Jessica Rich, director of the Federal Trade Commission's Bureau of Consumer Protection, told Congress Wednesday that the FCC's decision to reclassify ISPs under Title II had made it harder to protect consumers.
That came in a House hearing on new data breach and security legislation in the House Commerce, Manufacturing, and Trade Subcommittee.
Rich said the FTC has taken no position on the reclassification, but she said it has had the effect of removing broadband service from the FTC's purview over data privacy and security. That, she said, meant the FTC can do less to protect consumers under Title II reclassification than it was able to do before.
She made it clear that the FTC was not opposing reclassification, but was seeking to insure its authority as lead agency over data breach and security issues was restored.
The proposed bill would restore the FTC authority over ISPs, which it loses when they are reclassified as common carriers. That would mean that the FCC and FTC would share jurisdiction over security, breach and privacy issues since the bill leaves privacy protections under the FCC, though not enough of them to suit the current FCC cybersecurity chief counsel.
Rich said a majority of FCC commissioners supported sharing authority and that the FTC and FCC had worked together in the past.
Rep. Peter Welch (D-Vt.), the bill's co-sponsor, said that if the legislation got it right and divided the authority, it might not be both agencies’ preference, but the consumer might benefit.
FCC chief counsel for cybersecurity Clete Johnson countered that he did not think privacy and cybersecurity oversight could be split since they were essentially one and the same.
Johnson said the way the bill divided up accountability and narrowly defined what information could be protected, the FCC would lose the authority over protecting cable and satellite viewing history information, including the shows they watch and the movies they order.
"While the draft bill attempts to maintain the protections of the Communications Act for purposes other than data security, the FCC’s experience implementing privacy and security requirements for consumer data reveals that there is no simple distinction between the two interrelated concepts. In short, whether a company (either by human error or technical glitch) mistakenly fails to secure customer data or deliberately divulges or uses information in ways that violate a customer’s privacy rights regarding that data, the transgression is at once a privacy violation and a security breach."