Two members of the FTC espoused the passage of federal data security and privacy legislation in separate speaking engagements recently.
Speaking at Carnegie Mellon University, Commissioner Julie Brill discussed her support of President Obama’s proposed Consumer Privacy Bill of Rights and data breach notification bills and reiterated the agency’s recommendations about consumer privacy and data security in its report on the Internet of Things.
“Part of the solution to these data security issues will be enacting new laws,” Brill told attendees. “President Obama visited the FTC just two weeks ago, and, while there, called on Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen the FTC’s existing data security enforcement tools, and to provide notification to consumers when there is a security breach.”
“General data security legislation, including the authority to issue rules and seek civil penalties from companies that violate the law, should protect against unauthorized access to personal information, and should also protect device functionality itself,” she added. “The latter could become an issue if, for example, a device like a pacemaker is hacked, a case in which both health information could be compromised and the person wearing the device could be seriously harmed.”
While legislation is important, Brill said businesses are really the first line of defense and should think creatively about providing transparency and control to consumers, particularly with respect to connected devices.
During a panel discussion after her remarks, Brill acknowledged, “there’s a place for industry self-regulation,” but also noted that it has proven insufficient to date.
A few days later, Commissioner Maureen Ohlhausen voiced her support for the data breach notification bill and a measure establishing data security standards at the Online Trust Alliance’s Data Privacy and Protection Town Hall.
“What I would like to see particularly on the data security side is more of a process-based approach,” she told attendees, given the difficulty of trying to establish a permanent standard for ever-evolving technology. “If we were to try to write some standard for data security, it would be out of date before the ink dried.”
She also added that the Commissioners “really see eye-to-eye” in the area of data security enforcement. “The staff has done a good job of identifying and investigating cases that involve failure to use reasonable precautions,” Ohlhausen said. “I haven’t felt that we’re even close to the line between what is reasonable and not reasonable precautions.”
Why it matters: The prospect of federal privacy and data security legislation has been floated around for years, but seems to be gaining traction with the attention surrounding the Internet of Things economy. Commissioner Ohlhausen has a positive outlook: “I do see in Congress, there is serious engagement on data security issues,” she said. “I think over the next year we are going to see some very serious negotiations in Congress toward getting that data security legislation,” adding that “the devil is always going to be in the detail.” Commissioner Brill agreed. “I do think that they are reasonably close, that data security can be passed this year. I do think there’s a lot of interest in Congress,” she said, cautioning with regard to the data breach notification bill, “I don’t want to preempt the states unless we have a good, robust federal law.”