WASHINGTON (Oct. 31, 2017) – Shifting regulatory mandates have left broadband providers, websites, applications and other private actors in the internet ecosystem without clear direction on which federal agency—the Federal Trade Commission or the Federal Communications Commission—has primary jurisdiction over their cybersecurity practices, a new R Street Institute policy study finds.

While most commercial cybersecurity practices historically have been overseen by the FTC, the FCC’s 2015 decision to reclassify broadband providers as “common carriers” under Title II of the federal Communications Act initiated a shift. Further muddying the regulatory waters, the FCC recently announced its intent to reverse the Open Internet Order’s Title II reclassification, a decision that could still be challenged in court.

R Street Tech Policy Manager Tom Struble, the study’s author, examines multiple options for how roles and responsibilities for commercial cybersecurity regulation could be divided between the FTC and FCC, ultimately recommending that the FCC regulate the cybersecurity of all “common-carrier services,” including emergency services, while the FTC regulates all other commercial cybersecurity practices.

“On balance, the FTC is better suited to regulate commercial cybersecurity practices, and ideally it would handle as much of that task as possible,” Struble writes. “However, given the overlap between the scope and expertise of the two agencies, the FCC also has a key role to play. For this reason, it is of the utmost importance for these roles to be clearly defined and for each agency to know precisely what responsibilities it has in order to avoid regulatory conflicts.”