Energy & Commerce Subcommittee Holds Hearing on Data Security and Breach Notification; FTC Releases “Internet of Things” Report

Jan 27, 2015

Reading Time : 3 min

By: Francine E. Friedman, Anthony T. Pierce, Natasha G. Kohne, Mathew C. Thomas (Senior Public Policy Specialist)

On the Democratic side, Ranking Member Janice Schakowsky (D-IL) also called for a single federal standard for breach notification and data security, but cautioned that any legislation should not weaken current state protections.  She also said that state attorneys general should retain the power to enforce state consumer protection laws that may apply in the event of a breach.  Full committee Ranking Member Frank Pallone (D-NJ) echoed her sentiments and stated that he would not support any bill that is weaker than the strongest state law in place.

The overarching theme of the hearing was whether federal standards for data security and breach notification should preempt existing state laws.  Almost all committee members present indicated that they would support strong federal preemption, with Democrats adding small caveats that any federal standard should not weaken existing state protections.  Among the witnesses, three-fourths supported federal preemption when coupled with a risk-based trigger for notification, while the fourth (Mr. Woodrow Hartzog, an associate professor at Cumberland School of Law) argued against preemption if it would weaken state protections; prohibit state enforcement, as well as federal enforcement; and be tied to a risk-based trigger for notification.

Among the first three witnesses, recommendations to the committee were generally the same:

  • Enact a federal data security and breach notification standard that preempts the existing patchwork of state laws.
  • Notification should be required only when personally identifiable information (PII) is actually accessed or acquired, and there is a reasonable potential for harm.
  • If Personally Identifiable Information (PII) is encrypted or otherwise rendered unusable, no notification should be required.
  • There should be a comprehensive definition of what constitutes PII.
  • Legislation should be flexible and technology-neutral.
  • There should be no private right of action against any company for compliance with data security and breach notification standards.
  • There should be a reasonable, flexible deadline for breach notification.
  • Civil penalties should be reasonable, tied to actual harm and capped.

Mr. Hartzog cautioned the subcommittee against preempting state laws, arguing that doing so could weaken protections already in place and could create gaps in protection for certain types of information.  He instead argued for the status quo of state regulation, along with additional rulemaking authority for the Federal Trade Commission (FTC) to develop stricter data security requirements.  While opposed to federal preemption, he did state that, if Congress does decide to preempt state laws, it should be minimal and should not be tied to a harm-based trigger for notification.

Separately, the FTC released a staff report today entitled “The Internet of Things:  Privacy & Security in a Connected World.”  The report follows a workshop the FTC held on November 19, 2013, to address growing privacy and security concerns with respect to the increasing use of devices connected to the Internet, and outlines the benefits and risks of the Internet of Things (IoT) and the comments received at and following the workshop, as well as FTC recommendations for the ideas and concerns expressed.  The FTC vote to issue the staff report was 4-1, with Commissioner Wright voting no.  In his dissent, Wright said that the FTC should not have released the report, because its recommendations are based on a single workshop.

The FTC, and participants in the workshop, identified a number of benefits and risks that the IoT poses.  Examples of benefits include “smart health” technology (allowing patients and medical practitioners to gather data and communicate more effectively), smart metering and smart appliances that help to control home energy use, home automation systems, and connected vehicles.  Despite these many and varied benefits, the Commission separates risks into two key areas: 1) security risks and 2) privacy risks.

During the workshop, participants also discussed how the longstanding Fair Information Practice Principles (FIPPs) of notice, choice, access, accuracy, data minimization (limiting the amount of data collected), security, and accountability should apply to the IoT space.  The Commission states that discussion centered on four FIPPs in particular:  data security, data minimization, notice, and choice.  While participants were agreed on the need for manufacturers of IoT devices to incorporate reasonable security measures, they were more divided on the applicability of data minimization, notice, and choice.  On minimization, participants expressed concern that limiting data collection could hamper innovation and the potential benefits of the IoT.  On notice and choice, some participants expressed concern about the feasibility of giving consumers notice of and the option to control what data is collected.  Another concern was the lack of graphic interfaces on many IoT devices, which makes delivering notice through the device difficult.

Recommendations by the Commission include encouraging manufacturers of IoT devices to incorporate security by design practices, train employees in proper security practices, minimizing data collection and de-identifying data collected, and provide consumers with multiple ways to learn about and control the ways data may be collected.

With respect to the need for federal legislation, the Commission declined to call for legislation to regulate the IoT, but again reiterated its position that data security, breach notification, and privacy standard legislation is necessary.

