Consumer Security

GOVERNMENT IT REPORT

FTC Upgrades IT to Protect Consumer Privacy, Data Security

The FTC, which is at the forefront of regulating the impact of information technology on consumers, is bolstering its technical resource capabilities through a new Office of Technology Research and Investigation. The FTC is concerned about the failure of commercial entities to make adequate disclosures or to properly address data breaches and privacy issues.

The U.S. Federal Trade Commission, which is at the forefront of regulating the impact of information technology on consumers, is bolstering its technical resource capabilities through a new Office of Technology Research and Investigation, or OTRI.

The FTC’s significant and growing role in data security and privacy protection does not arise from any direct national security and cyberintelligence aspect of IT, more properly within the scope of the Department of Homeland Security.

Instead, the FTC is concerned about the failure of commercial entities to make adequate disclosures or to properly address data breaches and privacy issues affecting consumers. The agency’s leverage stems from its legal obligation to investigate business fraud and similar offenses.

Creation of the new technology office will “ensure that consumers enjoy the benefits of technological progress without being placed at risk of deceptive and unfair practices,” said Jessica Rich, director of FTC’s Bureau of Consumer Protection.

The OTRI will provide expert research, investigative techniques for law enforcement, and further insights on technology issues involving all facets of the FTC’s consumer protection mission — including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.

The new office succeeds and will absorb operations of the existing Mobile Technology Unit, which was set up in 2011. Kristin Cohen, the current chief of the MTU, will lead the work of the OTRI.

“This is a natural evolution for the FTC. As technology gets more complex, and matters hinge on the use and misuse of technology, the FTC needs to be able to better judge whether organizations are doing the right thing,” said Lisa Sotto, a partner at Hunton & Williams.

“Without a clear understanding of the technology that underpins the use of data, the FTC would not be able to carry out its mission effectively. Having more staff technologists will allow the FTC to better assess whether businesses are using technology in reasonable ways,” she told the E-Commerce Times.

More IT Staff

To operate the expanded office, the FTC plans to hire staffers with IT backgrounds at several levels, according to Ashkan Soltani, FTC’s chief technologist. New positions include a full-time technology policy research coordinator.

The coordinator will be responsible for monitoring IT development, setting an IT research agenda, training attorneys and investigators, and identifying hardware and software tools related to emerging technologies.

In addition, the FTC will appoint a research fellow to provide technical expertise to FTC attorneys and investigators, identify and design relevant research projects in the area of consumer technology, and develop new methods of consumer protection research.

The agency plans to continue its technology research program this summer and then expand it into semester-long externships throughout the school year.

The move to enhance the FTC’s capabilities comes at a propitious time. Both the U.S. Senate and House are considering legislation addressing current and future challenges for protecting data and personal privacy, which would enhance the role of the FTC.

However, the FTC’s initiative springs more from a realization of the need to bolster the agency’s resources to keep pace with IT than from a reaction to any pending bills, said Hunton & Williams’ Sotto.

“Regardless of new legislation, the FTC has been working hard to understand the technologies that are now ubiquitous in the private sector,” she pointed out. “The new unit is intended to assist the commission in carrying out its consumer protection mission in a more effective manner.”

Legislation Advances in House

Just days after the FTC launched the new office in March, legislation that would involve the agency advanced a step when a subcommittee of the House Energy and Commerce Committee approved a draft bill dealing with data breaches and related consumer notification standards. The full committee is likely to review the draft this month.

The draft stipulates that a violation of its provisions would constitute “an unfair and deceptive act or practice under the FTC Act,” and that “violations may be enforced by the FTC or state attorneys general.”

The bill requires entities subject to FTC authority to implement and maintain “reasonable” security measures to protect personal information, and it establishes notification obligations when a security breach occurs.

It would require entities subject to FTC authority to notify affected individuals within 30 days of taking the steps necessary to investigate the breach and restore the “integrity, security and confidentiality” of affected systems. It also provides civil penalties for parties that fail to meet requirements. The bill is designed to set a national standard to replace a patchwork of state standards.

However, House members have expressed substantial disagreement about provisions in the draft, as have their counterparts in the Senate, where a similar bill has been introduced. Nonetheless, momentum is gathering for enactment of a bill that inevitably will include enforcement responsibilities for the FTC.

“There are parts of the bill that we would like to see improved for clarity and functionality,” said Yael Weinman,vice president for global privacy policy and general counsel at the Information Technology Industry Council.

However, “we hope the stars have aligned for pre-emptive data breach legislation, and we continue to work with committee staff on improving the bill,” she told the E-Commerce Times.

The Federal Buzz: Patent Contract, Security Comments

USPTO Selects Provider: The U.S. Patent and Trademark Office has awarded 12 information technology related task orders to Salient Federal Solutions through the company’s wholly owned subsidiary, List Innovative Solutions. The task orders are an expansion of current work for operations and maintenance of various mission critical applications, as well as new development tasks. The one-year awards have an estimated value of more than US$10 million.

The orders build on past work involving systems support, O&M production, and software development integration. That work includes custom Java/J2EE and .Net applications, COTS products, and open source technologies. The additional business was awarded under a blanket purchase agreement “in which we have a position,” Salient vice president Aaron Lavigne, told the E-Commerce Times.

Salient’s work with USPTO involves utilization of the Agile methodology to ensure maximum customer coordination, communication, and support. This approach decreases overlap between development teams and across the enterprise, while decreasing costs through risk management, the company said.

Federal Contractor Security: The National Institute of Standards and Technology is requesting comments on the final draft of a guidance document dealing with standards for protecting sensitive federal information residing in nonfederal organizations, including government contractors. NIST has asked interested parties to respond by May 12.

The guidance document will help implement an executive order for protecting controlled unclassified information, or CUI, that gets passed on to businesses, academic institutions and others through contracts, grants and other programs. The government plans to modify federal acquisition regulations related to CUI next year.

John K. Higgins is a career business writer, with broad experience for a major publisher in a wide range of topics including energy, finance, environment and government policy. In his current freelance role, he reports mainly on government information technology issues for ECT News Network.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John K. Higgins
More in Consumer Security

E-Commerce Times Channels