FTC Commissioners Skeptical of ‘Floor’ Provision for Data-Breach Notification
FTC comrs. quibbled Thurs. with senators over identity (ID) theft provisions in current legislation. A Senate Commerce hearing also featured senators who aren’t on the committee pushing for more stringent ID theft provisions and a state attorney general defending states’ role in drafting ID theft laws. The hearing’s timing was fortuitous for the FTC, which announced a settlement Thurs. with a firm that suffered a breach (see separate story). Also Thurs., a security breach at the FDIC was made public. The agency told employees last week their sensitive personal data had been breached early last year and was used to get fraudulent loans in a “small number of cases,” the Washington Post reported.
Sen. Smith (R-Ore.), who chaired the hearing, said sensitive personal data has “important commercial and public functions.” He blamed “sloppy record keeping” and hackers for breaches. Sen. Burns (R-Mont.) warned “we could throw the baby out with the bath water” if Congress restricts “positive uses” of sensitive data.
Sen. Schumer (D-N.Y.) testified on his Comprehensive Identity Theft Prevention Act (S-768), co-sponsored with Commerce member Sen. Bill Nelson (D-Fla.). The bill, offered in April (WID April 14 p1), would: (1) Create an FTC Office of ID Theft, a “one-stop shop” for victims to get help, he testified. (2) Require data brokers to register with the FTC, as credit bureaus do, and institute safeguards against unauthorized access. (3) Give consumers access to reports showing which brokers have their data. (4) Require companies to tell customers, before they supply information, whether their personal data will be transferred to another party. The bill “makes prevention a centerpiece” of ID theft efforts, Schumer said in prepared remarks.
The FTC should “encourage” companies to use encryption with sensitive data, although firms wouldn’t be penalized for not encrypting, Schumer told reporters earlier. But in disagreeing with some other proposals, Schumer said a company’s encryption of data should not exempt it from disclosing breaches.
Schumer and Bill Nelson announced a new provision in the bill that would require higher security standards for physically transporting data. Schumer testified that companies now can ship such information no differently than oranges. Companies using “special tracking procedures” along the travel route to ensure the shipment’s integrity would probably be safe, Nelson told reporters.
Sen. Feinstein (D-Cal.) said she’s still working on a 2nd version of her bill. S-571 would notify consumers when personal data -- including Social Security number (SSN), drivers license number (DLN), bank account and credit card information -- is breached. No exceptions would be made for “low-risk” breaches or encrypted data. Consumers also could put themselves on a 7-year fraud alert. Items still under discussion for the revised bill include: (1) Whether a federal notification standard should be a “floor” that states can build on, or a “ceiling” that limits additional state-by-state provisions. (2) What should trigger notification. (3) Whether the law should have a safe harbor provision, which consumer groups oppose and business favors. Feinstein said banks and insurance companies that supported Cal.’s pioneering data-breach law -- passed before the latest spate of breaches -- now oppose a federal version.
States need flexibility to add provisions to any federal ID theft bill, Vt. Attorney Gen. William Sorrell testified. Sorrell, also National Assoc. of Attorneys Gen. pres., said “the Vt. economy has not suffered” since the state implemented an opt-in provision for transfer of data to 3rd parties. State attorneys general want to ensure “what is done federally remains a floor, not a ceiling” to limit opt-in and other provisions, he said. Burns asked Sorrell if data brokers should be treated the same as credit bureaus. Sorrell said registering all brokers would be difficult and the economic impact would need study. He dismissed the difficulty in complying with 50 different state laws, saying companies can program their systems to serve “niche, niche, niche markets” based on zip codes.
FTC comrs. were cool to Schumer’s proposed ID theft office to counsel victims. Chmn. Deborah Majoras, originally a backer (WID April 14 p1), said the agency already gives victims guidelines for repairing their identities, but can’t deal with all 10 million estimated victims. Comr. Orson Swindle said the agency received 250,000 ID theft complaints in the past 12 months. Assuming 1/2 were legitimate, and each took a month -- the FTC’s estimate -- to fix, the agency would need 1,000 more staffers for that office alone, he said. It “would become a transformed agency” without time to address antitrust or other duties. Noting Schumer’s bill proposes $60 million for the office, Comr. Jon Leibowitz said: “You'd probably have to add one more zero after that.” The comrs. supported Bill Nelson’s proposal for a blue-ribbon panel of industry and private citizens to create data-brokerage best practices. Swindle was especially adamant that “security begins with people” and must become a concern for CEOs, not IT administrators.
Commissioners clashed with Sorrell on a federal notification standard being a “floor” on which states would build. Though no one likes state preemption, Majoras said she is “not sure why you'd spend time imposing [a federal standard] at all” if states could pile on requirements. As a practical matter, companies will adopt a single security procedure based on the state with the most requirements, she said. Leibowitz said states should remain free to experiment with provisions beyond notification standards such as when consumers can put a credit freeze on accounts. Comr. Pamela Harbour emphasized the leading role of state attorneys general in enforcing national standards.
Burns grilled commissioners on how they monitor companies holding sensitive personal data. Majoras said the agency asks companies under investigation how their security works and has experts to test those systems. But she said the FTC doesn’t have “an ongoing dialogue” with regulated industries to monitor their security the way banking agencies do. Companies don’t need to have a breach for the agency to investigate them, Majoras said. Burns said he isn’t seeking expansion of FTC authority for preemptive investigation of firms not under suspicion: “The industry has to drive this” push for secure systems. But he allowed that to stifle ID theft all data brokers may have to be regulated as credit bureaus. Majoras earlier turned down Nelson’s idea for data brokers to register with the FTC.
Definitions repeatedly came up as a problem. When Smith asked Majoras what she means by “significant risk” for purposes of breach notification, she said the agency needs more investigation. She added that Cal.’s data breach law, considered the broadest nationwide, has a sizable list of exemptions for breaches considered low-risk.
Comrs. agreed federal and local agencies should discourage use of SSNs when not necessary to identify or track individuals. In response to Sen. Ben Nelson (D-Neb.), Comr. Thomas Leary added the FTC doesn’t have “free roaming authority” to restrict SSN sale itself, only for deceptive uses of those data. And he warned that regardless of commercial rules, SSNs still would be available in unsecured public records nationwide.
Given the authority, the FTC would extend the safeguards rule in the finance-oriented Gramm-Leach-Bliley Act (GLBA) to all data brokers, Majoras said. The Commission used a different standard for a settlement Thurs. with BJ’s Wholesale Club -- one that required harm to occur before charging a company, she added. Sen. Allen (R-Va.) asked if any breaches could have been avoided with such authority. Majoras said she wasn’t sure. Leary added that company lawyers quickly would ensure clients were in compliance if the safeguards rule were extended to data brokers. The FTC also would like more power to work with other countries’ trade and law enforcement agencies on cross-border fraud, Leibowitz said. Harbour added the ChoicePoint breach, which involved a Nigerian scam artist, might have been stopped with such authority in place.
Smith brought up a relatively rare concern for ID theft: inadvertent access through peer-to-peer (P2P) sharing. Majoras said the Commission has worked with P2P firms, of which “almost none” had made disclosures about the risk a few years ago. That “has changed a great deal,” with inadvertent sharing declining in FTC estimates, Harbour added. The agency will finish its current work with the industry before asking for more authority, Majoras said.