I don't know how anyone expects any different from the Republican Congress, but that doesn't make it any less harmful what Cliff Stearns, Republican of Florida's 6th district (House site, campaign site) is about to do. Stearns, hillariously the Chairman of the Commerce, Trade and Consumer Protection Subcommittee, is pushing through HR 4127, named [ahem] the Data Accountability and Trust Act (DATA). This is a boondoggle for big business and eliminates consumer notification requirements that 19 states have put on in case of a security breach at, say a credit card company or an Internet service provider (such as Yahoo or Microsoft) or any company that stores consumer data. Microsoft, Yahoo, and Entrust are supporting this bill; the Consumers Union is strongly opposed. True to each political party's vision, Stearn's subcommittee passed this by a party-line 13-8 vote. Let me follow up about a California law that is the Gold Standard, the details and problems of HR 4127, and some measure of how to stop this (the usual yada yada about contacting the whole Energy and Commerce committee). I was first drawn to this particular story from a Security Watch email from CNet News.com, a respected technology news and software resource. Senior Editor Robert Vamosi wrote a great article, titled Congress Loves Identity Theves, outlining the threats posed by HR 4127, and pointing out that a much better and stronger senate version, S. 1789, appears to be stalled. Vamosi talks about a California law that Congressional action would override (Stearns is trying to establish national standards and eliminating state ones in order to get data mining companies on board), California SB 1386, that was enacted into law in 2003. I will let Vamosi describe it for you:
Passed in 2003, California law SB 1386 states that any organization conducting business with California residents must notify those individuals if files containing their names, addresses, and other personal information have been breached. Chances are very few of the customers contained within the breached data files have ever suffered actual identity thefts. The numbers, in the millions, are rough estimates of potential victims, not reported ID thefts... For the companies, California SB 1386 revelations have proved embarrassing and costly. For CardSystems, for example, American Express and Visa have pulled their relationship with the card company, and MasterCard is said to be considering similar action.So basically, the problem data companies have is when they carelessly lose your data, they are forced, in California, to disclose this to the consumers who are affected, and hence it gets in the media and causes them some headache and costs them business. And so they have a solution. Pass a federal law, eliminating that requirement and saving face while they continue to play frisby with your personal data. So what do they do? Again, Vamosi explains:
The House DATA bill would require companies to contact customers only when there is a "reasonable basis to conclude that there is a significant risk of identity theft." No longer would disclosure be automatic or compulsory (with some minor exceptions), as it is under California's SB 1386; instead, whenever a company feels there is a threat to its customers, the company will let you know... Under the DATA law, companies are required to have an individual responsible for personal privacy and to report breaches to the Federal Trade Commission, but public disclosure isn't required. If a tree falls in a forest and no one's around, does it still make a sound? It does if you're the one having your identity stolen. [emphases mine]David Lazarus of the San Francisco Chronicle agrees, along with California's premier consumer protection lawmaker, Debra Bowen:
"It's outrageous," said state Sen. Debra Bowen, D-Marina del Rey (Los Angeles County), a leading privacy advocate in Sacramento. "The California law is to enable people to protect themselves. If this bill passes, we'll lose that."...So much for states rights, huh? The Consumers Union, in a letter to Stearn's Subcommitee, explains the problem point by point:
First, its so-called breach trigger for notice to individual consumers is nearly insurmountable. We doubt whether any of the breaches affecting over 50 million Americans in 2005 alone would have required notice had this bill been law. The bill requires a “reasonable basis to conclude that there is a significant risk of identity theft” before individual notice is required. Several problems arise with this “don’t know, don’t tell” construct:
• First, identity thieves often wait for months after a breach before striking, making it difficult for anyone to evaluate the risk to individuals until their identities are already stolen. Stolen data may also be sold to multiple people, putting individuals at greater risk. • Second, if a risk assessment is inescapable, the “significant risk” of the present trigger is simply too high a threshold for notification. Individuals who are at some risk still need to be informed. • Third, the trigger leaves companies off the hook from notification when they do not know whether individuals are at risk. At the very least, companies should have to notify individuals unless they make a written certification to a government agency that individuals are not at risk • Fourth, a trigger that allows the breached entity to decide whether individuals are at risk will not work. The breached entity may have an incentive not to disclose the breach. • Fifth, there are harms other than identity theft that could result from a breach of information, for example, stalking and domestic violence. • Sixth, including a risk standard within the definition of “breach of security” undercuts the definition of a breach.
There you go. Consumers are left at the mercy of when companies believe there is a "reasonable basis to conclude significant risk of identity theft," and an FTC that's part of an administration that will sell out your country to the Chinese in order to benefit their corporate bosses.Now, is there a better bill in Congress? Yes, there is. It's Senate resolution 1789, sponsored by Sens. Specter, Feinstein, Leahy and Feingold. Vamosi of CNet tells us why 1789 is legislation with some teeth in it:
S 1789 would create one unified law for all 50 states, but it would allow potential ID theft victims to put a seven-year fraud alert on their credit report (currently this is available for actual ID theft victims only). The Senate bill also carries stiff penalties for companies and organizations that fail to inform potential victims of ID theft: the bill asks for $1,000 per individual, not to exceed $50,000 per day per company or organization.But of course, big business doesn't like it when consumers and the press raise a stink about them losing your data, so that bill is stalled. HR 4127 (the bad, anti-consumer, pro-data-loss bill) now goes before the full Energy and Commerce Committe of the House, chaired by Joe Barton of TX-6th. John Dingell of Michigan is the ranking member of that committee. You can send the full committee your comments, or look up all the members, and contact them individually (especially the Republican ones, as it seems that this is a party-line thing). Oh and if one of these members is your Congressperson, be sure to call their local office, too. I think it's important to let them know these points:
- YOU want to know whenever there is even a single letter lost from your data stored anywhere. It's YOUR data, and YOU want to know of even what the companies consider small or insignificant breach of your data. YOU get to decide what's significant, not them.
- Consumer protection and consumers' right to know when their data may be in geopardy trumps data wirehouse big business face-saving.
- The people's right to know (via the press) when a data company messes up trumps that data company's profit interests.
- Well intentioned businesses who are doing their best to be reputable with their customers are handicapped if they cannot find out which data companies are unreliable to handle their customers' data. Those businesses do not deserve to be penalized.
- Whatever law Congress passes, those should be minimum standards, and states must be allowed to impose additional ones as they see fit.