March 27, 2006 4:00 AM PST

Newsmaker: The politics of data security

A political spat is afoot in the halls of the U.S. Congress, where politicians say that consumers should be notified in the event of a data breach but are still arguing about the details.

On March 16, the House Committee on Financial Services voted 48-17 to approve a version of a data breach bill that's favored by many businesses. It would require consumer notification if a data breach "may result in substantial harm or inconvenience."

That's narrower than a California law, which requires notification whenever information is "reasonably believed to have been acquired by an unauthorized person." Because so many companies do business in California, that requirement has turned into something akin to a national standard.

More importantly, the House Financial Services bill would zap the California law, much as the federal Can Spam law pre-empted a more restrictive California spam law a few years ago.

Because so many states--more than 20 as of a year ago--have been considering data breach laws in response to a series of high-profile data mishaps by ChoicePoint and other companies, businesses have been warning about the difficulty of complying with a patchwork quilt of confusing and contradictory regulations.

In an interview with CNET News.com in December, RSA Security CEO Art Coviello, for instance, said: "It's very difficult to expect companies to sort through a myriad of state bills and see which ones they haven't complied with."

On the other side are liberal advocacy groups that want to keep what they view as more protective state laws and are opposing the Financial Services bill.

CNET News.com spoke with Ed Mierzwinski, the consumer program director for the National Association of State Public Interest Research Groups (U.S. PIRG), at a conference in Brussels last week about his group's lobbying efforts. Founded in 1983, U.S. PIRG has pressed for more government regulations in areas such as toy safety, banking and the environment.

Q: What are your objections to the House Financial Services version of the bill?
Mierzwinski: The data breach notification trigger is so high that we don't think that there would be any notices.

California has an acquisition standard. If you lose the information, you provide notification. That provides an incentive first not to lose the information and second, to consumers to batten down the hatches and get ready for personal identity theft.

The Senate Commerce bill (S.1408) and the House Financial Services bill use a risk trigger. There must be a substantial risk or you don't need to notify.

What's the problem with notification only when there's a risk? Couldn't there be over-notification with consumers being deluged with paper when there's no reason?
Mierzwinski: The problem is how you define it. If you read the bill, you'll find there's never going to be notification, because "substantial risk" is a shorthand for a three-paragraph definition. There must be this specific kind of risk that results in this specific kind of harm to these specific consumers. It's a very high standard.

As for the over-notification argument, we're over-notified by banks and other companies now whenever they want to market us something, whenever they want to sell us something. You can't be over-notified of a risk to your financial information. We also hope the final bill will require that the notice will be in English, clear English.

That would be a first: lawyers trying to convince government lawyers to write laws requiring lawyers to use clear English?
Mierzwinski: Exactly. Some of the notices we anticipate may not be good unless the final bill is good.

That's the first problem with the bill. The second problem is that it pre-empts stronger state laws.

So you'd rather see no bill than the House Financial Services bill?
Mierzwinski: I don't want a bill. We don't need a bill. I think we have constructive compliance on a national basis with the California law. Trying to pass a federal bill that's weaker results in no responsibilities. Companies have decided that Congress is the place to knock on the door (and excuse themselves from responsibilities).

Liberal groups such as U.S. PIRG have been agitating for more federal privacy legislation for decades. Now that it's happening, you sound a little like Federalist Paper-quoting, states-rights activists.
Mierzwinski: We don't want a form of pure federalism. We admit that. We're not purists in that regard. What we look for is for federal law to serve as a floor of protection and states to experiment with higher forms of regulation.

If the House Financial Services bill became law, would it gut the California notification law?
Mierzwinski: It would gut the California law and eight state laws (that require freezes on credit reports).

Let's LOSE This Lame Duck Congress
The time has come to take this matter in hand and put these ineffectual congressional leaders out to pasture. And with them, a second-rate President.

It is absurd to undercut California's data breach notification law, and the Congress knows this. I find it hard to understand why an intelligent, general population can't understand the current trend in Washington to favor business over the consumer's privacy.

It is also ridiculous to have fifty state laws under which business must operate, when one federal law could do the trick.

Maybe the time has come for an independent political party based on privacy. George Orwell's "1984" set the stage for what is happening in this country today, and if something isn't done, we will certainly be meeting Big Brother soon.

There is only one way to protect the use of consumers' names and personal data. Pass federal legislation to give the individual control over their name and private information, and, while we're at it, pay them when it is sold. You can read about it in my blog, The Dunning Letter, at: http://www.thedunningletter.blogspot.com.

Jack E. Dunning
Cave Creek, AZ