Breach Bill Still Too Weak, Consumer Groups Say

With the Data Security and Breach Notification Act headed to the floor of the U.S. House of Representatives for a full vote, some digital rights and privacy groups say the bill should be at least as strong as the state breach-notification laws it will replace — and it’s not.

The bill, which would require U.S. businesses to notify customers within 30 days after a confirmed data breach if their data might have been compromised by it, would pre-empt several states’ stronger breach notification laws, and would remove privacy protections of telephone company account records, the consumer rights groups said. The bill was approved by the full House Energy and Commerce Committee on Wednesday (April 15).

Laura Moy, senior policy counsel of the New America Foundation’s Open Technology Institute, told the IDG News Service that the bill is “weaker than the data security and breach notification standards that consumers currently enjoy under stronger state laws and existing federal law. We aren’t opposed to efforts to establish a uniform national standard for data security and breach notification, but the new standard shouldn’t be weaker than the status quo.”

Among the concerns: The bill would eliminate breach notification requirements for text message histories, cable and satellite viewing histories, and some health information, Moy said, adding that it would also stop the FCC from enforcing data security and breach notification requirements with telecom providers.

Concerns about the bill in its amended form were strong enough that one of its original sponsors, Democratic Rep. Peter Welch of Vermont, voted against it. Earlier this month, a dozen groups including Consumers Union, the Electronic Frontier Foundation and the Open Technology Institute outlined their concerns in a letter to the House Energy and Commerce Committee, saying the bill would “do more harm than good” to consumers whose information was stolen.

But committee Republicans said they’re still negotiating with critics on possible changes, and pointed out that the bill had substantial input from Democrats and affected industries. Retailers and other business and tech groups have lobbied for years for a national standard for data breach notifications to replace a patchwork of state notification laws, some of which conflict with each other. In January, President Barack Obama called on Congress to pass a bill.