FTC wants Congress to punish companies for being hacked

[Wilikon]

Above: Daniel Kaufman , deputy director of the Bureau of Consumer Protection at the Federal Trade Commission.


Daniel Kaufman, FTC deputy director, wants to penalize companies that experience major security breaches.

The Federal Trade Commission is tasked with protecting American consumers, a major piece of which involves safeguarding their data. That also means history’s least productive Congress must try to keep up with one of the most rapidly changing industries so the FTC has relevant regulations to enforce.

But there’s reason to be optimistic, according to Daniel Kaufman, who serves as deputy director of the agency’s bureau of consumer protection.

The FTC is headed by five commissioners from both political parties who have “unanimously supported data security for some time now,” said Kaufman in conversation with GigaOM writer Jeff Roberts at the Structure Data conference today.

There’s reason to believe that bipartisan support is reflected in Congress, he added.

“Particularly data security is an area [where] we are seeing a little more traction as an issue Congress might do something [about],” said Kaufman. ”Recent breaches have highlighted the issue big-time.”

One item on Kaufman’s wishlist is civil penalties for companies that experience substantial data breaches. If the agency could dole out civil penalties to data security offenders, he reasons, they would be more inclined to have an effective data security framework upfront, making large-scale data breaches less likely.

But the FTC is not wholly reliant on Congress. Although the FTC is primarily a law enforcement agency, it also conducts investigations and studies. Right now, for instance, it’s nearly done with a study of data brokers — business-facing entities that collect enormous amounts of consumer data. The report should provide some insight on how they’re getting the data, who they’re sharing it with, restrictions on the data’s use, and so on. Hypothetically, these actions can help inform lawmakers and help them pass productive legislation.

“[The data broker study is] a way to shed some light on this industry that has enormous effect on consumers but very little transparency,” he said. “The commission has been very supportive of legislation that would increase the transparency of data brokers.”

Kaufman also highlighted how imperative self-regulation and transparency are in an American industry that stands to lose business to foreign companies in this age of (justified) privacy skepticism. We need short, meaningful consumer disclosures, he said, not endless pages of legalese. Academics and trade associations can help draft and implement a uniform set of disclosure guidelines for tech companies, he added.

Although the FTC tends to focus on the negative side of big data, Kaufman admitted, there is huge innovation in the $50 billion global industry that has the capacity to dramatically improve lives.

“We are very focused on making sure we are not stifling innovation,” he said. “We want to make sure there’s privacy out there, but we are aware there are huge benefits.”

http://venturebeat.com/2014/03/19/ftc-wants-congress-to-punish-companies-for-being-hacked/


----------------------------------------------------------------------------------------------

Can the FTC punish Government for being "hacked" or private companies only? What happen when the hacker is the CIA?

[1714813163]

1714813163

[1714813163]

1714813163

[1714813163]

1714813163

[1714813163]

1714813163

[mexxer]

it's a maybe good idea, to scare them to increase and improve security.

[Lethn]

I find Bitcoins' approach a lot better, they get hacked, they lose all their money and customers never do business with them again, also, anything that has an internet connection is capable of being hacked, so suggesting something like this is really just punishing the victim of a crime.

[compro01]

customers never do business with them again

You wish.  All you'll get is a DBA dance with companies constantly changing their name.

[Swordsoffreedom]

customers never do business with them again

You wish.  All you'll get is a DBA dance with companies constantly changing their name.

I agree you can put lipstick on a pig but it's still a pig
I do agree they should try to put up better security but the NSA leaks show that their security encryption choices may have certain bias/hacks built into their standard

[Wilikon]

I find Bitcoins' approach a lot better, they get hacked, they lose all their money and customers never do business with them again, also, anything that has an internet connection is capable of being hacked, so suggesting something like this is really just punishing the victim of a crime.

Not only that, not too long ago they've found a critical flaw in Linux. I am sure it will or is already being patched already. Now you are a business betting your company and the safety of your clients on the "vision of open source". A hacker knew about the flaw and screwed you. who's to be blamed? You? the open source community at large or the dude called "1337AwSome", responsible for coding those critical lines?

