U.S. Senators want to empower the Federal Trade Commission to become a stronger protector and enforcer of consumer data privacy and security.
During the second in a series of hearings focused on the importance of federal standards for data privacy and security, the U.S. Senate Committee on Commerce, Science and Transportation listened to experts who recommended development of a data security standard for businesses that’s enforced by the FTC. The first hearing explored the creation of a federal data privacy law as well as creation of a data privacy bureau within the FTC.
The call for federal data privacy and security standards follows attacks on critical infrastructure companies, including the 2021 attack on Colonial Pipeline. That attack, which caused fuel shortages, was cited by committee chair Sen. Maria Cantwell, D-Wash., as a reason necessitating federal standards.
Cantwell and Sen. Roger Wicker, R-Miss., have introduced two separate bills that would set U.S. privacy and security standards for businesses: the Consumer Online Privacy Rights Act and the Setting an American Framework to Ensure Data Access, Transparency and Accountability (Safe Data) Act. The legislation would also give the FTC and state attorneys general the ability to enforce the standards.
“We believe that these companies don’t invest enough for the fact that they have oversight of our precious data and information,” Cantwell said. “We know that a stronger FTC will help, but we need to give the FTC the resources they need to do their job.”
Experts make data security standard recommendations
James Lee, chief operating officer at San Diego-based nonprofit Identity Theft Resource Center, echoed Cantwell’s concern that the U.S. needs a federal data security standard and to better outline national cybersecurity best practices.
Lee said a federal data security standard should require companies to address small but preventable flaws that lead to data breaches, such as unpatched software, as well as minimize consumer data that can be collected and stored by companies. Additionally, Lee said stronger enforcement measures would be necessary for companies that fail to meet the data security standard.
“Without enforceable minimal standards, there are no broad incentives beyond trying to avoid headlines or post-breach litigation to get people to actually make broad organizational changes,” Lee said.
“We need better enforcement,” he said. The FTC is “best equipped to be that enforcement agency.”
Indeed, Jessica Rich, of counsel at law firm Kelley Drye and Warren LLP and former director of the FTC Bureau of Consumer Protection, said current law fails to set clear standards for data security or provide adequate remedies.
“Most of the FTC’s data security efforts are based on the FTC Act, a law that leaves wide gaps in protection and doesn’t authorize penalties for first time violations,” she said. “While there are sector-specific laws with a data security component, and half the states now have their own data security laws, it’s a messy and confusing patchwork.”
Rich recommended a standard that’s scalable to different types and sizes of companies and the volume and sensitivity of the data they collect. Otherwise the law could impose requirements ill-suited and unattainable for small business, she said. Rich also supported data minimization incentives or requirements.
Rich said to ensure accountability and deterrence, the data security standard should authorize strong remedies such as civil penalties and redress to businesses that fail to meet the data security standard.
Edward Felten, Robert E. Kahn professor of computer science and public affairs at Princeton University and former chief technologist at the FTC, said the FTC currently doesn’t have the tools it needs to address today’s data security enforcement challenges.
To further empower the FTC, Felten voiced support for allowing civil penalties for first-time violations of certain statutes within the FTC Act, such as Section 5, which states that unfair or deceptive practices affecting commerce are unlawful. The lack of first-time penalties makes the FTC Act a “weak deterrent,” he said.
Additionally, Felten said Congress could authorize data security rulemaking so the FTC can clarify what is expected of companies, as well as funnel additional resources to the FTC for data security and technology initiatives.
“The successful FTC of the future is one that has stronger authority, increased resources and greater technological capability,” Felten said.
Also this week
- Facebook’s outage earlier this week was caused by configuration changes on backbone routers coordinating traffic between the company’s data centers, according to a news release. The changes interrupted communication between the data centers, which brought services across Facebook platforms including Instagram, WhatsApp and Oculus to a halt for hours Monday. Facebook claims malicious activity was not to blame for the outage and said no data was compromised during the downtime.
- Prompted by concerns from advertising and publishing partners, Google will prohibit ads for content spreading misinformation regarding climate change. According to a news release, Google will block content that “contradicts well-established scientific consensus around the existence of climate change,” including content that calls climate change a hoax or scam.
Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.