This year, 1 in 10 Americans received a letter saying a U.S. company had somehow lost their personal data. What could be worse than that? Not getting the letters. Never knowing the data was lost or leaked or exposed. That's one possible outcome of legislation being considered by Congress right now.
The Data Accountability and Trust Act, which was approved by the House Commerce, Trade, and Consumer Protection Committee on Thursday in a straight party-line vote, would reduce both accountability and trust. It is the first privacy bill to reach this stage, but it still faces several hurdles before it becomes law.
Earlier this year, dozens of companies had to fess up that they'd leaked personal data, all because a California law forced their hands. For the first time, consumers got a glimpse at how fragile their privacy is. But federal legislation under consideration would undercut the California law, and other state laws like it. The fragility of our privacy would slip back into the shadows, and once again become a tightly guarded secret.
As it was written for Thursday's vote, the Data Accountability and Trust Act would grant consumers fewer privacy rights, not more. To explain the problem: if the bill had been in effect earlier this year, it's possible consumers never would have found out about ChoicePoint, LexisNexis, or the other 75 data breaches that exposed some 50 million identities.
At issue is the "trigger" that would force companies to disclose data breaches. Congress is considering a very high standard for that trigger. The mere discovery of lost data is not enough; the consumer must be deemed at "significant risk" of a crime. Who does the deeming? Whose finger is on the trigger? The company.
That's a much less consumer-friendly standard than California's state law – the one that shone a light on the ChoicePoint data leak earlier this year. It's also a higher bar than the laws passed this year by some 20 other states in the wake of the ChoicePoint incident. But if Congress passes its version, it will override all of those state laws, a tactic known as preemption.
Who knows what LexisNexis et al. would have done if such a law had been in effect last year. But it's easy to imagine that many of those firms would have decided the lost data tapes or computer hacks didn't pose a significant risk to consumers. No California law, no notices.
Few experts believe there was a sudden collapse in computer security this year. Rather, there was a sudden bout of truth, thanks to California's state law. Were that law preempted, we would likely end up back in the dark.
There are two other bills working their way through congressional committees, both on the Senate side. One, introduced by Sen. Arlen Specter, R-Pa., has a slightly better standard for disclosure notices. Firms don't necessarily have to tell consumers that their data has been lost. But if they don't tell, they have to give federal officials some proof that the missing data isn't being used to harm consumers. That's a start.
Who are the commercial data brokers?
But in other ways, all the legislation misses the point. The ChoicePoint data leak story was not really about identity theft. It was about this: "Who the hell is ChoicePoint, and why is it making money selling my personal information?" People who had never heard of ChoicePoint were furious when they discovered how much this company knew about them, and how much money it was making brokering the information. The nation suddenly woke up to the commercial data broker industry.
Now, consumer groups want explicit rights to check up on what ChoicePoint and other firms know about them – a free ChoicePoint report, to go along with that free credit report. And consumers want to know exactly who knows what about them.
To its credit, ChoicePoint does make much of its data available to consumers. But there are hundreds of little ChoicePoints in the world, most of which you've never heard of. New laws would give consumers the right to fix errors in their background reports, but how can you fix errors when you don't know which company has them?
Without a centralized list of companies to check, consumers have no idea who is buying and selling their information. The Data Accountability and Trust Act doesn't deal with this critical problem.
Nothing is better than something
The DATA bill is also silent on overseas data handling. U.S. firms regularly send people's personal information to countries such as China, India, Mexico and Thailand, to name just a few. U.S. privacy regulations have no force there, and consumers have no rights and scant assurances of safety. Ignoring that crucial element of the issue is a serious oversight that would leave a gaping hole in any privacy rights legislation.
One side note: the bill as currently written exempts the federal government from any notification requirements. In other words, the government wouldn't have to tell consumers if it lost their data. A classic "do as I say, not as I do" situation.
Of course, it's not clear any data bill will be passed this year. Congress is absorbed by a few other matters.
But for once, a distracted Congress might be a good thing. This is one case where nothing may be better than something. Any federal bill that erodes rights granted by California legislators, and more recently by dozens of other legislators around the country, would do more harm than good.