Rarely does a day go by without at least one company or organization having to report that personal and confidential consumer information has been stolen. The information is usually taken by a hacker compromising the company’s main network, a server, or by using information from a stolen laptop.
In July 2003, California was among the first states to take a stand against companies hiding behind a previously guaranteed veil of anonymity. The California Security Breach Information Act (SB 1386) specifies that information accessed by unauthorized parties requires mandatory and timely disclosure to the people whose information was affected. The law has been so soundly received by consumers that dozens of other states are taking it upon themselves to enact similar laws.
After the ChoicePoint debacle this year, the U.S. Congress decided to get involved. Congress was tired of companies not affected by California’s law getting away with not reporting lax security.
Finally, I thought, we will get some accountability.
Unfortunately, it appears highly likely that a weaker federal law -- which would invalidate stronger state laws like California’s -- will be passed. The Data Accountability and Trust Act, or DATA Act, defangs the primary intent of the California law and will ensure that the public will rarely be informed when their personal information has been compromised.
And the House Committee on Energy and Commerce is bragging about this.
Although the law has some new, welcome measures (such as requiring every covered company to appoint a specific person to be accountable for information security), it has three big problems:
1. It allows the company that suffers the security breach to determine, alone, if the breach will result in a significant risk of identity theft. That leaves foxes guarding the hen house.
2. It invalidates state laws allowing private citizens to sue companies that do not adequately protect their information, like the California law allows.
3. Enforcement of the law will be left up to the already underbudgeted and overworked FTC; and it specifically under-funds this initiative by providing only $1 million in additional monies. Would that even cover the paper costs of printing press releases about the new act?
The first point basically invalidates the central point of California’s law, and it doesn't make sense from a consumer standpoint. We don’t want the very same people who employed weak security in the first place and allowed our data to be compromised to be the ones who are trusted to determine if the threat is serious or not. Heck, if they could have made that determination in the first place, they wouldn’t have had such weak security.
What CEO in his or her right (business) mind would proactively notify consumers after significant damage has happened? The CEO might even be in danger of stockholder lawsuits if he or she did proactively warn consumers.
And how would a corporation define a "serious" threat? In corporate accounting, fraudulent financial statements are not restated unless the previous misstatement is 5 percent or greater (the materiality rule). Applying that reasoning to a security breach, if only 4 percent of consumer accounts out of 20 million accounts stolen are used in identity theft, does the company have to report it?
The DATA Act reminds me of the CAN-SPAM act. When we heard that Congress was going to make spam illegal, we celebrated. Then, we cried as the true contents were revealed, and we watched bad politics and corporate influence destroy any opt-in law that could have done something about the problem.
Like the DATA Act, CAN-SPAM was written to “not overly burden corporations with undue restraint” and to “prohibit costly and disruptive lawsuits.” Politicians decided to appease corporate interests while making the generally unknowledgeable public feel as though something was being done about the problem. Instead, spam has increased since the act’s release.
Some proponents of the DATA Act say that requiring consumer announcements every time consumer information is stolen will result in consumers not paying attention to the alerts. What a bunch of imaginative crock! I might barely pay attention when I hear of some company or college I don’t belong to being hacked, but when it’s my credit card company, store, or bank, I want to know -- each time, every time.
It’s precisely the threat that companies must notify consumers each time that makes the California law so useful: It finally requires that the CEO and board of directors pay attention. And, notifying all consumers is costly -- one survey I read said that notifying customers after a security breach cost companies about $70 per notification, and that 40 percent of affected customers at least considered ending their affiliation with the breached company.
The mere fact that 40 percent of affected customers considered ending their relationship with an entity begs for full disclosure of security breaches. Forty percent of people, whether it impacted them or not, thought the information important enough to affect their lives. Congress, are you listening?
The information provided on the House Committee on Energy and Commerce’s Web site says the following: “The FTC says that over a one-year period, nearly 10 million people had discovered that they were victims of identity theft. Estimated losses translated into $48 billion for businesses and $5 billion to consumers.” How many of next year’s consumers will not by notified if the DATA Act passes?
Take 15 minutes tonight to e-mail your state representatives about the DATA Act's shortcomings (H.R. 4127). The poorly written bill was passed along party lines out of a House Energy and Commerce subcommittee on Nov. 3, and it will now go on to larger votes in the Energy and Commerce committee, then the House of Representatives and the Senate.
And there is another option available: as we go to press, the Senate is set to vote on a similar bill that passed out of subcommittee, the Personal Data Privacy and Security Act of 2005, S.1332, and the related S.1789 bill. Although any exceptions supercede state laws, this proposed law has hard and fast rules over materiality (more than 10,000 personal records compromised), imposes jail terms for those who willfully neglect to notify affected consumers, and contains a lot of other very welcome language. It's not perfect, but let's hope the Senate version is pushed to the House vs. the other way around.
Next week’s column will cover some tools that can help keep your company from being one of the entities required to do notification.