On Monday, February 27, 2017 the IAPP hosted a DC KnowledgeNet chapter meeting at the offices of Reed Smith LLP. The meeting included a panel discussion featuring federal and state regulators on emerging 2017 policy and legal trends in the area of data privacy and security.
Panel participants were:
- Maneesha Mithal, Associate Director, Bureau of Consumer Protection, FTC
- Ellen Rosenblum, Attorney General, Oregon
- Divonne Smoyer, CIPP/US, Partner, Reed Smith
Outlined below are five key takeaways for NAI members:
1. Enforcement priorities at the state and federal level include connected devices, sensitive data, and deception
Panelist Maneesha Mithal outlined three major enforcement priorities for the FTC. First, she noted that the FTC has devoted increased attention to the privacy practices of connected devices over the past year through initiatives such as their smart TV and drones workshops. Mithal said that she expects this trend to continue, with a possible workshop examining connected cars to be held in 2017. Secondly, Mithal predicted that the protection of consumers’ sensitive data, as highlighted by the recent Vizio case, is likely to be a continued focus area. Finally, Mithal suggested energy and focus will be directed toward preventing deceptive privacy practices, such as false claims of self-regulatory regime membership. Deceptive practices are seen by the FTC as both a consumer protection and fair competition issue.
Panelist Ellen Rosenblum added that she believes there needs to be a greater focus on the criminal aspects of cybercrime. For instance, she proposed that data breaches should result in a greater level of scrutiny being placed on those stealing the information. Rosenblum stressed the importance of preventing data privacy and security issues from occurring, something she suggested could be achieved through initiatives such as education programs for senior citizens. Finally, Rosenblum explained that, given the pace of technological change experienced today, it is critical to review existing regulations to ensure they are still adequate. For example, Oregon recently sought to update regulations by amending its data breach notification law.
2. Little change to legislative and enforcement regimes is expected under the Trump administration
Neither Mithal nor Rosenblum seemed to expect drastic changes to their respective regulatory and enforcement regimes under the Trump administration. Both speakers noted that issues of data protection and privacy receive bipartisan support, with Mithal calling particular attention to the low proportion of the FTC’s cases in this policy area that have seen a commissioner dissent.
3. No significant changes expected at the FTC on “sensitive data” definition or enforcement based on consumer harm
Mithal stated that she does not believe that the FTC will be drastically reassessing its definition of “sensitive data,” despite Acting Chairwoman Ohlhausen’s recent concurring statement in the Vizio case indicating that she sees scope for a reevaluation. Mithal pointed to broad consensus within the agency about the core concepts of the definition. As a result, she said that she anticipates any reevaluation would only occur on the peripheral concepts of the term. Mithal also indicated that the the privacy division of the FTC already assesses consumer harm in its enforcement actions. Consequently, she does not believe that the Acting Chairwoman’s recent suggestions that the FTC should adopt an enforcement regime more closely linked to consumer harm will have a significant impact on privacy enforcement.
4. Enforcement priorities at the state and federal level are determined through consumer complaints and media sources
Rosenblum stated that consumer complaints play a significant role in determining the Oregon Attorney General office’s enforcement priorities. The office has set up a formal procedure for handling consumer complaints.
Meanwhile, Mithal suggested that the FTC listens to consumer complaints, but pays closer attention to informants and media sources such as tech blogs.
5. Cooperation between federal agencies and state attorneys general is influenced by available enforcement tools and subject matter expertise
Mithal reported that there is no firm rule on when the FTC will partner with state A.G.s in an enforcement proceeding. She explained that cooperation is most likely when the state’s A.G. can assist in getting relief under state law. Mithal also indicated that she believes there will be ongoing support for the memorandum of understanding that currently exists between the FTC and FCC.
Rosenblum stated that her office works predominately with the FTC (as opposed other federal agencies) on privacy issues. She also added that the Oregon A.G.’s office looks to collaborate with other state attorneys general where they may have particular areas of expertise.