Yesterday, the FTC testified before a Senate Subcommittee and recommended that proposed data security legislation introduced by Senators Pryor (D., AR) and Rockefeller (D., WV) be modified so that its requirements and the FTC’s enforcement authority there under be extended to telecommunications common carriers. See my recent article discussing FCC and FTC jurisdiction over broadband providers – which may or may not make telecom common carriers exempt from the FTC Act.
S.3742, The Data Security and Breach Notification Act of 2010 (one of several pieces of proposed data security legislation in play on the Hill), would require a broad array of commercial and nonprofit entities to (a) implement reasonable data security policies and procedures, and (b) notify consumers of a security breach involving electronic records. It also would require covered entities to offer credit reports and monitoring services to consumers impacted by a data breach. The proposed legislation, which would preempt state law, also would give general concurrent enforcement authority to the FTC and state attorneys general.
At yesterday’s hearing, subcommittee members and hearing witnesses discussed the proposed legislation’s “exemption” provision and the manner in which it might address potential redundancy with other federal data protection statutes such as HIPPA, FCRA and the Gramm-Leach-Bliley Act. Notably, in making its recommendation to extend the reach of the proposed legislation to telecommunications common carriers, the FTC made no mention of Section 222 of the Communications Act and the FCC’s related CPNI rules which require such entities to comply with complex data security requirements and also require breach notification to consumers, as well as to the FBI and Secret Service.
The FTC’s testimony is the latest in a series of FTC actions signaling the agency’s concern regarding the amount of personal information telecom common carriers handle and its ability – or inability – to take enforcement action against such carriers.