On May 5, 2009, the Federal Trade Commission’s ("FTC’s") Acting Director of the Bureau of Consumer Protection, Eileen Harrington, testified before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection in support of the proposed federal Data Accountability and Trust Act (H.R. 2221). The Act would require companies to implement reasonable data security policies and procedures to protect personal information. It would also mandate security breach notifications for consumers affected by data security breaches.
Ms. Harrington stated that the FTC views lax data security as a threat to the marketplace and, therefore, strongly supports the proposed legislation. The legislation is limited in scope to address only electronic data, but the FTC advocated expanding that scope to include hard copy data. The FTC also supported provisions in the proposed statute that give consumers rights to access and dispute the accuracy of information held by data brokers, but sought assurances that such rights would be compatible with and not displace the existing protections afforded to consumers under the Fair Credit Reporting Act.
In the FTC’s opinion, a key provision of the legislation grants the Commission authority to impose civil penalties for violations. Ms. Harrington contrasted this proposed authority with the FTC’s current data security enforcement mechanism that is generally limited to injunctive relief the agency seeks when alleging that information security practices are unfair or deceptive under Section 5 of the FTC Act. The proposed legislation, on the other hand, would allow the FTC to undertake enforcement actions against practices it deems harmful to consumers, irrespective of whether such practices could be construed as unfair or deceptive. In addition, the rulemaking authority the legislation provides would enable the FTC to promulgate enforceable regulations establishing standards for data security.
Statements and testimony of Ms. Harrington and other witnesses are available here.