Congress Should Enact Data Security and Breach Notification Law, Agency Says
The Federal Trade Commission told Congress today that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach.
“If companies do not protect the personal information they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace,” FTC Commissioner Edith Ramirez said in delivering the Commission’s testimony before the House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing, and Trade.
The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities. The Commission also noted that the December 2010 preliminary FTC staff report on privacy takes the same position as the Discussion Draft that data minimization is an important component of data security.
The FTC promotes data security through law enforcement, consumer and business education, and policy initiatives. Since 2001, the agency has brought 34 cases charging businesses with failing to protect consumers’ personal information.
Ramirez noted that the FTC is today announcing finalized settlements resolving two data security law enforcement actions. The first involves Ceridian Corporation, a human resource services and payroll processing company that allegedly failed to protect highly sensitive payroll information, compromising the personal data of approximately 28,000 employees of Ceridian’s small business customers. The second settlement resolves charges against Lookout Services, Inc., which sells products that help employers comply with immigration laws. The FTC alleged that Lookout failed to protect its customer database of Social Security numbers, passport numbers, military identification numbers, and dates of birth, leaving it vulnerable to unauthorized access. Both companies are barred from future misrepresentations, must implement comprehensive information security programs, and must obtain independent security audits every other year for 20 years.
The testimony also discussed how the FTC promotes better data security practices through extensive consumer and business education. The agency sponsors OnGuard Online and its Spanish-language counterpart Alerta en Linea, which educate consumers about basic computer security. It also provides print and online publications such as the FTC’s Identity Theft Primer, a Victim Recovery Guide, and a data security guide for businesses.
Finally, the FTC advances data security through substantial policy work. For example, FTC staff held a series of public roundtables that explored consumer privacy, and issued a preliminary staff report in December 2010 that endorsed key data security principles, based on the roundtables and public comments.
The FTC also will hold a Child Identity Theft Forum on July 12, 2011, in conjunction with the Office for Victims of Crime, Office for Justice Programs, U.S. Department of Justice. “The goal of this forum is to develop ways to effectively advise parents on how to avoid child identity theft, how to protect children’s personal data, and how to help parents and young adults who are victimized as children recover from the crime,” the testimony states.
The Commission vote to issue the testimony was 5-0.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook and follow us on Twitter.
Office of Public Affairs
Bureau of Consumer Protection