You are hereHome >
We Warn Congress: After Equifax, Firms Will Step Up Trojan Horse Efforts to Eliminate State Privacy Laws
I made several key points:
First, that the Equifax breach was among the worst ever because the firm lost your financial DNA. Your Social Security Number is the key to identity theft: it doesn't change and may become more valuable to thieves over time, unlike a merchant breach of a credit card number, which has a limited shelf life.
Second, that I am incredulous that Equifax, a data broker with only one job -- buying and selling consumer information -- had such an epic fail in protecting that information and then responding to its epic fail.
Third, I extensively explain the data broker and Big Data universes where consumers have no rights to control the collection and sale of their personal information. We are products, not customers.
Fourth, I point out out that while Equifax credit reports are highly regulated, its data security practices -- including financial DNA protection -- and its massive non-credit reporting data broker businesses are not.
But the bulk of my testimony explains that although the severity of the Equifax breach demands policymakers enact stronger, not weaker, consumer protections, Congress is considering industry-backed bills to preempt, or override, numerous stronger state data breach and data security protections. Worse, the bills have a kicker: most permanently take the states off the board as privacy first responders and innovators. From my testimony:
The other problem with enacting a preemptive federal breach notification law is that industry lobbyists will seek language that not only preempts state breach notification laws but also prevent states from enacting any future data security or privacy laws. This is the Trojan Horse problem. A small federal gain should not result in a big rollback of state authority. As one example of a Trojan Horse provision I call your attention to a bill approved by this committee in the last Congress. HR 2205, the Data Security Act of 2015 (Neugebauer), included sweeping preemption language that is unacceptable to consumer and privacy groups and likely also to most state attorneys general. While I note that this bill has numerous other objectionable provisions, which I am happy to discuss, its sweeping preemption language is illustrative of long-sought industry goals to take states off the board.
I pointed out that numerous critical provisions of California, Massachusetts, Illinois, Texas and other state breach notification laws would be eliminated as would 17 state laws that include a consumer private right of action to sue data breach notification law violators. I go on to associate my remarks opposing preemption with those of several consumer and state assistant attorney general colleagues who made similar points at a continuation of the Equifax hearing last week, which also featured my U.S. PIRG colleague Mike Litt's testimony on the need for a free national credit freeze right for all to restore some control to consumers. After all, we are not credit bureau customers; we are their product. Beware industry lobbyists bearing gifts.
Your donation supports Maryland PIRG's work to stand up for consumers on the issues that matter, especially when powerful interests are blocking progress.