Despite growing pushback from companies and powerful industry groups, the Federal Trade Commission continues to insist that it wants to be the nation's enforcer of data security standards.
The FTC, over the past years, has gone after companies that have suffered data breaches, citing the authority granted to it under a section of the FTC Act that prohibits "unfair" and "deceptive" trade practices. The FTC extracted stiff penalties from some companies by arguing that their failure to properly protect customer data represented an unfair and deceptive trade practice.
On Thursday, FTC Chairwoman Edith Ramirez called for legislation that would bestow the agency with more formal authority to go after breached entities.
"I'd like to see FTC be the enforcer," Law360 quoted Ramirez as saying at a privacy event organized by the National Consumers League in Washington. "If you have FTC enforcement along with state concurrent jurisdiction to enforce, I think that would be an absolute benefit, and I think it's something we've continued to push for."
According to Ramirez, the FTC supports a federal data-breach notification law that would also give it the authority to penalize companies for data breaches. In separate comments at the same event, FTC counsel Betsy Broder reportedly noted that the FTC's enforcement actions stem from the continuing failure of some companies to adequately protect data in their custody.
"FTC keeps bringing data security cases because companies keep neglecting to employ the most reasonable off-the-shelf, commonly available security measures for their systems," Law360 quoted Broder as saying.
An FTC spokeswoman was unable to immediately confirm the comments made by Ramirez and Broder but said the sentiments expressed in the Law360 story accurately describe the FTC's position on enforcement authority.
The comments by the senior officials come amid heightening protests against what some see as the FTC overstepping its authority by going after companies that have suffered data breaches.
Over the past several years, the agency has filed complaints against dozens of companies and extracted costly settlements from many of them for data breaches. In 2006 for instance, the FTC imposed a $10 million fine on data aggregator ChoicePoint, and more recently, online gaming company RockYou paid the agency $250,000 to settle data breach related charges.
Some companies have begun fighting back.
Wyndham Worldwide Corp and LabMD are both fighting cases in federal court challenging the FTC's attempts to penalize them for recent data breaches. Both companies argue that the FTC is trying to hold them to security standards that do not even exist, at least firmly. They have noted that neither the FTC nor the federal government has ever published a formal set of data security standards and that it is unfair for the FTC to fault them for failing to live up to those standards.
LabMD also contends that the FTC lacks jurisdiction to regulate patient information.
Several influential trade groups, including the Chamber of Commerce, TechFreedom, the American Hotel and Lodging Association, the National Federation of Independent Businesses, the International Franchise Association and Cause of Action support the positions taken by Wyndham and LabMD against the FTC.
Scott Vernick, an attorney specializing in data security with Fox Rothschild in Philadelphia, tracked the opposition to the FTC's growing tendency to charge companies with unfair trade practices over a data breach.
"If you had a national standard, you would know at a minimum what to do" to meet those requirements, Vernick said. But without such a standard, many feel that the FTC is trying to enforce its own arbitrary set of security requirements on companies. "Today, we don't know something is unfair until the FTC tells us it is unfair," he said. "A lot of the time we are guessing about what they want."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.
Read more about data security in Computerworld's Data Security Topic Center.