While HHS is the primary federal agency that enforces HIPAA Security and Privacy Rules, the FTC has expanded its enforcement activities in data security and privacy, including taking on now-defunct medical testing firm LabMD over poor data security that led to PHI breaches.
The FTC was recently rebuffed by a federal appeals court in its effort to compel LabMD to overhaul its data security program.
Despite this setback, the FTC is looking for additional authority from Congress in the privacy and data security area, FTC Chairman Joseph Simons told the House Energy and Commerce Committee's digital commerce and consumer protection subcommittee on Wednesday.
Specifically, the FTC wants the ability to impose civil penalties in privacy and data security cases, authority over nonprofits and common carriers, and authority to issue implementing rules under the Administrative Procedure Act (APA). Currently, the FTC issues rules under the Magnuson-Moss Warranty Act, which is more burdensome than the APA process, Simons noted.
“Under my leadership, privacy and data security will continue to be an enforcement priority. The FTC will use every tool in its arsenal to address consumer harm,” Simons asserted.
The FTC chairman related that his agency has brought more than 60 cases alleging that companies failed to implement reasonable data security safeguards, as well as more than 50 general privacy cases.
“We have aggressively pursued privacy and data security cases in myriad areas, including financial privacy, children’s privacy, health privacy, and the Internet of Things,” he told the committee.
“We must confront the risk to our economy, our society, and national security of inadequate data security and privacy. The cost of inaction is growing,” warned FTC Commissioner Rohit Chopra.
The hearing included the FTC chairman and commissioners as witnesses. In addition to Chopra, Commissioners Maureen Ohlhausen, Noah Phillips, and Rebecca Slaughter appeared before the House panel.
Chopra cited an industry study which found that more than 15 million Americans were victims of identity theft in 2016, resulting in $16 billion in losses. Many of these victims had their records accessed in a data breach years before they suffered identity theft.
“Large-scale breaches of unencrypted data are increasing these risks, and we must do more to secure personal data from falling into the wrong hands,” Chopra told the House panel.
Chopra agreed with Simons that the FTC needs greater authority in the privacy and data security area. He urged Congress to give the agency the ability to impose financial penalties and develop “sensible safeguards that can evolve with the marketplace.”
“I’m confident that if Congress entrusts the Federal Trade Commission with the authority and resources to do more to protect families and businesses [in the area of privacy], we will deploy them efficiently and effectively while continuing to promote a dynamic digital economy that truly benefits all of us,” Chopra said.
Subcommittee Chairman Bob Latta (R-OH) asked Simons about the recent LabMD court case and the FTC’s enforcement approach.
“Our mantra is vigorous enforcement,” Simons said. The FTC has relied on enforcement, rather than rulemaking, as the means to exercise its privacy and data security authority. Simons said he would prefer that the FTC had both means to act in this area.
During the hearing, Rep. Janice Schakowsky (D-IL), ranking Democrat on the subcommittee, noted that she has introduced a bill to expand the authority of the FTC in privacy and data security.
The bill, Secure and Protect Americans’ Data Act (HR 3896), would give the FTC rulemaking authority and the ability to levy civil penalties on companies for data breach notification.
“It is my belief that on data security, this committee and Congress should be giving the FTC the tools it needs to do more,” she said.
“With the FTC as our partner, we in Congress must work to strengthen the agency to face 21st century challenges,” she said.
In addition to giving the FTC additional authority, the bill would require companies and other entities that collect personal data to put in place strong security measures, including systems that prevent intrusion and actively monitor for breaches.
The bill would require stronger protections for health information, personally identifiable information, account information, biometric data, geolocation, and nonpublic user created content such as communications, photos, and videos.
HR 3896 would also mandate prompt notification to law enforcement officials and breach victims and ensure that victims have access to free credit monitoring.
Schakowsky said her bill would give the FTC authority to write rules on data security and breach notification using the APA rulemaking procedures and asked the FTC chairman and commissioners whether they would support that measure. All replied that they would support it.
The bill was referred to the subcommittee on October 6 of last year. So far, no action has been taken on the legislation.