The Federal Trade Commission testified before Congress Tuesday on the agencys ongoing efforts to promote data security, and reiterated its support for enactment of a strong federal data security and breach notification law.
FTC Chairwoman Edith Ramirez outlined the agency's efforts to promote data security through civil law enforcement, education, and policy initiatives. The testimony, before the Senate Judiciary Committee, notes that businesses are collecting more personal information about consumers than ever before, and that rising reports of data breaches show that these systems are susceptible to being compromised.
Never has the need for legislation been greater. With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act, the testimony states.
The testimony points out that, according to estimates by the Bureau of Justice Statistics, 16.6 million persons or 7 percent of all U.S. residents ages 16 and older were victims of identity theft in 2012.
The testimony explains that, to promote data security, the FTC enforces several statutes and rules that impose obligations upon businesses that collect and maintain consumer data. These include the proscription against unfair or deceptive acts or practices in Section 5 of the FTC Act; the Gramm-Leach-Bliley Act; the Fair Credit Reporting Act; and the Childrens Online Privacy Protection Act.
The testimony stresses the FTCs bipartisan support for data security legislation that would enhance existing laws and strengthen the agencys existing authority. The FTC supports legislation, for example, that would give the FTC the ability to seek civil penalties to help ensure FTC enforcement actions have an appropriate deterrent effect.
Under current laws, the FTC only has the authority to seek civil penalties for data security violations involving companies that fail to protect childrens information provided online in violation of the COPPA Rule or credit report information in violation of the FCRA. The FTC also recommends data security legislation that would provide the agency with jurisdiction over non-profits, which have been the source of a substantial number of breaches
The FTC also recommends that Congress enact a federal law that would require companies, in appropriate circumstances, to notify consumers when there is a security breach, the testimony states. This would help consumers mitigate likely harm from the misuse of their data. Although most states have breach notification laws, a strong and consistent, national requirement would ensure that all consumers are protected.
In addition, the FTC promotes better data security practices through consumer education and business guidance, the testimony notes. On the consumer education front, the FTC recently posted information for consumers who may have been affected by the recent Target and other breaches, providing steps they should take to protect themselves.
It also widely disseminates a business guide on data security, along with an online tutorial, that are designed to provide diverse businesses and especially small businesses with practical, concrete advice as they develop data security programs and plans for their companies.