Testifying before the Senate Committee on Commerce, Science, and Transportation, FTC Chairwoman Edith Ramirez encouraged lawmakers to enact data security legislation, particularly in light of recent breaches at major retailers.
“Never has the need for legislation been greater,” she said. “Consumers’ data is at risk.”
Although Ramirez documented the agency’s efforts in the realm of data security – noting 50 cases the Commission has settled on the issue – she also suggested that Congress should “strengthen” the FTC’s authority regarding data security. Currently, the agency bases its data security claims on select statutes such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and COPPA, as well as the prohibition on unfair or deceptive acts in violation of Section 5 of the FTC Act. The FTC only has the authority to seek civil penalties under COPPA or the FCRA.
But a definitive grant of authority to the agency to regulate data security and breach notification would provide greater protections for consumers, Ramirez said.
Federal legislation covering data security and breach notification “should give the FTC the ability to seek civil penalties to help deter unlawful conduct, jurisdiction over non-profits, and rulemaking authority under the Administrative Procedure Act,” she testified. “To help ensure effective deterrence, we urge Congress to allow the FTC to seek civil penalties for all data security and breach notice violations in appropriate circumstances. Likewise, enabling the FTC to bring cases against non-profits would help ensure that whenever personal information is collected from consumers, entities that maintain such data adequately protect it.” Although nonprofits are generally outside the FTC’s jurisdiction, a substantial number of data breaches have included nonprofit universities and health systems.
Rulemaking authority under the APA “would enable the FTC in implementing the legislation to respond to changes in technology,” Ramirez added, and “allow the Commission to ensure that as technology changes and the risks from the use of certain types of information evolve, companies would be required to give adequate protection to such data.”
To read the Chairwoman’s prepared remarks, click here.
Why it matters: “With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress must act,” Ramirez told the Committee. Several data security and breach notification bills are currently pending in Congress, but have made little progress through the legislature to date. It will be interesting to see whether the FTC can expand the scope of its enforcement authority in this area or whether future legislation will usher a new sheriff into town.