Former FTC Commissioner Brill on data security, privacy protections

The rise of Big Data, mobile connectivity, apps and internet-connected devices has helped reshape the focus of the Federal Trade Commission over the years.  The list of its efforts is a lengthy one: charging that Snapchat deceived consumers with promises about the disappearing nature of messages sent through the service; settlements with Google, Amazon, and others over in-app charges that were made by children without their parents’ consent; and turning a watchful eye to the “Internet of Things” and broadband-connected cars, wearable tech, and home appliances.

For the past six years Julie Brill was among the FTC’s most influential commissioners and an important voice on internet privacy and data security issues. In April, she left public service to join the law firm Hogan Lovells as a partner and co-director of its privacy and cyber-security practice.

We spoke to her about her career change, her time at the FTC, and the ever-evolving topic of data security and privacy.

What are your thoughts as you join the private sector?

I’ve been in public service for 28 years and six years as an FTC commissioner. I loved every minute of public service, but I felt it was time to start working with companies and other stakeholders to implement many of the things I was talking about at the FTC and help them understand the regulatory process and what the rules and best practices are.

The FTC took a giant step forward during your time there. By focusing on data and privacy issues, it has to be mentioned in the same breath as the Securities and Exchange Commission, Consumer financial Protection Bureau, and Federal Communications Commission for a lot of companies. What do you see as your greatest accomplishment at the agency?

Some of it was outward facing, and my discussions with European and other international regulators, government officials, and stakeholders. I think I played a big part in demonstrating that the U.S. privacy framework is effective and that, while it is complicated, it does a good job protecting consumer’s personal information. I also talked about the need for improvement in respect to most privacy frameworks and I think that had a very important role to play in that international discussion.

Domestically, one of my other accomplishments was pushing the dialog forward on some of the key areas facing consumers in the privacy realm that involved data that is being collected and used behind the scenes by third parties. Whether I was focused on data brokers or ad networks, I was really trying to hone in on the pervasive and very important data collection use that goes on by third parties and other behind-the-scenes players that I think, up to that point, had been much less a part of the conversation because they are not consumer-facing. There are lots of issues around transparency and providing consumers with appropriate information about what those third party collectors are doing.

Another accomplishment I am very proud of is my emphasis on the need for the FTC to embrace the work of our sister regulators, whether they are at the federal or state level. I very much believe in cooperation and rallying different regulatory entities to bring the tools that they have to the table for whatever issue needs to be addressed. Cooperation is a much better approach than antagonism.

The issue of privacy is an immensely complicated one. Consumers love their privacy, but they also give their privacy away by being addicted to social media. Even the government’s own views on data privacy have become increasingly murky, as we saw with Edward Snowden and Apple’s battle with the Department of Justice. Nevertheless, the FTC has a pretty clear-cut vision of what data privacy means and that it needs to be protected. Is that easier said than done?

Regarding the apparent dichotomy between consumers wanting privacy but also wanting to engage with apps and share information, the way to frame it is to look at what’s really going on with most consumers. They want to share, but they want control over who they share with and they want to know where that information is flowing and how it is being used. They want assurances that it is all happening in a trusted environment.

A FOCUS ON PRIVACY

Julie Brill, now a partner at law firm Hogan Lovells, was sworn in as a Commissioner of the Federal Trade Commission on April 6, 2010. On the Commission, she worked actively on issues of importance to consumers, including protecting consumers’ privacy, encouraging appropriate advertising substantiation, guarding consumers from financial fraud, and maintaining competition in industries involving health care and high-tech.
During her tenure Brill was been named “the Commission’s most important voice on Internet privacy and data security issues,” a “key player in U.S. and global regulations,” “one of the top minds in online privacy,” one of the top four U.S. government players “leading the data privacy debate,” “one of the top 50 influencers on big data,” and a “game-changer.” In 2014, she received the Privacy Leader of the Year Award from the International Association of Privacy Professionals.
Prior to becoming an FTC commissioner, Brill was the senior deputy attorney general and chief of consumer protection and anti-trust for the North Carolina Department of Justice. She has also been a lecturer-in-law at Columbia University’s School of Law. She was also assistant attorney general for consumer protection and anti-trust for the State of Vermont for more than 20 years.
She graduated, magna cum laude, from Princeton University, and from New York University School of Law.
Source: Federal Trade Commission

A lot of concepts are being packed into the word privacy and it is more expansive than it used to be. A big part of that expansion is focused on the notion of control, as well as creating a trusted environment for the kind of sharing that consumers do want to engage in.

