Three Questions is an occasional series where TechTank asks technology leaders to comment on policy issues in their area of expertise. The third post in the series features Jessica L. Rich, who was appointed the Director of the Federal Trade Commission’s (FTC) Bureau of Consumer Protection (BCP) by Chairwoman Edith Ramirez in 2013.
Rich oversees a dedicated staff of attorneys, investigators and technologists—including the newly formed Office of Technology Research and Investigation—working to protect consumers from deceptive and unfair practices. She first joined the FTC as a staff attorney and has since served as Deputy Director of BCP, Associate Director of the Division of Financial Practices, and as the Acting Associate Director of the Division of Privacy and Identity Protection. She is a graduate of New York University Law School (1987) and Harvard University (1983).
TechTank: What are some of the major consumer protection issues related to technology, and how has the FTC adapted to handle them?
Jessica Rich: We’re in the midst of a technology revolution that has greatly benefitted consumers but also poses big challenges for consumer protection. Data is collected about us all day long – through our smartphones, tablets, and health trackers, and in our cars and our homes. Marketing is ubiquitous. Our consumer protection program is designed to keep pace with these developments and make clear that the fundamental principles of consumer protection apply to today’s tech marketplace.
One of the most critical areas the FTC is addressing is financial technology, or FinTech – technologies that enable consumers to store, share, and spend money in new ways. Our cases in this area have addressed such issues as cramming charges on mobile phone bills, false promises of unlimited data, and fraud involving virtual currencies and crowdfunding.
We’re also very concerned about new forms of deceptive advertising and marketing. For example, we’ve brought cases against app developers that make false claims about the health benefits of apps, and against companies that pay people for seemingly “objective” online endorsements of their products.
Finally, privacy and data security issues remain at the forefront of consumers’ minds. We have a long history of acting when companies make false promises about how they collect and use consumers’ personal information, or don’t take reasonable measures to secure this data. These areas will continue to be FTC priorities as more consumer data is collected and used by a wide range of companies.
In all of these cases, we seek to put money back in the hands of injured consumers and also obtain strong court orders – not only to stop the companies we sue from committing further violations, but also to send strong messages to everyone that consumer protections matter, no matter how high-tech the environment.
TechTank: How can technology companies improve privacy and data security for their customers?
Jessica Rich: We offer a number of resources for businesses looking to improve their privacy and data security practices. This year we are emphasizing our data security educational tools and taking our message on the road with our Start with Security campaign. The campaign includes events around the country on security topics and best practices. We just completed our first conference in San Francisco, and our next conference will be in Austin on November 6. We also continue to put out new business guidance, including our latest piece on lessons learned from FTC data security cases.
But let me offer a few key suggestions here: first, companies should design their products and services with privacy and security in mind – that is, “bake it in” at the outset. Privacy and security should be a factor in the decision making in every business department: personnel, sales, accounting, and information technology. Companies should think through the implication of their data decisions.
On a related note, companies should test, test, and test again before launching a new product or service. By testing for commonly known vulnerabilities, companies can limit threats to their business and consumers’ information. For example, in more than a dozen FTC cases, businesses failed to adequately assess their applications for well-known vulnerabilities. Also, when offering privacy and security features, companies should ensure that their products live up to their advertising claims.
A company’s work isn’t done once when it launches a product. It’s important that companies put procedures in place to keep their privacy and security practices current and address vulnerabilities and changes as they arise.
TechTank: Which other government agencies does the FTC collaborate with to enforce consumer protections in the technology industry?
Jessica Rich: We’re the only federal agency with a broad consumer protection mission, and we take this role seriously. One of our key strategies is to work with other government agencies to coordinate and leverage resources.
In recent years, we’ve worked closely with state attorneys general from across the country on enforcement matters involving mobile cramming, data security, and illegal robocalls. We’ve also partnered at the federal level with the Department of Health and Human Services, the Consumer Financial Protection Bureau, and the Federal Communications Commission among many others. These relationships are very important to us, and they help us do our job more effectively.
We also work with other agencies as they develop policy on matters related to consumers and technology. We recently filed a comment with the National Highway Traffic Safety Administration on a proposed initiative that would require all cars to have a vehicle-to-vehicle communications system in place by 2019, and with the Department of Energy regarding its multi-stakeholder effort to develop a voluntary code of conduct for smart grid privacy and security. In each instance, we applaud such efforts to address privacy and security as part of the development process.