Privacy & Consumer Protection: What to Expect in 2010Interview with Lydia Parnes, Former Director of the FTC's Bureau of Consumer Protection
Now a partner in the Washington, D.C. office of Wilson Sonsini Goodrich & Rosati, Parnes works with organizations to ensure their privacy and security policies. In an exclusive interview, Parnes discusses:
Parnes' current practice focuses on privacy, data security, Internet advertising, and general advertising and marketing practices.
The former director of the Bureau of Consumer Protection (BCP) at the Federal Trade Commission (FTC), she is a highly regarded expert in the field of consumer protection. As director of the BCP, one of the FTC's two law-enforcement bureaus and the nation's only federal consumer-protection agency, Parnes oversaw the enforcement of a wide range of laws designed to prevent fraud and deception in the commercial marketplace, safeguard consumer privacy, and provide consumers with important information about the goods and services they purchase. She also represented the bureau in international settings and on Capitol Hill in connection with such high-profile issues as information security and privacy, Internet advertising, and identity theft. In addition, Lydia has extensive experience with the application of consumer-protection principles to the technology market. In 2006, she served as the deputy executive director of the President's Task Force on Identity Theft, coordinating the efforts of 17 federal agencies in developing a national strategic plan to combat identity theft in both the private and public sectors.
TOM FIELD: What are some of the top trends in consumer regulatory and privacy in 2010? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Lydia Parnes ,who is a partner with the Washington, D.C. office of the law firm of Wilson, Sonsini, Goodrich & Rosati.
Lydia, thanks so much for joining me today.
LYDIA PARNES: Oh, it's a pleasure, Tom.
FIELD: Just to get us started here, why don't you tell us a little bit about yourself and your background, particularly with the FTC and then your firm and what you are doing now?
PARNES: Sure. So this firm actually is kind of a good place to start. The firm is, as many of your listeners may know, headquartered in Silicon Valley, and it has nine offices in financial and technology hubs in the U.S. and in Asia, and it has an extensive technology practice. It represents many of the leading technology companies in the country, and it has a very strong regulatory government practice as well.
And that is really where I come in. I joined Wilson Sonsini in early 2009 from the Federal Trade Commission. I had a 27-year career at the Commission. Almost all of my time there was in the Bureau of Consumer Protection, dealing with just a wide variety of consumer issues. You know, the kinds of questions like when is a company responsible for claims made by bloggers; when can you say that your products are made in the U.S.A.; what type of support do you need to make an environmentally friendly claim? And my last four and half years at the Commission, I was the Director at the Bureau of Consumer Protection, and I spent a considerable amount of my personal time on issues involving consumer privacy and data security.
FIELD: Lydia, what are some of the biggest issues you find yourself involved with now at Wilson Sonsini?
PARNES: I would say probably the biggest issue, or certainly one of the biggest issues, is online behavioral advertising. So as you know, online advertising is driven largely by the ability to target ads to consumers based on their interests, and to target effectively, to get the right ad to the right consumers, companies collect and use data on consumers as they shop and explore online. Well, advocates and government regulators, and some consumers also, are expressing concern about the privacy implications of this data collection and use.
Last year the FTC issued a set of baseline principles that it believes should apply to online advertising. The industry ran with those principles and turned them into a set of self- regulatory guidelines. And I am spending a lot of my time counseling companies on those principles; how to engage in online advertising; how to do it the right way, make sure that they understand the lay of the land in Washington and that they are in compliance with these guidelines.
But another big issue is social media. It raises some tough issues for companies. Almost everyone is involved in some form of social media. Companies need to decide what responsibility--they need to deal with what responsibility they have, for example for statements that may be made by their employees on Twitter or on FaceBook, and how these statements could impact your brand. And then, what kind of responsibility does a company have just when somebody is out there blogging about the product and maybe endorsing the product, and it could be that they got a sample of the product from the company. So what kind of rules should apply in that situation?
