Rarely does a day go by without at least one company or organization having to report that personal and confidential consumer information has been stolen. The information is usually taken by a hacker compromising the company’s main network, a server, or by using information from a stolen laptop.
In July 2003, California was among the first states to take a stand against companies hiding behind a previously guaranteed veil of anonymity. The California Security Breach Information Act (SB 1386) specifies that information accessed by unauthorized parties requires mandatory and timely disclosure to the people whose information was affected. The law has been so soundly received by consumers that dozens of other states are taking it upon themselves to enact similar laws.
After the ChoicePoint debacle this year, the U.S. Congress decided to get involved. Congress was tired of companies not affected by California’s law getting away with not reporting lax security.
Finally, I thought, we will get some accountability.
Unfortunately, it appears highly likely that a weaker federal law -- which would invalidate stronger state laws like California’s -- will be passed. The Data Accountability and Trust Act, or DATA Act, defangs the primary intent of the California law and will ensure that the public will rarely be informed when their personal information has been compromised.
And the House Committee on Energy and Commerce is bragging about this.
Although the law has some new, welcome measures (such as requiring every covered company to appoint a specific person to be accountable for information security), it has three big problems:
1. It allows the company that suffers the security breach to determine, alone, if the breach will result in a significant risk of identity theft. That leaves foxes guarding the hen house.
2. It invalidates state laws allowing private citizens to sue companies that do not adequately protect their information, like the California law allows.
3. Enforcement of the law will be left up to the already underbudgeted and overworked FTC; and it specifically under-funds this initiative by providing only $1 million in additional monies. Would that even cover the paper costs of printing press releases about the new act?
The first point basically invalidates the central point of California’s law, and it doesn't make sense from a consumer standpoint. We don’t want the very same people who employed weak security in the first place and allowed our data to be compromised to be the ones who are trusted to determine if the threat is serious or not. Heck, if they could have made that determination in the first place, they wouldn’t have had such weak security.
What CEO in his or her right (business) mind would proactively notify consumers after significant damage has happened? The CEO might even be in danger of stockholder lawsuits if he or she did proactively warn consumers.