By Susan Grant, CFA Director of Consumer Protection and Privacy, 12/8/15

Given the relentless news about data breaches, it’s not surprising that members of Congress are concerned and feel that federal legislation is needed. Unfortunately, H.R. 2205, which will be considered by the House Financial Services Committee today, would not help Americans much – in fact, it would actually weaken existing protections and make it harder to enact new ones. A last-minute substitute bill offered by Representative Neugebauer, which addresses some of the issues with the original legislation, still has serious drawbacks from the consumer perspective.

Yesterday, CFA and other groups sent the committee a letter that describes some of the biggest problems with the bill. It would:

· Knock out state laws that are in many cases more comprehensive and stronger than the bill.
· Leave it to breached entities to decide whether or not to notify affected individuals, based on their own assessment of whether harm to those individuals is likely to occur.
· Block consumers from taking legal action, as they can in some states, to enforce their rights and get redress.
· Prevent states from enacting new laws to require better data security and update breach notification standards as needed.
· Eliminate key protections under the federal Communications Act for telecommunications, cable and satellite customer records, and undercut the authority of the Federal Communications Commission.

There is one provision in the bill that I like. It would require covered entities to create and implement internal data security programs. If the bill had stopped there, it would have broad consumer support. But since nearly every state has a data breach notice law, there is no need for a federal data breach notice requirement, especially one that leaves out some important categories of sensitive personal data, such as location information and electronic communications, and that preempts broader definitions of personal data at the state level. Understandably, state Attorneys General have expressed their strong concerns about this legislation.

Another problem with the bill is that it would not apply to banks, which are not legally required to notify customers about breaches. This is one of the reasons why more than 100 state retail associations wrote to the committee yesterday to voice their opposition to H.R. 2205. They feel that it’s unfair that their members would have to comply with it but financial institutions would not. State and federal agencies would also be exempt from coverage, which is ironic considering that some of the biggest and most serious data breaches have involved highly sensitive information about individuals that was held by state and local governments.

If House members want to take action that would really improve consumer protections and help cure the data breach blues, they should support H.R. 2977, a bill sponsored by Representative David Cicilline, which covers a broader range of personal data, includes good data security provisions, and does not preempt stronger state laws. H.R. 2205 would leave consumers worse off than they were before.