FTC Testifies on Data Security and Identity Theft
June 16, 2005
The FTC today told Congress it should consider extending security protections for sensitive consumer data and requiring that companies that possess such data notify consumers when they are victims of security breaches that could result in identity theft. In testimony on data breaches and identity theft to the Senate Committee on Commerce, Science and Transportation, FTC Chairman Deborah Platt Majoras said that recent security breaches of data brokers and other companies that collect or maintain sensitive personal information are prompting the Commission and Congress to assess the need for new legal requirements for those who possess sensitive data.
The testimony notes that laws and regulations are in place that address the security of, and access to, sensitive information maintained by credit bureaus, those who use credit reports, and businesses that engage in certain financial-related activities. “The Commission’s Safeguards Rule requires financial institutions to implement reasonable physical, technical, and procedural safeguards to protect customer information. . . . It does not cover many other entities that may also collect, maintain and transfer or sell sensitive consumer information,” the testimony states.
“The Commission recommends that Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety. Such a requirement would extend the FTC’s existing GLBA Safeguards Rule to companies that are not financial institutions. Further, the Commission recommends that Congress consider requiring companies to notify consumers when the security of this information has been breached in a manner that creates a significant risk of identity theft,” the testimony said.
The testimony also notes that “many have raised concerns about misuse of Social Security numbers. It is critical to remember that Social Security numbers are vital to current information flows in the granting and use of credit and provision of financial services.” The Commission stated that “Ultimately, what is required is to distinguish between legitimate and illegitimate collection, uses, and transfers of Social Security numbers.”
The testimony notes that globalization of the marketplace has had the effect of increasing the amount of sensitive consumer information that goes to offshore databases. “Accordingly, the Commission needs new tools to investigate whether companies are complying with U.S. legal requirements to maintain the security of this information, and cross-border fraud legislation. would give the Commission these tools,” the testimony says. Cross-border fraud legislation also would ease restrictions on U.S. law enforcers investigating foreign businesses. “For example, if the FTC and a foreign consumer protection agency are investigating a foreign business for conduct that violates both U.S. law and the foreign country’s law, current law does not authorize the Commission to share investigative information with the foreign consumer protection agency, even if such sharing would further our own investigation.” The agency urged Congress to enact the cross-border fraud legislation.
“As the recent focus on information security has demonstrated, Americans take their privacy seriously, and we must ensure that the many benefits of the modern information age are not diminished by these threats to consumers’ security,” the testimony says.
The Commission vote to approve the testimony was 5-0.