News release: “The Federal Trade Commission told Congress today during a hearing that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach…The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities.”