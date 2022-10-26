

Welcome to The Cybersecurity 202!

There’s a debate over how aggressive the FTC should be to protect data

It’s rare for the Federal Trade Commission (FTC) to hold an individual company to account in a security breach.

But on Monday, the FTC leveled sanctions against the CEO of alcohol delivery company Drizly over a data security breach that exposed millions of consumers’ personal information.

That action didn’t deter Sen. Ron Wyden (D-Ore.) from writing a letter to the commission and the nation’s spymaster the very next day about another matter: his “serious concern” that a lack of security clearances at the FTC was preventing meaningful coordination with the intelligence community to slow Chinese theft of U.S. consumers’ data.


So even as FTC ramps up enforcement of data protections for consumers, it faces criticism that it’s not doing enough.

“They have done a lot of work over the years to develop a clear framework for what is expected of businesses and what can bring them under enforcement actions,” John Davisson, director of litigation and senior counsel at the Electronic Privacy Information Center, told me. But “there are limitations to the FTC enforcement powers, significant ones, and those are a problem for all of its data protection work.”

The FTC, beyond individual enforcement actions against data security laggards, has indicated plans to expand its security oversight. Congress, too, has proposed funding increases and reorganizations, although some ideas have run into opposition from industry groups.

The FTC “has made data and privacy a top priority,” spokesperson Juliana Gruenwald Henderson told me.

She touted “several recent cases that seek to hold companies accountable for failing to take reasonable steps to protect and secure personal data they collect and store,” including sending the signal to CEOs with the Drizly case that “they must make security a priority or they may find themselves personally liable if they fail.”

“At the same time, the FTC is addressing the issue more broadly by launching an initiative exploring possible rules to address commercial surveillance and lax data security practices,” she said.

FTC watchers say the commission has grown more aggressive on data security, as expected, under Chair Lina Khan, who took office in June 2021. Besides the Drizly case, the FTC also has taken action against online retailer CafePress and Twitter over allegations of lax security practices.

Those cases, though, are only one way the FTC has delved further into data security. Some prominent examples:


Because the FTC usually can’t punish first offenses, “companies kind of get a mulligan,” Davisson said — although they aren’t entirely off the hook with initial offenses if the FTC places them under a consent decree that spells out remediation steps, he added.

In some cases, observers believe the FTC is going too far.

“The FTC has already put companies on notice that failure to appropriately disclose a data breach or maintain reasonable security will be considered” a violation, Kristin Bryan, a lawyer and partner at Squire Patton Boggs who works on data security dispute cases, told me. “In my view, that is enough of a stick without additional rulemaking being required.”

The FTC’s action against Twitter nonetheless renewed questions about whether the FTC can be an effective enforcement agency on data security. The FTC had placed Twitter under a consent decree in 2011, but whistleblower Peiter “Mudge” Zatko said it was never in compliance. The agency has approximately 40 people monitoring compliance with consent decrees, my colleagues Cat Zakrzewski and Joseph Menn reported in September.


Earlier this month, Senate Majority Leader Charles E. Schumer (D-N.Y.) urged the FTC to do more to combat breaches.

House appropriators have proposed an FTC budget of $490 million for fiscal 2023, a 30 percent increase over the prior year. Senate appropriators have proposed $430 million; the two figures would need to be reconciled.

But a proposal in the Build Back Better Act to establish a privacy bureau at the FTC was left out of a final deal for the Inflation Reduction Act. The U.S. Chamber of Commerce objected to the creation of that bureau.

And a Supreme Court ruling last year curtailed one of the FTC’s enforcement tools. That in turn has thrown into doubt some of the FTC’s jurisdiction to further expand its powers absent congressional authorization, James E. Lee, chief operating officer of the Identity Theft Resource Center, told me.


“You’ve clearly seen the agency stepping up. They have become more aggressive under Chair Khan,” Lee said. “At the same time, there are still people in Congress who want them to be more aggressive. But it doesn’t really matter at the end of the day how aggressive they want to be and how aggressive people want them to be if they don’t have the bodies and the legislative mandate.”

DOJ accuses Ukrainian national of being key player behind ‘Raccoon’ malware

Prosecutors accused Mark Sokolovsky of being a key part of the team behind “Raccoon,” a strain of malware that has infected millions of computers since 2019 and was leased to cybercriminals for around $200 a month. Authorities took down the malware’s infrastructure in March, when Dutch authorities arrested Sokolovsky, the Justice Department said.


A newly unsealed grand jury indictment, which was filed in November 2021, mentions a slew of Raccoon’s victims, including ones with U.S. Army affiliations. The FBI’s Austin Cyber Task Force is investigating the case with the Army’s Criminal Investigation Division, the Justice Department said.

One victim’s log-in credentials were stolen from a U.S. Army computer system in June 2019, and hackers then stole around $15,000 from that victim’s bank account, the indictment said.

A Texas victim’s credentials for an Army service used to communicate with doctors were also stolen, the indictment said.

Sokolovsky is being held in the Netherlands, the Justice Department said. Last month, a Dutch court approved his extradition to the United States; Sokolovsky has appealed, the Justice Department said.

Google and Justice Department reach agreement over responding to warrants

The Department of Justice has announced an agreement with Google in which the search giant agreed to “upgrade” its internal processes to respond faster and more completely to subpoenas and search warrants, Gerrit De Vynck reports for The Cybersecurity 202. The agreement stemmed from a court case between Google and the government over the company’s response to a 2016 search warrant for information that Google had on a cryptocurrency exchange the government was investigating.


Over the past few years, Big Tech’s data troves have become a huge source of information for law enforcement agencies and government investigators, who send tens of thousands of search warrants to companies like Facebook, Google and Apple each year. Prosecutors utilize such requests to gather evidence for cybercrime and other investigations.

As part of the deal between Google and the DOJ, Google will allow a third-party representative to evaluate how it complies with the agreement.

“Google has a long track record of protecting our users’ privacy, including pushing back against overbroad government demands for user data, and this agreement in no way changes our ability or our commitment to continue doing so,” said Matt Bryant, a Google spokesperson.


