News to me–the FTC was required by Congress to adjust civil penalties so that they catch up with inflation. The new maximum is $40,000 per day/per violation (up from $16,000). Interestingly, if fully adjusted for inflation, the maximum would have gone up to $52k for violations of orders, but alas, Congress capped the increase to 150% of the current max.
Jeremy Snow of Fedscoop reports that the FTC closes approximately 70% of investigations into information security violations. The figure comes from a speech by Commissioner Maureen Ohlhausen. Ohlhausen emphasized that the FTC’s approach overall emphasizes reasonableness. This means that, as Snow reports, “If a company’s security is ‘reasonable, or even good,’ Ohlhausen said, and solves the problem quickly, the commission could close the investigation even if there is a single major specific failure. What matters most is the overall security of the program.”
Could Commissioner Ohlhausen be correct? It’s hard to be certain. When investigations become official, they are enrolled in a system at the FTC. They thus become countable by the leadership of the Agency. But my interviews with privacy attorneys indicated that the lawyers keep many “investigations” off the books. They may be screening a score of companies, looking for a case that would be interesting because it would set new policy, because it was egregious, because of the size of the defendant, and so on. Thus, Commissioner Ohlhausen’s estimate could be low, in the sense that the more informal inquiries go unpursued and uncounted (but are seen as real investigations by the companies that have to answer them!).
Leafing through pages and pages of historical records on the FTC, one is frustrated by both its volume, and by what it is missing. For much of the FTC’s history the agency quietly settled matters with companies using assurances of voluntary compliance (“AVCs”). One result is that there are very interesting docket entries in the FTC history but almost no information about the alleged wrongdoing.
Here’s an example—a 1937 investigation against a company operating as “National Census Bureau.” We do not get to learn who the et al. were or the subject matter of the investigation. The respondent’s name is perfect for deceptive information collection—could this be the FTC’s first information privacy case? We’ll never know.
The law firm Bryan Cave offers some good advice for companies about consumer complaints to the FTC:
…a massive database of consumer complaints known as “Consumer Sentinel” … is used by the FTC and other consumer protection regulators to identify and investigate enforcement targets.[…]
the FTC also creates a “Top Violator” report and a “Surge” report that track those organizations that the FTC believes may have a suspicious pattern of consumer complaints. The end result is that the vast majority of FTC enforcement actions target companies identified within the FTC’s database.
Presumably, you could hire Bryan Cave to monitor these violator and surge reports and get on top of these complaints before the FTC opens a case. I think it is absolutely the case that some divisions use these reports. But different divisions of the FTC choose cases differently. A 2014 Inspector General Report noted the use of five different rationales among the BCP divisions in case selection. These included consumer harm; whether related matters were being litigated; the volume of sales made by a respondent; whether the respondent was a repeat offender; and whether the behavior was egregious.
From my interviews with FTC staff, the privacy cases are not complaint-driven. A large number–perhaps most–are brought to the Commission’s attention by competitors. And if you think about it, consumers cannot make privacy complaints because they cannot know about companies’ uses of information. Just consider important cases such as Nomi (consumer tracking through their wireless phones) or the secret software installed on “rent-to-own” computers in Aaron’s. I found that instead of looking at complaints to find targets, the FTC’s privacy attorneys were reading the newspapers, going to industry conferences, and scanning the class action litigation landscape to identify defendants.
And it gets worse for companies: FTC attorneys engage in undercover investigation by making test accounts on websites and other services, and the attorneys even engage in “test shopping” (for instance, buying information from investigatory targets). As early as the 1990s, the FTC developed consumer aliases (complete with credit card accounts) to make purchases from websites in the course of an investigation. These test activities always occur before voluntary or compulsory processes have been sent. You won’t see them coming, because the agency uses a privacy-protecting VPN to mask its IP address.

Source: FTC Office of Inspector General, Evaluation of the Federal Trade Commission’s Bureau of Consumer Protection Resources, OIG Evaluation Report No. 14-003, October 2, 2014.
Some complain that the FTC’s cases are never litigated and thus are not law. Why are not more FTC cases litigated? The class action suit against Trump University demonstrates one reason. In that case, discovery has turned up calling scripts and the like that portray the organization negatively.
Modern businesses, in order to swindle big, need employees and infrastructure. Managing those employees and infrastructure requires recordkeeping, and that paperwork is enough to prove the FTC’s case. So defendants often roll over because their own documents offer a roadmap of their deceptive/unfair practices.
