FTC official: Agency needs more tools against private sector data breaches


The Federal Trade Commission needs "more tools" to deter private sector consumer data breaches, said Jessica Rich, director of the agency's bureau of consumer protection, during a Feb. 3 Senate hearing.

The FTC today has authority to bring data-breach related actions only if a company engaged in deceptive or unfair practices, such as by wrongly asserting or implying high levels of data protection.

"We use our deception authority to look at not just what's stated in the privacy policy but what the company may claim in the context of its interaction with consumers, including implied claims such as a seal," Rich told a Senate Banking, Housing and Urban Affairs subcommittee.

Before bringing a case under its unfairness authority, the FTC must subject it to a three-pronged test that includes whether consumers suffered substantial injury. "It's not strict liability for breach," Rich said.

Since 2002, the FTC has brought 30 cases under its deception authority and 20 under its unfairness authority.

"That's not very many, given the number of data breaches that we've seen over the last decade," said Sen. Elizabeth Warren (D-Mass.), during the hearing.

The prerequisite for bringing deceptiveness authority to bear – that a company has engaged in deceptive practices – is "one of the reasons that we're supporting general data security legislation," Rich said.

Earlier in the hearing, Rich said a model for private sector data protection regulation can be found in the existing Gramm-Leach-Bliley Act (P.L. 106-102), which requires financial institutions to undertake formal risk assessments and implement safeguards. The act mandates processes, not technologies, allowing the government to use it as an enforcement mechanism without specifying requirements such as encryption levels, which are subject to change over time, Rich said.

For more:
- go to the hearing webpage (prepared testimony and archived webcast available)

Related Articles:
FTC slaps wrists of 12 U.S. companies for violating U.S.-EU Safe Harbor Agreement
U.S.-EU split on data privacy could upend the Internet, diplomat says