The U.S. Federal Trade Commission, which is at the forefront of regulating the impact of information technology on consumers, is bolstering its technical resource capabilities through a new Office of Technology Research and Investigation, or OTRI.
The FTC’s significant and growing role in data security and privacy protection does not arise from any direct national security and cyberintelligence aspect of IT, more properly within the scope of the Department of Homeland Security.
Instead, the FTC is concerned about the failure of commercial entities to make adequate disclosures or to properly address data breaches and privacy issues affecting consumers. The agency’s leverage stems from its legal obligation to investigate business fraud and similar offenses.
Creation of the new technology office will “ensure that consumers enjoy the benefits of technological progress without being placed at risk of deceptive and unfair practices,” said Jessica Rich, director of FTC’s Bureau of Consumer Protection.
The OTRI will provide expert research, investigative techniques for law enforcement, and further insights on technology issues involving all facets of the FTC’s consumer protection mission — including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.
The new office succeeds and will absorb operations of the existing Mobile Technology Unit, which was set up in 2011. Kristin Cohen, the current chief of the MTU, will lead the work of the OTRI.
“This is a natural evolution for the FTC. As technology gets more complex, and matters hinge on the use and misuse of technology, the FTC needs to be able to better judge whether organizations are doing the right thing,” said Lisa Sotto, a partner at Hunton & Williams.
“Without a clear understanding of the technology that underpins the use of data, the FTC would not be able to carry out its mission effectively. Having more staff technologists will allow the FTC to better assess whether businesses are using technology in reasonable ways,” she told the E-Commerce Times.
More IT Staff
To operate the expanded office, the FTC plans to hire staffers with IT backgrounds at several levels, according to Ashkan Soltani, FTC’s chief technologist. New positions include a full-time technology policy research coordinator.
The coordinator will be responsible for monitoring IT development, setting an IT research agenda, training attorneys and investigators, and identifying hardware and software tools related to emerging technologies.
In addition, the FTC will appoint a research fellow to provide technical expertise to FTC attorneys and investigators, identify and design relevant research projects in the area of consumer technology, and develop new methods of consumer protection research.
The agency plans to continue its technology research program this summer and then expand it into semester-long externships throughout the school year.
The move to enhance the FTC’s capabilities comes at a propitious time. Both the U.S. Senate and House are considering legislation addressing current and future challenges for protecting data and personal privacy, which would enhance the role of the FTC.
However, the FTC’s initiative springs more from a realization of the need to bolster the agency’s resources to keep pace with IT than from a reaction to any pending bills, said Hunton & Williams’ Sotto.
“Regardless of new legislation, the FTC has been working hard to understand the technologies that are now ubiquitous in the private sector,” she pointed out. “The new unit is intended to assist the commission in carrying out its consumer protection mission in a more effective manner.”
Legislation Advances in House
Just days after the FTC launched the new office in March, legislation that would involve the agency advanced a step when a subcommittee of the House Energy and Commerce Committee approved a draft bill dealing with data breaches and related consumer notification standards. The full committee is likely to review the draft this month.
The draft stipulates that a violation of its provisions would constitute “an unfair and deceptive act or practice under the FTC Act,” and that “violations may be enforced by the FTC or state attorneys general.”
The bill requires entities subject to FTC authority to implement and maintain “reasonable” security measures to protect personal information, and it establishes notification obligations when a security breach occurs.
It would require entities subject to FTC authority to notify affected individuals within 30 days of taking the steps necessary to investigate the breach and restore the “integrity, security and confidentiality” of affected systems. It also provides civil penalties for parties that fail to meet requirements. The bill is designed to set a national standard to replace a patchwork of state standards.
However, House members have expressed substantial disagreement about provisions in the draft, as have their counterparts in the Senate, where a similar bill has been introduced. Nonetheless, momentum is gathering for enactment of a bill that inevitably will include enforcement responsibilities for the FTC.
However, “we hope the stars have aligned for pre-emptive data breach legislation, and we continue to work with committee staff on improving the bill,” she told the E-Commerce Times.
The Federal Buzz: Patent Contract, Security Comments
USPTO Selects Provider: The U.S. Patent and Trademark Office has awarded 12 information technology related task orders to Salient Federal Solutions through the company’s wholly owned subsidiary, List Innovative Solutions. The task orders are an expansion of current work for operations and maintenance of various mission critical applications, as well as new development tasks. The one-year awards have an estimated value of more than US$10 million.
The orders build on past work involving systems support, O&M production, and software development integration. That work includes custom Java/J2EE and .Net applications, COTS products, and open source technologies. The additional business was awarded under a blanket purchase agreement “in which we have a position,” Salient vice president Aaron Lavigne, told the E-Commerce Times.
Salient’s work with USPTO involves utilization of the Agile methodology to ensure maximum customer coordination, communication, and support. This approach decreases overlap between development teams and across the enterprise, while decreasing costs through risk management, the company said.
Federal Contractor Security: The National Institute of Standards and Technology is requesting comments on the final draft of a guidance document dealing with standards for protecting sensitive federal information residing in nonfederal organizations, including government contractors. NIST has asked interested parties to respond by May 12.
The guidance document will help implement an executive order for protecting controlled unclassified information, or CUI, that gets passed on to businesses, academic institutions and others through contracts, grants and other programs. The government plans to modify federal acquisition regulations related to CUI next year.