Many internet business models seem to take advantage of the confusion between online and offline contexts. Social networks make strangers and mere acquaintances your “friends.” Privacy policies borrow from offline norms of confidentiality. Websites have our “trust” yet act in ways that contravene basic principles of the pre-internet idea of trust. My most recent paper with Professor Aaron Perzanowski looks at the context confusion between physical and digital products. In What We Buy When We “Buy Now,” forthcoming in volume 165 of the Pennsylvania Law Review, and covered today by David Lazarus in the LA Times, we present data from the first-ever survey of consumer expectations in digital media products. Here are the highlights:
First, we surveyed nearly 1,300 internet users using a mock-up of a website similar to Amazon.com where one could purchase physical books, mp3s, ebooks, and digital movies. The resulting data reveal a number of insights about how consumers understand and misunderstand digital transactions. The switch to a digital platform offers convenience but also makes consumer access more contingent. Unlike a purchase at a book store, a digital media transaction is continuous, linking buyer and seller and giving the seller post-transaction power impossible in physical markets. Although DRM technologies have had some setbacks in the music space, content control mechanisms are alive and even thriving in other contexts, such as games and movies. Yet we found that a surprisingly high percentage of consumers believe that when they “buy now,” they acquire the same sorts of rights to use and transfer digital media goods that they enjoy for physical goods.
One should expect some confusion in any marketplace. But the confusion surrounding digital media rights is a big deal–the marketplace for digital media is an 11-figure business. At least some of that business is based on the misconceptions surrounding the affordances of digital technology. In its recent White Paper on Remixes, First Sale, and Statutory Damages, the Department of Commerce noted that “the record before
So what to do about it? Aaron, who has no training in design, created this short notice, and we tested it to see whether it could improve consumers’ understanding.
Overall, we found that the short notice was more effective in reducing consumer misperceptions of their rights. Despite just seeing the short notice once, affirmative responses to the ownership question (do you own the media?) dropped significantly for each of the three media types we tested—23% for ebooks, 20% for mp3s, and 13% for movies.
Presumably, if consumers knew of the limited bundle of rights they were acquiring, the market could drive down the price of digital media or generate competitive business models that offered a different set of rights. Respondents said that digital media rights were important to them, that they would be willing to pay more to enjoy them, and that some were willing to resort to streaming services or even piracy.
Although our short notice could undoubtedly be improved through testing alternative designs, placements, and interactions, it is a remarkably low-cost intervention. And where false consumer perceptions can be avoided at little cost, we might be especially inclined to impose a legal obligation to do so.
Thus, in the final part of the paper, we turn to legal interventions such as state false advertising law, the Lanham Act, and federal unfair and deceptive trade practice law as possible remedies for digital media deception. Because of impediments to suit, including arbitration clauses and basic economic disincentives for plaintiffs, we conclude that the FTC could help align business practices with consumer perceptions. The FTC’s deep expertise in consumer disclosures, along with a series of investigations into companies that interfered with consumers’ use of media through digital rights management makes the agency a good fit for deceptions that result when we “buy now.”
A final note for the methods geeks. Aaron came up with an innovative idea that I have never seen in advertising copy testing experiments. To give more meaning to the idea of materiality, Aaron set up the survey so that the respondent got to choose among a set of popular products. The respondent chose among a bevy of books, movies, and music, and that product followed the respondent through the survey. This may be a better way to make materiality more palpable and have the respondent more engaged in the testing.
The shoes are dropping on the companies that assess PCI compliance. Our first signal comes from the LifeLock case. In LifeLock, the FTC alleged that the company “failed to establish and maintain a comprehensive information security program…” as required by a 2010 order. LifeLock settled the case for over $100M, despite the fact that the company claimed it had a clean bill of health from a reputable third-party PCI assessor, and according to Commissioner Ohlhausen, LifeLock suffered no breach.
How could it be the case that a company that receives a clean PCI-DSS assessment could also fail to establish a security program? Several possibilities come to mind: First, the FTC could have come to the conclusion that PCI-DSS is an unreliable or too fragile standard. Second, the assessor could have done a terrible job–one so bad that even LifeLock should have realized it. Third, perhaps the FTC suspected that LifeLock gamed the assessment process. Like the restaurant that gets warning of the inspector’s arrival and quickly cleans the kitchen once, perhaps LifeLock cleaned up its act but then reverted to some bad security state. Finally, perhaps the assessor is complicit in gaming the system, by preparing two reports–one for use by the company and another for the FTC.
The second shoe dropped today–the FTC is using its broad-ranging §6(b) authority to investigate PCI assessment companies, including PriceWaterhouseCoopers. Section 6(b) is not used often, but it is a powerful tool. With it, the FTC can compel private parties to complete special reports that are submitted under oath.
The order, which must be complied with in 45 days, suggests that the FTC is suspicious of several aspects of the PCI assessment process. The order is 7 pages long and it is accompanied by an 8-page-long appendix of definitions and procedures. Among the issues the FTC is probing are:
- The qualifications of assessors
- How many times the assessors refused to issue a “compliant” determination
- How much the assessors charge for their services
- How assessors scope their inquiries
- How/whether assessors choose to use testing
- Whether the assessor provides a “draft report” for the client that the client can edit
- Whether the assessor surfaces problems that the client is allowed to remediate
- Whether the assessor certifies clients as compliant based on the promise that the client will remediate a problem
The FTC does not ask questions like this and put high-profile companies through the wringer for nothing. The FTC’s cases must be arousing suspicion, or–more likely–a competitor has ratted out assessing firms that are engaging in shady practices.