This week, the United States came just 230 data breaches away from an “all-time high,” according to Identity Theft Resource Center Chief Operating Officer James Lee, but data security requirements either within a federal privacy law or a standalone regulation “would substantially improve data protection” and bring “stronger protections and greater clarity to the marketplace,” Kelley Drye Of Counsel Jessica Rich said.

With 446 reported data breaches from July through September, “we’re in for raising the bar substantially,” said Lee, who shared the statistics with the U.S. Senate Committee on Commerce, Science, and Transportation Wednesday. “Behind all these numbers are people,” he said. “They’re victims.”

The committee held its second privacy hearing in two weeks, with former members of the Federal Trade Commission

Witnesses who spoke Wednesday also support enhanced authority and resources for the FTC, and Rich, the former director of the FTC’s Bureau of Consumer Protection, said current law does not set clear standards for data security or provide remedies for consumers. While there are “sector-specific laws with a data security component” and some states have enacted data security laws, “it’s a messy and confusing patchwork,” she said.

Federal data security requirements, whether as part of a broader privacy law or on their own, should “provide comprehensive protections,” implement a “scalable” approach to cover different types and sizes of companies and the volume and sensitivity of data they collect, and include incentives for data minimization. If a law is strong enough and fully enforceable by the FTC and state attorneys general, Rich added she doesn’t believe pre-empting state laws or forgoing a private right of action would “weaken protections.”

Kate Tummarello, executive director of Engine, a nonprofit that works with startups to support innovation and entrepreneurship, also noted a federal data security policy should recognize that being a responsible data steward will look different for every company. A framework could allow flexibility while providing “startups the certainty they need.”

“The FTC could issue a menu of options where organizations can decide what makes the most sense for them knowing they are meeting some minimum standard set by the FTC,” Tummarello said. “Startups just want to do the right thing and would appreciate guidance on what the right thing is.”

Security of biometrics data is an area where enhanced standards are needed, witnesses said, due to the sensitivity and privacy issues surrounding it.

“If your biometric data is somehow compromised, you can’t change your biometrics, you can’t change your fingerprints, you can’t change your face, your retina scan, your voiceprint, so we need to be very careful about how we protect that kind of data. We have to have very specific ways of protecting people when that data is compromised,” Lee said. “We don’t really have a good framework for that today.”

Senators asked how to hold companies more accountable, how to incentivize companies to implement cybersecurity practices, and what resources the FTC needs if Congress were to expand its authority on data security.

Former FTC chief technologist and Princeton University Robert E. Kahn Professor of Computer Science and Public Affairs Edward Felten said the bar needs to be higher for companies “because the threat is higher.” He supports penalties for first-time violations, saying a current lack “makes the FTC a weak deterrent,” and said the agency needs additional technologists on staff to address issues.

“It requires staff, it requires especially a sophisticated and strategic approach to managing these systems and it requires consistent execution,” he said. “What the community has learned over and over is that a single failure to patch one thing or to upgrade something when it needs to be there to make sure some digital door is locked can lead to a future breach.”

With the rise and sophistication of data breaches today, Lee said it’s not if an organization will be impacted, but “how many times.”

“The practical reality is the private sector and government agencies are in the only position to be able to provide security and to prevent the kinds of instances we’re seeing that impact people, that create victims, so we have to have a partnership between all the parties beginning with government setting enforceable standards that the private sector can implement,” he said. “If we have that system we will reduce the number of cyber incidents, reduce the number of data breaches and reduce the number of identity theft victims.”
