H.R. 2205 is No Cure for the Data Breach Blues

By Susan Grant, CFA Director of Consumer Protection and Privacy

12/8/15

Given the relentless news about data breaches, it’s not surprising that members of Congress are concerned and feel that federal legislation is needed. Unfortunately, H.R. 2205, which will be considered by the House Financial Services Committee today, would not help Americans much – in fact, it would actually weaken existing protections and make it harder to enact new ones. A last-minute substitute bill offered by Representative Neugebauer, which addresses some of the issues with the original legislation, still has serious drawbacks from the consumer perspective. Yesterday, CFA and other groups sent the committee a letter that describes some of the biggest problems with the bill. It would:

· Knock out state laws that are in many cases more comprehensive and stronger than the bill.

· Leave it to breached entities to decide whether or not to notify affected individuals, based on their own assessment of whether harm to those individuals is likely to occur.

· Block consumers from taking legal action, as they can in some states, to enforce their rights and get redress.

· Prevent states from enacting new laws to require better data security and from updating breach notification standards as needed.

· Eliminate key protections under the federal Communications Act for telecommunications, cable and satellite customer records and undercut the authority of the Federal Communications Commission.

There is one provision in the bill that I like. It would require covered entities to create and implement internal data security programs. If the bill had stopped there, it would have broad consumer support. But since nearly every state has a data breach notice law, there is no need for a federal data breach notice requirement, especially one that leaves out some important categories of sensitive personal data, such as location information and electronic communications, and that preempts broader definitions of personal data at the state level. Understandably, state Attorneys General have expressed their strong concerns about this legislation.

Another problem with the bill is that it would not apply to banks, which are not legally required to notify customers about breaches. This is one of the reasons why more than 100 state retail associations wrote to the committee yesterday to voice their opposition to H.R. 2205. They feel that it’s unfair that their members would have to comply with it but financial institutions would not.

State and federal agencies would also be exempt from coverage, which is ironic considering the fact that some of the biggest and most serious data breaches have involved highly sensitive information about individuals that was held by state and local governments.

If House members want to take action that would really improve consumer protections and help cure the data breach blues, they should support H.R. 2977, a bill sponsored by Representative David Cicilline, which covers a broader range of personal data, includes good data security provisions, and does not preempt stronger state laws. H.R. 2205 would leave consumers worse off than they were before.