FTC Weighs In
This shouldn't really be a surprise, but even reps from the FTC feel current privacy laws aren't effective:

The existing constellation of privacy laws, which relies heavily on disclosure of data collection and use practices and on informed consumer choice, "in some very basic sense isn't working," said Kathryn Ratte, a senior attorney in the FTC's consumer protection bureau. "We've put too much burden on the consumers to understand these policies," Ratte said here at an event organized by Canada's privacy commissioner. "To compare the privacy policies of two companies is an almost impossible task." These sentiments are likely to be reflected in a widely anticipated report that the agency plans to publish later this year. The report is expected to offer Congress recommendations on new laws and may state that the FTC intends to expand its current authority around policing "deceptive" practices to address more Internet-related business practices.

I'm very curious as to how this will all play out, particularly because it seems that certain steps are taken, but then the follow-through stalls:

Last year, the U.S. House of Representatives approved H.R. 2221, a data breach notification bill, but the Senate has not acted. The measure states that anyone who "possesses data in electronic form containing personal information shall, following the discovery of a breach of security...notify each individual" who was affected by the security breach. (California already has such a law.)

Key to the end of that last paragraph is "California already has such a law." It seems the most effective measures are being taken at the individual state level:

The Massachusetts Privacy Law, which went into effect January 1, 2010, is expected to become a model law followed by other states. This law, which was enacted because of the continued high rate of identity theft caused by corporate data breaches, requires companies to use encryption when personally identifiable information (PII) is taken outside of a company's internal systems. One state has gone further than any other state: Nevada. The Silver State has taken a leadership position with regard to data security with two laws. The first, called the Nevada Electronic Transmission Encryption Law, went into effect October 1, 2008, and requires the use of encryption for all PII that is transmitted electronically (except for fax). A second Nevada law, which went into effect January 1, 2010, requires all companies in Nevada to comply with the provisions of the Payment Card Industry (PCI) Data Security Standard (DSS) when it comes to card transactions.

I will definitely be on the lookout for the new FTC report.