Consumer Protection

One former FTC member weighs in on the need for a national disclosure law and FTC penalties for companies that fail to protect consumer information

Orson Swindle has emerged as one of the nation's most prominent and cogent advocates of the notion that industry self-regulation is the best way for American businesses to improve information security and privacy. A Republican appointee to the Federal Trade Commission by President Clinton in 1997, Swindle used his seven-year term to promote the creation of a "culture of security" in which the government, businesses and consumers work together to improve security. Swindle, 69, is now a distinguished fellow at the Progress & Freedom Foundation, where he directs a project that aims to improve security on the Internet by creating a set of voluntary regulations for private industry. Swindle is also chairman of Security Initiatives for the Center for Information Policy Leadership at the law firm Hunton & Williams. Swindle spoke with Senior Editor Sarah D. Scalet about the challenges of improving information security and privacy.

CSO: What's your perception of the state of information security today, and how close are we to creating this "culture of security" that you've envisioned?

Orson Swindle: The state of information security is a complex issue. We do have problems. I don't think the problems are nearly as bad as they are perceived, and part of that has to do with how the media covers things. This past year we've had probably in excess of 100 disclosed breaches, but the jump from disclosed breaches to grievous harm having occurred is a huge one. You'll hear "40 million credit cards compromised," but it's a much smaller number than that, a very low number, where harm has actually occurred. Oftentimes a disclosure is an emotional thing. It causes people to overreact. But that is not to say we don't have a problem.

It's understandable that people would be upset when they hear about these huge disclosures of information that's really out of a private citizen's hands.

Absolutely. I think there is reason to be concerned. I think consumers need to be always diligent in how they handle their own information, and perhaps of greater significance, those who are in the business of handling the information have to wake up to the reality. The old paradigm was that when you talked about information security, it was taking care of your own stuff. The new paradigm is, if you're using information, you have to take care of it, no matter whose information it is.

How do we follow the path from when information is stolen, to the point maybe six or nine months from now when that breach results in identity theft or fraud on someone's account?

It is hard. Say a laptop with a lot of sensitive information on it disappears. Should the company immediately inform all those whose information was present on the lost laptop, when four days later the lost laptop was found and nothing's been done to it? Do we want to cry wolf and scare people, or do we want to evaluate the whole sequence and determine if there is a real harm factor involved with this irresponsibility?

Do you think the law leaves enough room for the company that gets that laptop back to do computer forensics on the hard drive, see that files weren't accessed in the past four days and not do a disclosure?

I can't be that specific. Sometimes the information is, in effect (I'll put quotes around it), "compromised," yet it has no use because it is encrypted. On the other hand, if a database is hacked into because of lousy security, and the person was doing it for a reason, that's very different. There's a management decision to be made involving risk management and risk assessment, trying to come up with the criteria by which you will implement certain reactive types of programs.

This fall, I attended a meeting where some businesses said, look, we're not going to invest in enhanced information security because it's expensive; it has a low return on investment. I said, really? Tell me how you crank in the risk to your reputation if you have a security breach. What about the cost or the liability of the lawsuits that are coming your way? The collateral damage is just enormous. Avoiding that cost, what does that do for your return on investment?

The marketplace has a way of working. Whether or not it works fast enough to avoid major calamities in the future, I don't know. But I know this. More burdensome regulation, and certainly more burdensome regulation driven by an emotional circumstance or perceived crisis, often gets us laws with unintended consequences.

It's been about a year and a half since the first disclosure law took effect in California, and similar laws have passed or are being considered in many states. Do you classify these disclosure laws as burdensome regulations?

I'm sure some would argue that they're burdensome, but I think they're obligatory. Now we come into that inevitable problem in our federalist system: Do we want to have a standard rather than 50 different ways of doing it? What you get with 50 different ways is, the marketplace will decide which is the most onerous and adopt it and all the others under it.

Are you suggesting that there's a need for a national disclosure law that's less strict than California's?

I wouldn't begin to characterize it as less strict. Having each state be its own little laboratory is useful in some things, and in some things it creates chaos. I'm saying that there needs to be uniformity. Maybe a national disclosure law would be a mirror image of California. Maybe we combine two or three of the laws and come up with something that everybody says, "Well, that makes sense, let's do it that way." I don't know.

What else do you predict for this legislative year?

