FTC Testifies on Data Security Legislation
The Federal Trade Commission yesterday told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach.
In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, associate director for privacy and identity protection at the FTC, told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations. "Requiring reasonable security policies and procedures of this broad array of entities is a goal that the Commission strongly supports."
The testimony says that as the nation's consumer protection agency, the FTC has a history of protecting consumer privacy and promoting data security in the private sector. "Data security is of critical importance to consumers. If companies do not protect the personal information that they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm. . . . Accordingly, the Commission has undertaken substantial efforts to promote data security in the private sector through law enforcement, education, and policy initiatives."
According to the testimony, since 2001, the Commission has brought 29 cases against businesses that allegedly failed to protect consumers' personal information. The cases provide key lessons in the data security area. They include:
- Businesses that make claims about data security should be sure that they are accurate.
- Businesses should protect against well-known, common technology threats.
- Businesses must know with whom they are sharing customers' sensitive information.
- Businesses should not retain sensitive consumer information that they do not need.
- Businesses should dispose of sensitive consumer information properly.
The testimony notes that the FTC promotes better data security practices through extensive consumer and business education. It maintains a website, OnGuard Online, to educate consumers about computer security, and more than 10 million copies of two publications for victims of identity theft have been distributed. In addition, the U.S. Postal Service in cooperation with the FTC has sent copies of the Commission's identity theft consumer education materials to more than 146 million residences and businesses.
The FTC also has taken up data security as a policy matter. Over the past several months, it has convened three public roundtables to explore consumer privacy. Panelists at the roundtables repeatedly noted the importance of data security in protecting privacy, the testimony states. The agency expects to issue a report on privacy later this year. "Among other things, the report will encourage companies to incorporate sound data security and data retention practices into their business models in a reasonable and cost-effective way," the testimony states.
The Commission vote to approve the testimony was 5-0.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them.