Senate Panel Reviews FTC Data Security Enforcement Powers

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

The recent Equifax Inc. data breach prompted senators at a Sept. 26 hearing to question whether the FTC has the proper authority to effectively enforce data security standards.

How to better define the Federal Trade Commission’s authority to oversee corporate data security is a long-standing issue, and U.S. credit bureau Equifax’s breach compromising the personal data of 143 million consumers has, at least for the moment, further raised interest in the subject.

The Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security heard testimony on proposals to improve the FTC’s handling of consumer protection issues, including its role in overseeing data security efforts. Subcommittee Chairman Jerry Moran (R-Kan.) said that there will be a full committee hearing on the Equifax data breach in “mid-October.”

Subcommittee Ranking Member Sen. Richard Blumenthal (D-Conn.) said that he will soon introduce legislation to allow the FTC to investigate any data breaches, exercise oversight, and issue penalties.

Companies under the FTC’s jurisdiction—from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as now-defunct medical testing laboratory LabMD Inc.—have struggled with what level of data security they must provide to convince the nation’s main data security and privacy enforcement agency that their efforts to protect personal data are reasonable. In the absence of direct data security statutory or regulatory authority, the FTC has relied on the FTC Act’s Section 5, a catch-all prohibition against unfair and deceptive trade practices, to carry out data security compliance actions.

Lydia Parnes, privacy and data protection partner at Wilson Sonsini Goodrich & Rosati and the former director of the FTC’s Bureau of Consumer Protection, said Congress should take care not to adopt laws or rules that are too specific. More rules or laws won’t solve the problem of having “comprehensive data security programs” and could “freeze” security systems in place, rather than encouraging them to evolve with new threats, Parnes said.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Further information on the hearing is available at http://src.bna.com/sR9.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security