TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | FTC commissioners call for more authority, federal breach law Related reading: Notes from the IAPP Publications Editor, Oct. 19, 2018

rss_feed
DPC18_Web_300x250-COPY

""

PrivacyTraining_ad300x250.Promo1-01

All three commissioners from the Federal Trade Commission appeared Tuesday in front of the Senate Commerce Committee to testify on the work and needs of the agency. In combined written testimony, FTC Chairwoman Edith Ramirez and Commissioners Maureen Ohlhausen and Terrell McSweeny said the agency’s consumer protection enforcement actions have saved consumers $717 million in the last year.

The commissioners also called for changes to the FTC Act, including civil rulemaking authority, and expressed support for a federal data breach notification law.

“Data security is the most significant challenge we face as a nation,” Ramirez testified. And though Section 5 of the FTC Act gives the agency nimble enforcement ability, she said Congress has a role to play in helping consumers. “I do believe it is necessary for Congress to take action in this area,” she said. 

The massive breach of approximately 500 million Yahoo users was on the minds of many Senators Tuesday. Sen. Richard Blumenthal, D-Conn., specifically asked the commissioners if they would support a federal bill, like legislation he has introduced, that would require companies take adequate steps to secure data and notify affected consumers within a prescribed time period.

Sen. Dan Sullivan, D-Alaska, pointed to his time as attorney general of the state and an incident involving the loss of state employees' data. "When I was AG for Alaska, we had an incident where a company lost a lot of data on state employees. We tried to make people aware of that as soon as we could." He said it was concerning that a company like Yahoo appears to not have taken a same tact on notifying consumers in a timely manner.

He then asked Ramirez if the FTC needs more authority. "The obligations of a company under Section 5 are for companies to put in reasonable security measures," she answered. "With regard to notification, there are applicable state and sectoral laws, but I believe there is a need for Congress to pass federal legislation in this area. There needs to be federal standards for security along a 'reasonable-ness' approach. It's also important for a federal requirement on breach notification." 

When pressed, said she would recommend companies notify consumers within 30 to 60 days. She assented that companies should be granted some time to assess a given breach and investigate who is affected to appropriately respond. 

The commissioners also agreed on the need to expand the agency’s enforcement scope.  Ramirez said, “It would be helpful to have federal legislation to give us authority and jurisdiction over nonprofits.”

The FTC was also asked several times throughout the hearing about its relationship with the Federal Communications Commission and that agency’s proposed privacy rules for internet service providers. Since the FCC reclassified Title II last year, the FTC lost its enforcement authority over ISPs, and FCC Commissioner Thomas Wheeler has said he hopes to finalize the rules by year’s end.

“We have commented publicly on how to improve the framework,” Ramirez said. “We do engage in regular conversations with the FCC, both at staff and senior levels, to discuss the approach we take when it comes to privacy.” She added, “They take our comments seriously.”

McSweeny said the FTC has been “very supportive” of the proposed rules and that the “FCC shares our goals of transparency, consumer choice and security” and that both agencies can “play an important role in protecting consumer privacy.”

Sen. Edward Markey, D-Mass., seemed to prompt the commissioners to assent to the FCC's authority over ISPs. "Both the FTC and FCC have clear roles to play," he said, "and now that broadband is under the common carrier exception, the FCC must act without delay to put in strong broadband privacy rules." 

Ramirez replied, "In light of the reclassification, the FCC does have jurisdiction here, and it's appropriate for them to put in place appropriate privacy rules." 

Commissioners also addressed concerns around so-called set-top boxes. "Third-party manufacturers of these boxes ought to make consumer-facing notices," Ramirez said. "By doing so, this would facilitate the FTC to enforce in this arena." She added, "I am aware of Wheeler's intent to include that in the rule." 

Ramirez trumpeted a harmonized approach among federal authorities to marketplace regulation. "We are certainly active in sharing extensive expertise. We have been looking into (privacy and data security) issues for a long time. Going forward, it will be appropriate for us to harmonize." 

Top image of FTC Chairwoman Edith Ramirez is a screen shot from Commerce Committee hearing

Comments

If you want to comment on this post, you need to login.