ms. mithal? >> yes. i think there are concerns that, although the bill prescribes requirements to be placed in privacy policies, it may not require companies to follow them, or may not have enforcement mechanisms. >> it's my understanding under the draft bill, the auto maker will receive protection from civil penalties and enforcements by providing nhtsa with the privacy policy that addresses the items in the draft. such as whether or not the auto maker collects, uses or shares data, and if the consumer has any choice of the use or collection. it will not matter how a given company chooses to address the items though. as i read section 301, a car maker can hypothetically submit a privacy policy to nhtsa, violate the policy and still be protected from enforcement. a car maker can make promises to consumers about collecting the data and suffer no consequences under the act if they break that. ms. mithal, is that your understanding of how this system is set up under the draft legislation? >> that is our und

ms. mithal? >> yes, i think there are concerns that although the bill prescribes certain requirements be placed in privacy policies, it may not require the companies to follow them or enforcement mechanisms to require the companies to follow those guidelines. >> it's my understanding under the draft bill, an ought he o maker will receive protection from civil penalties simply by providing nhtsa with required items in the draft, such as whether or not the automaker collects, uses and shares data and whether the consumer has any choice in the collection or use. it will not matter how a given company chooses to address those items, though. so as i read section 301, they can submit the policy, violate the policy and still be protected from ftc enforcement that means that a car maker can make prom sises, break those prom ses and have no consequences. is that your understanding of how this is set up under the draft legislation? >> that is our understanding and a real concern. >> do you think it, if we

ms. mithal? yes, i think there are concerns that although the bill prescribes certain requirements be placed in privacy policies, it may not require companies to follow the admin a provide enforcement mechanisms. >> that's what we're going. under the draft bill automakers will receive protection from civil penalties and ftc enforcement simply by providing nhtsa with a privacy policy that addresses the required items and address. such as whether or not the automaker collects, uses or shares of david and whether the consumers a choice regarding what the collection or use. it will not matter how a given company chooses to address those items. as i read section 31 a cardigan of consummate a privacy policy can mr. trump violate the policy is to be protected from ftc enforcement to that means a carmaker to make promises about protecting their data, break those promises and suffer no consequences under section five of ftc act. so ms. mithal is such understanding of how the system is set up? >> that is o

ms. mithal, you are recognized for five minutes. >> dr. burgess, ranking member schakowsky and members of the subcommittee i am maneesha mithal from the federal trade commission to i appreciate the opportunity to present the commission's testimony on the privacy and security related provisions of the discussion draft to provide greater transparency, accountability and safety authority for nhtsa. the ftc has served as a primary federal agency charged with protecting consumer privacy and security for the past 45 years. we have brought hundreds of privacy in cases targeting violations of federal trade commission act and other laws. in addition to enforcing a wide range of privacy and security laws the ftc educate consumers and businesses. most recently the ftc launched its start with security business education initiative that includes new guidance for businesses as well as a series of conferences across the country designed to educate small businesses on security. the next conference will take place on november 5 in austin, texas. on the pol

ms. mithal, you are recognized for your opening statement. >> thank you. dr. burgess, ranking member schakowsky and members of the subcommittee, i am maneesha mithal. i appreciate the opportunity to present the commission's testimony on the privacy and security related provisions of the discussion draft to provide greater transparency, accountability and safety authority for nhtsa. we are the -- we are the primary federal agency charged with protecting consumer privacy and security of the past 45 years. we have brought hundreds of privacy and data security cases targeting violations of federal trade commission act and other laws. in addition to enforcing a wide range of privacy and security laws, the ftc educate consumers and businesses. most recently the ftc launched a start with security business education initiative that includes new guidance for businesses as well as a series of conferences across the country designed to educate small businesses on security. the next conference will take place on november 5 in austin, texas. on the policy front we conducted

ms. mithal, how many data security cases has the ftc brought against car companies in the last five years? any idea? >> we've not brought any car cases. we've brought 55 general security, from care to cameras and phones. all the principles apply equally to connected cars. >> so zero for cars so far? >> correct. >> okay. what is the commission's expertise with respect to the security of critical safety systems and vehicles? are there differences in how criminal safety system vehicles should be treated compared to other infrastructures? >> our focus has been on process. so all of our 55 cases stand for the lesson that companies need to implement processes up front to make sure to protect against security violations. for example, companies including car companies, need to hire people responsible for security. they need to conduct risk assessments, oversee their service providers, keep abreast of technologies surrounding them and emerging technologies that affect their areas. that's consistent with the cybersecurity framework approach. >> as dr. rosekind mentioned, be nimble because this chan