This month's featured debate informs whether the FTC should have the right to penalize companies for poor data security/privacy practices.

FOR

Craig Spiezle, executive director & president, Online Trust Alliance


While there is no silver bullet to guarantee data protection, companies must take reasonable steps to secure consumer data. Last year, the number of breaches increased 34 percent, yet more than 90 percent of these were avoidable. Although these businesses have to deal with remediation expenses, compliance with state statutes and the impact on trust of their brand, it is just as important that businesses be held accountable to the impact on their customers.

 Under section five of the Consumer Protection Act, businesses have the obligation to safeguard consumer data. The Federal Trade Commission (FTC) has increasingly exercised settlements with some of the worst offenders, yet does not have the power to fine a company directly. Many industry observers have suggested that the FTC be directly empowered to levy fines to increase accountability. As a data-driven economy, business leaders need to increase the stewardship of the data they collect. Those that fail to take reasonable steps need to be held accountable.

CON

Brian Gay, owner, Think Forward Consulting

The FTC should not have the right to penalize companies for poor data security and privacy practices. If the FTC attempts to penalize companies for poor security, there will be several issues. The first is around poor practices. How will the FTC measure poor data security and privacy practices? Will the FTC compare programs by industry? Without clear guidelines the penalties will not be enforceable.  

The next concern is that increasing cyber security oversight will create a decrease in transparency. Currently, companies are very reluctant to admit security hacks and data losses. If the FTC were allowed to penalize companies, there would no incentive to publicly admit data security issues and share best practices. This will negatively impact data and privacy as a whole.   

It would be better for the FTC to provide positive incentive. How about if the FTC were to reward companies for high-performing cyber security practices instead?