FTC Calls for National Data Security Standards as Proposed Legislation Stalls


In congressional testimony, the Federal Trade Commission’s Chairwoman, Edith Ramirez, recently reiterated the FTC’s call for stronger data security laws, while federal legislation concerning data security and breach notification remains in limbo.

Although the FTC is the nation’s leading privacy enforcement agency, it derives enforcement authority from a hodgepodge of statutes, many of which lack adequate remedies to compel compliance with data security and breach notification requirements.

Those laws include:

The FTC’s need to resort to multiple statutes results in uneven enforcement authority. Only the FCRA and COPPA allow the FTC to seek civil penalties for data security violations. To obtain a civil penalty for unfair or deceptive practices under the FTC Act, the agency must show that company violated a prior administrative order.

In her remarks, Chairwoman Ramirez stressed the need for uniform national standards for data security and breach notifications, stronger civil remedies, and expanded rulemaking authority under the Administrative Procedure Act enabling the FTC to respond effectively to changes in technology.

Ramirez’s statements echoed bipartisan calls for national data security standards. Despite widespread support for such standards, proponents have not been able to amass enough votes to pass a comprehensive data security law.  

There are competing proposals in the Senate – the Personal Data Privacy and Security Act, which Sen. Patrick Leahy, D-Vt., introduced for the fifth time in January 2014, and the Data Security Act, which Sen. Tom Carper, D-Del., and Roy Blunt, R-Mo. re-introduced that same month.

In June 2013, Sen. Pat Toomey, R-Pa, sponsored more limited legislation that addressed only breach notification requirements.

All proposals would create national standards that preempt contrary state laws and regulations. None of the proposals would create private rights of action. 

The bills differ primarily with respect to remedies.  Leahy’s bill provides for civil penalties and allows for enhanced fines for concealing data breaches or other intentional misconduct. The bill also specifies that any remedies would be cumulative and not affect any rights or remedies available under other laws. 

By contrast, Carper and Blunt’s Data Security Act would not create any civil penalties for data security violations. The proposed law also would prohibit lawsuits in state court or under state law that relate to “any act or practice governed under the Act.” The intended scope of this preemption is unclear; but as written, the law could be construed to prohibit consumers from suing for damages resulting from data security breaches.

As Chairwoman Ramirez pointed out, national standards for data security would enhance regulatory oversight and help prevent data breaches. But it remains to be seen whether federal lawmakers can reach a compromise that strikes an appropriate balance between the desire for uniform standards and the need for effective civil remedies.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinshaw & Culbertson LLP | Attorney Advertising

Written by:


Hinshaw & Culbertson LLP on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.