At the National Consumers League Conference on identity theft, held on December 12, 2013 in Washington, D.C., Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez pushed for a federal data breach law featuring the FTC as the “enforcer.” Chairwoman Ramirez engaged in a keynote discussion with former FTC Chairwoman Deborah Platt Majoras and made her position clear that a federal data breach notification law that complements existing state laws would benefit consumers. The keynote can be viewed in its entirety here (the discussion related to a national data breach notification law begins at 21:35).
As it stands, 46 U.S. states, the District of Columbia, and 3 U.S. territories have enacted data breach notification laws requiring that companies notify affected individuals, and in some cases the state Attorney General, of “data breaches” involving “personal information,” as those terms are defined in each statute. In most states or territories, the Attorney General’s office or other regulator may bring civil actions against companies based on those breaches, with some states allowing for private causes of action as well. Chairwoman Ramirez envisions a system where there is “FTC enforcement along with state concurrent jurisdiction to enforce” data breach notification laws. That FTC power would include “civil penalty authority.”
The FTC currently takes action on data breaches by bringing suits against companies under § 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45. Such actions typically allege that a company’s failure to have adequate data security measures in place to protect consumers’ personal information constitutes an “unfair” or “deceptive” trade practice. The FTC’s authority to bring these cases is being challenged in FTC v. Wyndham. (See here for more information on Wyndham.) Should the FTC be stripped of its claimed authority under § 5, the FTC will likely redouble its efforts for added enforcement authority under a new federal data breach law.
Written by Louis Dennig, Associate, Privacy & Data Security | Alston & Bird LLP