Washington, DC - In testimony before Congress today, the Federal Trade Commission provided feedback on proposed data security legislation pending before the Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee.
Testifying on behalf of the Commission before the Subcommittee, FTC Consumer Protection Director Jessica Rich highlighted the Commission’s support for data security legislation overall, as well as noting elements of the proposed bill supported by the Commission and areas where members of the Commission see room for improvement.
“The need for companies to implement strong data security measures is clear: if sensitive information falls into the wrong hands, the results can be devastating,” said the testimony. “Consumers face the risk of fraud, identity theft, and other harm.”
In the testimony, the Commission expresses support for the legislation’s goals of establishing broadly applicable data security requirements for companies and requiring them to notify consumers, in certain circumstances, of the breach of their data – both issues that the proposed legislation addresses. The Commission also support’s the proposed bill’s inclusion of FTC enforcement authority over both common carriers and non-profit entities related to data security and breach notification.
In addition, the testimony highlights the Commission’s support for the civil penalty authority contained in the legislation for violations of the proposed bill.
The testimony also highlights concerns related to particular aspects of the proposed legislation. Among the concerns are a need to expand the bill’s definition of personal information to include data like consumers’ geolocation and health data, as well as a need to address the entire data ecosystem, including Internet-connected devices. Other concerns include the need for Administrative Procedures Act rulemaking authority to ensure that the law’s requirements keep up with quickly evolving technology, and the need to expand the bill’s breach notification trigger to cover more fully the types of harm that can result from a data breach. Commissioner Joshua Wright did not concur to the extent that the Commission recommended expanding the proposed legislation beyond its current economic and financial scope.
The testimony also provided a summary of the Commission’s existing authority related to data security under the FTC Act, including its enforcement cases, extensive policy work, and business and consumer education efforts.
The Commission vote approving the testimony and its inclusion in the formal record was 5-0.