The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Federal data-breach bill weaker than many states’ laws

David Lazarus Los Angeles Times

It’s called the Data Security and Breach Notification Act of 2015, and, if passed into law, it would be the first federal rule requiring businesses to let consumers know that their personal information may be in the hands of hackers.

Sounds good, right?

It’s not.

Dozens of states, including California and Washington, already have similar laws on the books that are stronger and more comprehensive than the proposed federal law. But the federal law would pre-empt all state laws.

The bill would eliminate existing data-breach protections for pay-TV and Internet customers. Right now in California, for example, people must be notified if there’s any unauthorized access to information on shows or channels watched.

The bill also would require notifications only in instances of financial harm, rather than the broader requirements of many states, such as violations of personal privacy in the form of hacked emails or corporate databases.

“The last thing Congress should be doing is tying the hands of states,” said Emily Rusch, executive director of the California Public Interest Research Group.

The House Energy and Commerce Committee approved the bill last week. The 29-20 vote was along party lines, with Republicans advancing the legislation to the House floor.

The bill was written by Rep. Marsha Blackburn, R-Tenn., and Rep. Peter Welch, D-Vt. Its stated goal is to “replace the current patchwork of laws with a single, national standard for protection and notification.”

“It’s imperative that we take action to prevent hackers’ success and provide safeguards to consumers to protect their virtual selves if and when their data is compromised,” Blackburn said after the legislation was introduced last month.

Welch said at the time: “Most Americans would be shocked at how inadequate current laws are at safeguarding their sensitive financial information.”

Yet Welch voted against his own legislation last week.

Bob Rogan, Welch’s chief of staff, told me the congressman believed he had an understanding with Republicans that the bill would be strengthened before a committee vote, “particularly with respect to preserving in some fashion the authority of states to protect consumer health information.”

When no such changes were made, Rogan said, Welch pulled his support but still hopes to vote yes if the bill is strengthened on the House floor.

It’s hard to see how any amendments would bring the federal legislation on par with most state laws. Those state laws may be inconsistent with one another, but they generally do a good job of ensuring that people receive timely warnings that their personal information may be in danger.

Take the case of the recent data breach experienced by health insurer Anthem. The personal information of nearly 80 million policyholders was endangered after hackers accessed a company database.

Under California’s notification law, Anthem had to disclose the breach. The state law requires that notification be made whenever the personal information of any resident is “acquired, or reasonably believed to have been acquired, by an unauthorized person.”

Anthem says it believes no medical records were accessed. But the hackers could have made off with people’s names, addresses, birth dates, Social Security numbers and employment data.

The federal bill, however, would require notification only if a business determines there’s “a reasonable risk” of “identity theft, economic loss or economic harm.”

Yet the bill doesn’t specify what constitutes a reasonable risk, so it apparently would be up to each company to make that call.

Anthem says it has no evidence any of the hacked records have been used for fraudulent purposes. Theoretically, the company thus could conclude there’s no reasonable risk of financial losses.

Under the proposed federal law, therefore, Anthem possibly could have been justified in keeping word of the security breach to itself.

“That’s a big concern,” Rusch said. “You don’t want to leave it up to companies to define what’s a risk to consumers.”

The federal bill also would require that businesses “maintain reasonable security measures and practices to protect and secure personal information.”

Once again, it apparently would be up to individual businesses to determine reasonable security measures and practices. Nothing is spelled out in the bill.