[Rinndaranaur]

the guy on the photo has an evil grin. I would not trust him!

[Bonam]

Doesn't make sense. Businesses should not be being punished for being the victims of a crime. It's the hackers that should be punished. However, a set of minimum standards on how certain kinds of data must be secured might not be a bad idea.

[Wilikon]

Doesn't make sense. Businesses should not be being punished for being the victims of a crime. It's the hackers that should be punished. However, a set of minimum standards on how certain kinds of data must be secured might not be a bad idea.

How about a minimum standard when a US inspector uses a portable NSA tool to test your business network. If the mothership in Utah can break into your system you get fined $50 000 for a lack of proper miminum standard + visit from the DOJ and the IRS.

Obviously telling you how to prepare yourself from an official civil servant hacker next time to protect your enterprise is government secret as you are a de facto criminal.

[Bonam]

How about a minimum standard when a US inspector uses a portable NSA tool to test your business network. If the mothership in Utah can break into your system you get fined $50 000 for a lack of proper miminum standard + visit from the DOJ and the IRS.

Obviously telling you how to prepare yourself from an official civil servant hacker next time to protect your enterprise is government secret as you are a de facto criminal.

When a business gathers and stores customer's private data, it takes on a duty to safeguard that data. Making sure that businesses perform their duties is already conducted by government agencies in many other contexts... construction standards, food safety, vehicle safety, and countless other examples. Given that this is the society we live in, I don't see how requiring minimum standards of data security is any different.

[Wilikon]

How about a minimum standard when a US inspector uses a portable NSA tool to test your business network. If the mothership in Utah can break into your system you get fined $50 000 for a lack of proper miminum standard + visit from the DOJ and the IRS.

Obviously telling you how to prepare yourself from an official civil servant hacker next time to protect your enterprise is government secret as you are a de facto criminal.

When a business gathers and stores customer's private data, it takes on a duty to safeguard that data. Making sure that businesses perform their duties is already conducted by government agencies in many other contexts... construction standards, food safety, vehicle safety, and countless other examples. Given that this is the society we live in, I don't see how requiring minimum standards of data security is any different.

So what would be that standard based on? A food standard is based on how to avoid contamination from Nature (microbes are natural after all). It is also a standard against maniacs poisoning food and water supplies or meddling with prescription bottles in a drugstore. Construction standard are based on structure lasting the life of a human being or more (but not 1000 of years like the great pyramids). Now should a building standard include a reinforcement from a direct 777 impact full of people just in case? If that happens and the building still collapses is the structure owner still responsible?

Can't a private company have the same exact data protection as a government, the one government uses as its own standard against the billions of Chinese attacks every day? That would be a start from hackers, good enough for the private sector.

[Bonam]

So what would be that standard based on?

Well, it should probably be based on a reasonable balance of the sensitivity of the data being stored with the resources/cost required to safeguard it to a certain level. A small business that retains the names and email addresses of its clients should not be encumbered with data security requirements that will cost it millions of dollars. In contrast, a large financial company with access to all of their clients financial records and personal information should be required to use some of the latest and most advanced methods in data security. The specific methods required depending on the classes of data stores would likely have to be determined by a set of technical experts drawn from the industry, and updated frequently.

Construction standard are based on structure lasting the life of a human being or more (but not 1000 of years like the great pyramids). Now should a building standard include a reinforcement from a direct 777 impact full of people just in case? If that happens and the building still collapses is the structure owner still responsible?

No, clearly the risk should be weighed against the costs to mitigate said risks. Clearly, it is not worth engineering your typical building to withstand airplane impacts, since the likelihood of the building experiencing such an event is very low, and the cost to design it to be resilient to such a scenario is very high. On the other hand, certain buildings for which it is worthwhile can and have been designed to withstand bombs and even nuclear attacks.

Can't a private company have the same exact data protection as a government, the one government uses as its own standard against the billions of Chinese attacks every day? That would be a start from hackers, good enough for the private sector.

Well, I'm sure it could, but I'm guessing that implementing the same kind of data security safeguards that the NSA/CIA/etc use on behalf of top secret US government data are very expensive and outside the reach of all but the largest corporations.

