NCL on Upcoming Congressional Hearings with UnitedHealth Group CEO Andrew Witty

April 30, 2024

Media contact: National Consumers League – Melody Merin,, 202-207-2831

Washington, DC – Tomorrow, the Senate Finance Committee and House Energy and Commerce Committee will hear from UnitedHealth Group CEO on the insurance company’s cyberattack that put millions of medical records and patient privacy at risk.

The cyberattack is, of course, cause for concern, but there are also several other ways major insurance companies like UnitedHealth Group are hurting consumers. These companies have taken over the prescription drug marketplace – they are integrated with the pharmacy benefit managers (PBMs) who gatekeep our prescriptions, limiting access and increasing out-of-pocket costs.

Here are the top questions American consumers deserve answers to:

  • How will your company work to not only protect patient data going forward, but also protect patient choice and power in their healthcare decision-making?
  • Can you explain the relationships and makeup of UHG, Optum Rx, and Optum Health? How does this vertical integration give consumers a fair choice when it comes to their health when there is a clear incentive to keep patients – and thus profit – in the UHG family?
  • UnitedHealth Group’s PBM Optum Rx claims to benefit consumers by negotiating rebates with drug manufacturers – why, then, aren’t consumers experiencing lower costs at the pharmacy counter?
  • How much does Optum Rx collect each year in rebates from drug manufacturers? How much profit does the UHG corporation rake in from prescription drug purchases?
  • Is UHG aware of the significant health and financial challenges that prior authorization requirements impose on consumers and their families?

The insurance industry is riddled with poor incentives that ultimately hurt consumers. Lawmakers have an opportunity this week to shine a light on these problems. We need bipartisan reforms to give consumers more power when it comes to their prescriptions, and ultimately, their health.


About the National Consumers League (NCL)

The National Consumers League, founded in 1899, is America’s pioneer consumer organization.  Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad.  For more information, visit

Will Obama’s cybersecurity plan help consumers? – National Consumers League

It seems appropriate that the Obama Administration chose Safer Internet Day to announce its new Cybersecurity National Action Plan (CNAP). At a time when massive data breaches continue to be the norm, rather than the exception, it is heartening to see the President take comprehensive action to address ongoing threats to consumers’ data. So, what are some of the highlights of the CNAP? Will it help consumers getting pummeled by data breaches? 

Let’s take a look… 

Establishing a “Commission on Enhancing National Cybersecurity”

Bringing together cybersecurity experts to talk shop and recommend solutions is rarely a bad idea. Importantly, the CNAP is charged with delivering a report of its findings and recommendations to the President on December 1, 2016, which should make for interesting reading by data security geeks like yours truly. The CNAP calls for the Commission to be made up of “top strategic, business, and technical thinkers from outside of Government.” Within the Executive Order itself, the Commission membership qualifications are spelled out in greater detail as “those with knowledge about or experience in cybersecurity, the digital economy, national security and law enforcement, corporate governance, risk management, information technology (IT), privacy, identity management, Internet governance and standards, government administration, digital and social media, communications, or any other area determined by the President to be of value to the Commission.”

Notice something missing there? If you said “consumers,” give yourself a gold star. All too often, the job of protecting consumers’ data is punted on to the backs of consumers themselves. While doing things like enabling two-factor authentication, using good digital hygiene, and paying attention to credit reports is never a bad idea, it can’t be the only solution. The companies and agencies that collect and use consumers’ data must have real skin in the game when it comes to protecting that information. We hope that the new Commission will take a look at the role that data security standards, strong data breach notification requirements, and cyber insurance can play in strengthening data protections.

Empowering Americans to secure their online accounts

At NCL, we’re big fans of the great work the National Cyber Security Alliance is doing to arm consumers and businesses with the tools to enhance their own data security. By embracing two-factor authentication, the Administration is putting its imprimatur on a common-sense data security tool that all consumers should be using whenever possible. Kudos, too, for looking at ways for federal agencies to practice what they preach by looking for ways to implement stronger authentication methods and reduce the use of Social Security Numbers as an identifier for citizens. (P.S. If you use Google services and need some extra incentive to up your security game, our colleagues at Google are offering two free gigabytes of Google Drive storage to anyone who completes their Security Checkup).

