Jeremy Snow of FedScoop reports that the FTC closes approximately 70% of investigations into information security violations. The figure comes from a speech by Commissioner Maureen Ohlhausen. Ohlhausen stressed that the FTC’s overall approach emphasizes reasonableness. This means that, as Snow reports, “If a company’s security is ‘reasonable, or even good,’ Ohlhausen said, and solves the problem quickly, the commission could close the investigation even if there is a single major specific failure. What matters most is the overall security of the program.”
Could Commissioner Ohlhausen be correct? It’s hard to be certain. When investigations become official, they are enrolled in a system at the FTC. They thus become countable by the leadership of the Agency. But my interviews with privacy attorneys indicated that the lawyers keep many “investigations” off the books. They may be screening a score of companies, looking for a case that would be interesting because it would set new policy, because it was egregious, because of the size of the defendant, and so on. Thus, Commissioner Ohlhausen’s estimate could be low, in the sense that the more informal inquiries go unpursued and uncounted (but are seen as real investigations by the companies that have to answer them!).