Washington's tech-impaired politicians are again in the midst of a heated debate over a topic that can be better addressed elsewhere.
This time it's data breach legislation. Everyone in Washington seems to think the feds need to step in and knit together a blanket of regulations that deal with a string of embarrassing security breaches, starting with ChoicePoint and continuing through last month's debit card snafus.
Last week, the House Energy and Commerce Committee approved one version of a data breach bill beloved by liberal groups. It's far more regulatory than another version approved earlier in the month by the House Financial Services Committee.
This is where I'd usually write about the politics of the internecine debate between two committees. One bill is more onerous and requires notification of data breaches in more cases (privacy advocacy groups prefer this one). The other is narrower and requires notification only if a data breach "may result in substantial harm or inconvenience" (businesses prefer this one).
But there's a more important question afoot: Why does Congress need to get involved, anyway?
My colleague Greg Sandoval described last week how 23 states already have enacted disclosure laws requiring various forms of notification of data breaches. Still more are in the works.
Some, like California's, don't require notification if the information was encrypted. Others, like one adopted in New York, say that any data compromise that exposes personal information must be disclosed.
In other words, it's not a one-size-fits-all centralized approach, which is what happens whenever Congress gets involved and pre-empts state laws. Rather, state legislators can adopt different ideas, and the best ones stand a good chance of being mirrored elsewhere.
Put another way, anyone who supports the idea of increasing competition between corporations should like the idea of competition among different legal systems.
We don't know the optimal wording for a breach notification law. Should it merely encourage encryption, or mandate it? Is the disclosure of a home address particularly worrisome, or just the leak of a Social Security number? Should companies be required to pay the cost of credit reports for 3 months, or half a year?
These are not easy questions to answer. Rep. Joe Barton, a Texas Republican who's backing the more-regulatory version of the bill, is a former consultant for Atlantic Richfield Oil and Gas, not a privacy specialist. Rep. Joe Baca, the California Democrat who amended the bill to include a study of race in ID theft, is a former corporate public relations officer.
A 2001 paper by Bruce Kobayashi and Larry Ribstein of the George Mason University School of Law argues that federalism would be good for privacy. They conclude that federal legislation "is unnecessary and may perversely impose rigid solutions that prevent the efficient evolution of state law."
So why not let state legislators continue their efforts? One objection comes from companies like RSA Security, whose chief executive told me in December that "it's very difficult to expect companies to sort through a myriad of state bills and see which ones they haven't complied with."
That's a reasonable point. I wrote in an earlier column that some state bills could create more problems than they solve.
But if a state is extraordinarily regulatory, companies have a better chance of pointing that out to a local legislator than politicians thousands of miles away in Washington. Or companies can vote with their feet and choose to set up new data centers or offices in a neighboring state instead.
This happened in the case of Mississippi, which had a legal system that was so out of control that the American Tort Reform Association dubbed certain parts "judicial hellholes" for their stunning medical malpractice damage awards. Insurance companies began fleeing the state, and others refused to write new policies. That had a dramatic effect: In 2004, the state fixed its laws, and business is getting back to normal.
A federal law that pre-empts state law would short-circuit this useful process. It happened in 2003 when President Bush signed the Can Spam Act, which gutted a California law that actually gave individuals the right to sue spammers. Anyone want to bet that the same thing won't happen again?
Biography: Declan McCullagh is CNET News.com's chief political correspondent. He spent more than a decade in Washington, D.C., chronicling the busy intersection between technology and politics. Previously, he was the Washington bureau chief for Wired News, and a reporter for Time.com, Time magazine and HotWired. McCullagh has taught journalism at American University and been an adjunct professor at Case Western University.
Just institute a huge 'per person/file' fine on ANY personal data that is allowed to be misappropriated, stolen, or misused. The corporations that make huge money collecting same will surely close the holes and secure the info... problem solved... Right now it makes no good business sense to pay to protect the data... Or does that make too much sense for govt..??
You know an editorial is going to be bad when a columnist suggests that having twenty-three different sets of state law govern data security is a good thing. Perhaps we might be kind to McCullagh and assume that he is unaware that most companies that collect and manage personal information operate on an interstate (or even international) basis, including the "mom and pop" outfits that have discovered the Internet. Perhaps he failed high school math and hasn't quite computed the legal costs and logistical difficulties that a company -- of any size -- might incur in trying to figure out the state of the law in Mississippi and the twenty-two other states that have passed a patchwork of inconsistent laws on data breaches. Nor has he fathomed that such costs, ultimately, will be passed along to the consumer.
In the end, no one is served by multiple, inconsistent legal obligations like this. Not only does compliance generally plummet (both due to cost, but also confusion), but consumers are likely to receive multiple and inconsistent notices that vary depending on whether a state has deemed one category of information to be private, whether that state imposes notice content and timing requirements, or -- indeed, as McCullagh himself points out -- whether it factors encryption into the data breach statutory (or regulatory) analysis. At a time when the world is trying to bring down the barriers to interstate and international commerce, throwing up a welter of confusing state laws is a recipe for disaster. And it's entirely unnecessary. This is a case where Congress, as guardian of interstate commerce and comity, needs to step in and create a single, understandable, and consistent set of rules that everyone -- no matter where you live -- can rely upon, even if they count themselves among the unfortunate ones that live in the 17 states that haven't even begun to address this question. And, as Congress did with CAN SPAM, the statute can empower enforcement at the state and federal level with significant, draconian penalties including jail time. That's what the most prominent of the federal bills provide, by the way.
It should come, then, as no surprise that McCullagh thinks CAN SPAM was a bad idea. He might as well be two-for-two in the silly department. Sure, CAN SPAM put the kibosh on class action lawsuits for emails that violate the often bizarre and inconsistent requirements of the welter of state e-mail laws that cropped up while Congress was asleep at the wheel. California's was a particularly egregious nightmare of over-regulation that had no hope of quashing the real spam culprits (the illegitimate overnight and overseas spammers) and created a "gotcha game" to snare honorable businesses that didn't dot all the "i's" and cross all the "t's." The only folks served by California's law, which thankfully died before becoming active, were the predatory class action trial lawyers.
CAN SPAM serves the vital function of giving legitimate email marketers clear rules of the road for commercial emails. Where they fail, stiff penalties can be imposed by states and the FTC, and ISPs are specifically empowered to bring suit for penalties as well (and they have). Of course, neither CAN SPAM nor any of the state laws have had much effect on the real spam perpetrators, who generally don't give a damn about the law, and are likely judgment-proof anyway.
And Mr. McCullagh's naive statement that companies can avoid the bad state laws by setting up shop in other states is, frankly, ridiculous and false. These state security laws do not apply based upon where a company is located, but, rather, based upon where the customer resides. So, if you have a customer in New York, New York's security breach law governs what happens in the event that your New York customer's data may be exposed. And so, if you've got customers from all fifty states, as many of even the smallest Internet merchants do, god help you. You've got a lot of work to do. Although, given that he thinks it's all so simple, maybe Mr. McCullagh can help. Give him a call and set him to work.