Data Security

FTC Calls Again for Nationwide Data Breach Legislation and Heightened Enforcement Powers

Published: Apr. 03, 2014

Updated: Oct. 05, 2020

On Tuesday, FTC Chairwoman Ramirez testified before the Senate Committee on Homeland Security and Government Affairs, explaining the FTC’s view that continued data breaches underscore the need for national data breach and security legislation. Ramirez testified that consumers’ data continues to be “at risk,” particularly as hackers and others increasingly become more sophisticated in their techniques. Joining in the testimony were a pair of retail and banking industry groups.

Ramirez highlighted the FTC’s efforts to protect the security of consumer data by bringing enforcement actions under the FTC Act and a variety of specific statutes against companies with what the FTC views to be inadequate security procedures. The FTC has settled more than 50 data security cases, including recent settlements with Fandango and Credit Karma. The FTC has also held a number of workshops, seminars, and reports on a wide variety of consumer data protection topics. However, Ramirez stated that congressional action is necessary given that companies still are not investing adequately in data security, and to fill in the gaps the FTC’s authority cannot currently address.

Specifically, as part of such legislation, the FTC seeks the ability to obtain civil penalties for data security lapses, rulemaking authority under the Administrative Procedures Act, and jurisdiction over non-profits. The FTC also wants Congress to require companies in certain circumstances to notify consumers affected by a data breach, as is the case under state laws. The call for civil penalties was met with some resistance, with Committee Ranking Member Tom Coburn (R-OK) arguing that the focus should be on imposing criminal penalties on bad actors, not on fining companies that are the target of attacks. Moreover, an occasional criticism of the FTC is that it often regards security practices that fall below what the FTC itself regards as appropriate to be “unfair” – even where no demonstrable harm or actual security breach has occurred.

Photo by r2hox from Flickr