And I think finally that the third big issue that I see is information security. It just continues to be a real big issue facing most companies. Many U.S. companies made substantial investments in time and money to comply with Sarbanes-Oxley a few years ago, and I think that they are just facing similar issues in the security area. Last year the FTC issued a rule, the Red Flags Rule, addressing security and identity theft prevention issues. For the first it time required companies to not only develop plans to ensure that they are alert to identity theft issues, but to have those plans reviewed and approved by their board of directors. So I think that this is a push to get data security and information management into the boardroom.
FIELD: Well, Lydia, that is a great overview, and it sounds like your work now really is an extension of what you started doing at the FTC.
PARNES: Yes, very much so. And it is very interesting to be able to kind of see these issues from the other side. I think I am able to bring the kind of regulatory perspective to the clients that I am working with and I am learning a lot from them as well.
FIELD: Oh, I bet. Well, that is exactly the perspective that I want because you have been in the regulatory agency and now you are out in the front with these companies. Given that, what doyou see as the current trends when you look at privacy, data security and consumer protection?
PARNES: Well, in privacy I think that the trend is a really interesting one. For more than a decade now, companies that deal with customer information have been operating in a pretty well-defined framework, so as a general matter the privacy framework has applied to information they have that is personally identifiable; maybe it is a name, email address, address, financial information, credit card information. And again, as a general matter, companies have understood that they have to give their customers notice of how that information will be used and obtain their consent to use it in that fashion. And you know there is a general proposition that notice and consent has been obtained through privacy policies. That landscape is absolutely changing.
In its report that was issued last year on online advertising, the FTC suggested that there really shouldn't be a distinction between personally identifiable information and non-personally identifiable information. That any line that has existed they felt was really starting to disappear and that you could, particularly, because of the ability to identify specific individuals using non-personally identifiable information. The new Director of the Bureau of Consumer Protection has expressed real concerned with notice in privacy policies, and he suggested that we are moving toward what he calls a "post-notice world."
So, I think that these two issues, which have really defined privacy in the past, are changing, and we will hear more about those changes in the coming year. So in data security, I think as I mentioned earlier, I think it is becoming much more of a corporate governance issue. I mentioned the Red Flags Rule; I think that was the first time that the agency required a kind of sign-off by board of directors on data protection issues. Now there was a lot of pushback by the industry on this particular rule, and in fact the agency delayed implementation a number of times, but I do think that we are likely to see other rules in this area that include similar provisions requiring board of director approval, and I think the reason is pretty straightforward. Data security is important, it is an important corporate governance issue, and one way of getting it into the boardroom is by requiring this type of signoff.
And finally, on consumer protection more generally, I think that companies will see a more aggressive Federal Trade Commission. I think cases are more likely to push the envelope, and I think that the agency will be much more willing to litigate cases if it can't obtain the relief that it is seeking through consent negotiations.
FIELD: Well, again that is a great overview. Now that you are out and dealing with the various industries, what do you see to be some of the unique issues that might be facing industries that we deal with including financial institutions, government agencies and healthcare organizations?
PARNES: Well, financial institutions, boy, they are certainly facing incredible regulatory challenges. One in particular is this proposal to create a new financial regulatory agency, the Consumer Financial Protection Agency, and this agency would essentially pull the consumer regulatory piece out of all of the other financial regulators, including to some extent, from the Federal Trade Commission and put it in one agency. The CFPA would have the authority to regulate actually the types of credit products that could be offered to consumers, or it could.
This is really an area that is fast moving. I read just this morning that Senator Dodd is considering in the whole financial regulatory package just kind of dropping the idea of a new agency, so there will certainly be more that we will hear on the Hill on this issue.
In healthcare, the HIPAA amendments that were included in the High Tech Act, I think, really signal increased enforcement and increased penalties for vendors and suppliers of healthcare providers. And so I certainly think we will see more enforcement from HHS. I also think that we are likely to see more joint enforcement with HHS and the FTC. They did bring a case together early last year against CVS for data security violations that involved sensitive healthcare information and fell within the jurisdiction of both agencies. As I said, I think we will see more of that. And I think there will be additional data security issues with the movement towards personal health records.
