FTC Commissioner Maureen Ohlhausen On The Growing Problem Of Data Breaches In Business
HH: This hour, though, I’m starting with Maureen Ohlhausen. Now you may not know that name right away unless you happen to know something about the Federal Trade Commission. But she is a member of the FTC, and in that position, is vitally important to the future of commerce in America. And they had a hearing yesterday before the Senate Judiciary Committee about these data breaches and what happens after a company like Target or Neiman Marcus gets hacked. And I’m so pleased that Commissioner Ohlhausen agreed to talk to me today about this. Commissioner, welcome, it’s great to have you on the Hugh Hewitt Show.
MO: Thank you very much, Hugh, I’m very glad to join you and to give some additional perspectives on the FTC’s approach to data security.
HH: And that’s where I want to start. The trial lawyers in California are raining lawsuits down on anyone who gets hacked, because the data’s gone and they’re claiming under California law that this is going to, you know, cost consumers money, et cetera. This is an enormous burden on private sector. What’s the FTC doing to try and put the target back on the hackers, not on the companies?
MO: So the FTC takes a multi-pronged approach to trying to protect consumers, because that’s what we’re really focused on, is protecting consumers in this situation. So one of the important things, we do enforcement, and we certainly try to bring cases against companies that haven’t taken reasonable precautions to protect consumer data. But that’s not the only thing we do. We also provide extensive business guidance to try to explain to companies what are the basic steps and reasonable steps that they should take to try to prevent these breaches from happening in the first place. And then we also give information to consumers to explain to them what steps they can take to help protect themselves in the event of a data breach.
HH: Now those standards that you give them, do they create, and I wrote about this over at www.hughhewitt.com a couple of days ago. We need a safe harbor for companies. We need companies that adopt best practices to be protected if they’re really investing in protecting their consumer. Does the FTC have such a safe harbor created?
MO: We don’t have what would strictly be called a safe harbor, but we certainly have a similar approach where we focus on requiring companies to take reasonable precautions. So what’s reasonable is based on the sensitivity and the volume of consumer information that the company holds, the size and complexity of the business, and the cost of the tools available to improve security and reduce vulnerabilities. So if a company has taken appropriate and reasonable steps, that doesn’t mean that they would be liable if a hacker happened to overcome those reasonable and appropriate steps. So it’s not a per se liability kind of issue. If a company has taken appropriate precautions, we would not say that they had violated the FTC Act.
HH: Now last week, I was in D.C. I was broadcasting from Heritage, and I sat down with one of the K Street wizards in this area, and the dire situation facing companies are these class action lawsuits that follow a breach. They don’t actually get anything for the consumer, but they make plaintiffs’ lawyers rich. Do you think Congress ought to move to preempt this field to empower the FTC to set up best practices, and if they’re complied with, protect both the company and the consumer?
MO: So we’ve asked Congress to give us additional authority in the area of data security, to have new legislation that would provide, kind of boost the authority we already have on data security and breach notification so that we can have a uniform standard, which I think could really benefit both businesses, so they have a single standard to adhere to, a single national standard, and as well as for consumers, so they have a uniform protect, and also they would understand when they were getting notices and under what conditions they were getting notices that their data had been breached. So I think that there are benefits for consumers and for business of having a single federal standard.
HH: I’m talking with Commissioner Maureen Ohlhausen of the Federal Trade Commission. She’s been on the Commission since April of 2012. She’s going to be there for another four-plus years. It could go a long time. And so obviously, you’re going to live this thing. But you know what I’m saying very specifically when I talk about preemption. What’s your view on preemption, getting the states out of this and letting the FTC set a standard?
MO: So my view on preemption is that if we adopt a strong, federal standard, I think that would be useful to have a single standard. But I see the states also as a partner in this so that they could enforce the federal standard that is ultimately adopted.
HH: Yeah, but you know, every general counsel driving around right now, or every business owner small or large, they’re thinking to themselves, that doesn’t help me at all. You know, I hire Systemic, I hire a data security company, they come in, these hackers from abroad come in and get me, I’ve lost my data, and I’m still getting sued by 18 different lawyers up and down the state of California. And I live in California. I know this business. And I know what they’re after, and you know what they’re after. Can’t we help these businesses both protect their data, protect their consumers, but also keep them safe from pillaging trial lawyers?
