Privacy has become a partisan issue in the U.S. In the past, bills written to protect consumers’ private information typically got the backing from both Republicans and Democrats. Last May, for example, the House passed an antispyware bill 395-1. But now Republicans and Democrats are drawing clear lines on what they support.
At the center of the debate is the Data Accountability and Trust Act (DATA), which is at the House Energy and Commerce Committee. If passed, the House bill would require companies nationwide to notify their customers if a security breach occurs that exposes stored personal information such as names, addresses, credit card numbers and Social Security numbers. But most privacy experts say it will hurt consumers because it will trigger fewer privacy breach alerts.
The Senate is considering two other major bills, all of which would preempt state laws. That means undoing California’s SB 1386 law of 2002, considered the nation’s toughest and de facto standard, since it requires companies doing business with any California resident to notify customers if a security breach exposes personal information–even if there is no evidence the personal information was stolen.
“There is huge pressure from industry to get Congress to preempt state data breach notice laws,” says Chris Hoofnagle, counsel for the Electronic Privacy Information Center. “It’s quite a mess now.”
In November the House Energy and Commerce Committee’s Subcommittee on Commerce, Trade and Consumer Protection passed DATA by a strict party-line vote, 13-8. This vote marked the first time any major federal data security legislation had created such a partisan divide, says Behnam Dayanim, of the international law firm of Paul, Hastings, Janofsky & Walker.
Democrats and privacy advocates argue that the House bill will effectively gut the California law by lowering the breach notification standard. DATA requires companies to notify customers only if company executives determine there is “a significant risk” that data has been stolen, rules that Rep. John Dingell (D-Mich.) scoffed were actually “no notice” provisions.
Republicans say the bill will reduce frivolous notices. But because the House bill makes the Federal Trade Commission the enforcement agency, critics say its small staff–compared to various state attorneys general–won’t be able to keep up with breaches nationwide.
Other bills pending do more for privacy than states do. Some filed bills, for example, require companies storing personal data to identify security vulnerabilities and a method to mitigate them, whereas states do not require such work. It all adds up to a murky future for federal privacy legislation.