A new cyber security bill that would require companies that gather personal data to notify their customers within 30 days of any data breach took one step closer to becoming law Wednesday when the House Energy and Commerce Committee approved a draft of the legislation. However, the proposed bill might ironically lead to weaker security standards, according to some privacy advocates and consumer groups.
There’s no doubt that information security is a hot topic now with companies like Sony Pictures Entertainment (SNE) and JPMorgan (JPM) reeling from recent data breaches. The new bill, dubbed the Data Security and Breach Notification Act, is intended to address this problem by ensuring that consumers are told when a data breach occurs, echoing comments by President Obama in January.
But because the bill imposes a single national standard on businesses that collect customer data, privacy advocates are worried that existing state laws requiring notification will fall by the wayside as companies switch to the new federal regulations.
On Tuesday, six California privacy and consumer groups urged the House Energy and Commerce Committee to oppose the bill by citing California’s existing data-breach notification law from 2003 that they say is among the strongest in the country. Clearly, their argument failed to persuade the committee members, who passed the bill by a vote of 29 to 20.
Part of the problem with the new bill, according to consumer advocates, is language that says businesses won’t have to disclose breaches to customers if they discover that “there is no reasonable risk of identity theft, economic loss, economic harm, or financial fraud.”
This could provide companies with an excuse to decide against disclosing breaches that they unilaterally deem financially insignificant to their business. Indeed, many companies that have been hacked haven’t had their finances and bottom line impacted much at all.
Laura Moy, a senior policy counsel at the Open Technology Institute, a part of the New America Foundation public policy think tank, reportedly told the Washington Post that the federal bill essentially weakens breach-notification standards for states with tougher laws.
For example, companies operating under stringent state breach-notification laws are required to tell consumers when their information was compromised, regardless of any financial implication. The data covered might include “things like order histories for cable or satellite video on demand services,” Moy said. Although no real financial harm is caused to the consumer if such information leaks, the data could “reveal potentially sensitive personal information, like sexual preferences,” she added.
Additionally, the new bill has its share of Congressional critics, including some Democrats who believe that the bill is moving too fast.
“All of these things need a lot of time and work … I would like to see the process slowed down,” said Congressman Frank Pallone, according to The Hill.