As federal officials grapple with ways to better protect the privacy and security of Internet users, participants at a Senate Commerce Committee hearing Wednesday appeared to be in broad agreement over the need for data breach laws .
But there was less agreement over online privacy laws, with lawmakers, regulators and companies debating “do not track” proposals and general privacy laws that consumers say they want but companies fear will hurt their bottom lines.
“On data security, there is broad support for a national standard . . . and certainly an issue that Congress is likely to address legislatively in the near future,”said Pat Toomey (R-Penn), ranking member of the subcommittee for consumer protection.
“On the broad issue of privacy, I’m not sure there’s a broad consensus. I’m sure no one on the committee wants to break the Internet,” Toomey said.
His support for data breach bills, introduced in the Senate by John Rockefeller (D-W.Va.) and a similar bill in the House, comes amid nearly daily hacking attacks of corporate and government databases.
The bills call for clear rules on how soon companies should inform users when their information has been breached.
Sony Networks suffered repeated attacks by the hacker group “Anonymous,” which exposed user information and forced the company to shut down its network. RSA, Lockheed and Epsilon have also been hit with attacks that have made consumers’ personal information — such as e-mail addresses and in some cases credit card numbers — vulnerable.
“If nothing else, perhaps the frequency, audacity and harmfulness of these attacks will help encourage Congress to enact new legislation to make the Internet a safer place,” Sony Network Entertainment president Tim Schaaff said at the hearing.
FTC member Julie Brill said at the hearing that the agency doesn’t have an official position on the need for privacy laws. But she said “do not track” requirements are needed — including on mobile devices. She said browser companies have come up with technologies that allow users to ask companies to stop following their activity on the Internet.
But few companies honor those requests and there is little the FTC can do to punish those firms who continue to collect information about users if they haven’t promised to honor “do not track” requests.
“There is significant progress on the part of industry. I am worried, though, that they may not get all the way there because of the way the industry is structured,” Brill said. “Advertisers and ad networks are disparate. Unless you get them to uniformly agree, I’m not sure a self -regulatory mechanism can work.”