A bipartisan group of 32 state Attorneys General, led by Illinois AG Lisa Madigan, sent a joint letter last week to the House Financial Services Committee leadership opposing the draft “Data Acquisition and Technology Accountability and Security Act” (the link also includes opposition testimony from the Massachusetts Attorney General's Office), a bill that PIRG has also been opposing. The bill incorporates numerous aspects of previous Trojan Horse privacy laws pushed in Congress.
What has brought together 20 Democratic and 12 Republican state consumer cops against this bipartisan proposal, co-sponsored by Congressman Blaine Luetkemeyer (R-MO) and Congresswoman Carolyn Maloney (D-NY)?
As the letter points out, the proposal “...appears to place Equifax and other reporting agencies and financial institutions out of states' enforcement reach. This bill totally preempts all state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.”
The draft bill requires merchants, telecoms and some others to notify the public when they are hacked. But it exempts firms already covered under the Gramm-Leach-Bliley Act of 1999, which includes all banks and “other financial institutions”, including Equifax and the other big credit bureaus. Under GLBA, they do not have to provide breach notices, only breach response plans. It would also override and replace stronger requirements that many states already have in place.
More from the letter: “Consumers must know right away if their data has been compromised so that they can take pro-active steps to protect themselves from identity theft before it happens, not after the fact.” We agree!
In detailed testimony to the committee before the draft bill was circulated, U.S. PIRG outlined the numerous flaws in predecessor legislation. Privacy expert Laura Moy of the Georgetown University Law Center's Center on Privacy and Technology explained to the committee that states are securing more kinds of information (for example, location and biometric data) and protecting consumers from many more types of harm, including physical harm (a domestic abuser could track a previous victim after a data breach).
This bill is the worst of both worlds. If these industries want a uniform standard, which is often the selling point behind this and other bad federal data breach bills we’ve seen before, they could take the strongest state laws and apply them to all consumers across the country; they don’t need Congress for that. This is simply an attempt to set weaker federal law as the ceiling for what states can do to protect consumers.