Lawyers clash over whether FTC is excessive in use of consent decrees
29 March 17. By Claude Marx.
Two industry lawyers and a former top official of the US Federal Trade Commission clashed sharply Wednesday on whether the agency uses consent decrees to set policy and is guilty of overreach in punishing companies.
Paul Rubin, who defended LabMD and Wyndham when the FTC sued them for placing customers' information at risk, said the agency does backdoor regulation through consent decrees and other means and this is "legally problematic and suboptimal."
He said during a discussion at a Washington conference* that the agency should issue more policies via regulation, rather than through consent decrees or booklets such as its "Start with Security" publication on data breach prevention.
Thomas Zych, who works on data breach cases, praised the approach of acting FTC Chairman Maureen Ohlhausen, who has extolled the virtues of regulatory and administrative humility. He criticized the agency for the duration of its consent decrees, noting that the technology that the agency is concerned about will quickly become outdated before the decrees expire. Most consent decrees last for 20 years.
Former FTC Consumer Protection Bureau Director David Vladeck said the agency regulates by enforcement and can't issue more regulations because Congress restricted the agency's rulemaking authority in several areas in 2012, partially at the behest of groups representing some of Rubin's clients.
Vladeck said Rubin's interpretation of the agency's prerogatives in this area "are, in current Washington parlance, 'alternative facts.'"
He said the agency has to be aggressive about data breaches because for many companies, it is not economically rational to spend a lot of money on data protection. However, when breaches occur, it is consumers who are hurt. He emphasized that the agency focuses on actual and probable harm and only takes enforcement actions against companies that do not take data protection seriously.
Antitrust lawyer Elaine Ewing said consent decrees are not as big a problem in her area of the law, though sometimes companies are bound by decrees relating to other parties' actions, even if the situation isn't directly analogous to the deal at hand.