variance between Twitter’s stated policy and its practice was the “hook” for the FTC, which alleged that Twitter thus deceived its users regarding its privacy protection measures. To address this alleged deception, the settlement agreement between the FTC and Twitter requires that Twitter not make any misrepresentations about its security measures and its protection of non-public user data. This portion of the settlement makes sense and appears to be within Commission jurisdiction, but the settlement terms are far more extensive. One troubling aspect is that the agreement outlines security measures for Twitter to follow and institutes external monitoring requirements.

So how does the FTC go from preventing deceptive trade practices to regulating cyber security? And where is the statutory authority for this power? The Commission appears to be engaging in an increasingly common practice of creating new standards and expanding its reach – outside its authority, outside the traditional rulemaking process – by developing those standards through settlement agreements with companies under investigation. These companies are likely to agree to a variety of terms in order to get the government off their back. From their perspective, it often makes sense to end a dispute with the FTC rather than to challenge its power.
