Chapell & Associates

Friday, November 04, 2005

Parties Split on Data-Protection Bill

Washington Post - November 4, 2005
House Democrats and Republicans split sharply yesterday over how to best protect consumers' personal data, as legislation to curb the persistent scourge of identity theft and fraud began to move on a fast track on Capitol Hill. In a 13 to 8 vote along party lines, a subcommittee of the House Energy and Commerce Committee approved a bill that would require information brokers to submit plans for safeguarding private data to the Federal Trade Commission for monitoring and review.

The Chapell View
Right now, we often hear about data breaches because of California's SB 1386, which requires all companies that do business in the state to disclose -- at least to residents of California -- when stored consumer information has been potentially compromised.
The California law uses a pretty broad determination for when notification is required. Companies need to disclose the data breach whether or not there is any demonstrated harm to consumers. The breach itself is enough to warrant disclosure. And this is good: when companies are required to declare data breaches, they have an incentive not to allow them to happen - so the California law, at least in theory, should be preventative (as companies won't want to be shamed by a data breach) as well as helpful to consumers.

It probably makes sense to enact federal legislation, since the California law doesn't cover all companies. But the proposed legislation in the House isn't exactly ideal.

It does, to its credit, require companies to alert consumers when their data has been compromised. But only when it's truly compromised, or when there's a "significant risk" of this having happened. We can probably expect this to be only when a company knows that a specific consumer has, in fact, had their sensitive information breached.

One of the positive aspects of the California law is that it requires companies to inform the public in general when a specific breach occurs. The proposed Federal bill would seem to require disclosure only when there's "significant risk" of identity theft or fraud. I'm not convinced that this standard is in the best interests of consumers.
posted by Isaac on Friday, November 04, 2005

© 2005 by Alan Chapell & Associates LLC