Who Is The More Active Privacy Enforcer: FTC or OCR?

Those who follow FTC privacy activities are already aware of the hype that surrounds the FTC’s enforcement actions.  For years, American businesses and the Department of Commerce have loudly touted the FTC as a privacy enforcer equivalent to EU Data Protection Authorities.  The Commission is routinely cited as providing the enforcement mechanism for commercial privacy self-regulatory activities, for the EU-US Safe Harbor Framework, and for the Department of Commerce sponsored Multistakeholder process.  American business and the Commerce Department have exhausted themselves in international privacy forums promoting the virtues of FTC privacy enforcement.

I want to put FTC privacy activities into a perspective by comparing the FTC with the Office of Civil Rights (OCR), Department of Health and Human Services.  OCR enforces health privacy and security standards based on the Health Insurance Portability and Accountability Act (HIPAA).

Let’s begin with the FTC’s statistics.  The Commission maintains a webpage with information on all of its cases since 1997.  The FTC’s website is http://business.ftc.gov/legal-resources/8/35.  I’ve found that the link provided does not work consistently or properly at times.  I can’t reach some pages to confirm everything I would like to, but I am sure enough of the basics to be able to make these comments.

The Commission reports 153 cases from 1997 through February 2013.  That’s roughly 15 years, with an average of about ten cases a year.  The number of cases for 2012, the last full year, was 24, much higher than the fifteen-year average.  The Commission clearly stepped up its privacy and security enforcement activities of late.  I haven’t reviewed the quality or significance of the cases brought, just the number.

There are some known problems with the FTC as privacy enforcer.  The Commission only has jurisdiction over some of the economy.  It has little or no privacy jurisdiction over federal, state, and local government agencies; the non-profit sector; and companies engaged in transportation, insurance, banking, and telecommunications.  The Commission also has no practical general privacy or security rulemaking authority.  We are all waiting for a decision in the Wyndham case to tell us more about just how far the Commission can go with its unfair or deceptive trade practices jurisdiction.

The Commission has specific privacy responsibilities under various statutes, including the Fair Credit Reporting Act and COPPA.  The Commission has done no more than a mediocre job with the FCRA, as the same problems at the major credit bureaus have persisted for decades with limited response from the FTC.  The Commission seems to have done better with COPPA in the last few years, however, but it is hard to tell.

Let’s turn to OCR.  My data source is a White Paper titled HIPAA/HITECH Act Enforcement: 2003-2013: The Role of Patient Complaints In Medical Privacy and Data Security.  This just-published paper is by Dennis Melamed, publisher of the Health Information Privacy/Security Alert newsletter.

OCR enforces the HIPAA privacy and security rules.  HIPAA covered entities had to comply with the privacy rule, the earliest of the HIPAA rules, in 2003 and with the security rule in 2005.  Amendments to HIPAA from the HITECH Act added security breach notification, and that change took effect in 2009.  Compliance with the most recent set of rule changes is required in September 2013.  In other words, not all of the HIPAA rules enforced by OCR were in place during the entire ten-year period.

For a variety of reasons, it may be unfair to compare enforcement actions by the FTC and OCR.  Everyone here knows how to play lawyer and tease out distinctions based on differing authority, budget, staffing, and other factors.  OCR has actual rules, but the FTC does not, except under a few specific statutes.  I know that Dan Solove and Woody Hartzog have a paper touting the FTC’s importance in establishing privacy standards through its cases.  I’m ignoring that type of analysis.  For the moment, I just want to compare numbers.

According to the Melamed White Paper, OCR investigated 19,726 complaints that revealed a violation during the ten-year period ending in April 2013.  That’s an average of almost 2000 complaints a year.  There were more investigations that did not find a violation.

The FTC, which has jurisdiction over a much larger portion of the US economy than the OCR does, managed only ten complaints a year over a fifteen-year period.  A moving average would bump the Commission’s numbers up somewhat, but the numbers are still in the low twenties at best.

On the numbers, OCR’s efforts exceed the FTC’s efforts by two orders of magnitude.  2000 versus 20 some.  I don’t need to factor in the differences in the size and number of the industries subject to FTC and OCR jurisdictions to underscore the same point.  The FTC looks wimpy enough based on raw numbers.  If we consider the denominator, the millions of companies, lines of business, and webpages that fall under the Commission’s unfair or deceptive trade practices jurisdiction, the Commission only looks worse.

