Everyone agrees there are too many data breaches in our complicated, messy, modern world, so the Republican-controlled Congress has decided to do something about it by proposing weak legislation that would replace stronger laws already passed by California and dozens of other states.
H.R. 1770 started out as a bipartisan effort, co-written by Representatives Marsha Blackburn (R-Tennessee) and Peter Welch (D-Vermont). But Welch bailed on the bill, and when the House Energy and Commerce Committee passed it 29-20 last week, he voted against it.
California has arguably the most effective data security laws in the country—and they’re not very good. Myriad important deficiencies surrounding data remain unacknowledged, much less addressed.
But H.R. 1770 would seriously undermine California’s effort in fundamental ways. The bill redefines what a data breach is by requiring action only when there is a potential for “financial harm,” a significantly narrower basis than the state uses. JD Supra says it would be narrower than the law in 33 states and the District of Columbia.
David Lazarus at the Los Angeles Times wonders if Anthem Blue Cross would have disclosed the database breach that exposed 80 million policyholders earlier in the year if the federal rule had been in force. “Anthem says it has no evidence that any of the hacked records have been used for fraudulent purposes,” he wrote. “Theoretically, the company thus could conclude there's no reasonable risk of financial losses.”
Anthem had no choice under California law, which simply says notification is required if there’s good reason to believe an “unauthorized person” has acquired the data.
The federal bill would eliminate the California requirement that a breached entity notify the California Attorney General, and it would strip victims of the right to sue for damages, according to consumer rights advocates. Entities would have 30 days to notify consumers, while states have a range of times as low as 10 days.
A narrower definition of personal data could exclude some sensitive medical and health insurance information. A California requirement that victims receive identity-theft protection and mitigation services would be gone.
John Breyault at the National Consumers League said, “At a time when millions of consumers are increasingly at risk of identity theft due to massive data breaches, it boggles the mind that Congress is contemplating reducing data security protections. . . . No major consumer groups are supporting this bill.”
The “Data Security and Breach Notification Act of 2015” makes clear that its dual purpose is to protect the public “while minimizing State law burdens that may substantially affect interstate commerce.” It explicitly embraces federal hegemony over the states in a fashion once anathema to the GOP, back when it found federal policies not to its liking.
And it does so under the false pretense of increasing security.
In the end, the bill passed along political lines. None of the amendments Democrats offered were approved. Republicans promised to negotiate improvements on the House floor.