BreachExchange mailing list archives

CRS sheds light on enforcement authority in data breach notification legislation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 7 Jan 2016 19:26:01 -0700

http://www.fiercegovernmentit.com/story/crs-sheds-light-enforcement-authority-data-breach-notification-legislation/2016-01-05

As lawmakers return to the Hill, several data security and breach
notification bills remain up for consideration in the 114th Congress. Among
the major legal issues members of Congress must consider in proposed
legislation is the existing jurisdiction and enforcement authority of the
Federal Trade Commission and the Federal Communications Commission,
reported the Congressional Research Service.

Most of the bills would task FTC with most of the enforcement duties, said
a recent CRS report (pdf), but the legislation differs on whether the FCC
should retain its existing enforcement authority over data security and
breach notification for telecommunication providers. The transparency group
Federation of American Scientists obtained the report and made it publicly
available.

The FTC's enforcement authority comes from its "unfair or deceptive acts or
practices" oversight – which excludes companies the FCC classified as
"common carriers." Meanwhile, the FCC is allowed enforcement actions
against common carriers as authorized by its rules for protecting customer
proprietary network information and Communications Act requirements that
"charges, practices, classifications, and regulations" be just and
reasonable, said the report.

Some bills, such as Rep. Marsha Blackburn's (R-Tenn.) H.R. 1770, would
expand the FTC's jurisdiction and eliminate some or all of the FCC's
ability to enforce its existing data security rules. With the exception of
regulations covering 911 calls, all common carrier data breach security and
notice enforcement would come from the FTC, said CRS.

"Removing the FCC's authority in this area may reduce the types of data
that are subject to security and breach notification requirements, as
compared with a proposal that imposes new requirements while maintaining
the FCC's authority," said the report.

CRS added that the bill's supporters "have emphasized the benefits of
imposing a uniform, predictable standard across all covered entities,"
while opponents argue that "restricting FCC authority weakens consumer
protection by eliminating clear, predictable rules with which companies are
accustomed to complying."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss