Two leading bills intending to dictate when and how companies notify customers about data breaches are more pro-business than pro-consumer, some critics say.
The Data Security and Breach Notification Act and the Data Security Act, both U.S. House of Representatives bills designed to override communications network security rules currently enforced by the U.S. Federal Communications Commission, as well as data breach notification laws in more than 45 states, would let businesses opt out of sending customers notifications about breaches they determine aren’t likely to cause substantial harm.
They could also prevent states from passing laws to protect consumers against new security threats, contend several groups, including Consumers Union, the Center for Democracy & Technology, and the Privacy Rights Clearinghouse.
The FCC “protections are so much stronger than what’s allowed in these bills,” said Chris Lewis, vice president of government affairs at Public Knowledge.
But “the No. 1 problem,” said Laura Moy, senior policy counsel at the New America Foundation’s Open Technology Institute, is that “there are some very strong state laws on the books.” These bills “broadly pre-empt all state laws on breach notification and data security.”
The Data Security Act, approved by the House’s Financial Services Committee this month, “does not improve the level of protection for consumers,” 18 consumer and privacy groups said in a letter to the committee. “On balance, [the bill] would do consumers far more harm than good.”
A House Energy and Commerce subcommittee approved the Data Security and Breach Notification Act in March, but the bill has stalled since then.
Congress has been trying to pass a data breach notification law since 2005, after a rash of high-profile data breaches. Arguments over which categories of breached information must be reported and whether a federal law should pre-empt state laws have sidelined federal efforts.
Data breach laws could become weaker
In the absence of congressional action, more than 45 states have passed their own data breach notification regulations, and recent efforts have focused more on deregulation—replacing the inconsistent state laws with overarching federal policy—than on consumer protection.
Sponsors of the two bills say Congress needs to pass a nationwide breach notification bill to protect consumers and to eliminate conflicting state laws for businesses. With a continuous flood of data breaches, the legislation is needed, Rep. Marsha Blackburn, R-Tenn., said earlier this year.
“Consumers want assurances that their data and their virtual [identities] will be protected in cyberspace,” said Blackburn, sponsor of the Data Security and Breach Notification Act. “The American people are asking Congress to take some action and provide some clarity.”
In addition to pre-empting strong state laws and moving data breach enforcement for communications providers from the FCC to the Federal Trade Commission, the bills would eliminate protections for cable-viewing records, text messages, and other information, Moy said.
Consolidating data security regulations at the FTC, which has brought more than 50 data breach complaints against U.S. companies in the last 15 years, makes sense, former FTC Chairman Jon Leibowitz counters.
Both of the leading House bills protect consumers by obligating businesses to implement data security programs, added Leibowitz, now co-chairman of the 21st Century Privacy Coalition, a group of communications providers. Blackburn’s bill also gives the FTC, which Leibowitz characterized as the country’s “principal privacy enforcement agency,” new authority to impose fines for data breaches.
“Data inherently moves as interstate commerce,” Leibowitz said. “If you look at the FTC’s body of work, I think you can make a pretty strong case that the FTC is the right agency to do this.”