Trade Law Daily is a service of Warren Communications News.

State Preemption Problems Posed by Data Security Bill

An overwhelming majority of state attorneys gen. opposes a bipartisan push for the Financial Data Protection Act, among several consumer data safety bills Congress could act on this session. HR-3997 stands to preempt state power to enact and enforce existing state breach notification and security freeze laws, a House financial services subcommittee heard Wed.


Attorneys gen. from 47 states and the Hawaii Office of Consumer Protection wrote to House leaders, telling them Rep. LaTourette’s (R-O.) legislation fails to meet standards they have for a strong national law. The group wants consumers to get notice anytime a breach occurs, without proof of potential for actual harm, Vt. Assistant Attorney Gen. Julie Brill said. Banks and credit card firms claim mailboxes would be stuffed with notices, causing consumers to ignore an important notice about their data being hacked.

A breached entity doesn’t know what use will be made of data lost, Brill said. “The benefit of the doubt should be given to the consumer,” she said, saying HR-3997 imposes “complex and high barriers to consumer notice.” The claim that consumers would ignore crucial mailings hasn’t come to fruition “in the trenches of the ID theft war,” where Brill said a profusion of alerts has been an important educational tool.

Attorneys gen. also want the ability to enforce any U.S. law, but HR-3997 doesn’t give them that right, Brill said. This is “rather inexplicable” since the bill is based on the Fair Credit Reporting Act (FACTA), parts of which attorneys gen. can enforce. FACTA also lets states enact security freezes when necessary, a provision LaTourette’s bill also would preempt, she said. “In the event that this law is not strong, we think we'd be better off without any law,” Brill told lawmakers.

Privacy Times Publisher Evan Hendricks said HR-3997 would be a major step backwards in the fight against ID theft and securing consumer privacy. If Congress acts, it should be with thorough, thoughtful legislation, he said. Passing what he called “the Titanic Deck Chair Reorganization Act” won’t make consumers more secure in the long run.

Other witnesses endorsed the bill. The U.S. Chamber of Commerce said it offers “a sound framework for development of stronger consumer protection.” Above all, Congress should set a uniform national standard on data security, customer notice and related issues, attorney Karl Kaufmann said on behalf of the Chamber. Such a standard should be enforced “solely by the appropriate federal agencies,” he said. Witnesses from America’s Community Bankers (ACB), the American Financial Services Assn. and the Financial Services Coordinating Council also lauded HR-3997.

But the cost of protecting consumers from risks from a breach worried ACB’s Josie Callari, senior vp-Astoria Federal Savings & Loan. The committee has taken the right first step, proposing to require that the party responsible for the breach bear the cost of sending notices, but notices are only a small part of the cost, she said. Reissuing credit and debit cards is a huge cost, as is closing accounts at risk, Callari said. For a community bank with thousands of cards affected, those costs can mount quickly, and fall upon the institution, she said.

ACB members worry about the lack of a limit on how long an inquiry into a possible data breach can take. Without guidance, investigations could ramble on, leaving consumers at risk, Callari said. But legislating a hard inquiry period isn’t wise because each instance is unique and requires a different response, so regulators should give guidance on the appropriate length of an investigation, she advised.

Lawmakers’ Varying Reactions

The relative rarity and limited scope of data breaches don’t keep them from sapping consumer confidence and hurting online commerce, said Financial Institutions & Consumer Credit Subcommittee Chmn. Bachus (R-Ala.). No data protection program is perfect, but Congress has to make sure firms take reasonable steps to protect consumers, he said.

Rep. Sanders (I-Vt.) voiced grave concern about the bill. He said the bill would preempt state notification laws, now on the books in 21 states, and overturn consumer credit report freeze provisions in 12 states. States are “laboratories for democracy” and if they want to pass laws stronger than the federal standard, they should have that right, Sanders said. He favors the Consumer Data Security & Notification Act (HR-3140), introduced in June by Reps. Bean (D-Ill.) and Davis (D-Ala.), which wouldn’t preempt state consumer protection laws.

HR-3997’s most vocal critic may have been Rep. Frank (D-Mass.), an HR-3140 cosponsor who cited the state attorneys gen. letter and a kindred petition by the National Assn. of Insurance Commissioners as evidence that the bill needs work. The bill could weaken the Gramm-Leach-Bliley Act, leaving consumers “worse off than before,” Frank said. On the other hand, HR-3140 closely mirrors the approach urged by numerous state attorneys gen., Frank said.

Since data insecurity doesn’t recognize state lines, the country needs a national solution, Rep. Moore (D-Kan.) said. But he warned colleagues to “react to this very real problem without overreacting.” Rep. Green (D-Tex.) raised questions he said hadn’t been answered fully: Who should decide if the harm threshold has been met -- consumers or breached entities? Should harm trigger consumer notice or should consumers always get notice unless there’s no risk of harm?

Whatever the outcome, it must be reached swiftly, said Rep. Hooley (D-Ore.). “ID theft represents a fundamental threat to e-commerce, the overall economy and homeland security,” she said. Those who steal consumer data online are “no longer just hobbyist hackers. ID theft is big business,” Hooley said. Rep. Bean added that by considering multiple approaches, including her HR-3140, “we'll arrive at a stronger final product.” The full committee plans to mark up HR-3997 in Jan. or Feb.