At a recent hearing before the Subcommittee on Commerce, Manufacturing, and Trade of the House Committee on Energy and Commerce, FTC Commissioner Edith Ramirez testified on both the role the FTC currently plays and the role it hopes to play in the future in protecting consumer data security. Ramirez, in addressing the FTC’s current function in enforcing consumer data security, said that the FTC has undertaken “substantial efforts” to promote data security in the private sector, namely through law enforcement, education and policy initiatives.
Pertaining to law enforcement, Ramirez told Congress that, since 2001, the FTC has brought 34 cases against companies that allegedly failed to sufficiently protect consumers’ personal information. Many of these cases resulted in consent orders where the charged companies agreed to cease misrepresenting their data security capabilities, implement wide-ranging information security systems and policies, and undergo bi-yearly security audits for the next two decades.
Ramirez also stressed that the FTC has education and policy initiatives to mitigate the effects of consumer data-security breaches. Relative to education, Ramirez told Congress that the FTC sponsored many online consumer self-help guides including OnGuard Online, which instructs consumers about “basic” computer security, the Identity Theft Primer, and the Victim Recovery Guide. Regarding policy initiatives, Ramirez highlighted FTC-sponsored roundtables, which discussed and analyzed consumer privacy, the FTC Staff’s Preliminary Privacy Report issued in December 2010, and the Child Identity Theft Forum.
Relating to the data-protection role that the FTC wants to play in the future, Ramirez advocated for enhanced FTC authority in order to protect consumer data security. Ramirez stated that the FTC expressed support for key concepts in the discussion draft of Chairman Bono Mack’s proposed data security bill because it would provide the FTC with additional rule-making authority to ensure that both for-profit and non-profit companies “implement reasonable data security policies and procedures and, in the appropriate circumstances, provide notification to consumers when there is a security breach.” Just as importantly, Ramirez said that the FTC “appreciates” that the bill would authorize the FTC to use the APA notice and comment procedures for rulemaking rather than the current rule-making procedures enumerated in Section 18 of the FTC Act (also known as Magnuson-Moss rulemaking), a change that FTC officials have been arguing for since last year. The bill also proposes that the FTC be able to obtain civil remedies for data-security violations, which would significantly expand the Commission’s enforcement power, which is now limited to “traditional equitable remedies” such as consumer restitution and disgorgement.
Although it is too early to accurately gauge support for the discussion draft of Bono Mack’s proposed data-security legislation, it appears likely that the FTC’s appreciation of key principles in the legislation will be influential. If this or a similar bill is passed, the ever-growing spectrum of companies possessing consumer data can expect more FTC-enforced regulations on the requirements for securing such information.
- Ronald Lee and Kevin O'Doherty