clock menu more-arrow no yes

FTC Chairwoman to the Valley: I Come in Peace -- And to Keep Your Company Secure

A top privacy regulator says tech companies "need to build a culture of security."

Shutterstock

Edith Ramirez wants Silicon Valley to see her agency as something more than a wrist slapper.

Last Wednesday, the Chairwoman of the Federal Trade Commission came to San Francisco to host the agency’s first “Start with Security” conference, an initiative to institute broad guidelines for consumer privacy protection — and convince tech companies to turn to the FTC for guidance.

Security specialists from Google, Dropbox, Twitter and several other companies shared the stage. (Apple had a decent excuse for being absent.) They discussed how tech companies, big public ones and particularly smaller ones, can build tight security protocols. Ramirez also detailed where companies have crossed the line: The case against Snapchat, settled in May 2014, around the startup’s disappearing messages; and a case against Fandango, the movie-booking site, and Credit Karma, a personal finance platform, for insecure mobile apps.

The FTC detailed these two cases, along with a lengthy list of best practices, in a security guideline it released for businesses. Ramirez is hosting the second “Start with Security” event in Austin on November 5.

Re/code caught up with the chairwoman, who took her position in 2013, on Friday. The interview has been edited for clarity and brevity.

Re/code: What is the FTC’s role in handling security problems from a regulatory standpoint?

Edith Ramirez: We’re the chief federal agency that’s charged with protecting consumer privacy. Broadly speaking, we have jurisdiction over the commercial sector. In terms of our enforcement program, we’ve brought a wide range of actions against a wide range of companies.

We’re trying to ensure that companies are making truthful representations about their data practices and their privacy practices. And we’re working to make sure that companies are taking reasonable actions to include security in the earliest stages of product development.

How far along are companies in the Valley on that front?

There are many companies that certainly understand the importance of security. At the same time, it is one of the most significant challenges that we as a society face going forward. The issue has gained increased attention. We’re increasingly hearing about more and more security breaches — there are few weeks that go by that we don’t hear of one.

Chairwoman Edith Ramirez, Federal Trade Commission
Chairwoman Edith Ramirez, Federal Trade Commission
Cade Martin Photography

We’re also increasingly using new forms of technology. The data that is being collected is being collected very rapidly. With these new and emerging technologies — the Internet of Things is certainly an example — the type of data is also much more sensitive. We’re letting it into our work, our homes. This is information that used to be private, but is now being collected.

There’s a lot more at stake because there’s so much more information being gathered.

Another dimension is you have a new set of players in these emerging industries who may not have experience with dealing with security issues. And that’s what we need to change. Any startup, any developer who’s coming up with a new service, needs to start thinking about security from the onset. We need to build a culture of security.

What companies have built good examples of this culture of security?

I don’t want to name specific companies. We avoid being prescriptive, because we understand that the measures that you take will vary with the size of your company, the type of data you’re collecting, how long you’re keeping it, how you’re sharing. It depends on a whole slew of factors.

We’ve made an effort to provide general guidance to companies. One point is making sure that privacy and security are part and parcel of the development process. Another is data minimization: You want to think through what [you’re gathering] on consumers. Do you really need all the information that you’re collecting? Maybe you don’t. And how are you going to secure it? It needs to be incorporated in the life cycle of any product or service.

We also recognize, of course, that bugs are going to happen. Companies need to be prepared to have an effective strategy for managing bugs when they arrive.

How does it differ at companies of different sizes? What are the most pressing security issues you see for large tech companies? For smaller ones?

It depends. The appropriate level of security of companies will vary. It’s a question that I can’t answer at the level of abstraction and generality.

Frankly, the impetus behind this current initiative has to do with outreach in terms of conveying our message for a wider set of companies. Particularly this is aimed at the small- and medium-sized companies that may not have a wealth of resources.

What are the most common types of security problems? How frequently is human error a contributing factor?

There could be a number of different factors. We’ve encountered a wide range of security issues. We recognize that security isn’t going to be perfect. And we don’t expect perfection. But we do expect companies to have these precautions in place.

When should a startup reach out to the FTC rather than other agencies?

What I want them to do is to avail themselves of the expertise that we have and the guidance that we’re putting out there. We’ve been speaking about these issues for a long time. But I also recognize that there is a wide swath of companies who may not really know the work that we do, that we can provide useful information.

We’re going to be holding more conferences around the country. This issue is going to become only more important in the future. And it’s important for us as a nation to really take stock of the issue.

For many tech companies, the FTC is associated with antitrust and competition, not privacy. Are you trying to change the calculus on that?

I’m not sure who you’re talking to on that. We do both. We protect competition and we also protect consumers.

I talk to Google mostly.

Google has dealt with us on multiple fronts.

Okay. What about Federal legislation — where does that stand? (Ed. note: Congress has raised a bill on data security, but, like most things in Congress, it is stalled.)

So far, Congress has not yet acted. My hope is that we’ll eventually see data security legislation. I really firmly believe that this is one of the most significant challenges we have, the need to protect consumers. My hope is that there will be action that’s taken. Ultimately, you do need Congress to elevate the issue.

Representatives from the European Data Protection Supervisor are coming to Silicon Valley this week. Europe has also pushed stricter privacy standards and regulations, which frequently worry Silicon Valley tech companies. How does the FTC strategy differ from Europe’s?

In Europe, they take a different approach to privacy. Here, obviously, we have a sectoral approach to it. [The approach deals with particular sectors, like health information, independently.]

The broad objectives are the same — we want consumers to be able to trust the marketplace that the information they’re providing to companies, to get access to all these new innovative products and services, should be protected. That consumers should have control. The objectives are the same; we go about them in different ways.

What about the EU antitrust case against Google? How do you think it is being handled?

I’m not going to comment on that. They have a different set of legal standards to apply, and they have different facts in Europe. I’ll have to defer to [EU Competition] Commissioner Margrethe Vestager on that.

This article originally appeared on Recode.net.