Com. Mcsweeney the ftc is the primary Consumer Protection authority in the federal government so we have a very broad jurisdiction but we work closely with the fcc when it telecommunications issues. For a number of years, we shared some areas of Consumer Protection jurisdiction primarily. The ftc prevents us from having too much jurisdiction in this space and im sure we will get to that in our conversation because it exempts common carriers. Peter commissioner ohlhausen, one of the issues semisettled is the Net Neutrality issue, something the ftc had been involved in. How has your work changed, how has your role changed since the fcc decided on Net Neutrality . Com. Ohlhausen you are a true optimist if you think it is semisettled. I think theres still more to go in that story. The issue isnt the common carrier exemption. Now that the fcc has reclassified Broadband Internet service as title ii service, it is common carrier service. It creates a hurdle for the ftc to bring some of our traditional Consumer Protection enforcement into this space. It is a hurdle to our antitrust authority and you have the antitrust division that does not run into the problem. I am very concerned that we may not be able to continue to protect consumers as well online because of the reclassification. Peter commissioner mcsweeney, do share that concern . Com. Mcsweeney i do. We really do view the common carriers as an when it was past, the idea was to protect common carriers who are regulated by the icc from dual government authorities or conflicting government authorities. The icc no longer exists. We are not talking about locally regulated monopolies. I think it is an inaccurate. Ronism. H peter joining our conversation this week is Brent Kendall from wall street journal. Brent kendall while we are on Net Neutrality in the world we are now can you talk briefly , about what this, carrier exemption and where the ftcs authority has been displaced . Are there gray areas where it is not entirely clear if ftc has a role or mostly fcc . Com. Ohlhausen we have litigation ongoing right now against at t, alleging it made misrepresentations and engaged in unfair practices involving unlimited wireless broadband service. We are able to continue our litigation because that activity took place before the fcc was reclassified. Down the road should we have problems like this again with another provider, there would be a serious question that provider the defense would be we are a common carrier and your authority is closed. Com. Mcsweeney i think if you are engaged in the activity of providing a broadband or telecommunications service, thats very likely outside of where our jurisdiction lies. If it is a different activity by you are classified as a common carrier, we may still have jurisdiction. For example, we brought cases and worked closely with the fcc to combat cramming which is a practice of putting unauthorized charges on mobile phone bills. My view is we would continue to have jurisdiction with that kind of area. Brent kendall when you are engaged in activity not related to common carrier, the ftc in theory would still have a role to play . Com. Mcsweeney i would argue that, yes. The fcc also uses the status of versus activitybased classification when it is making decisions about its own act. I think we would do the same way. Com. Ohlhausen i would have a concern the fcc in the order reclassified left open the possibility it could reach out to edge providers who have traditionally not been considered common carrier. So if the fcc ins of interpreting ends up interpreting its Authority Even more broadly, it could impinge more on the ftcs authority. Peter how does all of this affect the consumer . Behind the scenes turf war or does it have real impact . Com. Ohlhausen i think it has real impact in two ways. The ftc is primarily Law Enforcement agency and not a regulator. We have brought more than 100 Data Security and privacy cases. Of cramming, billing issues, the ftc has been active in trying to protect consumers in the internet space. I would be concerned they may lose some of the protections because of the fcc has not traditionally played the type of Consumer Protection enforcement role that the ftc has. The concern is consumers may not really understand that there are two different regulatory schemes and they may think their activities are protected in the same way when they are dealing with an isp or dealing with an edge provider. Ultimately, they may not be protected in the same way and i am not sure they will be able to understand that. Com. Mcsweeney there are some differences between the ftcs authority and fccs authority. As maureen pointed out, we are primarily in Consumer Protection enforcement agency. We protect consumers from deceptive acts and practices. And we can get redress if they are harmed. And that is a very important way we protect consumers. We have a long history of working closely with the fcc and working well with the fcc. I do not view this in a situation in which there is a turf war on one agency or the other ought to have authority. I think consumers are best all do you when we can our jobs. Brent kendall you mentioned Data Security and the ftc won an important test case in philadelphia involving windham. The commissions brought several dozen cases against Companies Involved in data breaches on the theory they did not do basic things they should do to protect consumer data. Windham the hotel chain challenged the ftcs authority and said the commission is going after victims of hacking instead of the hackers themselves. The Appeals Court rejected the argument and said you had Clear Authority in this