We're going to probably see a broadening or extension of the safeguard rule in the Gramm-Leach-Bliley Act to cover a significant number of organizations that handle sensitive information but that aren't financial services institutions. There is a new awareness that personal information is very valuable and it needs to be protected whether we're talking about a financial institution or a university or a shoe store.

You've said in the past that we are not knowledgeable enough to begin regulating. Do you think we're getting close?

The act of regulating is always moving by its very nature. It is debate; it is compromise; it is learning. Usually the way legislators learn is through lobbying, and the little guys just get stepped on in this process. I remember the debate back seven or eight years ago we were having on taxing the Internet. I don't like the idea, and how would you do it? One study said that for a huge firm it might cost 13 cents to collect a dollar in taxes, whereas a little firm would probably have to spend 87 cents to collect that dollar. It just shows you the inequity of legislation. Again, that's not a product of evil intent. It's usually the product of number 1, a complex problem, number 2, influence on the way the legislation is shaped, and lastly, just not understanding and thinking through to the end, what's going to be the effect of all this? Does it make sense? That's why I have been consistently saying, let's not rush in and start legislating. We don't fully understand this, and even if we did fully understand it right now, six months down the road the situation will have changed.

FTC enforcement of existing laws is certainly an alternative to new legislation. In your time as a commissioner, how effective do you think your attempts at enforcement were?

We were moving. The case with the BJ's Wholesale Club was an example. That was a settlement stemming from a case presented back in May of 2005. [The FTC charged that BJ's did not reasonably protect sensitive customer information, leading to fraudulent purchases made with counterfeit copies of credit and debit cards.] The FTC's Unfairness Doctrine relates to conduct that a firm might engage in that has the consumer at a critical disadvantage. Either the consumer doesn't know anything about it or can't do anything to correct it, and there's no countervailing greater good that comes from the conduct. Using the Unfairness Doctrine, the FTC basically said that BJ's Wholesale Club, by collecting sensitive and critical information and not taking adequate steps to protect it, had committed an "unfair" act against the consumers. A subsequent case for the FTC was DSW. [The FTC charged that hackers gained access to account information of 1.4 million customers of the shoe discounter.] The FTC nailed them on the same Unfairness Doctrine.

But here's one of the troubling things about the FTC. It's a civil law enforcement agency. It has a hard time enforcing criminal-like penalties. To do that, it has to go to the Justice Department, and of course, their plate is just a wee bit full. The FTC can only do so much in the way of punishing, as a famous man in town would say, "the evildoers." I often out of frustration would say, our punishment amounts only to a small line item on this guy's financial statement: penalties paid to the FTC for this. You just wonder about the effectiveness of the penalty structure.

Does that mean the penalty structure needs to be changed?

We need to think about changing it in the context of what we're dealing with today, as opposed to what we were dealing with 30 years ago. Back then, if I had an important document that I kept in my office, and you wanted to do harm to me, you could break into my office and find it and steal it. That's a major crime. Today that document might exist in a digital format. It is within information systems that you can break into to steal the document. I'm not sure we think of that in the same way we did that physical thing. We need to rethink the nature of this type of crime and how it stacks up with those things we considered to be grievous crimes in the past.

Do you think the FTC needs criminal enforcement powers?

It's a controversial thing because the Justice Department is considered our criminal law enforcement. That's a very hot political potato. I don't want to get into that. I've often been known to say we need criminal authority over at the FTC. What we did as a compromise, perhaps not often enough, was we let some of our attorneys who worked on cases be deputized, in a sense, for the Justice Department.

The FTC recently announced its largest civil penalty to date: a $10 million fine against data broker ChoicePoint, along with $5 million for consumer redress. [Editor's note: Hunton & Williams, the law firm where Swindle works, has represented ChoicePoint.] Are you surprised that the largest civil penalty in the FTC's history now involves privacy and information security?

No. This is serious business. And I think that Chairman [Deborah Platt] Majoras is doing a terrific job of getting that message across. The DSW and BJ's settlements said similar things, but as I recall there were no dollar figures associated with those settlements. With the ChoicePoint case, there were a number of different violations, including the Fair Credit Reporting Act, thus the penalty criteria is quite different from the "unfairness" nature of BJ's and DSW. The case involving ChoicePoint is pretty well laid out, and the violation was grievous. The FTC held firm, which I'm proud of.

Copyright © 2006 IDG Communications, Inc.