The FTC told Congress last week that if a national privacy law gets passed, it wants more resources and greater authority to impose penalties under it.
While there are a myriad of bills circulating in D.C. currently, if a new federal privacy law is ever put in place, the Federal Trade Commission made it clear it wants to be able to steer the ship.
The FTC went on the record with its stance in testimony before the House Energy and Commerce Subcommittee on Consumer Protection and Commerce last week.
During Wednesday's hearing, which was on strengthening protections for Americans’ privacy and data security, Joseph Simons, the agency's chairman, pressed Congress to enact privacy and data security legislation, with the stipulation that the legislation can be enforced by the FTC.
The agency currently has a narrow scope as to how it can impose penalties. Right now the FTC can only do so when an organization is caught violating Section 5 of the FTC Act, which forbids companies from engaging in “unfair or deceptive acts or practices.”
Simons was joined by not one but four additional FTC commissioners - Noah Joshua Phillips, Rohit Chopra, Rebecca Kelly Slaughter, and Christine S. Wilson - to hammer home their point: There are drawbacks to how things currently operate with regard to imposing monetary penalties.
Section 5 doesn’t allow the FTC to seek civil penalties for a first-time offense, nor does it subject non-profits or common carriers to its guidelines. The FTC, furthermore, can only levy a fine if the company in question agrees to a settlement or if the FTC wins in court. If the FTC had civil penalty authority under Section 5 - and this is an example the agency gives repeatedly - it could have required Uber to pay one in the first instance of the company's violation, way back in 2014 when a hacker gained access to personal information about Uber drivers.
In addition to being able to enforce it, with the adoption of any new data privacy legislation, the FTC is seeking civil penalty authority, along with targeted APA rulemaking authority, and jurisdiction over non-profits and common carriers. In the eyes of the FTC, in order to deter companies from breaking the law, the FTC needs to be able to impose substantial fines on companies the first time around, not the second.
If legislation goes into effect, the agency is also hoping that it can increase its staff to better handle its needs.
“It is critical that the FTC have sufficient resources to support its investigative and litigation needs, including expert work, particularly as demands for enforcement in this area continue to grow,” Simons said in his testimony.
Currently, the FTC only has about 40 full-time staff dedicated to privacy and data security matters, a figure that stunned Rep. Jan Schakowsky (D-Ill.) during Wednesday’s hearing.
"I find that pretty shocking. The American people deserve more and better,” Schakowsky, chairwoman of the subcommittee, said.
“The U.K. authority has 500 employees dedicated to privacy, and even the Irish authority has about 140,” Simons said, “So us starting at 40 and then trying to enforce something similar to what they’re enforcing with their authority, obviously, shows a gap.”
Simons didn't have to work too hard to further demonstrate the FTC's value when it comes to data security. Simons told the subcommittee that the FTC has brought more than 65 data security cases and 60 general privacy cases.
That said, the subcommittee wasn't unanimous in its support of the concept of extending the FTC’s jurisdiction when it comes to enforcement.
One Republican, Rep. Cathy McMorris Rodgers (Wash.) said during the hearing she was leery of any law that would change the FTC "from a law enforcement agency to a massive rulemaking regime.” Simons shot down the classification and instead asked the subcommittee to consider giving the FTC "targeted rulemaking authority," in reality a narrower scope of jurisdiction that would allow it to follow the rules of a data privacy bill and assess fines against those that break the law.
It's not the first time the FTC has gone on record about the need for more comprehensive data security legislation. In testimony before a House Energy and Commerce subcommittee last summer, the agency reiterated its support for data security legislation and said it's in favor of any legislation that can maximize its resources.
“In my view, we need more authority. I support data security legislation that would give us three things: (1) the ability to seek civil penalties to effectively deter unlawful conduct, (2) jurisdiction over non-profits and common carriers, and (3) the authority to issue implementing rules under the Administrative Procedure Act. And we should consider additional privacy authority as well,” Simons said in oral remarks before the subcommittee at the time.
The hearing came at a pivotal time for the FTC. The agency is readying a potentially mammoth fine against Facebook for privacy violations. The company, which is in settlement talks with the agency, said last month it expects to pay up to $5 million in fines following last year's Cambridge Analytica scandal.