Yesterday, the FTC testified before a Senate Subcommittee and recommended that proposed data security legislation introduced by Senators Pryor (D., AR) and Rockefeller (D., WV) (The Data Security and Breach Notification Act of 2010, S.3742) be modified so that its requirements and the FTC’s enforcement authority thereunder be extended to telecommunications common carriers.

The FTC’s testimony – available here – is the latest in a series of FTC actions signaling the agency’s concern regarding the amount of personal information telecom common carriers handle and the FTC’s ability – or inability – to take enforcement action against such carriers.

The proposed legislation is one of several pieces of proposed data security legislation in play on the Hill. It would require a broad array of commercial and nonprofit entities to (a) implement reasonable data security policies and procedures, and (b) notify consumers of a security breach involving electronic records. It also would require covered entities to offer credit reports and monitoring services to consumers impacted by a data breach. The proposed legislation also would give general concurrent enforcement authority to the FTC and state attorneys general.

At yesterday’s hearing, subcommittee members and hearing witnesses discussed the proposed legislation’s “exemption” provision and the manner in which it might address potential redundancy with other federal data protection statutes such as HIPAA, the FCRA and the Gramm-Leach-Bliley Act. The FTC proposed the following revision:

Second, as the proposed legislation is currently drafted, its requirements do not apply to telecommunications common carriers, many of which maintain significant quantities of highly personal information. The Commission believes that the legislation should cover these entities and that the Commission should have authority to enforce the legislation as to them.

Notably, in making its recommendation to extend the reach of the proposed legislation to telecommunications common carriers, the FTC made no mention of Section 222 of the Communications Act and the FCC’s related CPNI rules, which already require such entities to comply with complex data security requirements and also require breach notification to consumers, as well as to the FBI and Secret Service.

For more information on the scope of FTC jurisdiction over broadband service providers, see this earlier post on broadband provider privacy obligations.