Photo of Laura Riposo VanDruff

Email
(202) 342-8435
Bio  LinkedIn

On October 6, 2021, the Senate Commerce Committee conducted its second in a series of hearings dedicated to consumer privacy and data, this time addressing Data Security.  Similar to last week’s privacy hearing, the witnesses and Senators appeared to agree that federal data security standards – whether as part of privacy legislation or on their own – are urgently needed. If there were to be consensus around legislative principles, the hearing provides clues about what a compromise might look like.

Prepared Statements. In their opening statements, the witnesses emphasized the need for minimum standards governing data security.

  • James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, explained that without minimum requirements, companies lack sufficient incentives to strengthen their data security practices to protect consumer data. Lee also advocated for more aggressive federal enforcement rather than the patchwork of state actions, which, he said, produce disparate impacts for the same conduct.
  • Jessica Rich, former Director of the FTC’s Bureau of Consumer Protection and counsel at Kelley Drye, emphasized that current laws do not establish clear standards for data security and accountability. She advocated for a process-based approach to prevent the law from being outpaced by evolving technologies and to ensure that it accommodates the wide range of business models and data practices across the economy. Among her recommendations, Rich suggested that Congress provide the FTC with jurisdiction over nonprofits and common carriers and authority to seek penalties for first-time violations.
  • Edward W. Felten, former Deputy U.S. Chief Technology Officer, former Chief Technologist of the FTC’s Bureau of Consumer Protection, and current Professor of Computer Science and Public Affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing the budget to hire more technologists. Notably, Felten advocated for more prescriptive requirements in data security legislation such as requiring companies to store and transmit sensitive consumer data in encrypted form and prohibiting companies from knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, Executive Director at Engine, a non-profit organization representing startups, addressed the importance of data security for most startups. Tummarello advocated for FTC standards or guidance with flexible options. Cautioning against overburdening startups, Tummarello explained that newer companies take data security seriously because they do not have the name recognition or relationships with consumers that larger companies may have, and a single breach could be extremely disruptive. Additionally, Tummarello highlighted that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.


Continue Reading Hope Emerges at Senate Data Security Hearing – But Will Congress Grab the Brass Ring?

During last month’s California Privacy Protection Agency Board (CPPA) meeting, the only substantive agenda item, addressed in closed session, was a discussion of two key appointments: the first Executive Director and a Chief Privacy Auditor, as required by CPRA’s 1798.199.30. On October 4, 2021, the five-person CPPA board announced that they appointed

Last week, we wrote about FTC Chair Khan’s memo describing her plans to transform the FTC’s approach to its work. This week, she followed up with a no-less-ambitious statement laying out her vision for data privacy and security, which she appended to an agency Report to Congress on Privacy and Security (“report”). Together, these documents outline a remarkably far-reaching plan to tackle today’s data privacy and security challenges. As noted in the dissents, however, some of the stated goals may exceed the bounds of the FTC’s current legal authority.

Continue Reading FTC Chair Khan’s Vision for Privacy – and Some Dissents

On September 29, 2021, the Senate Commerce Subcommittee held a hearing titled Protecting Consumer Privacy. The senators addressed the potential $1 billion earmarked to strengthen the FTC’s privacy work, the future of a federal privacy and data protection law, and a myriad of other privacy related topics such as children’s privacy.

Prepared Statements. In

On September 22, the California Privacy Protection Agency (CPPA) issued an invitation for public comments as part of its first “preliminary” rulemaking activities.  Established by the California Privacy Rights Act (CPRA) ballot initiative last November, the CPPA has the authority to write rules that address some of the most technical and controversial topics addressed in

In an aggressive expansion of its security and privacy enforcement programs, on September 15, 2021, the FTC issued what it characterized as a “Policy Statement” reinterpreting an old rule about personal health records.

First, some background. In 2009, Congress directed the FTC to create a rule requiring companies to provide notice when there