After years of bipartisan cooperation on laws to protect consumer privacy, debates in Congress over protecting Americans’ personal information are becoming more partisan and, thus, more controversial. As a result, the outcome of future privacy legislation is less certain, making it harder for CIOs to predict what they will have to do to comply with new rules.
In November, the House Energy and Commerce Committee voted along party lines to send a consumer privacy bill—the Data Accountability and Trust Act (DATA)—to the House floor. It was the first time any federal security or privacy legislation had caused such a divide, observes Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker.
The bill, sponsored by Rep. Cliff Stearns (R-Fla.), would establish nationwide rules for companies when notifying customers of a data security breach that exposes their personal information such as names, addresses, credit card numbers and Social Security numbers. The Senate is considering a similar bill.
The law would preempt existing state laws and, according to privacy experts and Democrats, would weaken them. For example, unlike California’s notification law, which requires that companies tell customers of any security breach, DATA would require notification only if company executives determine there is “a significant risk” that information has been stolen. As such, scoffs Rep. John Dingell (D-Mich.), DATA’s notification provisions are actually “no notice” provisions.
Many companies, because they have customers in California, base their notification practices on the California law. Republicans say their bill will provide relief for these companies because it would cut down on notices about breaches that do not expose consumers’ data. But the bill could create work for CIOs because it requires companies that store consumers’ personal data to identify security vulnerabilities and establish a method to mitigate them, something state laws do not demand.
Lawmakers will continue to wrangle over the measure this year. Meanwhile, Dayanim says, companies that store data from individuals from multiple states need to err on the side of caution and consider any security breach as requiring notification.