What does the Federal Trade Commission think about the latest piece of privacy legislation to hit Congress?
Testifying before the House Subcommittee on Commerce, Manufacturing, and Trade, the agency’s director of Consumer Protection, Jessica Rich, expressed concern that the Data Security and Breach Notification Act does “not provide the strong protections that are needed to combat data breaches, identity theft, and other substantial consumer harms.”
After highlighting the recent data breaches that have impacted millions of Americans—and explaining the FTC’s three-prong data security approach of law enforcement, policy initiatives, and business guidance and consumer education—Rich focused on the bill recently introduced by Reps. Peter Welch (D-Vt.) and Marsha Blackburn (R-Tenn.).
The bill covers entities that “acquire, maintain, store, sell or otherwise use personal information in electronic form” and requires them to maintain “reasonable security measures and practices” as appropriate for the size and complexity of the business. Covered data includes an individual’s first and last name combined with a driver’s license number, home address or telephone number, mother’s maiden name, birthdate, financial account credentials, full Social Security number, or unique biometric data.
A breach of such information would mandate “a reasonable and prompt investigation” to determine the economic loss, economic harm, or financial harm that consumers would suffer as a result of identity theft. If the investigation finds consumer harm, the company has 30 days to notify consumers of the breach.
The Act would preempt all state and federal data security laws currently in place, with enforcement power granted to state attorneys general as well as the FTC. No private cause of action would be created, and companies already subject to federal data security and notification regimes would be exempt.
Rich also emphasized the FTC’s long-standing support for a federal data security and breach notification law. “Although most states have breach notification laws in place, having a strong and consistent national requirement could simplify compliance by businesses while ensuring that all consumers are protected,” she said.
Certain elements in the Act met the agency’s approval, such as a provision that requires companies to implement reasonable data security standards, a provision that grants the FTC’s jurisdiction over common carriers and nonprofits, and a section that permits the Commission’s ability to seek civil penalties, “an important tool to deter unlawful conduct.”
However, Rich expressed four concerns about the Act. First, the agency felt the bill “does not strike the right balance,” and needs stronger protections such as adding precise geolocation and health data to the list of information covered by the legislation. Second, the Commission believes that the law “should apply to all key parts of the data ecosystem, including to devices that collect data, such as some Internet-enabled devices, as bad actors could target such devices to cause physical harm even if they do not steal any data.”
Third, rulemaking authority under the Administrative Procedures Act should be added to the FTC’s powers so the agency can keep pace with evolving technology, she suggested. “Rulemaking authority would allow the Commission to ensure that even as technology changes and the risks from the use of certain types of information evolve, companies are required to appropriately protect such data.”
Fourth, the trigger for notification also requires an adjustment, Rich said. Consumers need to protect themselves when their data is at risk without facing “over-notification,” which causes them to ignore the notices or become confused. The Act’s standard of notice, “Unless there is no reasonable risk that the breach has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud,” is too lenient, she said.
Instead, “The Commission supports an approach that requires notice unless a company can establish that there is no reasonable likelihood of economic, physical, or other substantial harm,” Rich told lawmakers.
To read the Data Security and Breach Notification Act, click here.
To read Director Rich’s prepared remarks, click here.
Why it matters: Rich was not alone in expressing her concerns about the Data Security and Breach Notification Act. Of the seven panelists at the hearing, just one spoke out in support of the bill. The others—including the assistant attorney general for the state of Massachusetts and a representative from the National Retail Federation—criticized the legislation for a variety of reasons, from the failure to include geolocation as a covered class of data to the loss of stronger state protections. “It would be better for privacy to pass no bill than to pass this bill as currently drafted,” Laura Moy of the New America Foundation’s Open Technology Institute testified at the hearing.