Hope emerges at Senate data security hearing – but will Congress grab the brass ring?

On October 6, 2021, the Senate Commerce Committee held the second in a series of hearings devoted to privacy and consumer data, this time addressing data security. As at last week’s privacy hearing, witnesses and senators appeared to agree that federal data security standards – whether as part of privacy legislation or as a stand-alone measure – are urgently needed. If there is consensus around legislative principles, the hearing offers clues as to what a compromise might look like.

Prepared statements. In their opening statements, witnesses stressed the need for minimum standards governing data security.

  • James E. Lee, COO of the Identity Theft Resource Center, explained that without minimum requirements, companies do not have enough incentive to strengthen their data security practices to protect consumer data. Lee also argued for more aggressive federal enforcement rather than a patchwork of state actions, which he said produce disparate impacts for the same conduct.
  • Jessica Rich, former director of the FTC’s Consumer Protection Bureau and a lawyer at Kelley Drye, pointed out that current laws do not set clear standards for data security and accountability. She advocated a process-based approach to keep the law from being overtaken by changing technologies and to ensure that it adapts to the wide range of business models and data practices in use across the economy. Among her recommendations, Rich suggested that Congress give the FTC jurisdiction over nonprofits and common carriers and the power to seek penalties for first-time violations.
  • Edward W. Felten, former deputy chief technology officer of the United States, former chief technologist of the FTC’s Office of Consumer Protection and current professor of computer science and public affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing its budget to hire more technologists. Notably, Felten advocated more prescriptive requirements in data security legislation, such as an obligation for businesses to store and transmit sensitive consumer data in encrypted form and a prohibition on businesses knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, executive director of Engine, a non-profit organization representing startups, spoke about the importance of data security for most startups. Tummarello argued for FTC standards or guidelines with flexible options. Cautioning against overburdening startups, Tummarello explained that new businesses take data security seriously because they lack the name recognition and consumer relationships that large businesses may have, and a single breach could be extremely disruptive. Additionally, Tummarello pointed out that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.

Discussion of a federal data security bill.

  • Preemption. Witnesses agreed that a preemptive federal law does not necessarily mean a weaker law. Rich offered common ground, supporting preemption but stating that the law should fully empower state AGs to enforce it.
  • Private right of action. Tummarello expressed concern that lawsuits across the country would add to the “patchwork” of laws and increase compliance costs. If a private right of action were necessary, however, she would support only a narrow one with sufficient notice and safeguards, especially to protect startups vulnerable to bad-faith litigation. Lee questioned whether a private right of action was necessary, but stressed that consumers need to be protected regardless of the state they live in. Rich said that if the legislation is strong enough – with strong protections and remedies, full enforcement authority for the states, and significant resources for the FTC – it will protect consumers without the need for a private right of action. However, Rich also described a “middle ground” that could bridge the gap.
  • Sensitive data. While there were some questions about what constitutes sensitive data, witnesses agreed that biometric data and data on children should have stronger protections. Felten responded to concerns about artificial intelligence and facial recognition. Lee discussed the importance of protecting biometric data because it is permanent and cannot be changed – unlike a credit card number – if it is compromised.
  • Process-based approach. Rich stressed the need for a “living” federal law that takes a process-based approach so that it does not quickly become obsolete. She added that the FTC could regularly issue more detailed guidance highlighting particular technologies and safeguards that companies should consider. In contrast, Felten supported specific safeguards that the FTC would require through rulemaking, and Tummarello supported an FTC rule or guidelines that would give businesses a “menu” of safeguards to consider.
  • Inclusion in a privacy bill. All witnesses supported including data security provisions in a federal privacy bill, though Rich noted that a data security law could prevent significant harm to consumers even as a stand-alone measure.

Role and enforcement authority of the FTC.

  • FTC as enforcer. As at last week’s hearing, all witnesses agreed that the FTC is the agency best equipped to oversee and enforce a federal data security law.
  • Resources needed. Felten noted that the FTC only has about ten technologists on staff, but it could use 50 to 60 people in technologist roles to complement its enforcement efforts. Rich added that technologists need a career path at the FTC, and the FTC should reconsider the complicated ethics rules governing what technologists can do after leaving FTC employment.
  • First-time penalties. All witnesses agreed that the FTC should be able to seek penalties for first-time violations. Tummarello, however, said she supported first-time penalties only if there were clear rules of the road.

Overall, the hearing clearly showed that there are more points of agreement than disagreement. The key questions are: (1) Can Congress resolve disputes over a private right of action, whether by ensuring strong protections without it or by compromising on a narrow private right of action? (2) Will Congress be prepared to pass federal data security legislation on its own? We will continue to monitor developments on this issue and provide updates as they occur.