area. Just ask more generally given , that data breaches occur in corporations every week it seems like these days how does the , commission begin to decide where it gets involved . Where do you look, where the staff look . The kind of breach where a victim through no fault of his its own or you say the company should have done more . Com. Ohlhausen in the wyndham case which has not been decided on the merit, using our Data Security by the ftc act to require reasonable Data Security requirements was upheld by the Third Circuit. And i think our requirements have been companies undertake reasonable precaution. If they have sensitive data, important consumer data, data who was released could harm through medical information, things like that, companies have an obligation to safeguarding that. The Third Circuit itself mentioned the idea as a provider, as a business, if you leave a lot of risks around that could harm consumers you might , be liable. That is what we are requiring. A Company Needs to take reasonable precaution. But i think people do not necessarily understand when there is a data breach, is not necessarily the fact that the ftc said there will be a violation. We look at many, many data breaches. We close about 1 2 to 2 3 of our investigations without taking any action against the company. Brent kendall when it is a major corporation, is it an automatic thing . When i read about a big one, is the commission at that point looking to see if the company have done the basic steps you would expect companies to take in protecting consumer data . Com. Mcsweeney there are gaps in our jurisdiction. We have talked about common carriers and nonprofit are a gap. Yes, do we take very seriously largescale breaches that affect millions of consumers . I think we do. As maureen pointed out, our standard is the company practicing security by design and the best practices in this area and security guidance in all of our 50 cases. We rely on technical Security Experts to evaluate the security and procedures in place and making Law Enforcement decisions. Brent kendall are these internal people who work for the commission . Com. Mcsweeney they are both. We have taken steps to expand our technical resources. We are expanding to understand highly technical issues. We use outside experts. Brent kendall before we move on, one interesting fact of the wyndham case was that they had been hacked multiple times and the court said surely by the time they were hacked multiple times, they should have realize there was a problem. Which left open the question if you have been hacked just one time, conceivably could you get in hot water with the commission for having some security not up to snuff . Com. Ohlhausen yes, if you do not take reasonable precaution and led to a hack and even a single hack sometimes being quite extensive then you might be liable. For example, some of the things the ftc has brought actions against companies that failed to have a firewall and the password was password. These are very basic things. They have not trained their staff. Com. Mcsweeney if youre storing your passwords in a folder marked password. And not undertaking basic security hygiene. Brent kendall have you found it has happened in sizable u. S. Companies . Com. Mcsweeney yes, it has. Peter is the ftc the leading federal agency when theres hacking . Com. Mcsweeney were in a very important Consumer Agency and a number of places you might touch the federal government if you are dealing with a hack. You might have a dhs doj, might , be criminal components to it. We are the Consumer Protection enforcement certainly that you would encounter at the federal level. Com. Ohlhausen i think that is right. Terrell mentioned some of the carveouts we have from our authority. Insurance is another one. Some of the biggest hacks have been against insurance companies. The ftc would not been to investigate. Peter why . Com. Ohlhausen Congress Said we do not have authority over insurance. Peter why is there only one republican commissioner and three democrats . Com. Ohlhausen well, the commission is a bipartisan agency, no more than three can be from the same Political Party and the Current Administration or the administration chooses the commissioners. You are always always going to have more of the sitting partys commissioners than the other. But my fellow ftc commissioner joshua wright, my fellow republican recently resigned , from the commission to return to academia. Peter do you perceive getting another republican on the Commission Soon . Com. Ohlhausen well, eventually, congress has a lot on its plate as were all over all aware. I would hope they would bring somebody on board soon. I understand they have a lot of priorities. Brent kendall we have talked about Data Security and the commissions privacy agenda and a close cousin of that. A chairwoman in introductory remarks she gave at a security conference described the ftc as the nations key privacy agency. I wanted to ask you how we got to this point. I know the ftc has authority over unfair practices. Is it entirely where the authority is derived from . We are in a world where the ftc is preparing to hold major privacy conferences. You go out and meet with computer programmers and hackers as you advise businesses on Building Security into their applications and products. How did we get to where we are . Com. Ohlhausen the first privacy cases came out of deception authority in the late 1990s when the internet first became a consumer experience. The first case was in 1999. I happened to work at the ftc at the time. I think it is a great example of the bipartisan continuity we have at the ftc that this