Former FTC lawyer: Expect fewer data breach and privacy cases under Ohlhausen
The Federal Trade Commission’s new chairwoman will focus the agency on economic harm to consumers, meaning there will be fewer cybersecurity and privacy enforcement actions, a former FTC official says.
“I think you’ll see a drop off in cases,” former FTC attorney Whitney Merrill told CyberScoop after a presentation she co-hosted at the DEF CON hacker convention in Las Vegas last week. “We can’t deny that’s true.”
New Chairwoman Maureen Ohlhausen, a Republican, told a lawyers at conference earlier this year that under her leadership the agency will focus on “objective, concrete harms such as monetary injury” and eschew “speculative injury, or … subjective types of harm.” Most data breaches fall into that latter category. The agency pursues those cases as part of its mission to fight identity theft.
“It’s hard to show economic harm,” in data security and privacy breaches, and there hasn’t been much research into it, said Merrill, now an attorney for video game publishers Electronic Arts.
Defenders of a more aggressive FTC policy on cybersecurity and privacy point to the July 2015 breach of the Ashley Madison website. The FTC pursued the case even though there was no demonstrable economic harm.
The site facilitates extramarital affairs between its members. A hacker collective called “The Impact Team” broke into the company’s network and stole data, including complete personal information — names, email addresses and sexual preferences — for all of the company’s customers.
The hackers threatened to release the data unless the website shut down. A month later they made good on their threat, dumping 25 gigabytes of data on the web. It included data on all the current and — because there was no way for departing users to delete their profile — former customers of the company.
The FTC pursued the case, eventually winning a settlement from the company. There was no mention of economic harm. Merrill and FTC Commissioner Terrell McSweeney told the DEF CON audience there were suicides and divorces. But the FTC’s action focused on the way the company’s appallingly lax security procedures enabled the breach — and meant they were deceiving their customers.