This is the third in a series of posts about particular proposals in the recent US cybersecurity report.
In this post, we discuss Action Item 3.1.3, concerning a cybersecurity bill of rights and responsibilities. This Action Item recommends that the FTC “convene consumer organizations and industry stakeholders in an initiative to develop a standard template for documents that inform consumers of their cybersecurity roles and responsibilities as citizens in the digital economy.” The Commission notes that “current disclosures, if they exist, vary by product, service, and manufacturer,” and are written in “legal language that most consumers cannot understand,” but a standard template would “make them much more knowledgeable about what security measures their products and services employ and what technology vendors and providers are legally allowed to do with their information.” Relatedly, this Action Item also recommends that the FTC work with consumer organizations and industry to create a standard “cybersecurity bill of rights and responsibilities” that would educate consumers before making digital decisions.
Our first set of questions concerns legal liability for companies: Would use of these templates pre-empt or otherwise modify a company’s cybersecurity liability? And would failure to use or conform to a standard template give rise to liability? Would relying on non-standard documents be an “unfair or deceptive trade practice,” subject to regulatory action by the FTC?
There’s an even more interesting wrinkle on the flip side: Could such a template be drafted to provide companies with civil recourse against customers who misuse their services? For example, could content distributors pursue copyright infringers, password-sharers, or deceptive advertisers more aggressively, since such consumers could no longer complain that they didn’t know the rules?
And of course, there are the questions about the templates and bill of rights themselves: What would be the relationship between the template disclosures and the more global bill of rights and responsibilities? Is it really a problem that current disclosures “vary by product, service, and manufacturer” — and would a one-size-fits-all policy really be better? What would become of privacy disclosures that are already required by laws such as Gramm-Leach-Bailey and HIPAA? And how would these documents change over time to reflect changing circumstances?