S. 1207 - Data Security and Breach Notification Act
Surreptitious computer users, errors and other factors have led to high-profile security breaches of consumers' personal information, leaving that information susceptible to criminal abuse like identity theft and fraud.
Points to appreciate in S. 1207
S. 1207 has provisions that MRA supports and appreciates, such as:
- the inclusion of both for-profits and not-for-profits (data breaches do not recognize the difference);
- exemption from notification for breach of encrypted data;
- a national standard, preempting the confusing and costly patchwork of state laws; and
- forbidding private rights of action.
Concerns: Defining personal information
MRA supports the Act's definition of personal information and the exclusion of "public record information". Other types of data and combinations are not broadly recognized as posing a threat of criminal abuse. Beyond that common standard lies a slippery slope where almost every piece of data could be included.
Thus, MRA strongly opposes giving the Federal Trade Commission (FTC) any APA rulemaking authority to alter the definition, since the agency would undoubtedly radically expand it, as FTC Commissioner Edith Ramirez has testified. At an Energy & Commerce Subcommittee hearing on July 15, Commissioner Ramirez said, “I think that the touchstone here is information that can be uniquely tied to an individual... broader than the definition that is currently used in the draft bill.”
The Act’s definition is fine and should rightfully be set by Congress, not an unelected and unaccountable regulatory body like the FTC. Proponents for more FTC bureaucracy and control have not clearly identified the harms to justify this expansion of power.
Moreover, such radical expansion would result in more uncertainty for American employers, including survey and opinion research organizations, whose livelihood depends on the legitimate and accurate collection and analysis of information provided by consumers.
The FTC would still be able to modify the definition using its regular Magnuson-Moss rulemaking authority, and we feel that should be sufficient to grapple with any major modifications to the definition that might be necessary over time.
Concerns: Data broker regulations
With APA rulemaking authority, the FTC will rapidly expand S. 1207's definition of "personal information" to include most survey research data, so most survey and opinion research companies and organizations would then be considered "information brokers". S. 1207 would require "information brokers" to allow consumers access to data about them and an opportunity to correct inaccuracies, and, following a security breach, to submit their security policies to the FTC and submit to an FTC audit.
MRA seeks an exclusion for bona fide survey and opinion research from these regulations. The use of data should matter, not just its existence, and consumer concern focuses on commercial data brokerage for marketing and credit purposes, not on research purposes.
MORE: MRA’s Consumer Access/Correction position paper.
Concerns: “Reasonable” v. “significant” risk
The threshold for breach notification, a "reasonable" risk of criminal abuse, would work better if changed to "significant", since that is the most common standard at the state level.