Data theft bill a step backward
David Lazarus
Sunday, November 6, 2005
There have been dozens of security breaches this year involving millions of people's personal info, and we know about most of them because of a California law requiring that consumers be notified any time data go astray.
That could change if legislation that passed a preliminary hurdle in Congress the other day becomes law.
The whimsically titled Data Accountability and Trust Act (H.R. 4127) would pre-empt all related state laws and basically allow the companies that lose our data to decide whether or not consumers need to be told of a security breach.
The Republican-backed bill was approved in a 13-8 vote along party lines last week by the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection. It will go before the full committee next month.
"It's outrageous," said state Sen. Debra Bowen, D-Marina del Rey (Los Angeles County), a leading privacy advocate in Sacramento. "The California law is to enable people to protect themselves. If this bill passes, we'll lose that."
At first glance, H.R. 4127 appears to impose a much-needed national standard for regulation of so-called data brokers like ChoicePoint and LexisNexis, both of which have experienced security breaches involving information on thousands of consumers.
The bill states high up that companies are obliged to notify "each individual of the United States whose personal information was acquired by an unauthorized person" as a result of a "breach of security" -- in essence, a national version of California's law.
Companies also would have to inform the Federal Trade Commission that a breach has occurred.
However, on Page 12 of the 16-page legislation, "breach of security" is defined as an incident "that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates."
The bill contains no definition of what constitutes a "significant risk." It would be up to each company to determine when such a risk exists.
Consumer advocates say this one passage in H.R. 4127 would hand data brokers and other info-rich companies like banks and brokerages the latitude to decide when, if ever, a breach should be reported to customers.
"If the business concludes that there's no significant risk of identity theft, it doesn't have to notify you," said Gail Hillebrand, staff attorney at Consumers Union in San Francisco.
Ed Mierzwinski, consumer program director for Washington's U.S. Public Interest Research Group, said the legislation would effectively undo the accountability required by California's notification law and similar statutes that have been adopted elsewhere.
"Because of California, we know about ChoicePoint and all the other breaches," he said. "Industry players looked at the writing on the wall and saw the states giving people privacy rights. They figured their best bet was to get a watered-down law passed at the federal level."
The Data Accountability and Trust Act is the brainchild of Rep. Cliff Stearns, a Florida Republican. He told me that it "sets forth flexible guidelines that ensure a minimum level of security for personal data."
Stearns chairs the Subcommittee on Commerce, Trade and Consumer Protection.
For her part, Rep. Jan Schakowsky of Illinois, the subcommittee's ranking Democrat, said the notion of "significant risk" virtually negates the bill's ability to protect consumers.
"The significant risk standard is way too high," she said. "Under this standard, there would have been no notifications of any security breaches."
According to the Privacy Rights Clearinghouse, a San Diego advocacy group, there have been at least 80 security breaches since February, involving the names, addresses and Social Security numbers of more than 50 million people.
Nearly all these breaches came to light because of California's strict notification law. In many cases, companies were compelled to offer customers free credit-monitoring services and were subjected to considerable embarrassment when the data losses were reported in the press.
Rep. Ed Markey, a Massachusetts Democrat who also sits on the subcommittee, said business interests have made clear to sympathetic politicians that they don't appreciate this level of scrutiny.
"The Republicans are responding to their concerns," he said.
Among companies and business groups submitting comments on H.R. 4127 are:
-- Sunnyvale's Yahoo, which says sending out notifications of security breaches only in cases of a "substantial risk" of identity theft will prevent "over notice" of consumers.
-- Media giant Time Warner, which favors notifications only if there's a "material risk" of identity theft or physical harm.
-- Microsoft, which thinks notifications are only warranted when there's a "material chance of harm."
-- The Direct Marketing Association, which believes notifications should only be required when there's a "significant risk" of identity theft.
Then there's the American Bankers Association, representing Wells Fargo, Bank of America and other institutions that have experienced repeated security breaches affecting thousands of customers.
The association told lawmakers that because banks are already tightly regulated, "banking institutions, their parent companies and their affiliates" should be exempt from "all the provisions" of the Data Accountability and Trust Act.
Rep. Joe Barton, a Texas Republican who chairs the House Energy and Commerce Committee, welcomed the subcommittee's approval of the bill.
He said in a statement that the legislation is "an important step toward establishing uniform national data security standards that will protect consumers by thwarting the illegal activity associated with the acquisition of people's personal information."
Schakowsky, the Illinois Democrat, countered that the only thing the bill would do is strip consumers of a protection they now enjoy.
"Companies would be able to decide for themselves if consumers are at risk," she said. "This really is a case of the fox guarding the hen house."
(Originating URL: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/10/06/EDGUNF2JV01.DTL)