The Federal Trade Commission yesterday told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach.
In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, associate director for privacy and identity protection at the FTC, told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations. "Requiring reasonable security policies and procedures of this broad array of entities is a goal that the Commission strongly supports."
"The Commission believes that notification in appropriate circumstances can be beneficial," the testimony notes. Many states have passed notification laws that have increased public awareness of the harm breaches can cause. "Breach notification at the federal level would extend notification nationwide and accomplish similar goals."
The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision requiring companies to notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they also apply to telephone companies; and third, the bill should grant the agency rulemaking authority to determine the circumstances under which providing free credit reports or credit monitoring may not be warranted.
The testimony says that as the nation's consumer protection agency, the FTC has a history of protecting consumer privacy and promoting data security in the private sector. "Data security is of critical importance to consumers. If companies do not protect the personal information that they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm. . . . Accordingly, the Commission has undertaken substantial efforts to promote data security in the private sector through law enforcement, education, and policy initiatives."
According to the testimony, since 2001, the Commission has brought 29 cases against businesses that allegedly failed to protect consumers' personal information. The cases provide key lessons in the data security area. They include:
- Businesses that make claims about data security should be sure that they are accurate.
- Businesses should protect against well-known, common technology threats.
- Businesses must know with whom they are sharing customers' sensitive information.
- Businesses should not retain sensitive consumer information that they do not need.
- Businesses should dispose of sensitive consumer information properly.
The testimony notes that the FTC promotes better data security practices through extensive consumer and business education. It maintains a website, OnGuard Online, to educate consumers about computer security, and more than 10 million copies of two publications for victims of identity theft have been distributed. In addition, the U.S. Postal Service in cooperation with the FTC has sent copies of the Commission's identity theft consumer education materials to more than 146 million residences and businesses.
The FTC also has taken up data security as a policy matter. Over the past several months, it has convened three public roundtables to explore consumer privacy. Panelists at the roundtables repeatedly noted the importance of data security in protecting privacy, the testimony states. The agency expects to issue a report later this year on privacy. "Among other things, the report will encourage companies to incorporate sound data security and data retention practices into their business models in a reasonable and cost-effective way," the testimony states.
The Commission vote to approve the testimony was 5-0.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them.