Does the FTC Have Authority to Enforce Cybersecurity Measures?

In 2017, hackers accessed the personal data, including the Social Security numbers, of nearly half of the U.S. population. They stole the data from Equifax, a consumer reporting agency (CRA). The company collects data about consumers from different businesses, creates credit reports, and sells those reports to third parties to assist with financial decisions.

CRAs deal with large amounts of sensitive information and are constant targets of cyber-thievery. Customers have little transparency into the process CRAs use to collect information, and they have even less understanding of how well their personal data is protected. The free market cannot protect against improper use of data because consumers have little insight into, and little choice over, how these companies access their data.

On March 26, Michael Clements, the Director of Financial Markets and Community Investment at the Government Accountability Office (GAO), and Andrew Smith, the Director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), testified at a hearing of the Subcommittee on Economic and Consumer Policy. They agreed that federal regulators require more tools to improve data security at CRAs. Right now, the FTC advises that CRAs have security measures in place to protect consumer data, but it cannot impose consequences in the event that a CRA violates a rule.

The FTC’s Smith stated that the agency provides businesses with specific guidance on data security and helps educate consumers on the topic as well. Having civil penalty authority for violations would benefit the situation, however, because the FTC would be equipped with “a practical enforcement tool that would benefit consumers.”

According to Smith, the FTC also supports thorough data security legislation that would give the agency three crucial capabilities:

  1. Enforcement of penalties to prevent and deal with unlawful conduct.
  2. Authority over non-profits and common carriers.
  3. Ability to release targeted rules under the Administrative Procedure Act (APA).

Smith summarized the situation: “To help ensure effective deterrence, we urge Congress to enact legislation to allow the FTC to seek civil penalties for data security violations in appropriate circumstances.”

Rep. Ayanna Pressley questioned GAO’s Clements as to whether consumers explicitly give their consent for their data to be given to CRAs. They do not. Consumers have no legal right to remove their data from a CRA.

“Consumers do not voluntarily opt-in to have their information shared to the CRAs, nor can they opt-out,” Pressley stated. “Instead, businesses are providing it, whether consumers want them to or not. And once the CRAs have their information, consumers are essentially locked out, correct?”

Clements confirmed that that was correct.

Not only does this hearing raise the question of how involved the FTC should be with regard to CRA regulations, but it also underscores a larger issue of how companies acquire and use citizen data with little transparency into their decision-making.

What do you think about these issues? Let us know in the comments below.

Nicole Blake Johnson

It’s crazy to process the fact that nearly half of the U.S. was affected by one breach. It will be interesting to see where this conversation leads and if the FTC will get the authorities it needs.

Spencer Grady-Pawl

Hopefully incidents like this one will lead to greater regulation — people have enough anxiety about credit scores as it is!