Posted by Randy Gainer
Many businesses favor a federal data breach law. Businesses need to respond to the perception among consumers that, if consumers provide sensitive private data to businesses, the data are at risk of being misused for fraud and identity theft. That perception has apparently contributed to a decrease in the number of consumers who are willing to provide their information, for example, to on-line businesses.
There are currently more than 20 state laws that require consumers to be notified when sensitive data are disclosed. They include several different standards for when such notices must be sent. This generally requires businesses with consumers from multiple states to apply the most restrictive standard, which is to notify consumers when there is any unauthorized disclosure. Many business officials would like to see a uniform national standard regarding the circumstances in which they must notify consumers. Because notifying consumers is expensive, may trigger class action lawsuits against a business, and causes harm to businesses' reputations and goodwill, many businesses favor a notification standard that requires that consumers be notified only when consumers are likely to be exposed to fraud or identity theft as a result of a data breach.
Issues for consumers. Consumer advocates, on the other hand, do not want businesses to be able to decide when data breaches should and should not be disclosed. They want consumers to be notified whenever there is an unauthorized disclosure so that consumers can decide whether to take steps to protect against fraud and identity theft. Raising the threshold for when notice is required effectively lets a businessperson decide when there is sufficient risk to consumers to justify notice, and therefore when consumers learn enough to take defensive actions.
Consumer advocates also want to leave the states free to pass and enforce state laws that may provide better remedies than a federal law. For example, some states' data breach laws permit consumers to file private lawsuits against companies if the company suffers a data breach. Consumer advocates claim this not only leads to more complete relief but will also motivate companies to improve data security more effectively than the threat of possible actions by federal agencies.
H.R. 3997. The bill passed this week by the House Financial Services Committee resolves all the controversial issues related to data breach notice laws in favor of businesses.
Notice: The new Section 630(e) that the bill would add to the Fair Credit Reporting Act requires notice only when it is "reasonably likely" that the disclosed data will cause "substantial harm or inconvenience" to consumers by being used to commit identity theft or fraud. Section 630(k)(11) further restricts when such notices are required by excluding from "substantial harm or inconvenience" the need to change a financial account number or close a financial account. Reading these two provisions together, no notice would be required if a consumer could avoid harm by closing accounts or changing account numbers. How consumers will know to take such steps without being notified of the exposure of their data is not addressed in the bill.
Enforcement: Sections 630(h)-(j) would give the power to enforce the bill's standards to the various federal agencies that already oversee federally regulated businesses. E.g., the Comptroller of the Currency would enforce the standards as they apply to national banks, the Director of the Office of Thrift Supervision would enforce them as to savings associations, and the FTC would enforce them as to businesses not listed in one of the seven other categories in section 630(j)(1).
Preemption: Section 630(l) states that no state may impose a requirement under state law in four areas: the responsibility to protect the security and confidentiality of consumer information; the responsibility to safeguard such information; the responsibility to provide notices of unauthorized access to such consumer information; and the duty to mitigate any loss resulting from such unauthorized access. This sweeping preemption section would nullify not only all of the 20+ state laws requiring notice of data breaches but also state laws that require businesses to have reasonable security to protect consumer data.