Companies, Consumers Need National Data Security Standard, Ohlhausen Says
Data security is “one of the most important and timely issues before the FTC today,” Commissioner Maureen Ohlhausen said during a Google event Wednesday night. She outlined the three ways the agency combats data security issues, and Google Director of Security Engineering Mayank Upadhyay discussed ways in which the company is trying to increase data security.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Data security requirements that vary from state to state can be problematic for businesses, Ohlhausen said. “This lack of uniformity in laws means that companies must comply with all the different state laws,” she said. It would be better for there to be “a single standard to create uniform procedures,” she continued. A national standard would have to examine what is a reasonable precaution “without proposing undue costs that are not justified by the consumer benefits,” she said. Ohlhausen said the idea of Congress adding a data security provision to a cybersecurity bill would be “an interesting approach, and we'll keep an eye on it.”
Ohlhausen said the area of facial recognition technology will have major data security implications. “There are some challenges with data security because a face is a unique identifier,” she said. “You can’t easily change your face.”
The FTC takes a three-pronged approach to data security, which “allows the agency to maximize its impact,” Ohlhausen said. The first part is enforcement actions under its authority to prosecute against unfair and deceptive practices granted in Section 5 of the FTC Act, she said. Ohlhausen pointed to last year’s case against Wyndham Hotels for allegedly failing to protect consumer data. The company engaged in deceptive practices because its “privacy policies misrepresented the security measures that the company and its subsidiaries took” to protect data, she said.
The agency also engages in policy research in the realm of data security, Ohlhausen said, pointing to queries the agency recently sent to nine data brokers. The agency will “use that information to decide how we should best proceed in this area,” she said. Finally, it engages in “extensive use of consumer and business education,” she continued, pointing to the agency’s OnGuard Online website, which she said has received 20 million visits since its launch in 2005.
Google is developing two-step verification technology that would require users to have a physical token as well as a digital password to access an account, Upadhyay said: “I'm hoping that with something like that, we can bring the usability to be as simple as an ATM card.” The physical token would likely have to be built into users’ phones, he said. The system could be set up to grant access to all of a user’s online accounts once he entered the physical token and a digital password, such as a four-digit pin number.