Investing $19 billion+ for cybersecurity as part of the President’s Fiscal Year (FY) 2017 Budget

This is the part of the CNAP that’s getting the most press and, frankly, will probably be the toughest part of the plan to get over the finish line, given election year politics in Washington. However, given the cybersecurity skills gap, it’s heartening to see the President’s budget proposing a package of student loan forgiveness, increased cybersecurity hiring, small business training, and technology modernization initiatives. Last year’s OPM data breach made the consequences of relying on out-of-date technology painfully clear. And for goodness sakes, it’s time for every federal agency to get off Windows XP, already!

There’s lots more to dig into in the CNAP, but overall, it’s got a lot to like from a consumer point of view. As the Plan correctly recognizes, “there is no silver bullet to fully guarantee our data security.” The fight for better data security is going to take lots of hands, and we applaud the President for proposing ways for us all to get in the trenches.

Groups send letter to FCC calling for action on broadband privacy and data security – National Consumers League

January 20, 2016

Tom Wheeler
Federal Communications Commission
445 12th St., SW
Washington, D.C. 20554

Re: Broadband Privacy Rulemaking

Dear Chairman Wheeler: 

The undersigned organizations urge you to commence a rulemaking as soon as possible to protect the privacy of broadband consumers. As Commissioner Julie Brill of the Federal Trade Commission (FTC) stated in a recent speech on broadband and privacy, the Federal Communications Commission’s (FCC) reclassification of broadband as a Title II common carrier service adds it as “a brawnier cop on the beat” on privacy issues. She welcomed the opportunity for the two agencies to work in cooperation to create “strong consumer privacy and data security [that] are key ingredients of our data-intensive economy, including the practices of broadband providers.”

Providers of broadband Internet access service, including fixed and mobile telephone, cable, and satellite television providers, have a unique role in the online ecosystem. Their position as Internet gatekeepers gives them a comprehensive view of consumer behavior and until now privacy protections for consumers using those services have been unclear. Nor is there any way for consumers to avoid data collection by the entities that provide Internet access service. As the role of the Internet in the daily lives of consumers increases, this means an increased potential for surveillance. This can create a chilling effect on speech and increase the potential for discriminatory practices derived from data use. By contrast, commonsense protections may lead to a broader adoption and use of the Internet, as individuals gain confidence in conducting everyday business and exploring new services online.

With the recently signed Memorandum of Understanding on Consumer Protection between the FCC and FTC outlining continuing interagency cooperation on privacy, the FCC is now well positioned to take its place as that “brawnier cop on the beat” focusing on broadband providers. We therefore strongly urge that the FCC move forward as quickly as possible on a Notice of Proposed Rulemaking proposing strong rules to protect consumers from having their personal data collected and shared by their broadband provider without affirmative consent, or for purposes other than providing broadband Internet access service. The proposed rules should also provide for notice of data breaches, and hold broadband providers accountable for any failure to take suitable precautions to protect personal data collected from users. In addition, the rules should require broadband providers to clearly disclose their data collection practices to subscribers, and allow subscribers to ascertain to whom their data is disclosed.

We thank you for your continuing commitment to consumer privacy protection. In addition to the Commission’s important decision last year to retain authority to protect consumer privacy on broadband telecommunications services, the FCC has worked diligently under your administration to enforce existing privacy protections for voice communication, and to require greater transparency for broadband provider service practices. We look forward to working with you to modernize these existing rules to clarify crucially important protections for consumers online.



