FTC Calls Again for Nationwide Data Breach Legislation and Heightened Enforcement Powers

Published On April 3, 2014 | By Melissa Maalouf | Data Security, FTC & State AG, General
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On Tuesday, FTC Chairwoman Ramirez testified before the Senate Committee on Homeland Security and Government Affairs, explaining the FTC’s view that continued data breaches underscore the need for national data breach and security legislation. Ramirez testified that consumers’ data continues to be “at risk,” particularly as hackers and others increasingly become more sophisticated in their techniques. Joining in the testimony were a pair of retail and banking industry groups.

Ramirez highlighted the FTC’s efforts to protect the security of consumer data by bringing enforcement actions under the FTC Act and a variety of specific statutes against companies with what the FTC views to be inadequate security procedures. The FTC has settled more than 50 data security cases, including recent settlements with Fandango and Credit Karma. The FTC has also held a number of workshops, seminars, and reports on a wide variety of consumer data protection topics. However, Ramirez stated that congressional action is necessary given that companies still are not investing adequately in data security, and to fill in the gaps the FTC’s authority cannot currently address.

Specifically, as part of such legislation, the FTC seeks the ability to obtain civil penalties for data security lapses, rulemaking authority under the Administrative Procedures Act, and jurisdiction over non-profits. The FTC also wants Congress to require companies in certain circumstances to notify consumers affected by a data breach, as is the case under state laws. The call for civil penalties was met with some resistance, with Committee Ranking Member Tom Coburn (R-OK) arguing that the focus should be on imposing criminal penalties on bad actors, not on fining companies that are the target of attacks. Moreover, an occasional criticism of the FTC is that it often regards security practices that fall below what the FTC itself regards as appropriate to be “unfair” – even where no demonstrable harm or actual security breach has occurred.

Photo by r2hox from Flickr 

About The Author

Melissa Maalouf’s practice focuses on advising a broad range of clients, from start-ups to established companies, on both U.S. and international data privacy and security issues. Melissa assists clients in drafting appropriate website disclosures, implementing legally-compliant e-commerce flows, responding to FTC Section 5 and state AG enforcement actions, analyzing advertising claims, and children’s online privacy and safety issues. She also regularly helps clients obtain certification under the EU-US Safe Harbor and navigate compliance with divergent international privacy laws.

Leave a Reply

Your email address will not be published. Required fields are marked *