Federal Data Breach Legislation: A Step Backward for Consumers

Data breaches make the news almost daily, and it is highly likely you have been the victim of one or more. In 2015, both the White House and Congress have responded to the attention surrounding data breaches. The most recent effort is a draft bill in the House of Representatives by Rep. Blackburn (R-TN) and Rep. Welch (D-VT) called the “Data Security and Breach Notification Act of 2015.” While all this attention sounds promising, the bill as written would reduce the protections most consumers already receive.


UPDATE (April 14, 2015): Six California privacy and consumer organizations sent a letter to the California members of the House Energy and Commerce Committee urging them to vote “no” on the draft federal Data Security and Breach Notice Act of 2015. To read the letter, visit: http://www.prnewswire.com/news-releases/california-privacy-advocates-urge-defeat-of-federal-data-breach-notice-bill-300065963.html


Data breach laws are not a new concept. The purpose of breach notification is to alert individuals that their personal information has been compromised, so that they have the opportunity to take steps to reduce their risk of identity theft.


There are 47 state data breach notification laws. There are also federal laws that address data security and breaches of certain health, financial, and communications information. The draft bill, according to its authors, aims to reduce the burden on breached companies, which must comply with 47 separate laws, by creating a single federal law that would preempt the current state laws, many of which are stronger than this draft bill. It would also prevent states from passing new data breach notice laws in the future to protect their residents.


In addition, the draft bill would only require notice to consumers when limited types of data are breached and the breached company itself determines that there is a reasonable risk the breach would result in identity theft, economic loss or economic harm, or financial harm. In our opinion, breach victims often suffer harms that cannot be characterized as financial or economic in nature, and leaving that determination to the breached company gives it every incentive to conclude that no notice is required.


For example, California law requires notice if a user name or email address in combination with a password or security question and answer is breached. The draft bill would likely not require notice in this situation, because such credentials are not financial account information. Yet think about how much important information is contained in your email, and how often the same password is reused on other accounts, including financial ones.


As an organization that interacts directly with individuals, PRC is very concerned with the notion of reducing an individual’s opportunity to protect their data and to learn when it has been compromised. We find that when people receive notice of a data breach, they want to take action. It also prompts them to learn more about personal data privacy and security.


This draft bill has many shortcomings beyond those mentioned in this post, and other public interest organizations have issued statements, published analyses and guidance, and even testified before Congress about it. If you are interested in more information, please contact us.