Access Humboldt
Access Sonoma Broadband
American Association of Law Libraries
American Civil Liberties Union
Appalshop, Inc.
Ashbury Senior Computer Community Center
Benton Foundation
Broadband Alliance of Mendocino County
California Center for Rural Policy
Campaign for Commercial-Free Childhood
Caney Fork Headwaters Association
Center for Democracy & Technology
Center for Digital Democracy
Center for Rural Strategies
Center for Science in the Public Interest
Chicago Consumer Coalition
Children Now
Common Sense Kids Action
Consumer Action
Consumer Assistance Council of Cape Cod and the Islands of Massachusetts
Consumer Federation of America
Consumer Federation of California
Consumer Watchdog
Cornucopia Network NJ/TN Chapter
Cumberland Countians for Ecojustice
Electronic Frontier Foundation
Free Press
Institute for Local Self-Reliance
Kentucky Equal Justice Center
Maryland Consumer Rights Coalition
Massachusetts Consumer Council
Maui County Community Television
Mountain Area Information Network
National Association of Consumer Advocates
National Consumer Law Center (on behalf of its low income clients)
National Consumers League
National Digital Inclusion Alliance
National Hispanic Media Coalition
Network for Environmental & Economic Responsibility of United Church of Christ
North Carolina Consumers Council
Oklahoma Policy Institute
Open Library
Open Technology Institute at New America
Oregon Consumer League
Privacy Rights Clearinghouse
Privacy Times
Public Citizen
Public Health Advocacy Institute at Northeastern University School of Law
Public Knowledge
Rudd Center for Food Policy & Obesity, University of Connecticut
Schools, Health & Libraries Broadband Coalition (SHLB Coalition)
Southern California Tribal Digital Village
Texas Legal Services Center
United Church of Christ, OC Inc.
World Privacy Forum

NCL calls on Senate to oppose Cyber Information Sharing Act – National Consumers League

October 22, 2015

Privacy and consumer advocates say CISA is not the answer to cybercrime

Contact: Cindy Hoang, National Consumers League, or (202) 207-2832

Washington, DC—Calling it “the wrong solution to the problem of cybercrime,” the National Consumers League (NCL), today joined six other privacy and consumer advocacy organizations to urge the Senate to reject the Cyber Information Sharing Act (CISA). In a letter to Senate Majority Leader Mitch McConnell (R-KY), the groups called the bill “fatally flawed,” and urged Senators to oppose the bill unless it is significantly improved through the amendment process.

CISA, which is currently pending before the full Senate, would significantly expand the ability of intelligence agencies such as the National Security Agency to collect information about American citizens in the name of improving cybersecurity. Advocates at NCL believe that there are significantly better ways to improve consumers data security protections, including a comprehensive national data security standard and a strong national data breach notification law.

“CISA seeks to combat a real problem: the continuous and serious incidence of data breaches that raise the risk of identity theft and other fraud for millions of consumers,” said John Breyault, NCL vice president of public policy, telecommunications and fraud. “Unfortunately, in CISA’s case, the cure is worse than the disease. The bill, as proposed, would allow for even greater collection of consumers’ personal data without adequate safeguards against abuse by intelligence and law enforcement agencies.”

The letter cited an amendment offered by Sen. Ron Wyden (D-OR) as one way to address advocates’ concerns. That amendment (#2621) would require, to the extent feasible, that all entities remove personally identifiable information not necessary to describe or identify a cybersecurity threat before sharing cybersecurity threat information under the bill.

In addition to NCL, organizations represented in the letter included the Center for Democracy & Technology, the Center for Digital Democracy, Consumer Action, the Consumer Federation of America, Consumer Watchdog, and Privacy Rights Clearinghouse. The full text of the letter is available here.


About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit

NCL #DataInsecurity Project – National Consumers League

databreach.jpgNCL recently debuted the first issue of The #DataInsecurity Digest, a twice monthly publication curated by NCL’s own, John Breyault, to deliver important consumer-focused data security news, policy and news analysis, and information about upcoming events directly to your inbox. Click here to subscribe.

In 2013, there were 614 data breaches that led to more than 550 million identities compromised. New data breaches means more identity theft and other fraud, and more consumers facing financial loss, great inconvenience, and a loss of trust in the marketplace. That is why NCL is working on the #DataInsecurity Project — to raise awareness about the need for reforms aimed at better protecting consumer data.

Data breaches impact consumers, credit unions, banks, and retailers. Last December, the retail giant Target suffered a massive data breach that made national headlines. In the breach, as many as 110 million identities were compromised.