On government agencies, boy, that is a very interesting issue. There is certainly a movement in the Obama Administration towards greater openness in government, and I think there are certainly tradeoffs between openness in government and data security issues. I think at the same time, for many government agencies there will be a balancing act between security in a different sense; security of our citizens versus privacy issues. And I think that will be a very tough issue to balance as well. Certainly, we all want our government to ensure our security; at the same time there are legitimate security issues there that are being raised.
FIELD: Lydia, you made some interesting points here -- one is certainly the regulatory compliance issues that are piling up on organizations. But you also talked about social media and how organizations are dealing with that, and it seems like in many cases companies are already out there active in social networks, and then they are taking a step back and saying 'How should we police this?' When you look at organizations and the myriad of issues that they are dealing here, what do you find to be the biggest challenges for the companies themselves that are charged with ensuring the privacy and data security and consumer protection within their groups?
PARNES: That is a great question, Tom, and I think almost the biggest challenge is trying to stay abreast of all the developments in the area. Privacy and data security is not this kind of clean area where there is one federal statute and you can kind of follow that one federal statute and any amendments to it and one federal regulator. It is not just that simple. There is a lot happening. There are a lot of different agencies that are involved in the issues, and the laws and regulations and requirements vary depending upon the nature of your business. So I think that is one big common challenge that companies face.
But another common theme that I have seen in my almost one year in private practice is the challenge that is faced by U.S. companies in complying with international privacy and data security laws. You know, U.S. companies do business all over the world, and for many of those companies it means moving customer data around the world and complying with privacy laws in many different countries. I would have to say it makes compliance with laws in the 50 states seem like a piece of cake.
FIELD: I bet. Now you have talked a couple of times about the roles of different government agencies and how you have seen more collaboration among agencies. What role would you say the government is going to play in the areas of data security and privacy and consumer protection in 2010?
PARNES: Well, you know I think it is fair to say that the federal government is going to be a key actor in this area. As a general matter, I think there is a lot of agreement among many, not everyone, but many people, reacting to the financial crisis that hit the country by thinking that the government, the regulators, just weren't paying enough attention, and they really were not an effective cop on the beat. And so I think that is one thing that is really changing in terms of the government's role. I think the government is very willing to step in and regulate, whether it is in the financial area or in other areas.
The Federal Trade Commission for one is re-examining its approach to privacy. The agency is hosting three privacy roundtables and expects to issue a report sometime this summer on a new analytical framework to consider privacy issues. At the same time, the FCC is looking at broadband issues and how privacy fits in there, so I think there will be a lot of activity among the agencies, and I do think that there will be a good deal of coordination among agencies who are kind of seeking to regulate or engage in enforcement in overlapping areas.
FIELD: So a final question for you. You have got your first year under your belt now with a private firm. Given your experience and what you have seen, what advice would you give to information security leaders tackling some of these issues we have talked about this year?
PARNES: I think that my overarching advice is to be prepared. So you know, prepare for what? I think a couple of things; first, to make the case for an investment in data security and privacy at the highest levels of your company. And I think that data security and privacy costs companies, and there is certainly some reluctance in this economic climate to make additional investments that you may not see revenues from. So I think while you are making that case you also need to be prepared to address accountability concerns for IT governance; to be able to articulate the value that data security and privacy bring to your company so that everyone understands it is important until you ask for $2 million dollars to implement a new system. So be able to articulate why it is important.
I think information security leaders need to be prepared to be flexible. Security is becoming increasingly an interdisciplinary issue. To the extent that at one point it was really the domain of IT people, it is much more likely now to include your legal folks, your audit people, your marketing people. You know, good privacy is something that you want to market to your customers, and also to the extent that you have some kind of an incident you have public relations folks. And I think that the last issue I would say is be prepared to understand what is coming down the pike, what new you will have to deal with. And I think in 2010 that issue is very likely going to be cloud computing, what it means generally and what it could mean to your company.
FIELD: Very good, Lydia. I appreciate your time and your insight today.
PARNES: Terrific ... well, great questions.
FIELD: We have been talking with Lydia Parnes with the office of Wilson, Sonsini, Goodrich & Rosati.
For Information Security Media Group, I'm Tom Field. Thank you very much.