On November 13, 2015, the Federal Trade Commission and the Federal Communications Commission entered into a Memorandum of Understanding to address coordination of consumer protection actions by each agency. Following a wave of what observers perceive as a turf battle between the FTC and FCC (namely the reclassification of broadband internet access services as a common carrier service outside the FTC’s jurisdiction), and a dramatic increase in FCC data security regulatory enforcement actions, the MOU suggests that the FTC and FCC are in fact serious about cooperation and collaboration, especially on data security issues. Although organizations have better transparency and predictability in the enforcement landscape, they should also anticipate more sophisticated investigations based on richer data and improved investigative techniques.
By way of background, both the FTC and the FCC have responsibility for data security oversight. The FCC’s power emerges from the Federal Communications Act, which requires cable operators, satellite carriers, telecommunications carriers, and providers of Voice over Internet Protocol (VoIP) services to protect the security and privacy of their subscribers’ data. The FTC’s power emanates from the Federal Trade Commission Act, which granted it broad powers to prevent unfair or deceptive trade practices, an authority recently affirmed by the Third Circuit. Although the FTC’s jurisdiction is definitely broader than the FCC’s, there are many organizations that fall under the jurisdiction of both agencies, creating challenges and the potential for inconsistencies. Recently, there has been a growing perception that the FTC and the FCC have been engaged in an arms race aimed at “one-upping” each other in data security enforcement actions. This could be one reason why agency heads orally affirmed their commitment to cooperation at the “Privacy. Security. Risk.” IAPP conference in Las Vegas this past October, which featured FTC’s Enforcement Bureau Chief Travis LeBlanc’s now famous statement, “There is no Batman vs. Superman in the FTC and the FCC. We are the Justice League.”
What should you expect?
More coordination. Acknowledging the public’s interest in avoiding duplicative, redundant, and inconsistent oversight and enforcement, the FTC and FCC agreed to coordinate agency initiatives and consult on investigations that implicate the other’s jurisdiction, going so far as to commit to considering joint enforcement actions. Key is that the agencies articulated how such coordination would be operationalized: through regular meetings to review marketplace evolution and practices and the other agency’s work on matters of common interest, by coordinating on press and public statements related to joint enforcement actions, and by designating formal liaison officers to be the primary contact for inter-agency coordination efforts.
More collaboration. The agencies will now share investigative techniques and tools, intelligence, technical and legal expertise, and best practices, and will collaborate on consumer/industry outreach. This is, perhaps, the key development: all organizations will need to redouble their efforts, as the two most sophisticated data security regulators in the United States are now poised to improve their ability to investigate and prosecute data security violations.
More information sharing. In a “practice-what-you-preach” move, the FTC and FCC agreed to share consumer complaints and related information. Going forward, the FCC will begin contributing consumer complaints to the FTC’s Consumer Sentinel Network, an online database that gives law enforcement access to millions of consumer complaints submitted directly to the FTC, as well as complaints from over 40 other data contributors. The result will be to give both agencies, especially the FCC, access to richer consumer complaint data that can be used to better prioritize agency initiatives and to gather better data from consumers for use in enforcement proceedings.