Data Security and Breach Notification Act of 2015
Transcription
Data Security and Breach Notification Act of 2015
World Privacy Forum April 14, 2015 The Honorable Lois Capps Committee on Energy and Commerce United States House of Representatives 2231 Rayburn House Office Building Washington, D.C. 20515 Re: Data Security and Breach Notification Act of 2015 Dear Representative Capps: We, the undersigned California privacy and consumer advocates, write in opposition to the Data Security and Breach Notification Act of 2015, currently under consideration by the House Energy and Commerce Committee. California was the first state to implement a data breach notice law in 2003, and has since amended the law several times to address changing threats. It is among the strongest such laws in the country, and offers Californians significant consumer protections. 1 As it is currently drafted, the Data Security and Breach Notification Act of 2015 would preempt California’s data breach notice law and take Californians several steps backward regarding data breach notice and identity theft prevention. We therefore strongly urge you to oppose it. 1. The bill contains a significantly narrower definition of personal information than existing California law. California law goes well beyond the bill’s definition of personal information. • • California law includes username or email address, in combination with a password or security question/answer that would permit access to an online account. This includes login information for non-financial accounts, such as social media. Some of the largest breaches in recent years have compromised this type of information. California law also includes medical and health insurance information that is not covered under HIPAA. As currently drafted, the bill does not cover these important categories of personal information. 2. The bill ties breach notification to a financial harm trigger which is much narrower and more subjective than California’s existing law. As currently drafted, the bill’s threshold for notification to consumers is “reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud….” Breached entities would, in effect, have the ability to subjectively make a best guess that compromised personal data will not end up in the hands of criminals who will use it to commit financial fraud. In reality, sensitive personal data might find its way to the databases of crime rings immediately, in the near future, many months hence, or not at all. By contrast, California law does not enable breached entities to play these kinds of guessing games with consumers’ personal information. Californians must be notified when their unencrypted data, very simply, “…was, or is reasonably believed to have been, acquired by an unauthorized person.” Depending on the type of data exposed, the risk of harm could go well beyond economic loss and financial fraud to medical identity theft, health insurance fraud, physical harm, and emotional harm. By weakening the trigger standard, this bill would cause Californians to receive notice about a significantly lower number of breaches than they do today. 3. The bill would not require breached entities to provide notice to the California Attorney General. California law requires breached entities to notify individuals in breaches affecting more than 500 California residents. In addition, it requires those breached entities to submit a sample 2 copy of the notification letter to the Attorney General where it is posted on the AG’s website. https://oag.ca.gov/ecrime/databreach/reporting The bill would not provide for such notification and would preempt this important California provision. 4. The bill contains no private right of action. California law provides that a person injured by a violation of the breach notification statute may institute a civil action to recover damages. The bill would not provide for a civil cause of action and would preempt this provision in California’s data breach notice law. 5. The bill does not provide for identity theft prevention and mitigation services. California law, effective January 2015, requires breached entities to provide one year of appropriate identity theft prevention and mitigation services at no cost for certain breaches. The bill does not contain such a requirement and would preempt this California provision. For the reasons listed above, the California consumer advocates named below urge you to oppose the Data Security and Breach Notification Act of 2015. Californians deserve the strong data breach notice and identity theft prevention protections that existing California law provides. Sincerely, /s/ Joe Ridout Consumer Action John Simpson Consumer Watchdog Mark Toney TURN Richard Holober Consumer Federation of California Beth Givens Privacy Rights Clearinghouse Pam Dixon World Privacy Forum This letter emailed to: [email protected] 3