In congressional testimony, the Federal Trade Commission’s Chairwoman, Edith Ramirez, recently reiterated the FTC’s call for stronger data security laws, while federal legislation concerning data security and breach notification remains in limbo.

Although the FTC is the nation’s leading privacy enforcement agency, it derives enforcement authority from a hodgepodge of statutes, many of which lack adequate remedies to compel compliance with data security and breach notification requirements.

Those laws include:

• The FTC’s Safeguards Rule, which implements the Gramm-Leach-Bliley Act and provides data security requirements for non-bank financial institutions (16 C.F.R. Part 314, implementing 15 U.S.C. § 6801(b));
• The Fair Credit Reporting Act (FCRA), which covers consumer reporting agencies (15 U.S.C. §§ 1681e, 1681w and 16 C.F.R. Part 682);
• The Children’s Online Privacy Protection Act (COPPA), which requires security for children’s information collected online (15 U.S.C. §§ 6501-06 and 16 C.F.R. Part 312); and
• Section 5 of the FTC Act, which gives the FTC authority to prohibit deceptive or unfair practices (15 U.S.C. § 45(a)).

The FTC’s need to resort to multiple statutes results in uneven enforcement authority. Only the FCRA and COPPA allow the FTC to seek civil penalties for data security violations. To obtain a civil penalty for unfair or deceptive practices under the FTC Act, the agency must show that company violated a prior administrative order.

In her remarks, Chairwoman Ramirez stressed the need for uniform national standards for data security and breach notifications, stronger civil remedies, and expanded rulemaking authority under the Administrative Procedure Act enabling the FTC to respond effectively to changes in technology.

Ramirez’s statements echoed bipartisan calls for national data security standards. Despite widespread support for such standards, proponents have not been able to amass enough votes to pass a comprehensive data security law.  

There are competing proposals in the Senate – the Personal Data Privacy and Security Act, which Sen. Patrick Leahy, D-Vt., introduced for the fifth time in January 2014, and the Data Security Act, which Sen. Tom Carper, D-Del., and Roy Blunt, R-Mo. re-introduced that same month.

In June 2013, Sen. Pat Toomey, R-Pa, sponsored more limited legislation that addressed only breach notification requirements.

All proposals would create national standards that preempt contrary state laws and regulations. None of the proposals would create private rights of action. 

The bills differ primarily with respect to remedies.  Leahy’s bill provides for civil penalties and allows for enhanced fines for concealing data breaches or other intentional misconduct. The bill also specifies that any remedies would be cumulative and not affect any rights or remedies available under other laws. 

By contrast, Carper and Blunt’s Data Security Act would not create any civil penalties for data security violations. The proposed law also would prohibit lawsuits in state court or under state law that relate to “any act or practice governed under the Act.” The intended scope of this preemption is unclear; but as written, the law could be construed to prohibit consumers from suing for damages resulting from data security breaches.

As Chairwoman Ramirez pointed out, national standards for data security would enhance regulatory oversight and help prevent data breaches. But it remains to be seen whether federal lawmakers can reach a compromise that strikes an appropriate balance between the desire for uniform standards and the need for effective civil remedies.