Los Angeles Times

A false sense of security in bill

- DAVID LAZARUS

It’s called the Data Security and Breach Notification Act of 2015, and, if passed into law, it would be the first federal rule requiring businesses to let consumers know that their personal information may be in the hands of hackers. Sounds good, right? It’s not. Dozens of states, including California, already have similar laws on the books that are stronger and more comprehensive than the proposed federal law. But the federal law would preempt all state laws.

The bill would eliminate existing data-breach protections for pay-TV and Internet customers. Right now, for example, people must be notified if there’s any unauthorized access to information on shows or channels watched.

The bill also would require notifications only in instances of financial harm, rather than the broader requirements of many states, such as violations of personal privacy in the form of hacked emails or corporate databases.

“California has some of the strongest laws in the country protecting consumers from identity theft,” said Emily Rusch, executive director of the California Public Interest Research Group. “The last thing Congress should be doing is tying the hands of states.”

The House Energy and Commerce Committee approved the bill last week. The 29-20 vote was along party lines, with Republicans advancing the legislation to the House floor.

The bill was written by Rep. Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.). Its stated goal is to “replace the current patchwork of laws with a single, national standard for protection and notification.”

“It’s imperative that we take action to prevent hackers’ success and provide safeguards to consumers to protect their virtual selves if and when their data is compromised,” Blackburn said after the legislation was introduced last month.

Welch said at the time: “Most Americans would be shocked at how inadequate current laws are at safeguarding their sensitive financial information.”

Yet Welch voted against his own legislation last week.

Bob Rogan, Welch’s chief of staff, told me that the congressman believed he had an understanding with Republicans that the bill would be strengthened before a committee vote, “particularly with respect to preserving in some fashion the authority of states to protect consumer health information.”

When no such changes were made, Rogan said, Welch pulled his support but still hopes to vote yes if the bill is strengthened on the House floor.

It’s hard to see how any amendments would bring the federal legislation on par with most state laws. The state laws may be inconsistent with one another, but they generally do a good job of ensuring that people receive a timely warning that their personal info may be in danger.

Take the case of the recent data breach experienced by health insurer Anthem. The personal information of nearly 80 million policyholders was endangered after hackers accessed a company database.

Under California’s notification law, Anthem had no choice but to disclose the breach. The state law requires that notification be made whenever the personal information of any resident is “acquired, or reasonably believed to have been acquired, by an unauthorized person.”

Anthem says it believes no medical records were accessed. But the hackers could have made off with people’s names, addresses, birth dates, Social Security numbers and employment data.

The federal bill, however, requires notification only if a business determines that there’s “a reasonable risk” of “identity theft, economic loss or economic harm.”

But the bill doesn’t specify what constitutes a reasonable risk, so it apparently would be up to each company to make that call.

Anthem says it has no evidence that any of the hacked records have been used for fraudulent purposes. Theoretically, the company thus could conclude there’s no reasonable risk of financial losses.

Under the proposed federal law, therefore, Anthem possibly could have been justified in keeping word of the massive security breach to itself.

“That’s a big concern,” Rusch said. “You don’t want to leave it up to companies to define what’s a risk to consumers.”

The federal bill also would require that businesses “maintain reasonable security measures and practices to protect and secure personal information.”

Once again, it apparently would be up to individual businesses to determine reasonable security measures and practices. Nothing is spelled out in the bill.

Among other significant differences between the federal bill and the state’s notification law, according to the Consumer Federation of California:

- The federal law would eliminate a state requirement that the California attorney general be given notice of any security breach.

- It would allow the state attorney general to file a civil lawsuit but prevent individuals from suing over a data breach.

- It would no longer require breached companies to provide free ID theft protection services, such as credit monitoring and fraud alerts.

“This is a rollback of strong state regulation of privacy and consumer protection,” said Ed Mierzwinski, consumer program director for the U.S. Public Interest Research Group. “It’s a giveaway to private interests.”

He said business lobbyists played an influential role in drafting the bill’s provisions, primarily its preemption of more comprehensive state laws and its limiting of people’s right to file lawsuits.

“Most of America already has a stronger law,” Mierzwinski said. “So if this passes, most of America loses.”
