It’s my experience that the more fuss businesses kick up about consumer-related legislation, the more likely it is such a bill is needed and would be an effective deterrent to bad practices.
That seems to be the case with a bill scheduled to be heard this week in the California Senate, SB 1121, which would make it potentially very costly for businesses to play fast and loose with people’s personal information.
The bill would make it easier for consumers to sue companies that haven’t put adequate safeguards in place. If there’s a security breach, consumers could seek up to $1,000 “per consumer per incident or actual damages, whichever is greater.”
That’s some serious teeth, and would go a long way toward encouraging businesses to beef up efforts to keep people’s personal info under wraps — which they should be doing already but which, as can be seen in near-daily reports of breaches, clearly isn’t the case.
The California Chamber of Commerce wasted no time in branding SB 1121 a “job killer,” which it isn’t. If anything, the bill creates jobs by incentivizing companies to improve their data-security resources.
It’s also opposed by, among others, the California Bankers Assn., the California Cable and Telecommunications Assn., the California Hospital Assn., the California Retailers Assn., the Personal Insurance Federation of California, and the Securities Industry and Financial Markets Assn.
In other words, the bill has drawn the wrath of just about every business group that represents companies hoarding customers’ data and, in many cases, profiting from selling and sharing that information with marketers.
“The opposition is pretty fierce,” said state Sen. Bill Dodd (D-Napa), the bill’s author. “They’re putting everything into fighting it.”
But he told me the business world’s concern is misplaced. This isn’t about punishing companies. It’s about rewarding them for doing well.
“If you take reasonable steps to protect consumers’ data, this bill will not negatively affect you,” Dodd said. “If you don’t, it will.”
Backers of the legislation include the American Civil Liberties Union of California, the Congress of California Seniors, the Consumer Federation of California and the Privacy Rights Clearinghouse.
A key feature of the bill is to clarify that “consumers,” not just “customers,” are covered by state data-breach protections. This is significant. It vastly expands the scope of a company’s responsibility to the public.
The Equifax breach is a case in point. The credit agency has reported that Social Security numbers and other information related to about 148 million Americans were stolen by hackers. But hardly any of those people would be considered “customers” of the company.
SB 1121 clarifies that even in such circumstances, if you’re affected by a security breach, regardless of your relationship to the hacked entity, you have rights.
Among those rights under the bill is for “any consumer” to be able to “institute a civil action to recover damages.” That’s another biggie. It ensures a right to file a lawsuit and to join in class actions.
Damages could be sought if a company is found to have been lax in applying data-security measures or to have failed to notify consumers in a timely manner.
Moreover, a lawsuit could be filed as much as four years after a breach, giving consumers ample time to determine if the incident resulted in fraud, identity theft or damage to one’s credit score.
These all strike me as reasonable measures, creating greater accountability for businesses that, more often than not, simply assume they can do with people’s information whatever they please.
“I’m not asking for perfection from business,” Dodd said. “But there are never any consequences, so data breaches keep happening over and over and over. There need to be consequences.”
A spokeswoman for the California Chamber of Commerce declined to comment. But she shared with me a letter the organization, along with other opponents of the bill, recently sent to the Senate Appropriations Committee, which is scheduled to vote Friday on SB 1121.
As is typically the case when companies face a greater risk of litigation, the letter declares that “the only beneficiaries of SB 1121 would be consumer class-action attorneys — and they stand to benefit greatly if this bill is adopted.”
It’s a tiresome argument. Yes, there would be class-action lawyers seeking to profit. Routine corporate settlements of legal disputes encourage such behavior.
But the undeniable fact is that class actions represent consumers’ single most-powerful tool in holding businesses accountable for their actions (or non-actions, in the case of privacy safeguards).
The letter says “SB 1121 would unquestionably result in a barrage of ‘shakedown’ data breach cases in California,” and that the financial risk to businesses “would be staggering — enough to put companies out of business.”
In case you missed it the first few times, the letter then repeats that “SB 1121 would inevitably result in enormous payouts to consumer attorneys.”
Got that? Good for attorneys = bad for consumers.
Dodd had a simple answer to business’ concerns about an increased threat of litigation.
“If they do what they should be doing,” he said, “this shouldn’t be a problem.”
Dodd’s bill says that “a business that owns, licenses or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure.”
Thus, a company that’s following industry best practices for data security can readily argue that it did everything reasonably expected of it to keep consumers’ information safe. A company that drops the ball, security-wise, is in trouble.
Again, look at Equifax. After the breach came to light, it turned out that the company had been using out-of-date software with known security weaknesses. The software vulnerability was first spotted in March 2017, and a coding patch was immediately made available for all systems running the software.
The breach of Equifax’s system occurred in mid-May, meaning that for two months the company, with files on nearly every American consumer, did nothing to protect itself from hackers. It said it didn’t discover the attack until July.
Dodd’s bill would hold such a company’s feet to the fire for failing to take reasonable precautions — and it would send a powerful message to other businesses with the sort of “staggering” financial repercussions that give the California Chamber of Commerce the heebie-jeebies.
And you know what? I have no doubt those other businesses would get the message but quick, and they’d do whatever’s necessary to clean up their own act.
That’s what Dodd’s bill is trying to accomplish.