FTC official: Agency needs more tools against private sector data breaches
The Federal Trade Commission needs "more tools" to deter private sector consumer data breaches, said Jessica Rich, director of the agency's bureau of consumer protection, during a Feb. 3 Senate hearing.
The FTC today has authority to bring data-breach-related actions only if a company engaged in deceptive or unfair practices, such as by wrongly asserting or implying high levels of data protection.
Before bringing a case under its unfairness authority, the FTC must subject it to a three-pronged test that includes whether consumers suffered substantial injury. "It's not strict liability for breach," Rich said.
Since 2002, the FTC has brought 30 cases under its deception authority and 20 under its unfairness authority.
"That's not very many, given the number of data breaches that we've seen over the last decade," said Sen. Elizabeth Warren (D-Mass.), during the hearing.
The prerequisite for bringing its deception authority to bear – that a company has engaged in deceptive practices – is "one of the reasons that we're supporting general data security legislation," Rich said.
Earlier in the hearing, Rich said a model for private sector data protection regulation can be found in the existing Gramm-Leach-Bliley Act (P.L. 106-102), which requires financial institutions to undertake formal risk assessments and implement safeguards. The act mandates processes, not technologies, allowing the government to use it as an enforcement mechanism without specifying requirements such as encryption levels, which are subject to change over time, Rich said.
- go to the hearing webpage (prepared testimony and archived webcast available)