In the span of two days, mobile device users learned of two security incidents that could compromise their personal data. In one, Experian (a credit reporting agency) reported that it was hacked, potentially putting 15 million American consumers’ data at risk. Many of those consumers were T-Mobile customers or applicants who had submitted to a credit check before signing up for a mobile plan. T-Mobile’s CEO John Legere issued a press release, stating that he was “incredibly angry about this data breach,” and that T-Mobile takes “customer and prospective customer privacy VERY seriously.” The second, far larger problem affects approximately one billion Android mobile devices. The “Stagefright 2.0” security flaw—so-named because of a similar “Stagefright” vulnerability disclosed several months earlier—allows an attacker to run code on an Android device by getting it to process a specially crafted MP3 or MP4 media file, whether delivered directly (for example, in a web page or an app) or injected into unencrypted traffic by an attacker on the same wifi network. Google will be rolling out patches, but until a device actually receives one, users should be wary of untrusted media and untrusted networks.
T-Mobile and Google are, no doubt, concerned about lawsuits, but they must also consider the potential regulatory consequences of data breaches. We have previously discussed the FTC’s role in enforcing cybersecurity, and how it will likely assert its authority in more cases than ever before in the wake of its success in the FTC v. Wyndham case. But the FTC is not the only regulatory body with a role in enforcing data security. As the list below shows, federal (and state) agencies are expanding their reach into the realm of data, and that reach will almost certainly only grow over time.
The Federal Communications Commission has the most obvious connection to data security, given that mobile devices and carrier networks, which are already under the FCC’s purview, are a consistent source of data breaches. Unsurprisingly, the Commission has issued guidance on best practices, counseled businesses to secure their data, and initiated enforcement actions. Notably, those actions have typically involved mobile carriers like Verizon or AT&T, but the FCC has investigated other businesses as well. The FCC is likely to remain a prominent enforcer of cybersecurity.
Although traded securities and data security may not appear related, the SEC has staked out a sphere of influence for itself when it comes to protecting PII and other sensitive information. It shouldn’t be surprising, really—the Commission has long regulated sensitive data in the form of insider information. Now, the SEC is going further, issuing detailed guidance to investment companies and advisers, which corresponds to the growing presence of C-level infosec officers in the boardroom. The Financial Industry Regulatory Authority, which has good insight into the SEC’s activities, has created a compendium of SEC actions and guidance, as well as some of its own thoughts on how to avoid an SEC enforcement action tied to data insecurity. Given the rise of data breach shareholder derivative suits, publicly traded companies would do well to familiarize themselves with the Commission’s views, as they may become the framework for future enforcement actions.
A newcomer to the data security sector, the Consumer Financial Protection Bureau has published its own approach to consumer data protection, with Director Richard Cordray saying that “we want to be sure that consumers know how to protect themselves and where to turn if they do suspect fraud.” Though the CFPB seems to be expanding its reach into more general consumer protection, its efforts so far have been somewhat stop-and-go, presumably because such efforts would cut into the FTC’s traditional powers. Nevertheless, because the CFPB encourages consumers to report problems related to “financial products or services,” companies in the financial services industry can expect to hear from the CFPB in the event of consumer reports of data security issues.
For businesses in the healthcare and health services fields, the Department of Health and Human Services has its own set of requirements. HHS carries out enforcement actions for violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The Department recently updated the data security requirements for HIPAA-covered entities (and their business associates), and now requires FTC-style breach notifications, issued without unreasonable delay and no later than 60 days after a breach is discovered. Indeed, HIPAA itself includes a variety of data security and privacy protections that merit an entirely separate blog post. Sufficient for today is the knowledge that covered entities must be aware of HHS’s power to regulate data security.
Some government agencies are more focused on the investigation and criminal enforcement aspects of data breaches than on regulatory oversight. For example, the FBI’s Cyber Division is the primary federal body responsible for investigating cyber crimes. The Division publishes useful notices about scams, threats, and ongoing investigations that help keep the public informed about trends in cyber enforcement. The Department of Homeland Security—which is really more of an omnibus security agency than a single defined department—pursues data breach issues through several of its components. Among them, the Secret Service’s Electronic Crimes Task Forces investigate and pursue cybercriminals who commit offenses within the USSS’s remit, notably crimes against banks, payment systems, and the currency.
The multiplicity of agencies with power to regulate data security is confusing, and may at some point lead to a unified data security authority, similar to what is underway in the EU. Until that time, businesses need to be aware of which agencies can exert authority over them, and why. Inside and outside counsel will need to familiarize themselves with the flurry of new InfoSec regulations published each year, and develop an understanding of how and why these agencies initiate enforcement actions. Wading through that alphabet soup can be a difficult process, but it is yet another component of being #DataSmart.