Government

Former FTC lawyer: Expect fewer data breach and privacy cases under Ohlhausen

The Federal Trade Commission's new chairwoman will focus the agency on economic harm to consumers, meaning there will be fewer cybersecurity and privacy enforcement actions, a former FTC official says.

By Shaun Waterman

July 31, 2017

Maureen Ohlhausen (Gage Skidmore / Flickr)

The Federal Trade Commission’s new chairwoman will focus the agency on economic harm to consumers, meaning there will be fewer cybersecurity and privacy enforcement actions, a former FTC official says.

“I think you’ll see a drop off in cases,” former FTC attorney Whitney Merrill told CyberScoop after a presentation she co-hosted at the DEF CON hacker convention in Las Vegas last week. “We can’t deny that’s true.”

New Chairwoman Maureen Ohlhausen, a Republican, told a lawyers at conference earlier this year that under her leadership the agency will focus on “objective, concrete harms such as monetary injury” and eschew “speculative injury, or … subjective types of harm.” Most data breaches fall into that latter category. The agency pursues those cases as part of its mission to fight identity theft.

“It’s hard to show economic harm,” in data security and privacy breaches, and there hasn’t been much research into it, said Merrill, now an attorney for video game publishers Electronic Arts.

Defenders of a more aggressive FTC policy on cybersecurity and privacy point to the July 2015 breach of the Ashley Madison website. The FTC pursued the case even though there was no demonstrable economic harm.

The site facilitates extramarital affairs between its members. A hacker collective called “The Impact Team” broke into the company’s network and stole data, including complete personal information — names, email addresses and sexual preferences — for all of the company’s customers.

The hackers threatened to release the data unless the website shut down. A month later they made good on their threat, dumping 25 gigabytes of data on the web. It included data on all the current and — because there was no way for departing users to delete their profile — former customers of the company.

The FTC pursued the case, eventually winning a settlement from the company. There was no mention of economic harm. Merrill and FTC Commissioner Terrell McSweeney told the DEF CON audience there were suicides and divorces. But the FTC’s action focused on the way the company’s appallingly lax security procedures enabled the breach — and meant they were deceiving their customers.

Former FTC lawyer: Expect fewer data breach and privacy cases under Ohlhausen

More Like This

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

With a mysterious surveillance target identified, calls for Congress to change course

Congressional privacy bill looks to rein in data brokers

Top Stories

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

FTC nominees urge Congress to pass federal data privacy law

FTC accuses genetic testing company of exposing sensitive health data

GoodRx will settle claim it shared sensitive health data with advertisers

LastPass breach exposes how US breach notification laws can leave consumers in the lurch

Senate Democrats call on FTC to investigate Twitter’s data security

Privacy advocates want the FTC to take on invasive daycare apps

FTC sues data broker over selling location data that can reveal abortion clinic visits

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics