Businesses and consumers need lawmakers to set clear federal rules to deter data breaches.

That was the consistent refrain from a chorus of witnesses in a Senate Commerce Committee hearing this week on data security. It was the second in a series of hearings examining consumer privacy and data security issues such as data breaches, Internet scams, ransomware assaults, and other harmful data abuses.

“The absence of federal standards in this area means that businesses lack clear rules to follow; consumers lack consistent and reliable protections, and remain confused and distrustful; and the FTC turns somersaults and faces legal challenges as it tries to fill the gaps,” said Jessica Rich, a former director of the FTC’s Bureau of Consumer Protection, now a counselor at Kelley Drye & Warren. “The U.S. urgently needs a federal standard that would bring stronger protections and greater clarity to the marketplace.”

Edward Felten, professor of computer science and public affairs emeritus at Princeton University, agreed that new legislation is needed to fix the limitations imposed on the FTC when holding companies accountable for data breaches.

“The public and the industry would benefit from a rulemaking that offered more specificity for companies and consumers, while retaining the flexibility needed to enable beneficial innovation in an evolving technological space,” said Felten, a former FTC chief technologist.

Felten emphasized how the FTC can play an important role in deterring data breaches by building up a technology workforce and enforcing stronger penalties. By doing so, he said companies would be more inclined to strengthen their data security.

Kate Tummarello, executive director of the technology-policy nonprofit Engine, stressed that start-ups may be particularly burdened by data breaches due to their limited resources and smaller user base. Tummarello suggested that Congress should take steps to ensure data security regulations are clear and that start-ups won’t face detrimental legal burdens should a breach occur.

“Start-ups are critical contributors to innovation and economic and job growth in the U.S. and have a unique perspective and need,” said Tummarello.

The hearing, titled “Enhancing Data Security,” took place on October 6. James Lee, COO of the Identity Theft Resource Center, also testified.