FTC considers strengthening its consent decree security hammer

Recent cybersecurity incidents at Uber and Twitter have called into question the FTC's effectiveness in forcing companies to take security seriously.

The big picture: The country's lead data security regulator is starting to get creative in order to grab the attention of a private sector that has increasingly flaunted government mandates.

How it works: When a company faces a major data breach or gets caught abusing its users’ privacy, the FTC is required by law to reach an agreement with the violating company — known as a consent decree — to upgrade its privacy and security practices.

• Historically, the agency has simply required companies to establish privacy and security programs and hire third-party auditors to assess the changes.
• If a company violates that decree, usually with another major security incident, the FTC then has the power to fine that company.

Driving the news: FTC Chair Lina Khan told the Senate Judiciary Committee last week that the agency is examining ways to prevent companies from "treating FTC orders as suggestions."

• Khan said future consent decrees could name individual executives responsible for following the decrees or enhance assessments of a company's security practices.
• In his complaint, Twitter whistleblower Peiter "Mudge" Zatko alleged the company didn't take its 2011 FTC consent decree seriously, which was reached after hackers sent tweets from nine accounts, including then-President-elect Barack Obama's.
• Uber faced a massive security breach earlier this month despite conducting audits and establishing a privacy program following its own 2018 FTC consent decree, after it failed to disclose a 2016 breach of drivers' and riders' data.

Catch up quick: The FTC has already started including tighter security requirements in consent decrees.

• The agency required online retailer CafePress in an agreement this year to upgrade its multifactor authentication methods, encrypt Social Security numbers and minimize data collection practices.
• Last year, the FTC required at least two companies to delete any algorithms that were built on inappropriately collected data.

The intrigue: Consumer protection and privacy advocates argue the FTC can make wider systemic changes, even with its limited powers and resources, experts tell Axios.

• The FTC could write its own rules establishing security standards for all companies in the absence of congressional action on federal privacy legislation.
• Khan's idea to start naming executives as responsible parties in consent decrees could force the C-suite to take FTC orders seriously, since they could face individual fines, says John Davisson, senior counsel at the Electronic Privacy Information Center.

Yes, but: Without proper resources from Congress, the agency could have a hard time making a lasting impact.

• Because consent decrees are negotiated with individual companies, they require a lot of work and time for the FTC to monitor.
• David Vladeck, head of the FTC’s consumer protection bureau from 2009 to 2012, tells Axios the part of the bureau who worked on privacy never had more than 40 employees, leaving them to get creative with their resources.
• "The FTC has been resource starved since 1980, and I was like a triage nurse," Vladeck tells Axios. "We would've brought a lot more cases, and we would have done a lot more enforcement of consent decrees, if we simply had the resources to do it."

What's next: Experts aren't ruling out the possibility that lawmakers will pass federal privacy legislation this year — which could set security standards for companies and give the FTC more powers to enforce them.

Sign up for Axios’ cybersecurity newsletter Codebook here.

Editor’s note: This story has been corrected to state that it was the consumer protection bureau’s privacy department which never had more than 40 employees during Vladeck’s tenure, not the whole of the bureau.