The White House and the Federal Trade Commission are pressuring Congress to pass legislation that would require companies to implement data security measures and to provide breach notification.

The Obama Administration sent a cyber-security legislative proposal to Congress in May, in response to a request for assistance in addressing U.S. cyber-security; the proposal includes a measure for data security and breach notification. To some degree, the FTC is pushing for legislation that would align with the enforcement policies it already has in place.

The FTC testified before Congress last month. The Commission supports “legislation that would require companies to implement reasonable security policies and procedures and, in the appropriate circumstances, provide notification to consumers when there is a security breach,” said David Vladeck, director of the agency's Bureau of Consumer Protection.

In the wake of recent high-profile data security breaches like those at Sony—three times—and Epsilon, there is increasing support for such legislation. “The White House proposal is very significant, and the FTC has been advocating for this for the last several years. There certainly is a push to get some sort of federal legislation related to security breaches,” says Deborah Lodge, a partner at the law firm Patton Boggs. “The proposal from the White House has specific draft legislation language for the data breach notification point.” The White House proposal is also much broader than the data breach issue alone, addressing many facets of cyber security. It's possible that different pieces of the White House proposal will find their way into different legislative proposals. There could be many bills proposed by members of Congress, or one omnibus cyber-security plus data breach notification bill, says Lodge.

In fact, a number of bills addressing these issues have already been floating around Congress, but have failed to move forward at this point. “It's obviously positive that the White House has weighed in, but we've had several years now of cyber security and data security proposals, and it's a complicated legislative process that touches on a number of different committees,” says David Fagan, a partner at the law firm Covington & Burling. “Cases like Sony certainly make this a high-profile issue, but it's not like there weren't high-profile breaches in the past.”

Complicating the issue is the fact that the area of data security and risk involves several aspects of government regulation: cyber security, law enforcement, compliance, and data privacy. These are related, but they remain separate problems, says Fagan. “Either you pick which issue moves first or you're going to have an omnibus proposal with all of them—that makes it very complicated for legislation,” he says.

Even without new law, the FTC has stepped up enforcement efforts in the area, focusing on compliance measures. “It's fair to say that the Commission has been more active in enforcing a range of claims around privacy, including data security and privacy, within the last 24 months,” says Fagan.

More recently, the FTC has taken action against what it considers to be unreasonable data security programs. This became a target of the agency's enforcement division in 2005 after the BJ's Wholesale Club, Inc. data breach case, according to Fagan. At that point there was a shift establishing the agency's expectation that companies would have reasonable security measures in place, and that failing to do so constitutes a lack of compliance and is enforceable. For example, the Commission announced enforcement actions against Ceridian Corporation and Lookout Services in May, based on the lack of reasonable data security programs.


What's in it for Companies?

Federal data security legislation wouldn't be all bad for companies, since it would probably pre-empt state laws, which are in place in 46 states and the District of Columbia. Massachusetts' data privacy law, the most far-reaching regulation in the United States, went into effect in March. “From the perspective of a nation-wide business, if there is preemption, then that assists in uniformity of review and compliance,” says Lodge. “If there is not general pre-emption, then it is more difficult for businesses to figure out the slalom of compliance and to address any issues.” States that do not want to see their laws overridden, however, are holding up the legislative process over this point, turning pre-emption into a highly divisive issue.

Despite hold-ups, the FTC's testimony before Congress indicates that legislation could be forthcoming. The agency, in fact, has been working with government to draft legislation that would be in harmony with its existing enforcement policies. For example, the FTC's chief privacy officer, Mark Groman, was on loan to Congress for over a year, working on federal data security legislation.

FTC ON MOBILE DEVICE PROTECTION

The following statement was issued by the Federal Trade Commission in regard to Consumers' Privacy on Mobile Devices:

In Commission testimony before the Senate Judiciary Committee Subcommittee for Privacy, Technology and the Law, Jessica Rich, Deputy Director in the FTC's Bureau of Consumer Protection said the FTC has been examining mobile and wireless issues since 2000, when the agency hosted a workshop on emerging wireless Internet and data technologies and the privacy, security, and consumer protection issues they raise. The FTC also hosted a technology forum in 2006 that featured mobile issues, two Town Halls to explore the use of radio frequency identification technology and its integration into mobile devices, and a forum in 2008 examining consumer protection issues in the mobile sphere ...

The Commission has “a number of active investigations into privacy issues associated with mobile devices, including children's privacy,” the testimony notes.

According to the testimony the “rapid growth of mobile technologies has led to the development of many new business models involving mobile services.” The innovations offer benefits to both businesses and consumers. “On the other hand, they facilitate unprecedented levels of data collection, which are often invisible to consumers.”

In 2009 and 2010, the Commission held a series of three roundtables “to examine how changes in the marketplace have affected consumer privacy and whether current privacy laws and frameworks have kept pace with these changes,” the testimony states.

The data that emerged from those roundtable discussions formed the basis of a preliminary staff report which has recommended:

that companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices, such as not collecting or retaining more data than they need to provide a requested service or transaction;

that privacy options offered to consumers should be simplified and easily accessible on small screens such as those on smartphones; and

steps companies should take to make their data collection and sharing practices more transparent to consumers.

The FTC staff is now reviewing more than 450 comments received in response to the preliminary report, according to the testimony, including many that address mobile device privacy issues. The comments received will inform the final staff report, which will be released later this year.

Source: Federal Trade Commission, May 5, 2011.

“The FTC wants to make sure that if legislation moves forward, that it is aligned with the FTC's enforcement efforts to date,” says Alysa Hutnik, a partner at the law firm Kelley Drye. “The language in the various bills does reflect that they're aligned with what the FTC is doing.” The bonus factor, she adds, is that if any of this legislation were enacted, it would give the FTC the ability to levy civil penalties on a first violation, as opposed to having to obtain a settlement order first.

With the push for new legislation, the reality of increased enforcement activity, and the FTC targeting flawed or failed compliance programs—not to mention what appears to be an increase in hacking efforts—companies should take the necessary steps to make sure they have effective data security policies in place and that employees are following them. “A company that handles personal information should have administrative, technical and physical safeguards to protect that data,” says Boris Segalis, a partner with InfoLaw Group. “A risk assessment, a robust vendor management program, access controls, technical protections—current and regularly updated—and data encryption are some of the elements.”

The potential for new legislation also puts a focus on what third-party service providers are doing. There is a bit of a headwind here created by the advent of cloud computing, Segalis says. “All these things are more difficult to accomplish when a business outsources IT or data handling,” he says. “You are trusting someone else to handle your data, but you just as well need to make sure that you are protected, because you are ultimately responsible for the data.”

The FTC and the Commerce Department published a proposed privacy framework in December, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which expressed the agency's views on how businesses should protect customer data. The Commerce Department said at the time that it might consider more specific proposals in a future white paper.