On Thursday, 13 September, the House Financial Services Committee is to consider the latest in a long series of data security, privacy and data breach bills that Congress takes up annually at the request of the banks. These Trojan Horse bills come galloping in with few, if any, consumer protections riding in the saddle, but massive and permanent elimination of stronger state laws hidden in the belly of the beasts. Expect committee debate to feature much hand-wringing over "balkanization" and "patchwork quilts" and the need for a federal standard, goshdarnit, so long as it is one that doesn't do much (other than take away the state laws that do protect consumers).
The proposal, HR6743, the Consumer Information Notification Requirement Act (Luetkemeyer (MO)), might also be called the “Equifax Protection Act.” Why? The bill would protect banks and other "financial institutions" from stronger state privacy laws. That sweeping definition of "financial institutions" to be exempted from stronger state laws includes Equifax and the other credit bureaus, the payday lenders and the debt collectors. Yikes.
We've joined a letter from over 28 state and national consumer, civil rights, civil liberties and privacy organizations to oppose HR6743, the Consumer Information Notification Requirement Act, to be considered. The committee notice includes a reference to the bill as filed and an anticipated substitute (our letter refers to the sponsor's substitute). This substitute will be presented as narrow and perfected and necessary. Actually, it is cleverly written to weaken current federal breach notice requirements for banks and other "financial institutions" while simultaneously throwing all state data security, data breach and other data privacy laws under the bus.
Our letter points out that the bill is unnecessary since every state already has a breach notice requirement. Most are stronger than the federal scheme that the bill amends. More importantly, we point out that the bill is unacceptable because it reverses the longstanding federal provision know as the Senator Paul Sarbanes (MD) amendment to the Gramm Leach Bliley Act of 1999. The Sarbanes amendment has allowed new and innovative state privacy laws to flourish for 20 years now. We wouldn't have the 2018 free credit freeze if a freeze law hadn't been passed in nearly every state beginning in the early 2000s. Worse, HR6743's intent is not merely to have one national breach notice requirement for financial institutions, but to take away all other state data security and privacy harm laws, as well as eliminate any stronger breach notice laws.
The letter explains that the bill requires notice only when the company that failed to protect your information determines a breach is "reasonably likely" to result only in a specified “harm,” here defined narrowly to mean only “identity theft, fraud or economic loss.” Yet as the letter goes on to point out, states are innovating in recognizing that data breaches cause many more harms preempted from accountability and notice by HR 6743, than these limited financial harms:
"There are many non-financial harms that can result from a data breach, such as harm to dignity from the compromise of nude photos, or harm to reputation from the compromise of personal email. A breach could even lead to physical harm, such as if logs of a domestic violence victim’s calls to a support hotline were to fall into the wrong hands. By weakening the notice standard in the overwhelming majority of states, this law would cause consumers to stop receiving notifications about breaches that they currently have a right to hear about today— breaches that could lead to physical or emotional harm."
"Many states are innovating in these areas and also protecting more forms of information – not simply financial – from misuse. For example, several states have established biometric privacy and medical information privacy laws; others have protected log-in credentials for online accounts and electronic signatures. Further, states could more quickly respond to new or emerging harm threats than Congress, as they have numerous times in the past, if they are not preempted."
Of course, if Congress were really trying to improve the laws, it might consider holding Equifax and other firms accountable to their privacy victims. After, it was just over one year ago that Equifax finally announced to 145 million plus consumers that they'd been careless and, oops, failed to fix a known and well-publicized security vulnerability and then lost our financial DNA, also called the "keys to identity theft." Our release and new report "Equifax Breach: One Year Later" last week gave you tips on how to protect yourself. Don't wait for Congress to protect you. This anticipated vote is on a bill that says: we don't want to hold Equifax accountable; instead we want to immunize banks, debt collectors, payday lenders(!), Equifax and others from stronger state laws. At a time of rampant corporate mishandling of personal information, this bill will wrongly take state consumer cops off the privacy and data security beat.