In a hearing yesterday, Rep. Darrell Issa of the House Committee on Oversight and Government Reform questioned FTC Chairwoman Edith Ramirez about standards for data security enforcement. And although I often disagree with Rep. Issa, I do agree that entities need to know what they need to do to have safe harbor from an FTC enforcement action in the event of a breach. Simply saying “reasonable security measures in place to protect consumer information” is inadequate. Saying “go read 50 consent decrees” is disgraceful. The commission should be able to articulate some type of baseline or minimal security safeguards that entities can look to for self-assessment and to trust that if they comply, they will not face a lengthy FTC action in the event of a breach.
Man has a point.