On June 15, 2011, the Federal Trade Commission told Congress that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach.
“If companies do not protect the personal information they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace,” FTC Commissioner Edith Ramirez said in delivering the Commission’s testimony before the House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing, and Trade.
The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities. The Commission also noted that the December 2010 preliminary FTC staff report on privacy takes the same position as the Discussion Draft that data minimization is an important component of data security.
For more information, visit the FTC website.