The government is facing increased pressure to institute data security protections after the high-profile breaches of Target and social networking app Snapchat.
While some argue that the companies’ security standards are ripe for an investigation from the Federal Trade Commission (FTC) — which has brought data security cases as part of its mission to protect consumers from deceptive business practices — the agency’s ability to intervene is anything but certain.
{mosads}Cases currently making their way through the court system could settle whether the FTC has the authority to get involved, but many hope that Congress will step in to clarify the commission’s powers once and for all.
Sen. Richard Blumenthal (D-Conn.) warned of the “incalculable harm to consumers” that can come from the types of data breaches like the one suffered by Target late last year.{mosads}
After the Target breach was made public, Blumenthal urged the FTC to investigate the company’s security practices.
“Customers of companies have a right to expect that their private information will be properly safeguarded and secured,” he told The Hill on Friday. “The failure to take those steps is not only a violation of trust but also potentially of law.”
Over the last decade, the FTC has brought dozens of cases against companies for failing to safeguard consumers’ data.
According to the commission, companies have a responsibility to live up to their promises about data security. Allowing firms to be hacked, regulators have said, is a breach of trust and a violation of companies’ pledges.
But not everyone agrees that the FTC is in the right.
The hotel and resort company Wyndham Worldwide and medical testing company LabMD are both suing the agency, challenging its authority to bring data security cases.
Reed Rubinstein, senior vice president at Cause of Action, which is representing LabMD in its case against the agency, said that the FTC does not have the legal authority to penalize companies who have suffered data breaches.
Section 5 of the FTC Act — which the agency cites when defending its authority in this area — “is absolutely silent on data security,” he said. “It’s very hard to understand how the FTC lawfully gives itself this authority.”
If the FTC wants the authority to bring data breach penalties, he said it needs to give better guidance on what companies should do to protect consumer data.
Critics say that the FTC’s practice amounts to penalizing companies that are themselves victims.
“Should the primary function of the U.S. government to be to come in and attack Target, which was the victim of this hack, or should the primary function of the U.S. government to be to turn around and ask the question of where the hack came from?” said Jeffrey Eisenach, a former FTC official who is now a visiting scholar at the American Enterprise Institute.
“What is it we’re doing with all of the resources available to us to stop Target from being hacked and the next Target and the next Target and the next Target in the future?”
Some privacy advocates say Congress needs to get involved to clear up any ambiguity about the FTC’s power to hold companies to high cybersecurity standards.
Blumenthal said that he would “consider drafting and introducing new legislative authority to keep pace with advancing technology, even though I believe that consumers have a right under existing law to expect companies to safeguard their data.”
In a statement, Sen. Ed Markey (D-Mass.) called on Congress to act in the wake of breaches that have “put millions of consumers at risk for identity theft and damaging fraud.”
He said Congress should “hold hearings on these serious breaches to determine what companies are doing to fix their security weaknesses exploited by data thieves and the steps consumers can take to protect their sensitive information.”
Democratic Sens. Robert Menendez (N.J.), Chuck Schumer (N.Y.) and Mark Warner (Va.) have also called for a hearing on the Target breach.
FTC Commissioner Maureen Ohlhausen said the recent high-profile breaches could fuel a national conversation.
“Any time that there is a data breach from a well-known company that impacts a lot of consumers, it brings more attention and more energy to the issue,” the Republican commissioner said.
“With Target being so well known and the number of consumers that can possibly be affected [being so high], it certainly has gotten lots of attention, including Congressional attention.”
Data security “seems to have the level of bipartisan interest that would help” get a bill passed in Congress, she added.
Ohlhausen supports a federal data breach and notification law — especially if the FTC loses either of the cases challenging its authority — but defends the agency’s authority to bring cases against companies that fail to protect their users’ data.
“A uniform federal law for data security and breach notification would make sense” to give consumers consistent protection and to give businesses one set of guidance “rather than a patchwork of state laws,” she said, speaking broadly about data security and not about specific pending litigation.
High-profile breaches like Target’s mean that “everyone is going to feel this,” according to Ross Schulman, public policy and regulatory counsel at the Computer and Communications Industry Association. That can help move the ball forward in the ongoing debate.
Schulman’s group — which includes Google, Facebook and Microsoft — recently released polling data which found that 75 percent of Internet users are worried about their information being stolen through security breaches, and 74 percent think the federal government should do more to protect against identity theft made possibly by those breaches.
Ohlhausen defended the FTC against critics who say the agency hasn’t provided guidance on data security requirements.
The agency has provided “a fair amount of guidance in this area through our enforcement and our educational efforts,” she said, pointing to published guides and past data security actions brought by the FTC.
“Everybody is better off … if we give a clear idea of where the lines are and let companies know.”
Analysts on both sides of the issue agree that government officials should be chasing hackers and that companies should have some base level of responsibility to safeguard consumers.
But privacy advocates say the FTC has a responsibility to act where it can.
“They can’t go after the Nigerian spammer or the hacker in Eastern Europe who did this,” said Justin Brookman, head of consumer privacy at the Center for Democracy and Technology. “On behalf of consumers, they’re saying that failure to use reasonable security practices is unfair. It’s bad for consumers.”