Take a look at the impact of just this single incident:

  • $200 million: the cost to credit unions and community banks for reissuing 21.8 million credit and debit cards
  • 1-3 million: the estimated number of cards stolen in the Target breach that were sold on the black market and successfully used to commit fraud
  • $18-35.70: the price per card stolen from Target and resold on the black market in the months after the breach

Shocking as these numbers are, they represent the fallout from just a single data breach. Data breaches are happening with frightening regularity.

Malicious hackers are going to continue to exploit existing weaknesses, and many businesses lack the incentive or ability to adequately protect their customer data against evolving threats. That is why NCL believes that consumers need to be proactive about protecting their own data and calling on policymakers for improvements.

The current landscape of protection for consumer data is woefully inadequate.

NCL’s #DataInsecurity Project is calling for reforms such as:

  • Creating a national data breach notification standard, modeled on strong state protections such as California’s;
  • Requiring businesses that maintain consumers’ personal data to protect that information via specific data security requirements;
  • Giving the Federal Trade Commission and state Attorneys General civil penalty authority to enforce violations of data security requirements;
  • Increasing civil and criminal penalties for malicious hacking;
  • Increasing efforts to enhance cooperation with international partners to bring overseas hackers to justice; and
  • Requiring retailers and banks to implement the highest level of security available to protect consumers’ payment data.

To promote these goals, NCL is taking its #DataInsecurity Project on the road to four states across the country, to meet with policymakers, industry experts, consumer advocates, law enforcement officials, and members of the academic and business community. The tour is designed to raise awareness about the frequency of data breaches and to encourage the adoption of comprehensive reforms so that consumers can be better protected.

As a part of the #DataInsecurity Project, NCL has also unveiled important new research by Javelin Strategy & Research investigating the impact of data breaches on consumer trust, on who consumers feel should be responsible for their data, and on current responses to data breaches. Check out NCL’s survey report.

You can get involved!

Help us send the message that the time for reform is now! Sign our petition to the White House calling on policymakers to step up and protect consumers’ data.


NCL calls on Congress to move forward on data security agenda in wake of OPM data breach – National Consumers League

June 12, 2015

Contact: Carol McKay, NCL Communications, (412) 945-3242,

Washington, DC – In response to reports that a data breach at the Office of Personnel Management (OPM) may have affected as many as 14 million current and former federal government workers and federal retirees, the National Consumers League (NCL) is urging Congress to move forward on legislation that increases data security requirements for federal agencies and the private sector alike. NCL has also released tips for those affected to remain vigilant against possible spear-phishing attacks and take steps to protect their identities.

“The OPM hack is yet another symptom of the failure of Congress to move forward on comprehensive data security legislation,” said John Breyault, NCL vice president of public policy, telecommunications and Fraud. “While Congressional legislation will not result in perfect data security protection, it can create an important baseline of consumer protection from malicious data breaches. In the face of large-scale breaches at organizations like OPM and smaller breaches as thousands of small businesses, Congress needs to act sooner, rather than later.”

While consumers wait for more robust data protections to come out of Washington, affected current, former, and retired federal workers should take steps to reduce their risk of identity theft. Such steps can include:

  • Check credit reports. Affected workers should visit to check their credit reports from the major credit reporting bureaus. Look for suspicious activity like recently-opened accounts you don’t recognize and dispute them as suspected fraud with the credit reporting bureau.

  • Beware of spear-phishing emails and phone calls. OPM has announced that it will be sending most breach notifications by email from the email address. That email will include the worker’s name and a PIN to enroll in credit monitoring and identity theft protection from identity and fraud protection firm CSID. Phone calls where the caller identifies herself as a representative of OPM are likely a scam. Consumers can also enroll directly in the CSID program online here.

  • Place fraud alerts on credit reports. Consumers should request a free 90-day fraud alert with each of the major credit reporting bureaus. A fraud alert requires businesses to verify an applicant’s identity before credit is provided to an applicant.

  • Take advantage of credit monitoring and identity theft protection. OPM is offering free credit monitoring and identity theft protection and mitigation services to affected employees via CSID. While these services won’t prevent all instances of identity theft, they can be helpful in reducing risk. More information is available here.

