In congressional testimony, the Federal Trade Commission’s Chairwoman, Edith Ramirez, recently reiterated the FTC’s call for stronger data security laws, while federal legislation concerning data security and breach notification remains in limbo.
Although the FTC is the nation’s leading privacy enforcement agency, it derives enforcement authority from a hodgepodge of statutes, many of which lack adequate remedies to compel compliance with data security and breach notification requirements.
Those laws include:
- The FTC’s Safeguards Rule, which implements the Gramm-Leach-Bliley Act and provides data security requirements for non-bank financial institutions (16 C.F.R. Part 314, implementing 15 U.S.C. § 6801(b));
- The Fair Credit Reporting Act (FCRA), which covers consumer reporting agencies (15 U.S.C. §§ 1681e, 1681w and 16 C.F.R. Part 682);
- The Children’s Online Privacy Protection Act (COPPA), which requires security for children’s information collected online (15 U.S.C. §§ 6501-06 and 16 C.F.R. Part 312); and
- Section 5 of the FTC Act, which gives the FTC authority to prohibit deceptive or unfair practices (15 U.S.C. § 45(a)).
The FTC’s need to resort to multiple statutes results in uneven enforcement authority. Only the FCRA and COPPA allow the FTC to seek civil penalties for data security violations. To obtain a civil penalty for unfair or deceptive practices under the FTC Act, the agency must show that the company violated a prior administrative order.
In her remarks, Chairwoman Ramirez stressed the need for uniform national standards for data security and breach notifications, stronger civil remedies, and expanded rulemaking authority under the Administrative Procedure Act enabling the FTC to respond effectively to changes in technology.
Ramirez’s statements echoed bipartisan calls for national data security standards. Despite widespread support for such standards, proponents have not been able to amass enough votes to pass a comprehensive data security law.
There are competing proposals in the Senate – the Personal Data Privacy and Security Act, which Sen. Patrick Leahy, D-Vt., introduced for the fifth time in January 2014, and the Data Security Act, which Sen. Tom Carper, D-Del., and Roy Blunt, R-Mo., re-introduced that same month.