I’m not arguing that OCR is perfect.  OCR was criticized for a long time in not seeking penalties against HIPAA covered entities that violated the rules.  In the first years of HIPAA, OCR was more interested in seeking compliance than penalties, a not-unreasonable approach for a new law.  Lately, however, OCR has imposed significant financial penalties measured in the millions of dollars.  I think some of that is excessive, but that’s a different set of issues.

It seems to me that it is difficult to look at the numbers and still think that the FTC’s record justifies grand claims about the role of the FTC as a general enforcer of privacy standards in the commercial sector.  At best, the FTC dabbles in privacy.  OCR shows that a government agency can do better.  Much better.

Not convinced?  Consider two additional points.  The business community has been one of the biggest cheerleaders for the Commission’s privacy enforcement activities.  Why is it that those whose privacy activities are regulated by the Commission are its biggest promoters?  Hospitals are not fans of OCR.  Banks regulated by the Consumer Finance Protection Board hate the agency and have been lobbying to undermine its legislation or to kill the Board altogether.  Why does the regulated community love the FTC but not OCR or CFPB?  I leave this question as an exercise for the reader.

Second, just recently, the telecommunications industry started a campaign to transfer telecom privacy jurisdiction away from the Federal Communications Commission and give that jurisdiction to the FTC.  That’s one of the goals of the 21st Century Privacy Coalition (no website yet as far as I can tell).  One of the leaders of the coalition is former Federal Trade Commission Chairman Jon Leibowitz.

It is interesting to observe that the FCC has actual rule making authority, but the FTC’s privacy rulemaking powers are so attenuated as to be non-existent.  I’m not prepared to evaluate the FCC’s performance on privacy, but I wonder if anyone believes that a regulated industry would hire Leibowitz and other high-priced talent in order to move from a weaker privacy regulatory regime to a stronger one.  You can buy the Coalition’s argument that it wants uniformity, but even if that argument passes the laugh test, the Coalition wants uniformity at the lowest possible end of the scale.

I don’t mean to suggest that the FTC is worthless or poorly motivated.  The Commission just doesn’t do much in the way of privacy enforcement, and I don’t see any likelihood of improvement.  Numbers matter.  I’ve said in the past that unless your privacy violation or security breach ends up on the front page of a newspaper, the chance that the FTC will come after your company is about the same as the chance of being hit by a meteorite.  That may be a rhetorical exaggeration, but it’s not much of one.

Robert Gellman is a privacy consultant and former Chief Counsel to the House Subcommittee on Government Information.  His website is www.bobgellman.com.

4 Responses

  1. Dissent says:

    Thank you for a provocative post, Bob. Some thoughts:

    As you note, there are significant differences that make interpretation of the statistics difficult. Perhaps one of the biggest ones is that entities are required to self-report breaches to HHS. They are not required to do so to FTC, so a more reasonable basis for comparison would be to compute the percent of complaints FTC receives that they investigate – not the total number of investigations.

    I’d also note that until very recently, OCR took the approach that it was obligated to investigate every complaint it received. In my conversations with HHS this past year, they informed me that that is no longer the case and that now, regional OCR directors determine which cases they will investigate. The explanation for this unadvertised change is reportedly lack of resources – something that has presumably plagued the FTC all along as well.

    Another point I’d raise is that unlike OCR, which investigates complaints against single entities, many FTC investigations have involved multiple companies or entities, which adds to the time, complexity, and cost of their investigations. Because any FTC case may involve a number of businesses, your numbers do not really accurately reflect the number of entities charged by or investigated by FTC, although I grant you that even if they did, OCR would score higher on that measure.

    But are OCR’s investigations and enforcement actions really leading to improved privacy for the public any more than the FTC’s are? If FTC tackles Facebook and gets it to implement changes, that affects many more people than an OCR investigation that results in the one entity improving privacy protections – particularly if other entities don’t hear about it. OCR’s fines and settlements are actually less effective than FTC’s, in my opinion, although both fail in that they do not require any admission of wrongdoing.

