Security news that informs and inspires

FTC Wants More Security and Privacy Authority


The new chairman of the Federal Trade Commission is angling for additional authority to go after companies that run afoul of data security and privacy regulations, including the ability to impose civil penalties for violations.

Joseph Simons, who took over as FTC chairman in May, said in testimony before the House Energy and Commerce Committee on Wednesday that the commission has been successful in pursuing investigations of companies related to data security and privacy. He cited recent settlements with both Uber and PayPal as examples and also said the FTC has been aggressive in its efforts to protect children’s privacy online. All of these enforcement actions have come under the authority of Section 5 of the FTC Act, which says "unfair or deceptive acts or practices in or affecting commerce...are...declared unlawful."

However, Simons said that while that section gives the FTC broad authority to protect consumers, it doesn’t cover everything, especially as technology continues to advance and new avenues of investigation open up. “Privacy and data security will continue to be an enforcement priority at the Commission, and it will use every tool at its disposal to redress consumer harm. Many of the FTC’s investigations and cases involve complex facts and well-financed defendants, often requiring outside experts, which can be costly. It is critical that the FTC have sufficient resources to support its investigative and litigation needs, including expert work, particularly as demands for enforcement in this area continue to grow,” Simons said.

“Section 5, however, cannot address all privacy and data security concerns in the marketplace. For example, Section 5 does not provide for civil penalties, reducing the Commission’s deterrent capability.”

Specifically, Simons said that the FTC doesn’t have any authority to investigate non-profit organizations or common carrier telecom companies. He also pointed out that the commission doesn’t have any rulemaking authority under the Administrative Procedure Act. Simons, a lawyer who was in private practice before becoming FTC chairman, also signaled his support for a federal information security law.

“The Commission continues to reiterate its longstanding bipartisan call for comprehensive data security legislation,” he said.

Congress has been reluctant to pass any broad data security legislation, instead leaving it to individual states. Most states now have data-breach notification laws and many also have other types of data security legislation in place, but many people in the security community have been urging Congress to act, as well. In the meantime, Simons said the FTC will continue to focus on security and privacy issues within its authority.

“The Commission must continue to prioritize, examine, and address privacy and data security with a fresh perspective,” he said.