  • Mark calendars to file taxes early in 2016. The information reportedly compromised in the OPM breach can be used by cyberthieves to file fraudulent tax returns. Filing early in the tax season (instead of closer to the filing deadline) can help prevent this type of identity theft.

  • Contact banks and credit card companies. Affected workers’ banks may recommend reissuing credit and debit cards and changing checking and savings account numbers. Get in touch with these financial institutions to find out if such actions are necessary. Also, closely monitor monthly statements and dispute any suspicious charges.

  • Update passwords. Changing passwords on online accounts (mail, social media, financial services), particularly if the account is associated with an official .gov email address, can help reduce the risk of account takeover fraud. Tips on creating stronger passwords are available from


About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit

National Consumers League Statement on Data Breach – National Consumers League

May 22, 2015

Contact: Carol McKay, NCL, 412-945-3242,

Washington, DC — The National Consumers League is warning current and former users of the adult dating website to beware of blackmail attempts and phishing attacks resulting from a data breach that reportedly affected nearly 4 million accounts.

The following statement is attributable to John Breyault, NCL Vice President of Public Policy, Telecommunications and Fraud:

“The breach at AdultFriendFinder has reportedly compromised extremely sensitive data on nearly four million users, including sexual orientation, desire to engage in extramarital affairs and employer information. Email addresses, usernames, dates of birth, zip codes and IP addresses were also reportedly compromised. This type of information getting into the wrong hands could easily lead to blackmail attempts as well as sophisticated phishing attacks.”

“Congress should take note of the impact that a breach of this type of sensitive information is likely to have on victims. Numerous data breach notification bills pending in Congress contain a narrowly defined ‘harm trigger’ that rely on the likelihood of financial harm to prompt notification. What the AdultFriendFinder breach makes clear is that breached data can result in serious harm to affected consumers, even if the compromised information is not financial in nature. It is for this reason that NCL continues to oppose bills, such as Rep. Blackburn’s Data Security and Breach Notification Act of 2015 that contain harm triggers.”


About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit

How many straws until the camel’s back is broken on data breaches? – National Consumers League

John BreyaultAnother day, another data breach. The data breach roulette wheel this times landed on health insurer CareFirst. Who loses? The 1.1 million consumers whose names, birth dates, email addresses and CareFirst subscriber ID numbers are now in the hands of cyber crooks.

First things, first, what’s the risk to consumers? The mostly likely effect is that consumer affected by the breach may be on the receiving end of convincing-looking phishing emails. These attacks are designed to trick consumers into clicking on links or attachments that install malware or send users to phishing websites. The phishing emails (and possible telephone calls) are likely to reference CareFirst in some way, and may even masquerade as notifications about the breach itself.

Bottom line: If you are a CareFirst customer, the first place you should be going to get reliable information about the breach and what CareFirst is doing about it is The website has been set up by CareFirst to give affected customers up-to-date information about the breach and what steps they can take to mitigate their risk, including taking advantage of free credit monitoring and identity theft protection CareFirst is offering via Experian.

With that out of the way, there are a number of key questions that regulators, legislators and advocates should be asking in the coming days and weeks.

First, why are health insurers being targeted? CareFirst is the third major health insurer to disclose a breach in the past six months. There are troubling signs that the breaches at Anthem in February, Premera in March and now CareFirst are part of a coordinated attack on U.S. health insurers, possibly by state-sponsored hackers. Regardless of the origin of the hack, it’s clear that medical information is especially lucrative for thieves. According to cybersecurity experts, stolen medical info is worth 10-20 times more than stolen credit or debit card data goes on the cyber black market. With 2.3 million Americans falling victim to medical identity theft in 2014, it’s not hard to see why medical information presents such an attractive target to cybercriminals

Second, why did it take 10 months to notify consumers? According to CareFirst, the intrusion into their network was first detected in June 2014 and “immediate action” was taken to contain the threat. However, it was not until April 2015 that the company discovered that the crooks had exfiltrated their systems with stolen data. With nearly 10 months lead time, cybercrooks had ample time to create mischief with the stolen data before CareFirst notified consumers. Why did it take so long to find out that data was actually lost?