    If you want to consider an alternative model, I’d look at CDPH’s monitoring and enforcement of medical privacy breaches under California’s statute. We have statistics on the number of their investigations and fines, and can see a trend where some types of breaches have decreased significantly. I’ve occasionally posted their stats on http://www.phiprivacy.net

    Overall, I’d like to see the FTC have more authority and teeth – and use them. It seems that every time they try to flex their muscle, however, members of Congress threaten to strip them of authority they do have. That needs to stop.

  2. Matt says:

    Thanks for the thoughtful post, Bob. HIPAA and HITECH impose substantive standards for privacy and data security. The FTC Act does not. Until it does, the FTC will be a lousy and sloppy enforcer.

    The FTC’s enforcement power in this area is limited because privacy (on which it really has not enforced) and data security (on which it has) do not fit well into “unfair” or “deceptive” acts or practices. There are two separate issues: the privacy problem is that companies are not doing enough to avoid collecting, using, and distributing information that they do not need and that consumers do not want collected; the data security problem is that companies are vulnerable to unintentional or ultra vires leaks of the information they collect.

    The problem is that the FTC Act is a poor place to house enforcement power for either of these problems. Data overreach may fully comply with a privacy notice (and therefore not be deceptive) and still be a poor practice and harmful. The hubbub over Wyndham is proof of the FTC’s weak mandate to fold data security practices (which are at least somewhat well-researched and available to businesses), let alone privacy practices, into its unfairness authority. Laws mandating FIPPs and bringing enforcement under the FTC are regularly proposed, and consistently killed.

    If there is a government role for privacy enforcement, much more must be done to create and arm an enforcer.

  3. Bob Gellman says:

    I thought I would respond to the two comments. Dissent and Matt make good points, and we all seem to be in agreement that the FTC either needs more authority or we need someone else to do it. That’s surely the bigger issue.

    I don’t object to a more powerful FTC being an enforcer, but I’d rather have someone else doing privacy policy. See my article “A Better Way to Approach Privacy Policy in the United States: Establish a Non-Regulatory Privacy Protection Board,” 54 Hastings Law Journal 1183 (2003), http://bobgellman.com/rg-docs/Gellman-Hastings-03.pdf.

    One quibble. Dissent has a point that some FTC cases affect more people than many OCR cases. But some OCR cases involve large hospitals or health care companies and may have broader consequences. Also, it’s not all that clear that the targets of FTC cases always do what they said they would do or that it makes any real difference. I don’t know that Google and FB have changed their stripes in any meaningful way.

    Some companies that have been the target of FTC actions got dinged a second time for not complying with consent decrees. That gives the FTC two cases, when there was only one real enforcement action. I’m thinking of an Experian case, but I haven’t looked for more.

    There’s more (on all sides) that could be quibbled about, but one quibble is enough. Thanks for the thoughtful comments.

  4. OCR said on Sept. 6 that it has not changed its policy regarding responding to every patient complaint it receives. However, as my recent white paper suggests, the majority of complaints OCR receives are outside its HIPAA privacy and security rule jurisdiction or were not timely. OCR is not going to investigate complaints outside its HIPAA jurisdiction.

    For many years, I’ve felt that OCR could do a better job of referring many of these other complaints to agencies with the jurisdiction, such as the FTC. But that has not happened in any formal way I can detect.

    In 2009, I wrote a column for iHealthBeat, How to Consolidate the Patchwork of Health Information Confidentiality Law, that explores this issue in greater depth. http://www.melamedia.com/IHealthBeat0209.Column.pdf

    OCR’s position regarding HITECH Act breaches is different. The agency decided not to investigate every breach report. As of July 2013, it has received more than 81,000 self-reported breaches. Most of these affected fewer than 500 patients and thus are not considered major breaches.

    OCR says it simply does not have the resources to pursue every breach report.

    This is a confusing environment because the vast number of self-reported breaches are HIPAA security or privacy rule violations. But they are not the subject of patient complaints.

    One of the interesting things about this is that patients must be notified of a breach and the organization’s response to it.

    So since September 2009, patients have learned about HIPAA violations through HITECH. However, we have not seen a significant increase in patient complaints because of the breach notifications.

    The white paper, which Bob so graciously cited in his blog, goes into greater detail on the possible reasons for this.