focus on privacy, Consumer Privacy on the internet started back then. And each chair of the Committee Commission has continued to make it the focus of his or her enforcement. And our Consumer Education and Business Education so that we have established a greater baseline of information of knowledge, of expertise in this area that both republicans and democrats have continued to build on. Brent kendall would you have conceived of the commission evolving in this way where you are the de facto Government Agency liaison with the Tech Community . Com. Ohlhausen well, its always hard to foresee but i understand that the current, the leadership of the agency at the time really saw the potential here and were very wise and invested a lot of resources to get out in front of that and continues to pay dividends. Com. Mcsweeney just to backup, the security plays an incredible valuable role and even more valuable one as we are increasingly digitizing our lives and connecting more and more things to the internet and each other and carry vast amounts of information on our smartphones and connecting appliances and things like that. It is important to remember that a the u. S. We have sectorbased approach to privacy. We have laws that protect childrens information if they are under 13. Laws that protect financial information, Health Information. We have laws that protect educational records, administered by the department of education. We have had a sectorbased approach where the ftc steps in and all of this unregulated space that is evolving very rapidly, where huge innovation is occurring that impacts directly consumers, their privacy and information. That is where we use our Deceptive Authority to make sure consumers are getting Accurate Information about how their data is handled and how it is secured. Peter is the unfairness issue, is it clearly defined . Com. Mcsweeney i think it is clearly defined by the ftc cases. Peter what would you like to see congress do when it comes to privacy . Com. Mcsweeney a great question. I would say a few things. I would like to see Congress Really clarify data breach in and Data Security legislation. I think comprehensive security legislation would be very, very helpful. I will not speak for my colleague and i would love to hear what is on her list as well. There have been really interesting debates specifically in the privacy space around student data and if it should be one federal approach to that as well. Right now, there are 21 different state laws. Weve had in the background this discussion about a privacy bill of rights ongoing for a number of years. There it is a policy that is meant to really codify what rights consumers have in their information is being collected. Peter one of the issues that europe is currently dealing with and some of the American Companies that deal with europe as well do not remember on the , internet. Do you agree with that . Com. Mcsweeney i think it presents a really interesting challenges in the u. S. Because we have a very vibrant history around the First Amendment and this is an issue of what kind of, primarily what kind of search results should be presented to people . And what your rights ought to be if you want to take down certain information. I like to think about how we would approach of this if something was reported in a newspaper. Would we then allow that to be erased from the Public Record . And i think we have a very different set of values in the u. S. Around the question. Peter Maureen Ohlhausen, the same general questions about privacy, etc. Com. Ohlhausen taking your first question about congressional action, i agree the ftc has had a unanimous, bipartisan recommendation that congress adopt legislation. I continue to support that. I think theres a patchwork of state obligations that are problematic for consumers and businesses and i would like to see a uniform standard applied because i think it would have wide ranging benefits. I would like to see a clarification of our authority one of the things of the bills , considered earlier by congress and clarified the ftc would continue to have authority and in some of these areas and now put into question by the ftcs classification. Regarding the right to be forgotten, i have grave concerns about that. We have freedom of the press in the u. S. I would be more interested in seeing what uses information can be put to that might be harmful to consumers. Rather than try to restrict peoples ability to know things or no information know information that has been out in the Public Record such as it would come up in a search area i would be more interested in saying, how can companies or other entities use that to harm consumers . We have the fair credit reporting act and that has been in a place for a long time and has worked rather well. It covers not collection of information but use of information to deny consumers or give consumers credit or housing or employment, either deny or give it to them unless favorable terms. That is an area we should be thinking more about. How do we look at harms to consumers and try to address those more directly than trying to foreclose the ability for members of the Democratic Society where we have the First Amendment to foreclose their ability to get information. Brent kendall in the privacy space, there are main principles you two fully agree on and areas where you do not. I want to explore one of those about an enforcement case against the company, company that helps retailers track customers as they come into their stores by using the wifi signals from their cell phones. Commissioner mcsweeney, you were in the majority that brought a case against