FCC tests the data security enforcement waters


As we reported in this issue of FierceITSecurity, the Federal Communications Commission (FCC) has joined the Federal Trade Commission (FTC) in doling out fines for poor data security practices.

The FCC said it plans to fine TerraCom and YourTel America $10 million for storing customers' personal data, including Social Security numbers, unencrypted on a publicly accessible server.

In an announcement of the FCC's intention, Travis LeBlanc, chief of the agency's Enforcement Bureau, said: "Consumers trust that when phone companies ask for their Social Security number, driver's license, and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world. When carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices."

The FCC's data breach authority is limited to companies that engage in communications and other activities under its legal purview.

However, the Federal Trade Commission has cast a wide data security enforcement net, bringing dozens of enforcement actions against companies from many industries for mishandling consumer data.

The FTC argues that companies that say they protect customer data and then fail to take adequate steps to do so violate the FTC Act because such representations are unfair and deceptive.

One such action was a settlement with Snapchat earlier this year over allegations that it failed to adequately protect customer data, which led to the breach of 4.6 million Snapchat accounts.

However, hotel chain Wyndham, one of the targets of the FTC for poor data security practices, has challenged the authority of the commission to take such action. In 2012, the FTC sued Wyndham for failing to take basic security measures to protect guests' financial information, a failure that resulted in three data breaches over two years.

Earlier this year, Wyndham failed in its effort to have the FTC's charges dismissed. Since then, Wyndham has gained the support of the U.S. Chamber of Commerce, the American Hotel and Lodging Association, and the National Federation of Independent Business in its legal effort against the FTC.

As I have argued before, the U.S. needs a national law that requires companies to take adequate steps to protect customers' data or face fines for failure to take those steps. In addition, the legislation should include a mandatory data breach notification requirement that sets a hard deadline for reporting.

Without such legislation, we have a hodgepodge of state laws and federal agencies trying to use statutory authority fashioned before the Internet to impose data security rules. The recent slew of major data breaches attests to the inadequacy of the current system and the need for a national, comprehensive data security law. --Fred