Earlier this year, I wrote about several major data breaches at ChoicePoint, then LexisNexis. Headlines screamed how thousands--and in the case of CardSystems, millions--of individuals had their names, social security numbers, and other personal information exposed to god-knows-who. These revelations came only because of a California law, SB 1386, which requires companies to inform California residents if any data breaches occur. The Senate is currently considering a national version of the California law, but a weaker House of Representatives bill is rapidly gaining influence in Congress. If the House bill passes and becomes law first, future data breach revelations will be silenced, and data thieves will be free to run amok.
California SB 1386 is the gold standard
Passed in 2003, California law SB 1386 states that any organization conducting business with California residents must notify those individuals if files containing their names, addresses, and other personal information have been breached. Chances are very few of the customers contained within the breached data files have ever suffered actual identity thefts. The numbers, in the millions, are rough estimates of potential victims, not reported ID thefts. But they're an important insight into the unregulated data warehouse industry, where your purchases at Wal-Mart, combined with your driving history and online newsgroup postings, could someday determine whether you get a job or get that promotion you've long deserved.
For the companies, California SB 1386 revelations have proved embarrassing and costly. For CardSystems, for example, American Express and Visa have ended their relationships with the card processor, and MasterCard is said to be considering similar action. In the case of CardSystems, it was probably an outside attacker using a rootkit, but with LexisNexis and ChoicePoint, the breaches occurred because customers or employees manipulated the rules. According to the FTC, data breaches such as the above examples cost businesses about 48 billion dollars last year. And it's the cost to businesses, not individuals, that appears to have motivated Congressman Cliff Stearns (R-Florida) to push through his recent changes to HR 4127, the Data Accountability and Trust Act (DATA).
Here comes HR 4127
According to Stearns's press release, "This bill will help ensure that personal data are accounted for, secured, and actively protected against breaches by empowering consumers and businesses to promote the notion that security sells." On the surface, HR 4127 DATA sounds good, but let's dig a little deeper, since any new federal law would automatically replace California's SB 1386.
The House DATA bill would require companies to contact customers only when there is a "reasonable basis to conclude that there is a significant risk of identity theft." No longer would disclosure be automatic or compulsory (with some minor exceptions), as it is under California's SB 1386; instead, whenever a company feels there is a threat to its customers, the company will let you know. No more pesky headlines of millions of people affected by data loss. No more mass mailings of "your personal data may be at risk."
There are two dangerous consequences. One, you won't know that your data was compromised unless you've requested your free annual credit report or you find yourself turned down inexplicably for a loan or a job. Two, we will have no metric to understand how serious the problem is. Under the DATA law, companies are required to have an individual responsible for personal privacy and to report breaches to the Federal Trade Commission, but public disclosure isn't required. If a tree falls in a forest and no one's around, does it still make a sound? It does if you're the one having your identity stolen.
A dangerous course is set
On November 3, 2005, a House subcommittee heard a number of amendments, some of which were designed to strengthen the federal legislation. But the House Commerce Subcommittee on Commerce, Trade, and Consumer Protection rejected a provision that allowed customers to view, verify, and correct their personal data. It also rejected provisions that required the companies that leaked your personal information to either pay to monitor your credit report for one year or pay to have your credit report locked.
What did make it into the bill is scandalous. For example, should you become an ID theft victim because of a data breach, you could always sue the company that leaked that information, right? Not so. Congressman Stearns recently passed legislation banning lawsuits against firearms manufacturers. So it is not surprising that the Stearns-amended DATA bill prohibits you from suing data warehouse companies, such as LexisNexis, should they accidentally allow thieves to obtain your personal information.
And the winner is...not you
"This bill will help ensure that personal data are accounted for, secured, and actively protected against breaches by empowering consumers and businesses to promote the notion that security sells," stated Representative Cliff Stearns in a recent press release. Big business agrees. HR 4127 DATA is endorsed by Microsoft and Entrust. They like the fact that DATA would give all 50 states the same law. Time Warner and the Direct Marketing Association also favor the bill for similar reasons. And according to David Lazarus in the San Francisco Chronicle, Yahoo endorses the bill, saying it would prevent an "overnotice" of customers.
HR 4127 has already cleared its initial House subcommittee by a straight party-line 13-to-8 vote. A full committee vote has not yet been scheduled, but Representative Joe Barton (R-Texas), chairman of the House Committee on Energy and Commerce, says he hopes to push the legislation through soon.
Senate version AWOL
While the House rushes through its law, where's the significantly better Senate version that I first wrote about last April? Sponsored by senators Arlen Specter (R-Pennsylvania), Dianne Feinstein (D-California), Patrick Leahy (D-Vermont), and Russ Feingold (D-Wisconsin), S 1789 would create one unified law for all 50 states, but it would allow potential ID theft victims to put a seven-year fraud alert on their credit report (currently this is available for actual ID theft victims only). The Senate bill also carries stiff penalties for companies and organizations that fail to inform potential victims of ID theft: the bill asks for $1,000 per individual, not to exceed $50,000 per day per company or organization. Like the California law, the Senate bill would exempt companies that contact law enforcement immediately after discovering a database breach until the investigation is complete. But while Judiciary Committee chairman Specter promised action on S 1789 by the end of the year, that seems unlikely now that his committee will soon be holding Senate hearings on a new associate justice to the Supreme Court. Of the two bills, I would much rather see the Senate bill made into law.
Let's stop HR 4127
Let's stop HR 4127 in its current form. Asking unregulated data warehouse companies to decide when and if they should inform you of any breaches is absurd. How many identities must be stolen before the U.S. government steps in and protects consumers and their right to privacy? Consumers Union opposes this bill, and at least 47 states' attorneys general have indicated they plan to oppose the bill as well. The choice is clear. Let's stop HR 4127 and urge the Senate to pass S 1789 instead.
Should you be notified whenever your personal data is stolen from a data warehouse? Talk back to me.