[Wilikon]

So what would be that standard based on?

Well, it should probably be based on a reasonable balance of the sensitivity of the data being stored with the resources/cost required to safeguard it to a certain level. A small business that retains the names and email addresses of its clients should not be encumbered with data security requirements that will cost it millions of dollars. In contrast, a large financial company with access to all of their clients financial records and personal information should be required to use some of the latest and most advanced methods in data security. The specific methods required depending on the classes of data stores would likely have to be determined by a set of technical experts drawn from the industry, and updated frequently.

Construction standard are based on structure lasting the life of a human being or more (but not 1000 of years like the great pyramids). Now should a building standard include a reinforcement from a direct 777 impact full of people just in case? If that happens and the building still collapses is the structure owner still responsible?

No, clearly the risk should be weighed against the costs to mitigate said risks. Clearly, it is not worth engineering your typical building to withstand airplane impacts, since the likelihood of the building experiencing such an event is very low, and the cost to design it to be resilient to such a scenario is very high. On the other hand, certain buildings for which it is worthwhile can and have been designed to withstand bombs and even nuclear attacks.

Can't a private company have the same exact data protection as a government, the one government uses as its own standard against the billions of Chinese attacks every day? That would be a start from hackers, good enough for the private sector.

Well, I'm sure it could, but I'm guessing that implementing the same kind of data security safeguards that the NSA/CIA/etc use on behalf of top secret US government data are very expensive and outside the reach of all but the largest corporations.

So based on all your answers what should a private company do facing the eventuality of being hacked one day getting a virus from an email? They spent the money trusting Norton, trained all their employees not to open funny cat gifs, not to pick up a flash drive somebody "forgot" in the elevator, etc. Yet they get hacked.
They should still be criminalized because they did not put enough money in firewall? If a company did everything in their knowledge to protect their customers using the tools they had at their disposal, why should they be the criminals and not the hackers?

[Bonam]

So based on all your answers what should a private company do facing the eventuality of being hacked one day getting a virus from an email? They spent the money trusting Norton, trained all their employees not to open funny cat gifs, not to pick up a flash drive somebody "forgot" in the elevator, etc. Yet they get hacked.
They should still be criminalized because they did not put enough money in firewall? If a company did everything in their knowledge to protect their customers using the tools they had at their disposal, why should they be the criminals and not the hackers?

If you read my first post, it is precisely avoiding punishing companies that are the victims of companies that I'm after. It is indeed the hackers that should be punished. However, requiring a certain set of standards for companies to keep data secure is not unreasonable. These standards should be clearly spelled out as well. If the standard says that company X must: "trust Norton, train employees to not open funny cat gifs, and not pick up flash drives lying in elevators", and company X complies with the rules as in your example above, they should indeed not face any punishment, even if they get hacked.

Like I said, the standards/requirements should not be odious or cumbersome, but should be reasonable, and scaled appropriately so that they are not an undue burden on small businesses.

But at the same time... I know accountants out there that just keep all their client's data unencrypted saved on their personal laptop, which isn't even password protected to log into. Such people may be good accountants, but know nothing about data security. Given that they are clueless about data security and have no tools at their disposal... they are indeed using all zero tools at their disposal to protect their customers. Should an accountant that has access to the detailed financial information of a hundred clients be required to secure their data in some way? You know, maybe require a password to log into their laptop? Maybe have a fingerprint reader on it? Maybe keep the files encrypted in some way? 

[Warning__3]

Why do i always think people mean feathercoin when they are talking about FTC..

[Wilikon]

Why do i always think people mean feathercoin when they are talking about FTC..

Because your lexicon is what it is? 

[Warning__3]

Why do i always think people mean feathercoin when they are talking about FTC..

Because your lexicon is what it is? 

True! The mind sees what it wanna see xD

[Swordsoffreedom]

Why do i always think people mean feathercoin when they are talking about FTC..

That made me grin a little  Feathercoin wants Congress to punish companies for being hacked

[Xterry]

“We want to make sure there’s privacy out there, but we are aware there are huge benefits.” What huge benefits is he speaking about?