The recent large scale data breaches that Target, Neiman Marcus, Michael’s, and multiple hotel chains have suffered has brought a great deal of media attention. Given the number of potential victims – perhaps as many as 110 million in the Target breach – Congressional attention was inevitable. Earlier this week, the Senate Judiciary Committee held a hearing on these data breaches and the need for federal legislation. The need for reform in this area has been long debated, but we think that the most promising proposal came from Edith Ramirez, the Chairwoman of the Federal Trade Commission, who called for stronger FTC regulatory and enforcement powers.
Top executives from Target and Neiman Marcus were questioned at length about the breaches, their companies’ security standards, and how they could have prevented the attacks. Unsurprisingly, much attention was paid to possible legislation and regulations that could reduce the risk of future data breaches, and the tradeoff between increased costs to companies and benefits to consumers. Many of the legislative reforms that the hearing touched on have been previously proposed – Senator Dianne Feinstein (D-CA) referred to a data breach notification bill she first introduced more than a decade ago. We at CDT have been somewhat skeptical of a federal data breach law, as most states require breach notification, and a federal law could just preempt existing state law and provide weaker. But the hearing highlighted some broader proposals, such as expanding the Federal Trade Commission’s current authority, that would reform how consumer data is protected in the U.S. CDT supports broad FTC regulatory and enforcement powers in the area of data protection, though we would prefer a baseline consumer privacy bill that provides comprehensive data protection.
The hearing provoked a clear sense of déjà vu – Congress has debated the need for federal data breach legislation many times in the last few years, and CDT’s Consumer Privacy Director, Justin Brookman, testified in the House on the issue in 2011. The recent data breaches are notable for the number of compromised accounts, but they don’t raise novel issues. Data breach notification is a tricky issue: if notices are sent out with haste before a company knows the scale of a breach, they may not communicate accurate, useful information to consumers. And a deluge of notifications could easily inure users to the serious consequences of major breaches. For those reasons, CDT supports a standard that requires companies to inform consumers of a breach “as soon as reasonably possible.” This allows companies to determine the scale and scope of a breach before communicating to users what has happened and what preventative steps they can be taking.
The debate over whether the federal government should mandate data security standards is also a perennial question, as the hearing emphasized. Breach notification is important, but it isn’t enough. Consumers must be confident that companies are implementing strong security standards, which should take the form of government mandates. Fears about requiring companies to use specific technologies are certainly warranted; CDT has long preferred to focus on best practices and strong privacy and security standards based in large part on Fair Information Practice Principles. As a result, the hearing’s focus on whether the chip-and-pin security technology, which is currently widely used in Europe but not in the United States, seems misplaced. It’s not clear that the widespread use of chip-and-pin would have helped avoid the data breaches that the Judiciary Committee discussed. Requiring companies to adopt reasonable security standards – such as the creation, auditing, and maintenance of a comprehensive and robust security program – rather than specific technologies, would better protect consumers without relying upon a single technology to serves as a panacea.
In her testimony, FTC Chairwoman Ramirez called upon Congress to expand the FTC’s authority in three important ways. First, her testimony noted that the FTC currently lacks the authority to set regulations under the FTC Act. On the most basic level, that means that it cannot set regulations prohibiting “unfair and deceptive trade practices” (the key phrase from the law that established the FTC). Giving the FTC that authority would allows it to affirmatively set data security standards, rather than merely indicating what practices it finds objectionable when it seeks a judgment against a company for bad security practices. Second, Chairwoman Ramirez called for jurisdiction over non-profit entities, which it currently lacks, as several reported breaches have involved not-for-profit universities and health systems. CDT has not taken a stance on whether this is necessary to protect consumers against breaches. Finally, according to Chairwoman Ramirez, the FTC’s inability to seek civil penalties for initial violations of the FTC Act should be changed. If the FTC had the ability to levy civil fines, companies would be incentivized to more carefully protect consumer data and avoid data breaches. Moreover, the FTC’s ability to enforce against bad security practices is currently under attack by Wyndham Hotels in federal court. We think the FTC has a strong case, and the recent data breaches indicate how crucial it is that the agency can enforce against poor security practices.
Taken together, Chairwoman Ramirez’s suggestions for reform would more effectively protect consumer data from breaches by giving the FTC the ability to set guidelines for companies – and ensure that they pay an appropriate penalty when they fail to comply with those guidelines. However, such reforms can only be considered an initial step on the path to passing baseline privacy legislation at the federal level. Only with comprehensive privacy reform can consumers be confident that American companies are taking meaningful steps to protect data with strong security standards.