MO: Well, I think that would be something the Congress would have to consider as it undertakes this legislation. I would say, though, that having a clear standard and further guidance to business really could be helpful, to give them a little more clarity about what are the appropriate and reasonable steps that they should be taking. But with that in mind, also realizing that those are going to change over time – the types of data, the volume of data, or some of the hacker attacks or some of the precautions that are available, all these things, they shift over time. So we have to be careful that we design a standard that’s flexible over the long term. So we want to give businesses guidance, we want to give them as much clarity as possible, but we also want to keep flexibility in mind as technology changes and as business needs change.
HH: Now Commissioner Ohlhausen, also the K Street wizard was telling me people have no idea of the number and complexity of attacks, and especially small to middle-sized businesses have no way to cope with this. Is the Commission aware that the level of sophistication on the hacker side is so much bigger than that of someone who’s just trying to make widgets or dresses, or trying to sell coffee cups or whatever it is?
MO: I think that there are some very complex attacks going on, but we have brought approximately fifty cases at this point on data security. And most of them have focused on failures to take even basic precautions, even basic steps. So for example, not having a firewall, or not having a password, we’ve brought suits against companies that keep the word password as their password, or who take data…a lot of this is online, but not all of it is online, paper records with people’s prescription information or with people’s mortgage applications, and just put them out in a dumpster. So a lot of the steps that we are asking companies to take are basic and simple steps that would do a lot to help protect consumers’ personal information.
HH: Do they apply to every business? Because I’ll bet you it’s news, I’ll bet you it’s new to a lot of my audience, you know, I’m heard from Hawaii to Florida, so everyone’s driving around right now at different times of the day, and they’re saying I’ve got to do what? What do I have to do? And so what do they have to do, Maureen Ohlhausen?
MO: So they have to take reasonable steps to protect the data that they have. And the reasonableness varies based on the sensitivity of the data and the complexity of the business. But we do have guidance for business available on our website. It’s Protecting Personal Information: A Guide For Business, and we give them ideas of some of these basic steps that they should take. We do also try to do outreach. I go out and speak to organizations, many other FTC officials do so as well, to try to get this information into business’ hands, because really, consumers are better off, and businesses are better off, if they know what steps to take and they take those steps, and it prevents a breach from happening. And the FTC is better off, because then we don’t need to use our enforcement, limited enforcement resources.
HH: And that website is www.ftc.gov, and I really do think people ought to go to it, to www.ftc.gov, but then we come back to the problem. Your standard isn’t the rest of the states’ standards, right? They could have completely different standards.
MO: That’s right. There are approximately 47 different state data breach and notification laws on the books right now. And a lot of them are similar. But they’re not identical.
HH: Have you guys done a study, yet, on what this is costing American business? I just think people have no idea. It’s not just the hacker and the cost of security, it’s just compliance with 47 different regimes, 48 if we count the federal regime, and who knows about the EU for any company that’s, are you guys EU compliant? Or is the EU compliant with the FTC? There’s got to be that conversation going on.
MO: Well yes, we have actually had a lot of conversations with the EU about the safe harbor directive, and compliance with that. And actually, we’ve brought some cases recently against some companies who claimed that they were safe harbor compliant and weren’t. But certainly, data privacy, data security, are very hot topics both in the U.S. and internationally right now.
HH: All right, last question, do you see Congress doing anything this year in this area that might address some of these cost and complexity issues for businesses, because you know, the CBO put out this report on the Affordable Health Care Act today, which means they’re already getting slammed. Is Congress going to send some help pretty soon?
MO: Well, I’ve been in Washington long enough to know that I’m never going to forecast what Congress may or may not do. But I will say I think that there’s a lot of attention, and there’s a lot of interest right now. We had several hearings this week. I believe that there, these recent data breaches have kind of reenergized the debate on this topic. So I do think it will continue to be an important interest and bipartisan interest in Congress.
HH: Commissioner Ohlhausen, thanks so much for spending time with us. It is, it’s an incredibly interesting and very difficult issue, and I’m glad that a commissioner would actually come along and talk to us on the air, so thanks for taking the time.
MO: Thank you very much, Hugh, I really appreciate it.
End of interview.