Today, at a Federal Trade Commission event, the President announced support for a variety of privacy protections, most of which are laudable. While we do not know the details yet, there is much to be said for enacting, for example, an enforceable "Consumer Privacy Bill of Rights." Unfortunately, industry lobbyists will likely block passage of any meaningful final Bill of Rights proposal, but teeing it up should at least rekindle a healthy debate on the impact of the abusive Big Data anti-privacy consumer information collection system that seems to be at the center of every firm’s business model these days.
The President also reiterated his important October Executive Order requiring that all new government credit and debit cards (and card readers) must be Chip and PIN compliant to prevent existing account fraud. The chip ensures that your card is not a clone and that merchants do not save your account number in their computer; the PIN ensures your card is not being used by an imposter.
However, it remains our view that Congressional consideration of a "uniform national breach notification standard" is unnecessary and, worse, as I told the Washington Post and Cleveland Plain Dealer, will give powerful special interests an opportunity to use the proposal as a Trojan Horse to enact sweeping preemptive limits on state privacy protections. What do I base this on? Over ten years of fighting such proposals.
First, it is highly unlikely that Congress will enact a federal breach law as strong as the strongest state laws (probably California, New Jersey and Connecticut). These states do not require any proof of "risk of harm" before notifying consumers. Industry would prefer a bill with a "harm trigger"; this essentially means that the company that loses your information gets to decide whether to warn you! Industry also wants the threat of harm to be narrowly written to include only "financial" harm, not including, for example, harm to your good name or even harm caused by increased risk of stalking.
Unless firms are threatened by the loss of their own good name or reputation, they have very little incentive to protect your good name.
And as for the ridiculous arguments that it is just too hard for firms to comply with our current "patchwork quilt" of rules, why not comply nationwide with the best? That's not hard. The laws don't actually conflict; complying with the best means you are complying with all of them.
But the bigger problem with federal data breach legislation is that pursuit of what is essentially an extremely narrow uniform national breach notice goal becomes a legislative vehicle for enacting sweeping limits on any and all state privacy efforts. Effectively, federal breach law proposals provide a big Trojan Horse for the financial industry to hide its other preemption efforts inside.
Will industry support a federal “uniform” breach law based on the strongest state laws? Of course not. They will support a federal breach standard based only on the weakest parts of state laws, but with the broadest, most sweeping limits on future state privacy actions. Win for them, loss for privacy and federalism.
In my testimony (PDF) last year before both the House and Senate, I explained this problem based on language in one of the industry-supported bills, sponsored by Senator Tom Carper (DE). My testimony explains other key breach law considerations, but let's take a quick look at Senator Carper's preemption language in S.1927.
SEC. 7. RELATION TO STATE LAW.
No requirement or prohibition may be imposed under the laws of any State with respect to the responsibilities of any person to—
(1) protect the security of information relating to consumers that is maintained or communicated by, or on behalf of, the person;
(2) safeguard information relating to consumers from potential misuse;
(3) investigate or provide notice of the unauthorized access to information relating to consumers, or the potential misuse of the information, for fraudulent, illegal, or other purposes; or
(4) mitigate any loss or harm resulting from the unauthorized access or misuse of information relating to consumers.
So, in return for a "uniform data breach notice standard," powerful special interests want to take states completely off the privacy protection beat. That's too high a price to pay. More here on what should be done instead.