With no overarching regulations or laws governing the cybersecurity practices of organizations, it can often be unclear what consumers should expect from those in possession of their data. Likewise, making sure technologies and policies adhere to the best practices of the industry can be difficult for businesses without experience in cybersecurity.
However in recent years, the Federal Trade Commission (FTC) has stepped up as an enforcement entity, holding corporations accountable when they are negligent with customer information. Now the FTC is hoping to become the official regulatory body for data security.
On Dec. 12, FTC Chairwoman Edith Ramirez requested legislation that would make the FTC’s current practice of policing data breaches one of its official duties. The FTC cites its authority to police trade practices that are “unfair” and “deceptive” to consumers as the basis for doing this, and has said that it only fines companies that repeatedly fail to secure customer information.
"I'd like to see FTC be the enforcer," Law360 quoted Ramirez as saying at a privacy event organized by the National Consumers League in Washington. "If you have FTC enforcement along with state concurrent jurisdiction to enforce, I think that would be an absolute benefit, and I think it's something we've continued to push for."
But, while the FTC has been increasingly willing to fine companies that expose consumers to cyber risk, as mentioned before, there are no truly clear rules or regulations at the federal level for companies to guide their actions.
This became clear in a recent case with Wyndham Worldwide Corp., in which the Hotelier pushed back on FTC fines.
“I'm not disputing that data security is an important issue," said Eugene Assaf, a lawyer for Wyndham said during oral arguments on the FTC suit. "My quarrel is that the FTC is actually not the agency that's supposed to be doing it."
LabMD also recently rebuffed FTC fines.
One thing is clear, regardless of whether or not the FTC becomes that body responsible for cybersecurity oversight; standards are needed to hold businesses accountable if the commission has any hope of effecting actual change in the space.
For more on cybersecurity check out these stories: