Maureen Ohlhausen’s Speech Gives Clues on FTC’s Future Enforcement in Privacy and Cybersecurity

In January, President Trump named Maureen Ohlhausen as the acting chairwoman of the Federal Trade Commission (FTC). Ohlhausen has been an FTC commissioner since 2012. Before that appointment, she was a lawyer in private practice and also worked for more than 10 years at the FTC.

In a statement released after the appointment, Ohlhausen said, “I will work to protect all consumers from fraud, deceptions and unfair practices.” In a recent speech given on February 2nd at the American Bar Association Consumer Protection Conference, Chairwoman Ohlhausen highlighted some of the ways the FTC will address cybersecurity and privacy under her leadership.

Ohlhausen’s remarks suggest that under her leadership, the FTC’s focus on cybersecurity and privacy enforcement will shift towards cases involving demonstrable consumer harm.  Ohlhausen reportedly has a reputation that disfavors government regulation and her remarks on mass data collection suggest that the FTC will take an aggressive approach on what exactly constitutes “concrete consumer injury.”  On the other hand, Ohlhausen’s comments on easing the cost of compliance should allow companies to breathe a little easier.

In her speech, Ohlhausen identified the fundamental purpose of the FTC as “seeking to ensure that consumers are better off” and highlighted three reforms that she plans to advance over the coming months: (1) re-focusing the agency on “bread-and-butter” fraud enforcement missions; (2) making sure enforcement actions address concrete consumer injury; and (3) working “to reduce unnecessary regulatory burdens and providing additional transparency to businesses.”

Ohlhausen has extensive experience in cyber matters, including a stint as the leader of the FTC’s Internet Access Task Force.  Ohlhausen’s remarks on the last two reforms suggest that the FTC will now focus on actions addressing cybersecurity and data privacy that involve “concrete consumer injury.”  As examples of “concrete consumer injury,” Ohlhausen pointed to the FTC’s recent settlement with the website Ashley Madison and an earlier case against Eli Lilly involving exposure of sensitive medical information.  Ohlhausen noted that both of these cases showed “concrete consumer injury” that arose from exposure of non-financial personal information.  Ohlhausen also highlighted her concern that the current “notice and choice” approach does not adequately protect consumers from companies that misuse “ubiquitous data collection and big data technologies,” suggesting that use of these technologies could create concrete privacy claims.  Ohlhausen recommended supplementing the notice-and-choice approach with a “harms-based approach to privacy.”

While explaining her reform to reduce unnecessary regulatory burdens and increase transparency, Ohlhausen lamented the recent trend towards generic and overbroad document and other information requests, which “impose large compliance costs on legitimate companies.”  Ohlhausen promised that under her leadership, the FTC would take these concerns seriously and work to reduce the burden on businesses.  Ohlhausen also stated that the FTC would be more transparent about proceedings and would distill key lessons from closed data security investigations in which the FTC found a company’s data security practices reasonable, “so that businesses have more information about what they should do.”