Washington, D.C. – Yesterday Consumer Federation of America (CFA) and sixteen other consumer organizations sent a letter to the House Financial Services Committee opposing H.R. 2205, the Data Security Act of 2015, which the committee will vote on today. Noting that the substitute bill offered by Representative Neugebauer addresses some of the concerns about the legislation as initially introduced, the groups said that on balance it would still do consumers far more harm than good. “This bill is a step backwards,” said Susan Grant, CFA’s Director of Consumer Protection. “While some of the provisions, such as requiring covered entities to implement data security programs, are helpful, H.R. 2205 fails to improve the level of protection that consumers already have under their state laws and would prevent states from enforcing those laws and from enacting new protections as needed.”
In the letter, CFA and other groups described the key problems with the substitute bill as currently written:
- H.R. 2205 would eliminate stronger existing state protections and prevent future state innovation. The Data Security Act of 2015 would supersede all state laws on data security and breach notification—including those protecting personal information not covered by this bill. For example, the legislation would squelch new and developing laws in several states extending data security and breach notification protections to online account login information, including email accounts and cloud photo storage. The bill does not cover information about an individual’s geographic location or electronic communications. Biometric data is covered but only to the extent that it can be used to gain access to financial accounts. It is unclear whether “medical information” would include the broad range of data that is collected about individuals’ physical or mental health through websites and wearable devices.
- H.R. 2205 would eliminate means of redress currently available to consumers in many states. Not only would this bill eliminate stronger existing state protections, but it would also eliminate virtually all avenues of redress for consumers. For example, the law in some states currently provides consumers with a private right of action, and enables state attorneys general to seek restitution on behalf of consumers harmed by data breaches. But if this bill were to pass, state attorneys general would be limited to seeking civil penalties and injunctive relief, even in cases where consumers suffer extensive harm as a result of a breach of highly sensitive information. This would provide harmed consumers with no relief.
- H.R. 2205 would eliminate critical flexibility to adapt data security and breach notification standards to address shifting threats. The bill would prevent states from innovating to protect their citizens as new security threats evolve by passing notification requirements for new data sets or developing other, non-breach related, data security rules. It also does not include a compensating mechanism, such as agency rulemaking, that would provide a streamlined process by which data security and breach notification protections could be extended to types of information that become the basis for widespread attacks in the future. In the era of the Internet of Things and ever-expanding cloud services, it would be a crucial mistake to hamstring states’ ability to quickly innovate new protections for their citizens.
- H.R. 2205 would eliminate key protections under the Communications Act for telecommunications, cable, and satellite records. The Communications Act contains very strong data security and breach notification protections for information about customers’ use of telecommunications services, such as phone call histories and location data. It also protects cable and satellite subscribers’ information, including their viewing histories. But as with email login information and photos, this bill is too narrow to cover that information. It would simply eliminate crucial federal data security and breach notification protections for telecommunications usage information and cable and satellite viewing histories.
- H.R. 2205 would tie breach notification to a “harm trigger” that is much narrower than existing laws in the majority of states. The trigger standard set forth in the bill is weaker than the laws in seven states and the District of Columbia—which it would invalidate. There are many negative consequences that can result from a data breach, such as harm to dignity from the compromise of nude photos, damage to one’s reputation from the compromise of personal email, or harm to family integrity by the publication of private conversations between parents and children. A breach could even lead to physical danger, such as if logs of a domestic violence victim’s calls to a support hotline were to fall into the wrong hands. While there should be reasonable exceptions to a notification duty in situations where the data has been rendered unusable, such as when it has been encrypted, it should not otherwise be up to the breached entity to decide if harm is likely to occur. By creating a national trigger standard, this law would cause some consumers to stop receiving notifications about breaches that they currently have a right to hear about today.
Rather than replacing state laws with a weaker standard and preventing states from taking stronger measures, the groups said that a federal bill should offer greater protections than exist under the law today, such as expanding the definition of personal information meriting breach notification, imposing data access requirements that would enable consumers to check the accuracy of the information collected about them, and comprehensive privacy legislation. In addition to CFA, the letter was signed by the Center for Democracy & Technology, Center for Digital Democracy, Center for Economic Justice, Common Sense Kids Action, Consumer Action, Consumer Watchdog, Consumers Union, National Association of Consumer Advocates, National Consumer Law Center (on behalf of its low-income clients), New America’s Open Technology Institute, National Consumers League, Privacy Rights Clearinghouse, Public Citizen, Public Knowledge, U.S. PIRG and World Privacy Forum. “We appreciate the fact that House members are concerned about the epidemic of data breaches,” said Ms. Grant. “This legislation is not the right cure, however, and will leave consumers worse off than they were before.”
Contact: Susan Grant, 202-939-1003
CFA is an association of more than 250 nonprofit consumer groups that was founded in 1968 to advance the consumer interest through research, advocacy and education.