In the wake of several recent, headline-grabbing hacking attacks on big companies like Sony (NYSE: SNE) and Citibank, the issue of data security is likely to get a lot more attention from policymakers. During Congressional hearings today on data security, FTC Commissioner Edith Ramirez told a House subcommittee that Congress should pass a federal data security law.
Remarkably, there is today no general-purpose federal privacy or data security law on the books. Certain sensitive categories of information are governed by federal law: financial institutions have to follow the Gramm-Leach-Bliley Act, for instance, while health care providers have to comply with HIPAA. But when companies experience data breaches like the repeated hacking attacks against Sony, there is no federal law to follow.
That’s not to say the companies don’t have to worry about the law at all. A company that experiences a data breach has to contend with 47 different state breach-notification laws. The confusion and expense of it all can be a big headache, and that’s why the FTC’s proposal may well find support in the business community.
The FTC proposal would basically mirror the state laws, in that it would require companies to have “reasonable data security policies and procedures” and to notify consumers if a data breach affects them. Allowing the FTC to bring enforcement actions against companies that lack “reasonable” policies would expand the agency’s power, because right now the FTC can only bring actions against companies that violate one of the information-specific laws, or that violate their own published statements about how they handle data security. That mirrors the online privacy area, where the FTC has been able to prosecute some cases, including one against Google, because the company launched a product that broke its own stated privacy practices.
In her testimony, Commissioner Ramirez also noted that the FTC announced two enforcement actions in the area of data security today, against Ceridian Corp. and Lookout Services Inc. Since 2001, the FTC has brought a total of 34 data-security enforcement actions against companies.