On the last Friday of the Obama presidency, the Federal Trade Commission (FTC) issued a press release stating that Chairwoman Edith Ramirez has announced her resignation, effective February 10, 2017.
Provided that no new commissioners are appointed in the next month, upon her resignation, the five-member Commission will be down to just two commissioners—Maureen K. Ohlhausen (a Republican) and Terrell McSweeny (a Democrat). While incoming President Donald Trump will therefore be tasked with appointing three new commissioners, no more than three out of the five total can be of the same political party. It is thus highly likely that the Commission will become majority Republican in the near future (and that would have been the case even if Chairwoman Ramirez had remained).
The Chairwoman made a substantial mark on privacy and data security policy and enforcement during her tenure. For instance, she established the FTC’s Office of Technology Research and Investigation, and she launched initiatives to provide companies with data security guidance and resources. Chairwoman Ramirez also led the FTC’s efforts to explore the privacy and data security implications of a wide array of developing areas of law and technology, including drones, the Internet of Things, and “big data.” We expect that the Commission will continue its work in these areas under a new Chairperson.
On the other hand, a new Commission’s enforcement approach to data security may stray somewhat from the current course. Chairwoman Ramirez will likely depart with the FTC’s long-running data security dispute with LabMD unresolved. The company, a clinical testing laboratory, saw its victory before an FTC Administrative Law Judge overturned last July by the Commission, which ruled that LabMD’s data security practices were unfair, in violation of Section 5 of the FTC Act, even with no evidence of actual tangible injury to consumers. The case is now on appeal in the Eleventh Circuit. Earlier this month, the FTC filed a similar case against D-Link, a connected device manufacturer, for allegedly leaving consumer data vulnerable to hackers, though not exposed, and thus (as with LabMD) with no allegation of actual consumer harm. D-Link becomes just the third company (LabMD was the second) to challenge the Commission’s authority to bring a data security claim under Section 5’s unfairness prong. Some view the FTC as having overstepped its unfairness authority in bringing data security actions where there has been no tangible harm to consumers. A new, Republican-majority Commission might be more inclined than the current Commission to side with them.