"Hackers steal personal information about millions of Americans" has become a distressingly familiar headline in the 21st century, as online thieves have repeatedly siphoned off customer data from retailers, financial services firms and other corporations. Now, a House committee is advancing a bill to set national standards for how companies should defend themselves against intrusions and how they should respond to data breaches. Unfortunately, the current version's proposed standards would eliminate some important protections for consumers that other state and federal laws provide.
There have been more than 4,000 notable data breaches in the last decade, by the House Energy and Commerce Committee's count, and about 40 failed attempts in Congress to craft a legislative solution. Over roughly the same period, 14 states have passed laws requiring companies that collect sensitive personal information to meet minimum standards for deterring theft, and 47 states have enacted laws requiring companies to notify customers when their information is stolen. The Federal Trade Commission has also sued companies that failed to take “reasonable and appropriate” steps to protect customers' data.
The House bill by Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) that the Energy and Commerce Committee approved last week would confirm the FTC's enforcement authority, which has been under attack, and allow state attorneys general to bring their own claims against companies that don't adopt “reasonable and appropriate” data security measures. That's good. But it would also preempt the various state notification requirements in favor of a national one that would apply only to breaches that could lead to identity theft or economic loss. This narrower standard could leave consumers in the dark when personal but non-financial information is stolen, such as when health-related information is taken from a fitness chain or log-ins and passwords are taken from an email service. It also would wipe out the Federal Communications Commission's authority to set and enforce rules protecting the personal information collected by phone, cable TV and Internet services.
Considering how previous data security bills have fared, Blackburn and company may be trying not to doom their latest proposal by overreaching. But there's no point in a federal bill if it doesn't make consumers better off than they are under state law. If Congress is going to make the FTC the main enforcer of data security, it should give the agency the authority to adopt rules to guide companies and adapt to new threats, rather than confining it to bringing enforcement actions. And if it's going to take states out of the picture, its notification requirements should apply as broadly as the state laws do. Otherwise, the law will serve the interests only of the companies whose servers are raided by hackers, not the consumers whose data the hackers are stealing.