The Washington PostDemocracy Dies in Darkness

Why this national data breach notification bill has privacy advocates worried

(AP Photo/Damian Dovarganes)

Nearly every state has its own law on when consumers must be told that their data has been stolen in a cyber breach -- but there's no single national standard that covers all intrusions. The patchwork of state laws has raised concerns, especially in the wake of breaches that have hit retailers and the medical field in recent years. Even President Obama has raised the alarm.

One proposal to address the situation, the Data Security and Breach Notification Act, being considered by the House Energy and Commerce Committee on Wednesday would try to change that.

[Obama proposes legislation on data breaches, student privacy]

But some privacy advocates are worried.

Why? Because the bill's current form, they say, would actually leave consumers worse off by undercutting stronger state laws and eliminating some national level protections they now enjoy.

"Fifty-one states or territories have some sort of data protection legislation on the books -- 38 would see the data protection breach notification diminished in some way because this is a preemption law," said Rep. Jan Schakowsky (D-Ill.).

Breach notification standards in the current form of the bill hinge on actual or potential financial harms, she said, although many states have laws with lower thresholds for notification, such as in the event of any unauthorized access or when there is a potential risk to consumers, even if it's not specifically financial.

Privacy advocates also have concerns that the bill, which would shift enforcement on some types of breaches from the Federal Communications Commission to the Federal Trade Commission, would cut out some current protections for consumer data held by cable and telephone companies.

Currently, those companies must notify consumers of any breach involving private information -- regardless of financial harms. Internet providers, too, may soon be subject to similar rules if a recent change to how the FCC regulates broadband providers withstands legal challenges.

[The real net neutrality lawsuits are finally here]

This is important because communications information can be particularly revealing -- and potentially used to inflict damage that goes beyond the financial sphere. “This bill would remove core protections and eliminate some of the FCC's authority to require data security, as it relates to things like order histories for cable or satellite video on demand services -- which can reveal potentially sensitive personal information, like sexual preferences," said Laura Moy, senior policy counsel at New America's Open Technology Institute. Other information, such as who consumers send text messages to and when, would also lose protections, she said.

Rep. Peter Welch (D-Vt.) -- one of the co-sponsors of the bill -- said there is "policy agreement" among the legislation's supporters to make sure there aren't any consumer gaps in coverage due to the jurisdictional change. "We have been constantly working on the language to make sure that doesn't happen," he said.

Rep. Marsha Blackburn (R-Tenn.), Welch's co-sponsor, did not directly address criticisms of the bill's breach notification aspects in response to a Post inquiry, and instead focused on data security aspects of the legislation. "Every American deserves to have their personal information protected, but right now only 12 states have data security requirements," she said in an e-mailed statement. "We want to provide strong protections to everyone, and we go even further than most of the states that do have security laws."

Welch argued that financial crime is the primary motivator for most data breaches and that the current patchwork of state level breach notification laws leaves consumers exposed. If a consumer in one state is affected by a breach in a company based in another state, he said, it's unclear how jurisdiction might apply.

"I am usually, almost uniformly opposed to preemption -- but this is an instance where unless you have a national standard you won't have protection," he said.

But Moy said the current system actually creates a sort of race to the top -- where most companies must comply with the strongest of state laws. "While there might be some cases where brick-and-mortar stores are just doing business in their own states and wouldn't be affected by laws elsewhere, the most sensitive electronic data is held by companies doing business online that are subject to the laws of many states."

It's not that privacy advocates have a problem with a uniform national standard on data breach notification, she said, "but the problem with this particular one is that it's actually weaker than the protections many consumers already have."