On March 26, 2014, Chairwoman Edith Ramirez of the Federal Trade Commission (“FTC”) testified before the U.S. Senate Committee on Commerce, Science, and Transportation regarding data security legislation and the agency’s efforts to protect consumers from data breaches. The Chairwoman stated that Congress must augment the FTC’s authority over data security and breach notification, especially in light of the increased number of data security breaches over the past few years. The Identity Theft Resource Center estimates that between 2005 and 2014 there were more than 4,000 data breaches, resulting in the compromise of over 600 million records.
Chairwoman Ramirez used her testimony to highlight the FTC’s enforcement of data security and breach notification violations under the current legal regimes (i.e., the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and Section 5 of the FTC Act). Specifically, the Chairwoman informed the Committee of the FTC’s success in settling 20 cases where a company’s failure to reasonably safeguard consumer information was considered an unfair business practice under Section 5 of the FTC Act, as well as the Commission’s 50 other settlements with businesses that failed to provide adequate consumer data protection under other data security laws.
The Chairwoman cited the 2008 settlement with TJX Companies, Inc., and the 2013 settlement with GMR Transcription Services, Inc. as exemplary of the FTC’s efforts in enforcing data security laws. In the settlement with TJX, the FTC found that the company’s failure to implement reasonable security measures resulted in the exposure of roughly 455,000 consumers’ personal information. The Chairwoman cited this case as indicative of the process-based approach employed by the FTC in reviewing data security breaches: “The Commission looks to see whether companies have a general framework in place to develop, implement, and maintain appropriate safeguards that is reasonable and appropriate in light of the sensitivity and volume of the data it holds, the size and complexity of its data operations, and the cost of available tools.” Chairwoman Ramirez mentioned the GMR case to demonstrate the types of conditions the FTC imposes on entities that violate data security laws. In that case, GMR’s failure to implement adequate security measures, and to ensure that its service providers did as well, led to roughly 15,000 consumer records being available to anyone on the Internet. The FTC responded by requiring GMR to implement a comprehensive data security program and to undergo independent audits for the next 20 years.
Despite the agency’s recent success, the Chairwoman cautioned the Committee that the current data security laws limit the FTC’s ability to mitigate the harm of data breaches to consumers. Specifically, Chairwoman Ramirez proposed legislation in three key areas to bolster the FTC’s ability to investigate and prosecute data security violations. First, Congress should consolidate data breach notification laws at the federal level in order to streamline compliance while still protecting all consumers. Second, Congress should grant the FTC authority to seek civil penalties against all data security and breach notification violators, including non-profit entities. Such authority would ensure that all entities that collect and maintain sensitive information about consumers are within the agency’s jurisdiction. Finally, Congress should grant the FTC rulemaking authority under the Administrative Procedure Act to implement new data security regulations so that the agency can keep pace with technological innovation.
The Chairwoman’s comments should put businesses on notice that the scope of the FTC’s authority over data security and breach notification may broaden. Currently, FTC settlements, cases, and consent decrees provide industry-wide guidance as to best practices, although they do not have the force and effect of binding rules and regulations. Regardless, the Chairwoman’s testimony may signal even more active investigation and enforcement under the current regime. Thus, businesses that collect personal information from their customers must keep in mind their responsibilities in protecting that data. Businesses must also ensure that their vendors are appropriately safeguarding consumer information, as a business can be held liable for a breach caused by its vendor. If Congress passes sweeping legislation that consolidates the administration of data security and breach notification laws in the FTC, businesses not previously subject to any data security obligations will be subject to a potentially more stringent and robust regulatory regime at the federal level.
Our firm will continue to monitor developments in data security law. If you have any questions or concerns regarding this Advisory, or are interested in filing comments or monitoring replies related to this docket, please do not hesitate to contact Linda McReynolds, Certified Information Privacy Professional (CIPP/US), at firstname.lastname@example.org.