Thursday, March 30, 2006

Another Weak Data Breach Notification Law Moving Through Congress

Yesterday, the House Energy and Commerce Committee voted 41 to 0 to move a new data breach notification bill to the full House for a vote. The bill, HR 4127, named the Data Accountability and Trust Act (DATA), would supposedly require companies that store consumer data in electronic form to notify consumers when their data is exposed without their permission. But once again, the special interests have managed to get the law written in such a way that it would usurp state laws. And among the 23 states with data breach notification laws on the books, at least eight of them set the bar significantly higher than DATA would.

The real issue with DATA is that the notification provision of the law specifies that companies would have to notify consumers about data exposure when there is "reasonable risk" of identity theft. While this is a significant improvement over the bill's original language (which specified "significant risk"), it still leaves a considerable amount of wiggle room for the companies that are storing consumer data.

The bill does not define "reasonable risk", and leaves it to individual companies to do so. This does not compare favorably to some state laws that require consumer notification for virtually any data breach, such as in California and New Jersey.

Another real problem with the law is that it would exempt companies that use data encryption from having to make notification to consumers. The bill automatically assumes that encrypted data would be safe. ACCESS considers this to be a very large loophole in the law and a big mistake by Congress.

The bill would also remove any right for individuals to file lawsuits to recover damages caused by a data breach. Likewise for class action lawsuits.

To be fair, the bill does have some improvements over other proposed laws. It would allow each of the country’s State Attorneys General to enforce the law. A number of proposals currently under consideration in Congress would remove the right of state enforcement.

The bill would also force data brokers like ChoicePoint and Lexis-Nexis to allow consumers to examine their data files once a year. And just as with credit reports, consumers would have a right to correct erroneous data.

DATA does not address the issue of credit freezes, as some other proposed laws do. This omission may very well benefit consumers since most of the credit freeze bills being considered by Congress set a particularly weak standard.

The bill would offer new protections to people in 27 states that don’t have data breach laws, but these protections would come at the expense of laws in other states. Unfortunately, DATA joins a growing list of proposed legislation that is being heavily influenced by money from the financial services industry and from data brokers. These laws are being proposed with one particular goal in mind: set a weak federal standard and at the same time make it illegal for the states to set higher standards.

As this year’s legislative session drags on, it is becoming less likely that any federal bills will be passed into law for data breaches or credit freezes. And because next year is an election year, it may be more difficult for Congress to pass any law that is seen as weak on identity theft or non-consumer friendly.

There are currently seven bills in Congress that deal with various aspects of identity theft and which have passed out of committee for a vote. None of these bills are currently scheduled for a full floor vote. If any of them are passed by both houses, a compromise committee of Senators and House members would have to work out the differences in proposed legislation.
