In testimony Wednesday before the House Committee on Energy and Commerce, the Federal Trade Commission recommended that Congress pass legislation requiring companies to implement "reasonable security policies and procedures" and to notify consumers when there is a security breach.
"Data security is of critical importance," testified David Vladeck, director of the FTC’s Bureau of Consumer Protection. "If companies do not protect the personal information they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace."
The FTC, according to testimony, has a three-pronged effort to promote data security, involving law enforcement, consumer education, and data collection and analysis. Since 2001, the agency has brought 34 cases against businesses that allegedly failed to protect consumers’ personal information. Vladeck noted two new FTC cases in this area.
The first case involves Ceridian Corp., a human resource services and payroll processing company that allegedly failed to protect highly sensitive payroll information.
In 2009, an intruder was able to hack into one of Ceridian’s payroll processing systems, compromising the personal data – including Social Security numbers and financial account numbers – of employees of Ceridian’s small business customers.
The FTC also announced a case involving Lookout Services Inc. The agency alleged numerous security failings left Lookout’s entire customer database of Social Security numbers, passport numbers, military identification numbers and dates of birth vulnerable, and that in the fall of 2009 an employee of one of its customers twice obtained unauthorized access to that database.
Both companies agreed to settlement orders with the FTC.
The FTC further testified that it promotes better data security practices through extensive consumer and business education. The agency sponsors OnGuard Online and its Spanish-language counterpart Alerta en Linea, which educate consumers about basic computer security. It provides print and online publications such as the FTC’s Identity Theft Primer, a Victim Recovery Guide, and a guide on data security for businesses.
The FTC, according to testimony, also engages in policy-based efforts related to data security. For example, FTC staff held a series of public roundtables that explored consumer privacy, and issued a preliminary staff report that endorsed key data security principles, based on the roundtables and public comments.
The FTC also will hold a Child Identity Theft Forum on July 12 in conjunction with the Office for Victims of Crime, Office for Justice Programs, U.S. Dept. of Justice.
“The goal of this forum is to develop ways to effectively advise parents on how to avoid child identity theft, how to protect children’s personal data, and how to help parents and young adults who are victimized as children recover from the crime,” the testimony states.