Sectoral regulation of privacy and information security in the United States has created a complex system for tech innovation, because new products and services transcend the traditional sectoral boundaries and because regulators view these new products and services as creating substantial new risks in their sectors. As multiple regulators address tech innovation from their respective sectors, developers of new technology products must confront multiple, sometimes inconsistent layers of regulation from different agencies that together resemble a “swarm.” This post describes how this state of affairs arose and what it looks like today; future posts will address ways in which regulators and developers of new technology products can best deal with it.
“Swarm” regulation of technology is almost unique to the United States, as both the source of a great deal of the world’s tech innovation and one of the only jurisdictions to regulate privacy and information security through sectoral regulatory frameworks. Most of the rest of the industrialized world has adopted comprehensive data protection laws that apply across all industries and sectors in their respective jurisdictions. Such an underlying framework exists even in countries where enforcement is different for different industry sectors, such as Japan.
The Swarm of Regulation is Born
In the U.S., current privacy and information security legal frameworks were generally crafted 15-20 years ago for each industrial and professional sector. This approach allowed for tailoring of privacy and information security laws to the needs of each sector, and left “holes” in regulation in areas in which the need for regulation was viewed as lower priority or self-regulation was viewed as working. The sectoral jurisdictions of Congressional committees and administrative agencies in areas such as financial services, health and telecommunications led to divergent evolution of concepts, rules and regulatory approaches.
The technology sector, on the other hand, is not overseen by a single regulatory framework or agency. Instead, tech companies and their services and products were drawn into privacy and information security regulation at first as unregulated service contractors subject principally to contractual requirements to support the compliance of regulated customers. Thus the tech sector’s role as service contractor to financial institutions under the Gramm-Leach-Bliley Act is generally unregulated, as were – initially – its role as business associate to covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and its role as information service to common carrier telecommunications services under the Telecommunications Act of 1996.
This starting point as relatively-unregulated service contractor to highly- and inconsistently-regulated industries meant the tech sector had to grapple with complex and inconsistent requirements as the industries were transformed by technology and the regulatory frameworks expanded to include the technology. In health care, for example, Congress enacted the HITECH Act in 2009, which, among other things, brought all tech vendors serving as “business associates” under HIPAA’s direct regulatory jurisdiction. In telecommunications, the Federal Communications Commission (FCC) reclassified broadband Internet access services in its 2014 Open Internet Order from an “information service” to a common carrier “telecommunications service” under the Telecommunications Act of 1996. A tech vendor providing broadband Internet access services as a business associate to HIPAA-covered entities thus used to have the privacy and information security of its products and services regulated by neither agency, and now faces regulation by both.
The FTC Stirs Up the Swarm of Regulation
To this layering of federal regulations, the Federal Trade Commission’s efforts as “the nation’s top cop on the consumer privacy beat” add another layer of regulation rather than providing a uniform foundation. In invoking its broad authority over commerce under Section 5 of the FTC Act to focus on privacy and information security in virtually all industry sectors (with exceptions such as nonprofits and insurance), the FTC construes its authority as concurrent unless Congress has expressly blocked such concurrent jurisdiction. The differences between the FTC’s limited rulemaking authority under Section 5 – by contrast to the broad rulemaking authority of, and other constraints on, sector-specific privacy and data security regulators – have greatly increased the likelihood of inconsistency between FTC standards, established (if at all so far) by consent orders, and the specific regulatory requirements of sector-specific privacy and data security regulators.
The FTC’s thinking about how it should contribute to the swarm of regulation appears to be undergoing rapid evolution. Throughout its LabMD administrative action, and in keeping with its prior practice, the FTC made it clear that the security standards it was applying were entirely unrelated to the HIPAA security requirements that also applied, and made no apparent effort to coordinate with the Department of Health & Human Services (HHS), the agency responsible for HIPAA. In its subsequent Wyndham consent order, however, the FTC defers to the Payment Card Industry Data Security Standard (PCI-DSS) for credit card security. Most recently, the FTC’s Henry Schein Practice Solutions, Inc. consent order defers to the encryption standard established (if not required) by HHS under HIPAA, the opposite of the approach it took to swarming HHS-regulated entities in LabMD.
With the FCC, the FTC executed a Memorandum of Understanding in November that established many swarming meetings, including:
- Consultation on investigations or actions that implicate the jurisdiction of the other agency,
- Regular coordination meetings to review current marketplace practices and each agency’s work on matters of common interest that impact consumers,
- Regular meetings at which the agencies will exchange their respective learning about the evolution of communications markets,
- Sharing of relevant investigative techniques and tools, intelligence, technical and legal expertise, and best practices in response to reasonable requests for such assistance, and
- Collaboration on consumer and industry outreach and education efforts, as appropriate.
For an excellent discussion of the much bigger “two-rulebook problem” that this MOU fails to resolve, and the possible negative impacts on consumers of such different rules and enforcement approaches, however, see FTC Commissioner Maureen Ohlhausen’s “FTC-FCC: When is Two a Crowd?”
Complexity & Transparency of Regulation
Such bilateral considerations and agreements barely scratch the surface of the complexity faced by tech companies in developing new products. Consider, for example, a health app that takes payments. The app may need to meet the information security and privacy regulatory requirements of the FCC, the FTC, the Consumer Financial Protection Bureau (CFPB) and HHS (potentially both HIPAA and Food & Drug Administration (FDA) regulation). If it integrates with your connected car, there is the National Highway Traffic Safety Administration (NHTSA), and if it flies, the Federal Aviation Administration (FAA). And that does not begin to contemplate the many state and some local regulatory issues, as well as common law protections. Finally, very powerful industry self-regulatory frameworks, such as PCI-DSS, have effectively filled some less-regulated areas, particularly in information security where the pace of change in the threat landscape makes notice-and-comment rulemaking insufficiently adaptive.
Sometimes this complex layering of requirements – whether through diligent efforts at coordination by regulators or by accident – results in strong and effective protection, but always at the price of complexity that can rob security safeguards and often robs privacy of one of their most important characteristics: transparency. Privacy is about trust, and security is about resilience of the individual as well as the systems surrounding the individual; for consumers to trust and protect themselves, they have to understand.
Information security can rise above the complexity of swarming regulatory standards by meeting or exceeding “high bar” regulations. Rising above high bar information security regulation is likely to continue to be a strategy of the tech sector, in part because the threat landscape will continue to change so much faster than the regulatory landscape, continuing to require adaptive security exceeding regulatory standards.
Complexity creates the biggest transparency problems in privacy, because it is hard to determine and represent a high bar when “height” is evaluated very differently in each regulatory regime. The transparency problems of our complex regulatory swarms are now coming to a head globally between the European Union and the tech industry. Clearly, the tech industry’s experience at satisfying many layers of regulatory standards reflecting different starting points and perspectives will be challenged as never before on a global stage over the next two years.