The Federal Trade Commission today told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach.
In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations. “Requiring reasonable security policies and procedures of this broad array of entities is a goal that the Commission strongly supports.”
“The Commission believes that notification in appropriate circumstances can be beneficial,” the testimony notes. Many states have passed notification laws that have increased public awareness of the harm breaches can cause. “Breach notification at the federal level would extend notification nationwide and accomplish similar goals.”
The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted.
Source: FTC (full press release here)
Related: Text of the Commission Testimony