Finally, would more stringent data security standards or data breach notification laws have reduced the risk of this breach? There is no way to make a system 100% safe from hacking. However, far too many companies only invest significant resources in protecting their customers’ data after a hack, not before. This leaves millions of consumers at risk of breach-fueled fraud as companies elect to invest elsewhere while they wait for a hack to force them to spend on data security. What kind of incentives and/or penalties should Congress and Executive Branch consider to shift the cost/benefit equation for companies towards spending on data protection before a breach? NCL’s 2015 Data Security Agenda is a good roadmap for policymakers looking for consumer-friendly answers to these important questions.

The CareFirst breach is yet another straw on the pile of reasons why consumers can’t wait on businesses to take care of the data security problem on their own. It’s time for leaders in Washington to step up and pass real data security reform before the next straw breaks the camel’s — and our — backs. In the meantime, here are tips consumers can use to reduce the risk of identity theft.

NCL warns consumers to beware of phishing attacks in wake of CareFirst Breach, offers tips for spotting and recovering from breach-related fraud – National Consumers League

May 20, 2015

Contact: Carol McKay, NCL, 412-945-3242,

Washington, DC – The National Consumers League (NCL), America’s pioneering consumer advocacy organization, is warning consumers to be on the lookout for phishing attacks in the wake of a data breach at health insurance provider CareFirst affecting 1.1 million consumers. The following statement is attributable to John Breyault, NCL vice president of public policy, telecommunications and fraud: 

“More than a million consumers have been put at heightened risk of fraud due to the data breach at CareFirst. While the breach does not appear to have compromised sensitive information, such as Social Security Numbers, passwords, or medical information, cyber crooks are no doubt busy using the information they did collect to craft convincing-looking phishing emails. These emails, which could include the CareFirst logo and look just like the real thing, may contain links or attachments that install malware or direct consumers to websites designed to steal Social Security Numbers, passwords, and other information that can be used to commit identity theft or other kinds of fraud.

“Once again, we are reminded of the consequences of lax data security at a major health insurance provider. Any investigation of CareFirst’s data security practices should examine what factors enabled this breach to take place and what steps CareFirst and other insurers can take to make their systems more secure. For example, given the known vulnerabilities of the username/password combination and the attractiveness of health care data to cybercriminals, would stronger security techniques like multi-factor authentication have prevented the breach? If the network intrusion was detected in June 2014, as the company has stated, how did the exfiltration of consumer data go unnoticed for nearly a year? Given the spate of data breaches at health insurance providers like Anthem, Primera and now CareFirst, what should Congress, the FTC and other regulators do to ensure that health insurers place a premium of robust data security?”

Tips for CareFirst customers to avoid breach-related fraud

  • CareFirst customers should beware of phishing emails that may seek to trick them in to clicking on suspicious links or attachments. These emails can look very convincing and may reference the CareFirst breach in some way. Clicking on the links or opening an attachment contained in the email can install malware that may be used to obtain additional sensitive personal information such as bank account or credit card numbers, usernames and passwords. CareFirst customers should be aware that the company will contact them via U.S. mail to notify them about further information related to the breach. More information is available from CareFirst at
  • Monitor your credit report and dispute suspicious activity that may occur after inadvertently clicking on a link or opening an attachment in a suspected phishing email. Consumers can download a free copy of their credit report from each of the three major credit-reporting bureaus (Experian, TransUnion and Equifax) at
  • If you suspect identity fraud has occurred, it is important to act quickly. Call one of the three credit reporting bureaus and request an initial fraud alert. This will place alerts on your report at all three credit-reporting bureaus. Once the alert is in place, the credit reporting bureaus will contact you when someone attempts to open credit in your name.
  • If you confirm that you have been a victim of identity fraud, contact the Federal Trade Commission to create and Identity Theft Affidavit. This affidavit can be used to file a police report with your local police department. Together, these two documents form an Identity Theft Report, which is crucial to beginning the process of recovering from identity fraud. More information on spotting, reporting and recovering from identity fraud is available at The FTC also has a useful consumer checklist that includes information and required documentation for creating the Identity Theft Affidavit and police report available online.
  • Do not reply to suspicious emails, as this may lead to additional social engineering attacks. Instead, the safest course of action is to simply delete the email. Consumers can also forward them to the United States Computer Emergency Readiness Team at
  • While the initial reports state that no passwords were compromised in the CareFirst breach, cyber thieves may attempt to test common passwords against accounts associated with your email address, including email services, ecommerce, banking and other accounts. Do not use the same username and password combination across multiple accounts. If stronger security measures such as multi-factor authentication are offered, enable them.


