Today the Federal Trade Commission’s (FTC) Bureau of Consumer Protection (BCP) announced the creation of the Office of Technology Research and Investigation (OTRI), a new initiative focused on consumer protection in emerging technologies.  The BCP is responsible for preventing unfair, deceptive, and fraudulent business practices by conducting investigations, bringing enforcement actions, and developing rules to facilitate a fair marketplace. 

The OTRI initiative is aimed at ensuring that “consumers enjoy the benefits of technological progress without being placed at risk of deceptive and unfair practices,” according to BCP Chief Jessica Rich.  Functioning as an extension of the Mobile Technology Unit (which was established a few years back in an effort to bring consumer protections to the mobile space), the OTRI will go beyond the operations of the Mobile Technology Unit to include “an even broader mandate” and will also be staffed with additional technologists.  Specifically, the OTRI will address a range of consumer protection technology issues, including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things (IoT).

Reading between the lines, it can be expected that the FTC is planning to ramp up its enforcement authority over unfair and deceptive business practices to virtually any business that connects to the Internet.  The OTRI announcement follows the FTC’s IoT Report released in January and comes on the heels of a Congressional hearing last week, where Members of Congress as well as representatives from the FTC and the Federal Communications Commission (FCC) deliberated over a House Energy & Commerce Committee discussion draft bill, purporting to increase the FTC’s enforcement authority in the information security and data breach space.

The bill specifically outlines notice requirements where a covered entity suffers a data breach and furthermore creates a data security standard, mandating that covered entities implement and maintain “reasonable security measures and practices.”  If enacted, the bill would grant the FTC authority to enforce the Act “in the same manner, by the same means, and with the same jurisdiction, powers, and duties” as the Federal Trade Commission Act, though it stops short of granting the FTC rulemaking authority. 

The bill would also require State Attorneys General (AGs) to notify the FTC before bringing a civil action related to a violation of the Act (or immediately upon filing the action, where prior notice is not feasible).  Moreover, the bill would bar State AGs from instituting actions where the FTC has already initiated a Federal civil action.

Members of the House Energy & Commerce Committee have not yet reached a consensus regarding the statutory language, however, with the FCC testifying that the bill would eliminate consumer protections currently in place under its jurisdiction, and the FTC testifying that the Act’s protections need to be expanded to include information, such as health, geolocation, and device security data.  With particular focus on IoT devices, the FTC’s written testimony specifically highlighted risks concerning pacemakers and automobiles:

Security breach of such devices could lead to the compromise of personal information, but also raise broader safety concerns.  Accordingly, general data security legislation should address risks to both personal information and device functionality.

In the meantime, it appears that the FTC will use its current Article 5 authority to investigate and enforce unfair and deceptive security practices in the IoT realm through its newly-created OTRI.  Thus, businesses would be remiss to think they are immune from FTC enforcement over IoT-related data security issues until such authority has been explicitly prescribed in a Federal statute.

Holland & Knight built its own internal Privacy and Data Security Testing Lab specifically to address the new threat and risks associated with an Internet connected world.  Using our lab capabilities, we perform technical tests and reviews of websites, mobile apps, devices and network-aware products to identify technical privacy and security flaws.