A lot of different issues arise when looking at data privacy. How does a regulator balance all sorts of competing voices and interests, whether it is a European viewpoint on data privacy or a Silicon Valley perspective on innovation?

One of the most important things an agency can do is spend a lot of time getting input from a wide variety of stakeholders, assessing that information, and trying to ensure that it is up to date. You also need to ensure you are iterating on your policies. The fact you said notice is important, or you can’t lie in your privacy clauses, isn’t enough. You need to continually evaluate how effective that kind of regulatory approach is.

I think the FTC is particularly good at that. It is known for holding workshops on cutting-edge technological issues and business models and trying to incorporate the learning that comes from having a wide variety of stakeholders talk about emerging issues. The agency folds that into its thinking on how to approach some of the tough challenges.

For example, the FTC held a workshop on the “Internet of Things” over a year ago, as the curve was moving, and we then issued a report on how the ways in which data sharing principles should be applied in the context of connected devices. There were also workshops on cross-device tracking, retail mobile locations, GPS tracking, and lots of other cutting edge issues that then led to guidance, blogs, or other communications with industry.

Beyond data privacy, data security was, and is, a big focus for the FTC.

They absolutely go hand-in-hand. If you look at the Internet of Things report, probably two-thirds, if not more, of it is focused on not only the security of the data from connected devices, but also the security of the devices themselves. The connected nature of these devices can lead to hacks into them. There have been studies and proof-of-concept projects about connected cars, insulin pumps, and other connected devices being taken over. It is something industry really needs to focus on.

It is not just a technological issue; it is also a business model issue. As more and more companies get involved in producing connected devices, the question is do they have not just the technical wherewithal, but also the economic means to patch vulnerabilities, send those patches out to consumers, and communicate with them. Consumers need to know if they can still trust that connected light bulb, or if it has a vulnerability that needs to be patched. These are the kinds of things that the FTC thought about, wrote about, and over a year ago was advising companies, very directly, that they need to focus on the data security concerns related to connected devices.

Data security is a tricky area. Nothing is ever completely secure. The FTC’s approach has focused on how a company presents its security measures and ensuing consumers are not misled about how secure their data is.

When the FTC started focusing on data security, it very much used its deception authority. It would look at what companies said about their security systems and how securely they were handling consumers’ data. If there were misrepresentations, it would proceed with an action. Many years ago, before I joined the agency, it also began to look at its unfairness jurisdiction, saying that the failure to have reasonable security would also amount to a violation of the FTC Act.

The ability of the FTC to use both its deception and unfairness jurisdictions was affirmed by the U.S. Court of Appeals for the Third Circuit in the FTC V. Wyndham Worldwide case. The court said it was not inappropriate for the FTC to use its unfairness jurisdiction when it believes the data security systems that were being deployed by a company were not reasonable.

That gets to what the FTC is looking for. It focuses on reasonable security, not perfect security. The agency has examined hundreds of data breaches and brought approximately 60 cases in the last 10 years or so. The agency recognizes, quite appropriately, and I recognized, as a commissioner, that things happen. Companies can have very good systems in place, precisely the kinds of systems the FTC is looking for, and still suffer from zero-day vulnerabilities or human error that leads to a major problem.

What the agency is looking for is having a system in place that is appropriate for the data, the size of the company, and the resources available to deal with the data collection and use at hand. It is looking for a process that is put in place, operationalized, and has an appropriate feedback loop. It wants to be assured there is a reasonable system in place to deal with data vulnerabilities.