About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit

Bravo! FTC’s “Start With Security” initiative announces seminar on data security – National Consumers League

Federal Trade Commission Chairwoman Edith Ramirez this morning announced the next step in the FTC’s efforts to craft data security guidelines for businesses. As part of its “Start with Security” program, originally unveiled in March, the Commission will hold an initiative at the University of California on September 9. This follows on the heels of the February 13 Summit on Cybersecurity and Consumer Protection at Stanford University.NCL has long advocated for the FTC to take a leadership role in the federal government on data security and is very pleased about this announcement. We applaud the FTC for taking this step to improve data security and help businesses protect consumers.

While details of the September meeting aren’t yet fully known, we do know a few things about the Commission’s “Start with Security” program. At the IAPP summit in March, FTC Bureau of Consumer Protection Director said that the program’s goal is to provide businesses with resources, education and guidance on data security. Chairwoman Ramirez (who NCL will be honoring in October, incidentally) elaborated on this theme, stating that the initiative will be aimed at bringing together experts on data security to share best practices, particularly for small and medium-sized businesses.

The focus on data security at small-to-medium sized businesses is a logical choice for the agency. Its ongoing legal tussle with Atlanta-based LabMD illustrates challenges the Commission faces as it seeks to enforce data security obligations on small businesses. Such entities are often ill-equipped to adequately protect the growing amounts of sensitive personal information they are collecting.  This is an incredibly important issue. As NCL’s #DataInsecurity Report found, nearly 6 in 10 data breach victims indicated that their trust in retailers decreased following a breach. For a small business struggling to stay afloat, losing the confidence of customers due to a data breach can mean the difference between keeping the lights on and a “closed” sign on the front door.

So what can the Commission hope to accomplish at its September meeting? In the interests of promoting consumer data security, we propose that the meeting agenda cover some basic data security policy topics, such as:

  • Is there a sufficient flow of information and best practices on breach trends, emerging threats from hackers, etc. being shared by the FTC with business that are entrusted to store consumer data? If not, how can this improve?
  • The Online Trust Alliance estimated that 90% of data breaches in 2014 could have been prevented if basic security measures had been taken. With this in mind, how can businesses be incentivized to make sure they are taking the basic steps to protect their data?
  • Small and medium-sized businesses often lack the budget and/or expertise to craft robust data security protections, yet they are increasingly collecting large amounts of sensitive data about their customers. What requirements should be placed on a pizza parlor, for example, when it comes to data security?
  • We often hear that it’s not “if,” it’s “when” when it comes to data breaches at businesses. However, it seems that businesses, particularly small-to-medium sized businesses, aren’t prepared to protest against the data breach threat. Is this accurate? If so, what can the FTC do to change that mindset?
  • Government data security mandates can only do so much to create a climate where data security is taken seriously by business. What flexible, market-based incentives exist to promote data security? Is cyber-insurance the answer?
  • There is no shortage of cybersecurity firms offering high-priced solutions to small-to-medium sized businesses. Are there free or low-cost solutions that businesses can take today that will measurably reduce their data security risks (e.g. enable multi-factor authentication, create stronger passwords, encrypt sensitive data)?

The “Start With Security” initiative is a good opportunity for the FTC to promote solutions that businesses can take to reduce their data security risk. However, absent reforms in Congress to tackle tough issues like data breach notification and a comprehensive data security standard, education can only do so much. We hope that the Commission will use the September 9 forum to highlight the impact that breaches continue to have on consumers and businesses and to push Congress to pass real data security reforms.