"“One place where we could start would be with a uniform and robust data breach notification standard that’s not watered down and has penalties,” said Danielle Citron, a law professor at the University of Maryland who specializes in internet privacy and free speech online. Such a law would require that consumers and the government be swiftly alerted when their data has been stolen in a hack or landed somewhere without users’ consent. Citron emphasized that any new data breach law shouldn’t be weaker than current state data breach notification laws, since any new federal requirements would likely pre-empt them. Laws vary from state to state, but most require private companies and government agencies that experience a security breach that includes any personally identifiable information to notify those affected within some set amount of time. Penalties would be important here, too. “If you make companies liable in some way and they have to internalize some of the costs,” Citron said, “they’re going to take security more seriously.”"
"The Federal Trade Commission, which is supposed to act as a consumer protection watchdog, could also do more to proactively investigate how well companies are protecting consumers, according to Ryan Calo, a law professor at the University of Washington who specializes in online privacy. “The FTC has the authority to really look behind the digital veil and figure out what these companies are doing, but the FTC really doesn’t do that,” said Calo. And when the agency does find a problem, “they could issue fines and pass consent decrees,” like the one that Facebook might be in violation of. Laws aren’t easy to pass and pressuring the FTC to use the full extent of its oversight authority may well be a faster avenue toward regulating companies in the business of overbroad data collection, like Facebook."