Share This Insight

Previous Entries

Deal Diary

June 27, 2024

On June 24, 2024, the U.S. Securities and Exchange Commission (SEC) published five new Form 8-K Compliance and Disclosure Interpretations (C&DIs) expanding the agency’s interpretations of cybersecurity incident disclosures pursuant to Item 1.05 of Form 8-K. In July 2023, the SEC adopted final rules with respect to cybersecurity incidents that generally require public companies to disclose (i) material cybersecurity incidents within four business days after determining the incident was material and (ii) material information regarding their cybersecurity risk management, strategy and governance on an annual basis. We wrote about the final cybersecurity disclosure rules here.

...

Read More

Deal Diary

February 12, 2024

The Securities and Exchange Commission (SEC) recently adopted final rules (available here; also see the fact sheet and press release) representing significant changes to  special purpose acquisition companies (SPACs), shell companies and the disclosure of projections. These rules aim to enhance disclosures, protect investors and align the regulatory framework for SPACs with traditional IPOs. The following summarizes the key aspects of these rules.

...

Read More

Deal Diary

October 4, 2023

On September 20, 2023, the U.S. Securities and Exchange Commission (SEC) issued a final rule amending the so-called “Names Rule” (found here) that is “designed to modernize and enhance” protections under Rule 35d-1 of the Investment Company Act of 1940. The final rule is part of the SEC’s holistic efforts to regulate environmental, social and governance (ESG) matters, and is the SEC’s latest attempt to curb greenwashing in U.S. capital markets. The amendments require registered investment funds that include ESG factors in their names to place 80% of their assets in investments corresponding to those factors, thereby extending to ESG funds the SEC’s long-standing approach of regulating the names of registered funds to ensure they are marketed to investors truthfully. Fund complexes with more than $1 billion in assets will have two years from the final rule’s effective date (60 days after publication in the Federal Register) to comply, while fund complexes with less than $1 billion in assets will be given a compliance period of 30 months.

Chair Gary Gensler said “[t]he Names Rule reflects a basic idea: A fund’s investment portfolio should match a fund’s advertised investment focus. In essence, if a fund’s name suggests an investment focus, the fund in turn needs to invest shareholders’ dollars in a manner consistent with that investment focus. Otherwise, a fund’s portfolio might be inconsistent with what fund investors desired when selecting a fund based upon its name.” The sole dissenting vote against the rule modification, Commissioner Mark Uyeda, said “[w]ith these amendments, the Commission overemphasizes the importance of a fund’s name, as if to suggest that investors and their financial professionals need not look at the prospectus disclosures.” Commissioner Uyeda also expressed concern that fund investors will bear the increased compliance costs associated with the rule change.

...

Read More

Deal Diary

May 31, 2023

As discussed in our prior publication (found here), the Securities and Exchange Commission (SEC) adopted amendments on December 14, 2022, regarding Rule 10b5-1 insider trading plans and related disclosures. On May 25, 2023, the SEC issued three new compliance and disclosure interpretations (C&DIs) relating to the Rule 10b5-1 amendments.

...

Read More

Deal Diary

May 24, 2023

On May 15, 2023, the Eastern District of California ruled that California Assembly Bill No. 979 (“AB 979”) violates the Equal Protection Clause of the U.S. Constitution’s Fourteenth Amendment and 42 U.S.C. § 1981. As enacted, California’s Board Diversity Statute, required public companies with headquarters in the state to include a minimum number of directors from “underrepresented communities” or be subject to fines for violating the statute. AB 979 defines a “director from an underrepresented community” as “an individual who self-identifies as Black, African American, Hispanic, Latino, Asian, Pacific Islander, Native American, Native Hawaiian, or Alaska Native, or who self-identifies as gay, lesbian, bisexual, or transgender.”

...

Read More

Deal Diary

May 9, 2023

Update: On October 31, 2023, the Fifth Circuit granted the US Chamber of Commerce's petition for review of the SEC's share repurchase disclosure rules, holding that the SEC acted arbitrarily and capriciously in violation of the Administrative Procedure Act. The court directed the SEC to correct the defects within 30 days of the opinion. On December 1, 2023, the SEC informed the Fifth Circuit that it was unable to correct the rule's defects within 30 days of the opinion. On December 19, 2023, the Fifth Circuit vacated the SEC’s share repurchase disclosure rules.

...

Read More

Deal Diary

April 12, 2023

We have released our 2023 ESG Survey which includes a collection of reports reflecting on significant ESG themes and trends from 2022, as well as what we believe to be key developments for 2023.

...

Read More

Deal Diary

February 6, 2023

As companies begin preparing for the 2023 proxy season, we note that Institutional Shareholder Services Inc. (ISS) and Glass Lewis, the leading providers of corporate governance solutions and proxy advisory services, issued updated benchmark policies (proxy voting guidelines), which can be found here and here, respectively. The updated proxy voting guidelines generally focus on board accountability and oversight considerations and address topics such as climate accountability, board diversity, shareholder rights, corporate governance standards, executive compensation and social issues. What follows is a summary of the proxy voting guidelines published by ISS and Glass Lewis for the 2023 proxy season.

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.