Breach notification proposals in Congress

By , May 18, 2007 3:25 pm

Senator Leahy is trying to round up support for S. 495, the Personal Data Privacy and Security Act of 2007, a bill that he and Arlen Specter co-sponsored. The bill’s stated purpose is

“To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.”

But would the bill — which only applies to digital or electronic records and would continue to leave paper records unprotected — do what it purports to do? And is it better than an alternative bill that has been proposed?

U.S. PIRG said this about S. 495:

Positively, the bill would regulate the virtually lawless data broker industry, requiring them to comply with most of the Fair Information Practices imposed on credit bureaus, such as the right to know of and look at your file, and, with the Cardin amendment, the right to an adverse action notice when your file is used to hurt your opportunities. Unfortunately, while the bill’s breach notice standard does not include a risk trigger, its notice standard is still too low.

In its letter of non-support [pdf], U.S. PIRG identifies three major concerns about the proposed legislation (emphasis in original):

… it unwisely would preempt the states from most actions to protect privacy in many areas covered by the bill, even though the states have demonstrated clear leadership on privacy and other matters. Increasingly, the Congress is acceding to the indefensible demands of regulated industries that the price of any federal regulation, no matter how modest, must be permanent restrictions on the state laboratories of democracy.

Second, while the bill generally requires companies to provide notice to consumers who are victims of breaches, it allows companies to avoid notice upon a finding of “no significant risk.” This exception standard, while better than the trigger standard in the Sessions bill (which does not require notice until and only if significant risk is first affirmatively shown), is weaker than the best state laws and would also preempt them all. The word “significant” should be deleted.

Third, the bill includes another exception to notice whenever companies are part of fraud prevention programs, even though these programs may not prevent all the money in a consumer’s checking account from being vacuumed out by a thief. Ideally, this section should be eliminated. If not, at the very least, such a safe harbor should be limited to situations involving credit cards, but not debit cards, which directly access customer savings, checking and other accounts. It is possible that were your language in effect, it might have immunized TJX (TJ Maxx and Marshalls) from notification in its recent 45 million credit and debit card number breach. The Sessions language is even broader and more unacceptable.

I agree with all three of the concerns U.S. PIRG has raised. S. 495 makes too many concessions to data brokers and businesses by barring states from imposing higher standards. The bill also bars any individual cause of action against businesses or data brokers for breaches.

The notification provisions of S. 495 apply only if 10,000 or more individuals are affected. In the alternative bill, S. 1178, the Identity Theft Prevention Act, proposed by Senator Inouye, the threshold is 1,000. The U.S. PIRG noted, with respect to S. 1178:

Positively, the bill would establish a federal security freeze right, but allow states to enact stronger security freeze laws. [Only the security freeze can stop identity theft. Over-priced credit monitoring cannot; credit report fraud alerts cannot.] The bill’s data security and breach notice provisions, however, are weak and would preempt numerous better state laws.

In their letter of non-support for S. 1178 [pdf], U.S. PIRG notes:

We commend you for narrowing the scope of the bill’s limits on stronger state laws, for improving the security freeze provision and for making that security freeze provision an explicit federal floor that allows stronger state laws. However, because the bill includes a weak data breach notice “risk trigger” that undercuts existing state laws, and because it still imposes some preemption on the states, we cannot support the bill without further amendments.

[…]

We appreciate that the data breach notice applies to both computerized and non-computerized data. Yet, we oppose the risk trigger in that data breach notice section. The provision undercuts over a dozen stronger state laws that provide for notice upon “acquisition” of non-public personal information including Social Security Numbers.

This not only fails to hold companies to a high enough standard that they would take remedial steps to prevent data loss in the first place, it does not guarantee that consumers will learn of the theft early enough to fight back. Studies have shown that the sooner you find out, the easier it is to clear your name. As for the importance of an acquisition-based standard, many experts believe that establishing such a high standard as is included in your bill might result in no notification at all.

Not surprisingly, the National Retail Federation has significant concerns about S. 1178.

As the U.S. PIRG notes, however:

… industry’s allegations about compliance costs are without foundation; a firm can comply nationally simply by ensuring that its practices meet the standards of that one or several strongest state laws. (It should not be impossible to comply with both federal and state law. We do not, nor do other privacy or consumer groups, oppose any provision that would provide that a state law may not be inconsistent with the federal law, provided that it also says that a state law providing greater consumer protection is not inconsistent.)

There are other significant differences between S. 495 and S. 1178, if I am reading the bills correctly. Some of the differences appear to be:

  1. Unlike S. 1178, there is no provision in S. 495 for public compilation and posting of reported breaches. S. 1178 would have the FTC list breaches on one site, which would permit greater public scrutiny and analysis of the impact of breaches. S. 1178 even requires that breaches affecting fewer than 1,000 individuals be reported to the FTC, but if the covered entity determines that there is no “reasonable risk” of ID theft, the FTC would not post the breach on its web site.
  2. S. 495 requires data brokers to tell individuals, on request, what records they hold on them, and to provide a mechanism for disputing and correcting inaccurate records.
  3. S. 495 strengthens the penalties for identity theft.
  4. S. 495 establishes requirements for a personal data privacy and security program.
  5. S. 1178 would establish an Information Security and Consumer Privacy Advisory Committee.

So each bill seems to have some decent features, some significant drawbacks, and too many concessions to businesses. Both bills also preempt stronger state laws.

The federal government should not be restricting our protections and rights as consumers. Federal laws generally set the minimal guarantee or “floor” of protections, but allow states to grant residents more rights or protections. To enact a federal notification law that would set a ceiling on protections is to usurp the right of states to protect their citizens in order to placate businesses. Given the risk that individuals will be held liable for misuse of debit cards, we need a notice trigger lower than “significant risk,” unless the businesses and banks wish to indemnify consumers from any liability above the first $50.00 of fraudulent use on debit cards.

There is no reason to “settle” at this point — we need to push Congress to take the best of each of the bills and combine them into one decent bill.
