Far-reaching legislation that would establish new privacy and security protections for U.S. consumers has been introduced in Congress by a group of Democratic senators, including Patrick Leahy of Vermont and Elizabeth Warren of Massachusetts.
The Consumer Privacy Protection Act goes further than other federal data protection proposals by establishing stricter standards for notifying customers when their personal information is lost or stolen. It would cover private information beyond financial data that is typically already covered by state laws, such as Social Security, driver’s license or phone numbers.
The bill:
- Expands the definition of “personally identifying information,” and creates seven classes of protected information: Social Security numbers and government-issued identification numbers; financial account information, including credit card and bank account details; online information, including usernames, passwords and email addresses; biometric data such as fingerprints; physical and mental health information; information about a person’s geolocation; and access to private digital videos and photos.
- Limits federal preemption, so that states can enact stricter safeguards and notification requirements than in the federal language to counter emerging threats.
- Requires companies to always notify consumers or employees of a security breach, instead of letting companies decide whether to tell them, based on their estimate of the likelihood of identity theft or other harm.
For consumer advocates, the broad protections are welcome at a time when hardly a week goes by without reports of a massive hack of personal information. But the bill faces likely opposition from companies that don’t agree with having to notify consumers when information is stolen from a business’s computers if, for example, a threat has been contained.
Susan Grant, director of consumer protection and privacy at the Consumer Federation of America, said it’s hard to size up the chances for the Consumer Privacy Protection Act and other privacy-related bills in Congress.
“My hope is that we can at least make some incremental progress on issues that should garner bi-partisan support,” Grant said, “such as children’s privacy and student privacy.”
Capitol Hill observers say the Leahy-Warren legislation is missing a vital element that could spell its doom: It lacks a single Republican co-sponsor.
GovTrack.us, which tracks legislation in Congress, gives the bill a 1% chance of making it out of committee. (To put those minuscule odds in perspective, GovTrack says only 15% of bills made it past committee and only about 3% were enacted in 2013–2015.)
So should companies with responsibility for guarding consumer data conclude that Congress will leave protections against data breaches to private sector remedies?
Probably not. Consider that 2014 began with repercussions from the 2013 Target credit breach, in which more than 100 million people had their credit, debit or other personal data stolen. The year unfolded with hackers executing a massive Home Depot breach, breaking into the computers of beauty products chain Sally Beauty and stealing terabytes of confidential data from Sony Pictures Entertainment. Companies in virtually every industry sector had internal files stolen or leaked. There were so many hacks that cyber-security writers dubbed 2014 “the year of the breach.”
2015 has been no less susceptible. As of September 8, the Identity Theft Resource Center, which aggregates information on U.S. data breaches, had reported 541 breaches, potentially exposing the personal information of more than 140 million individuals. The center’s 116-page list is here.
With the ingenuity of malware attacks seemingly boundless, look for private-sector mandates to remain front and center for lawmakers even if the Leahy-Warren bill dies. Odds are that Congress, sooner rather than later, will act on a tougher security breach law that will apply to businesses and organizations nationwide.