The FTC Supports Increased Security in the “Cloud” for the FCC’s Broadband Plan

The Federal Trade Commission (FTC) recently filed a series of comment letters with the Federal Communications Commission (FCC) supporting that agency’s consideration of privacy and data security in the development of its Broadband Plan. The first of these letters,[1] dated December 9, 2009, highlights the extent to which federal agencies, including the FTC and FCC, are focusing their resources on privacy and data security issues in response to the rapid expansion in recent years of Internet-based software and data services (commonly referred to as “cloud computing”), and the growing dependence by businesses on authentication and credentialing (what the FTC terms “identity management”).

By way of background, the FCC’s National Broadband Plan[2] sets various goals aimed at providing affordable broadband coverage to areas of the U.S. that go underserved in the current market, including homes, schools, hospitals and local government. The plan also focuses on improving public safety, both through expanding or enhancing broadband services, and promoting cybersecurity and the protection of critical broadband infrastructure. In this respect, the plan makes a number the recommendations, including the creation by the FCC of a “cybersecurity certification regime” and (in conjunction with the Department of Homeland Security) “a cybersecurity information reporting system.” The depth and breadth of these recommendations appears to move the FCC closer to the regulation of data security, an area where activity at the federal level, at least with respect to consumers, has generally fallen under either the Justice Department through criminal investigations, or the FTC via enforcement actions and various other initiatives.

The letter goes on to emphasize some of the FTC’s more significant efforts in this regard, including a 2007 workshop on customer authentication technology and policy, followed by a 2008 report on the same topic, and most notably, the Commission’s enforcement action and $15 million settlement against ChoicePoint for failure to follow reasonable data protection procedures ,— the largest civil money penalty in FTC history. The letter also mentions some of the Commission’s more recent efforts to address privacy challenges surrounding cloud computing, including three roundtable forums on privacy in the age of cloud computing and social networking, the last of which took place in March of 2010.

The letter concludes by recommending that the FCC’s Broadband Plan recognize the FTC’s continued devotion of substantial resources to privacy and data security. Whether the letter will enhance cooperation between these agencies remains to be seen. The efficacy of the FCC’s effort to expand its authority over Internet regulation was further complicated after a federal court held in March that the agency lacked the ability to punish Comcast for violating open-Internet guidelines. Furthermore, under a provision in the financial reform legislation currently before Congress, the FTC would gain the power to issue rules and impose civil penalties on companies that harm consumers on the Internet. Regardless, an increased focus by the federal government on privacy and data security, not to mention broadband infrastructure, is worth noting given the current patchwork of laws and regulations, both state and federal, that make privacy compliance an on-going challenge for many companies.

For more information visit