FTC Commissioner Julie Brill to step down at end of March

FTC Commissioner Julie BrillOn March 31, 2016, FTC Commissioner Julie Brill will step down from her post at the FTC, the FTC has said in a press release.  FTC Commissioner Brill joins FTC Commissioner Joshua Wright as the second recent departure from the FTC.  Brill has said that as of April 1, 2016, she will be joining the Hogan Lovells law firm as a partner and co-director of the firm’s privacy and cybersecurity practice.  “This is five months earlier than when my commission is actually up, so not much earlier than it would have been anyway,” Brill remarked.

FTC Chair Lauds FTC Commissioner Brill’s Work While at FTC

“Commissioner Brill has been an unwavering advocate for consumers and competition during her six-year tenure at the Federal Trade Commission,” FTC Chairwoman Edith Ramirez said.  “Commissioner Brill’s expertise in consumer protection, privacy, and antitrust has been an asset to the agency, and we are sorry to see her leave.  We wish her well on her next steps.”

Brill, a Democrat, was appointed by President Barack Obama and sworn in on April 6, 2010.  Prior to joining the FTC, FTC Commissioner Brill was the Senior Deputy Attorney General and Chief of Consumer Protection and Antitrust for the North Carolina Department of Justice.  Before that, she served as an Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont for over 20 years.

FTC Commissioner Brill’s Work Has Focused on Privacy and Personal Data

In her time at the FTC, FTC Commissioner Brill has been one of the FTC’s foremost vocal proponents of the need for companies and organizations to collect and use sensitive consumer data in a responsible way, and to handle it with care to prevent unauthorized access by hackers.  She has touted the FTC’s use of its broad consumer protection authority to bring enforcement actions in this area against companies including Facebook, Twitter, and Google.

As it relates to antitrust matters, FTC Commissioner Brill has dissented on occasions when the FTC didn’t attempt to block certain proposed mergers.  For example, she objected when the FTC cleared the merger of rival pharmacy-benefit managers Express Scripts Inc. and Medco Health Solutions Inc., and when the FTC allowed Reynolds American Inc. to acquire rival cigarette maker Lorillard Inc.

Brill’s Future Plans

In commenting on her future plans, FTC Commissioner Brill has said:

I’m looking forward helping companies navigate an increasingly complicated regulatory and legal environment when it comes to privacy and cybersecurity.  Helping companies and other stakeholders understand what they need to do to follow the law and engage in best practices that goes beyond what the law calls for.

FTC Commissioner Brill’s Thoughts on the IoT, the Differences between the FTC and FCC, and where the Ad Tech Industry Can Imporove

In a recent interview with AdExchanger, Brill was asked about the Internet of Things (IoT), the differences between the FTC and FCC, and where the ad tech industry needs to improve when it comes to respecting consumer privacy.  In response to a question about consumer responsibility, Brill said:

Consumers do have responsibility to understand their data and to protect it the best way they can.  But the data collection and use that consumers face online, on their mobile apps and with connected devices, will be much too complicated for them to navigate on their own. And once we get to the world where the Internet disappears and where all of our devices will automatically connect, it’ll be harder for consumers to deal with this.  Companies need to proactively help consumers.  Consumers’ attention is a precious resource and needs to be engaged when truly necessary: Like when there’s going to be data shared with an unexpected third party, or for a use beyond the ways consumers would expect given who they’re interacting with.  There’s a real problem when it comes to third-party data collectors like ad networks. Advertisers and ad networks really need to step up to the plate to provide more usable tools for consumers, so they can understand who these third parties are that are collecting this information.

When asked about the differences between the FTC and FCC, Brill replied:

The FCC will only be involved with certain types of companies, for example, telcos or ISPs. The FTC does not have jurisdiction over common carriers. When the FCC declared ISPs to be common carriers, it took away our jurisdiction over ISPs. Not that we’ve done a whole lot involving ISPs, but we’ve brought a few important cases, including one still pending.  The FTC has long been involved with privacy and data security. The FTC uses the deception and unfairness authority under the FTC Act, where we proceed against companies engaged in deceptive or unfair acts. We have the authority to enforce various statues like COPPA (Children’s Online Privacy Protection Act), the FCRA (Fair Credit Reporting Act), certain aspects of the Gramm-Leach-Bliley Act and other laws that touch on privacy, like CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act) and aspects of aspects of HIPAA HITECH (Health Information Technology for Economic and Clinical Health Act). We also have very broad, remedial authority to use the unfair and deceptive acts and practices authority.  The FTC has the authority to obtain redress and to place companies under orders for a long period of time if we so choose. The most important authority we have that the FCC doesn’t is the ability to get redress for consumers.  On the other hand, the FCC has the authority to write rules and seek penalties. We have some penalty authority under the FCRA and COPPA, but we don’t have general civil penalty authority, which the FCC does.  You can see why I’ve said it’s an increasingly complicated landscape.

FTC Commissioner Brill Admits to Being Victim of Email Phishing Scam

Even though Brill has been a top privacy watchdog while at the FTC, she recently recounted a story where she herself was the victim of an email phishing scam.  While most people, including FTC Commissioners, would not want the public to know they fell victim to an email phishing scam, this is not true of Brill.  In fact, Brill has been quite candid regarding her encounter with the email phishing scam.

“These are not the prince-from-Nigeria types of attacks of the past that we’re used to,” Brill said in a recent interview.  “These are deeply sophisticated.”  According to Brill, a business colleague of hers, Gene Kimmelman, president of the consumer group Public Knowledge, sent her an email with an innocuous-looking Google Drive attachment.  However, after clicking on the link and entering some of her personal information on the resulting landing page, Brill quickly realized that she was not sent to a Google page at all.

Rather, the page Brill was sent to was the product of online criminals who had pried their way into Kimmelman’s email account and began sending fake emails in his name to everyone in his contact list.  Brill said, “”I was busy, I saw an email from this person, I opened it, tried to interface with it.  And I pretty soon realized this was a false email from [someone] who was trying to get my data.”

Fortunately for Brill, even though she entered some of her personal information in the fake Google site, she made sure the criminals could not hijack her own email accounts.  Brill had taken advantage of two-factor authentication, a security measure that prevents someone from logging into a website unless they can also reproduce a special code sent to a separate device such as your mobile phone. Two-factor or two-step verification has been adopted by Google, Amazon and other major websites to combat the rise of digital fraud.

The loss of information took place on Brill’s personal computer, so nothing in the FTC’s systems was affected, she said. But she did consult with the agency’s IT managers.  “Once they found out I had two-factor authentication and I had changed some passwords, they were comforted that I had done all that I could do,” said Brill. “If it had been an attack on our systems, they would have jumped into high gear right away.”

So, the question is how did the hackers break into Kimmelman’s address book in the first place?  That is anyone’s guess, and is a mystery that may never be solved.  “It was either a random hack, or someone . . . knew those on my contact list would expect me to have secret documents to share,” Kimmelman joked in an email.  “If not a random hack, my reputation may be ruined!”  Kimmelman has since switched email accounts.

* Photo Cred.: law.columbia.edu