FTC Data Security Authority Probed by Senate Panel


By Daniel R. Stoller

Sept. 27 — The three members of the Federal Trade Commission faced questions about the agency's data security enforcement actions and authority at a Senate oversight hearing Sept. 27, during which some lawmakers signaled they might favor giving the commission a more robust role.

The Commerce, Science and Transportation Committee hearing occurred amid the recent revelation of a massive data breach at Yahoo! Inc. and the Federal Communications Commission's ongoing effort to write new privacy rules for broadband Internet service providers.

To be sure, it's unlikely Congress will pass legislation any time soon to increase the FTC's data security enforcement powers. However, both the commissioners and some legislators, including Sens. Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.), signaled that a central data security authority, like the European model, may be the best bet to hold companies responsible.

“A key priority for the commission is protecting the privacy and security of consumers' personal data,” FTC Chairwoman Edith Ramirez said. Companies need to “keep promises they make about consumer data,” she said. Ramirez and her fellow commissioners, Maureen K. Ohlhausen and Terrell McSweeny, agreed that data security is a significant challenge the U.S. faces and that it's necessary for Congress to give additional authority to the FTC. Ramirez called for the ability to levy civil penalties and “jurisdiction over non-profits.”

Blumenthal challenged the FTC commissioners to implement better rules to help consumers after a data breach involving their sensitive data. Following the Yahoo data breach that affected over 500 million users' data (15 PVLR 1881, 9/26/16), the committee “must consider what to do so the FTC can hold businesses accountable for those breaches and make sure consumers are notified promptly and efficiently,” Blumenthal said.

National Data Breach Notification

Sen. Dan Sullivan (R-Alaska) questioned the commissioners about Yahoo's obligations to consumers after the recent data breach.

Ramirez said that Yahoo needs to make sure that it has “reasonable security measures in place.”

Ramirez also said that the Yahoo breach shows a need for a national data breach notification standard. Although there are “applicable state laws and sectoral laws that provide notification requirements,” there is still a “need for Congress to have” federal data breach notification, she said.

In January 2015, President Obama introduced his own data breach notification proposal that would set a 30-day window for notifying those affected by a breach. However, he has been unsuccessful in trying to gain bipartisan support for the measure.

Although Ramirez didn't offer a specific proposal, she said that a federal data breach notification should have a “30- to 60-day window.” That would allow consumers to be notified of harmful data breaches without being “over-notified,” she said.

FTC vs. FCC Data Security Authority

The Senate panel gauged the reactions of the FTC commissioners on a recent U.S. Court of Appeals for the Ninth Circuit opinion in FTC v. AT&T Mobility that held the agency's data security enforcement power doesn't extend to common carriers (FTC v. AT&T Mobility LLC, 2016 BL 280680, 9th Cir., No. 15-16585, 8/29/16).

Under Section 5 of the FTC Act, the FTC may prevent businesses, “except … common carriers,” from using unfair or deceptive acts or practices, the court said.

The Ninth Circuit adopted a status-based test, which looks to the overall status of the company rather than the activity at issue in the enforcement proceeding.

Ohlhausen said that the decision “frustrates effective consumer protection with respect to a wide array of activities.” It limits the ability to bring robocall and other telecommunications-based actions.

Ramirez said that the common-carrier exemption shouldn't apply and is “outdated.” The FTC will seek a “rehearing in that matter” and, if denied, the commission “will explore all options for an appeal,” she said.

If the circuit court rehearing on the matter is denied, the common carrier exemption looks poised for potential U.S. Supreme Court review.

FTC Weighs in on Broadband Privacy

The FTC commissioners also weighed in on the FCC's upcoming broadband privacy rule. In 2015, the FCC re-classified internet service providers as common carriers. The FCC has proposed, but not finalized, a set of privacy rules for broadband providers under its 2015 order.

In light of the recent clarification by the Ninth Circuit, the FCC needs to adopt “appropriate privacy rules,” Chairwoman Ramirez said.

Commissioner Ohlhausen agreed with FCC Commissioner Michael O'Rielly's Sept. 21 statement that the FCC's privacy rule proposal would harm consumer choice because it would impose new mandates and burdens on broadband internet providers that other companies don't face (15 PVLR 1905, 9/26/16).

Ohlhausen said that consumers should decide whether or not to share data with a company. Some companies may offer better deals to consumers who allow their data to be shared. It is “important to keep in mind that if consumers are informed of the deal” then they should have the right to make the deal, she said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.