Jenna Green reports what’s on the FTC’s wish list for legislation:
… Ramirez said she favors making the FTC the sole federal agency in charge of enforcing a uniform set of national data breach notification requirements. Such requirements would compel businesses to notify consumers of a data breach promptly, and also to notify credit bureaus. The FTC has urged Congress to give the agency civil penalty authority against companies that fail to maintain reasonable security.
Ramirez also said she supported making the federal rules supersede state requirements—and to make the rules enforceable by both the FTC and state attorneys general. Further, she said a violation of data breach requirements should be deemed an unfair or deceptive act in commerce, and thus subject to FTC authority under the FTC Act.
Read more on Law.com, as there’s much more to their wish list but I’m just focusing on breach notification in this post.
Of course, some of the proposed federal data breach notification laws did make the FTC the responsible federal agency for enforcement, but not all of them did. And as I’ve argued repeatedly for lo, these many years, a federal data breach notification law that supersedes the patchwork of state laws is a great idea – but only if it is as strong as the strongest existing state law so that consumers do not lose protections they currently have. The federal law would also need to encompass data in all formats and clarify who has the responsibility to notify consumers when the data loss or breach occurs at a contractor or vendor. And of course, it needs to have some safe harbor provisions that would encourage entities to implement rigorous security.
And while we’re on the subject, see Adam Greenberg’s report on why breach notification laws are likely to remain state-by-state.