Time for Data Security Law is Now

August 13, 2014

Data security is an increasingly important issue for advertisers around the globe.  On a virtually weekly basis, there are media reports telling of new instances of hackers stealing important consumer information from vulnerable companies and government agencies.  These hacking attacks have been the largest in history.  The attack on Target, for example, affected 40 million credit cards and over 70 million records were stolen.  Just last week, a private security company issued a report stating that Russian hackers collected roughly 1.2 billion online usernames and passwords.  And on top of this, the ability of typical passwords to provide a strong baseline of security has come into question.

This ongoing theft of valuable private information has raised many important issues about how to better secure this information and protect consumers.  It also poses the question of who is to blame.  In a recent push, the FTC is looking to place that blame squarely on the company which leaves the information available to theft.  The FTC already has brought 50 major data security cases and is currently in the process of suing Wyndham Hotels and Resorts LLC for data security breaches that led to more than $10.6 million in payment card fraud losses.  

The FTC claims that firewalls, data encryption, or other “reasonable” security measures to protect consumers' financial information were not used by Wyndham.  Earlier this year, a U.S. District Court Judge ruled that the FTC has enforcement authority in the realm of data security and that the agency could proceed with the lawsuit.  In her ruling, Judge Esther Salas stated that the FTC has authority under the unfairness prong of Section 5 of the FTC Act to bring data security enforcement action, and that the FTC doesn’t need express authority from Congress to take that action under the FTC Act nor does it need to promulgate prior data security regulations.

At the end of July, the Third Circuit Court of Appeals granted a hearing of Wyndham’s appeal to dismiss the FTC data security enforcement action.  Members of the business community across the country are carefully watching for the decision in this case.  

At the same time, the Department of Health and Human Services (HHS) is expected to issue a rule in the near future regarding the compensation owed to individuals who have had their health information stolen.  Currently the precedent is that, unless a victim can show that material harm resulted from the theft of their data, no monetary compensation is rewarded.  However, HHS is considering whether a loss of privacy itself is a sufficient harm to award patients a portion of penalty settlements paid by health care providers who violate the Health Insurance Portability and Accountability Act (HIPAA).  This decision could have far reaching precedential impacts.  If the loss of any personal information alone can trigger the need for individual monetary settlements, even if the data is never used to take money from or otherwise harm the individual, all collectors of data including advertisers will be facing far greater financial risks.   

In May, ANA joined with fifteen other industry groups to call for Congress to pass federal data breach legislation this year.  ANA firmly believes the time for Congressional action is now.  A unified, federal law that preempts the patchwork of 47 inconsistent state laws would help businesses better comply with data breach standards and ensure the safety of customer data.  Advertisers are fully on board with complying with a well-crafted federal standard.  However, the government must be careful to avoid consumers being bombarded by insignificant breach notifications by assuring that the standard focuses only on significant breaches that can cause real harm to consumers.

You must be logged in to submit a comment.