Posted by KM Das
Consumer Union, the U.S. Public Interest Research Group, the Consumer Federation of America, the Center for Democracy and Technology, Consumer Action, and the Privacy Rights Clearinghouse have joined together to write to the leadership of the U.S. House of Representatives to express their dissatisfaction with H.R. 3997—the Financial Data Protection Act. Although the vote on H.R. 3997 has now been postponed until at least September and possibly until after the November elections, the letter from the consumer groups highlights yet again two things—Congress’s inability to pass a data breach notification and/or data security bill more than seventeen (17) months after the ChoicePoint data breach and the concerns that consumers have about preemption of state laws that are seen as offering stronger protections and rights to consumers.
Consumers and consumer groups have expressed concern that the House leadership is leaning towards adopting H.R. 3997 and not H.R. 4127—the Data Accountability and Trust Act (the “DATA Act”). Some of the complaints about H.R. 3997 include:
- the fact that companies are required to inform individuals about a data breach only if the company decides that the breach is “reasonably likely” to result in actual identity theft or account fraud. The consumer groups have dubbed this the “don’t know, don’t tell” policy; and
- the fact that H.R. 3997 preempts stronger state data breach notification laws.
In contrast, the DATA Act requires any entity that experiences a breach of security to notify consumers in the United States whose information was acquired by unauthorized persons as a result of the breach unless the entity can show that there is no reasonable risk of harm. The DATA Act also preempts state laws but only those laws that address information security practices similar to those required under the DATA Act. The DATA Act also creates new consumer rights, including the right to review and dispute data held by data brokers such as ChoicePoint.
In reaction to Congressional inaction, Consumer Union and the Public Interest Research Groups have even drafted a Model State Clean Credit and Identity Theft Protection Act.
Although I believe that any federal data breach and data security law that is finally passed will have to preempt state laws to some extent to address the myriad and sometimes contradictory state laws (see, e.g., the CAN-SPAM law as a model of this form of preemption), it is clear that H.R. 3997 is not the answer. Hopefully Congress will pay attention to the concerns expressed by consumers and consumer groups and pass a data breach and data security bill that is closer to H.R. 4127 than H.R. 3997.