U.S. PIRG Consumer Blog

November 03, 2005

Cutting The Privacy Baby In Half

Despite heroic efforts by Reps. Jan Schakowsky (D-IL) and Ed Markey (D-MA), privacy took a beating in a House Energy and Commerce subcommittee markup (vote) Thursday on the DATA Act (Stearns, R-FL) (here is HR 4127 as introduced, but it is now weaker). In addition to weakening existing privacy protections, the committee action exposed industry's strategy of cutting the privacy baby in half: do a "data security" bill now, and a "privacy" bill regulating data brokers and granting real privacy rights later. Much later.

If this weak bill were law today, we probably wouldn't know about any of the breaches of security that have occurred this year. Here's a post-vote news release from PIRG and Consumers Union. Here's our pre-vote letter to the committee.

Note to readers: [Both Bob Sullivan over at MSNBC's Red Tape Chronicles blog and Chris Hoofnagle over at EPIC West have posts about this vote that raise concerns, especially about the committee's inaction on data brokers. And David Lazarus at the SF Chronicle also talks about the vote in his column on Sunday: "Data theft bill a step backward."]

The DATA Act started out this summer as a bipartisan effort to enact strong legislation to respond to two (not one) problems we learned about this year:

Problem One (smaller problem, already largely solved by states): Banks, credit card processors, state agencies, universities and others are doing a sloppy job protecting confidential consumer data from breaches: they're losing it in airports, they're getting hacked, and they're even selling it to thieves.

Problem Two (bigger, needs Congressional attention): Turns out some of those "others" who lost (or sold) info are a shadow industry of unregulated data brokers, such as ChoicePoint and Lexis-Nexis, that are amassing and selling massive dossiers on consumers, largely outside of the Fair Credit Reporting Act or any other regulation.

There was great promise that this committee would do a better job protecting privacy than the Financial Services Committee might. After all, in 1999, it did.

Some history: The full committee is now chaired by Joe Barton (R-TX), a conservative privacy hawk who co-founded the bipartisan Congressional Privacy Caucus in 1999 with his liberal committee colleague Markey. Back then they fought to put some real privacy protections into what became the Gramm-Leach-Bliley Financial Services Modernization Act. We have some archives on GLB here. EPIC maintains a page on the committee meeting where Barton discussed his unhappiness at receiving Victoria's Secret catalogs because his credit union had shared his name with direct marketers.

Unfortunately, back then, after Barton and Markey did pass a strong privacy amendment, House leadership refused to allow it to be considered on the floor, and we ended up with the weak "financial industry approved" GLB privacy notice provisions of the Financial Services Committee, which will hold a hearing on its own weak data security bill, HR 3997, on Wednesday.

Back to today: unfortunately, the bipartisan negotiations broke down, and an unsatisfactory, non-consensus bill was introduced and immediately sent to this markup vote. The winner was industry, not privacy. Privacy took a beating. All meaningful amendments, including amendments to strike the bill's onerous preemption of stronger state laws, were defeated on party-line votes:

(1) Markey and Schakowsky tried two amendments to improve the bill's "significant risk of identity theft" trigger, which must be met before notices are required. First, they attempted to substitute the strong California-style trigger used by about ten states (if personal information is acquired by an unauthorized party, you must notify). Failing there, they then tried unsuccessfully to change "significant risk" to the lesser "reasonable risk." As I recently testified in the Senate:

"The best way to convince companies to keep data secure in the first place is to require notices whenever they do not. The fact that the company doesn't yet know whether or how the information will be misused should not be enough to excuse notice. Companies that lose information should not get to decide whether consumers need to take further action to protect their privacy. Consumers should be warned."

(2) Markey and Schakowsky also tried to reinstate a provision that Chairman Stearns inexplicably deleted from his own original bill before the vote, in his so-called manager's amendment or committee substitute (the version of the bill actually debated and voted on). The provision would have required data brokers to give consumers some Fair Information Practice rights to look at and dispute their data broker files similar to those they have with credit bureau files. This amendment is where Mr. Stearns chose to cut the privacy baby in half and then opposed attempts to put it back together again.

(3) Gene Green (D-TX) and Tammy Baldwin (D-WI), allies of Markey and Schakowsky, then tried to add a modest provision allowing state attorneys general -- generally the toughest consumer cops around -- to enforce the new federal law. Not only did the committee vote this amendment down, it generally ignored all recommendations in a recent bipartisan letter from 47 state and territorial Attorneys General.

Again, all these and other laudable amendments were shot down.

The markup vote essentially achieved three strategic goals for industry:

First: industry moved a limited scope, weak breach notification bill down the field (Full Committee Chairman Barton said during the vote he wants to be on the floor with a bill this year).

Second: industry obtained a bill with narrow coverage but broad limits on future state action. Not only will its weak breach notification test (significant risk of identity theft) preempt about ten state laws with California-style strong notification triggers, but the bill will prevent states from acting in other areas to prevent identity theft.

Third: industry successfully convinced Subcommittee Chairman Stearns to cut the privacy baby in half and delete (without a vote) one of the bill's better provisions: its requirement that brokers give consumers Fair Information Practice-based privacy rights (although Markey's HR 1080 would be better, the HR 4127 language was a start).

That decision to delete the data broker provision -- and the explanation Chairman Stearns made about it -- was a tough hit for privacy.

Removing the provision was wrong on both policy grounds and political grounds (if you are for privacy, that is). The notion of separating privacy from data security is an anti-privacy move; not only is it cutting the policy baby in half, it could doom the more important half politically.

Policy problem: Just as a requirement to protect data is a privacy-protective Fair Information Practice, so is giving consumers the right to control access to it or correct it. Both are privacy practices (sometimes called principles, see Privacy Rights Clearinghouse for a history of the FIPs). Neither is sufficient, both are necessary.

Political problem: Mr. Stearns claimed that "privacy" was something to protect in some future bill that was publicly promised by Mr. Barton, while HR 4127 was to be solely a narrow proposal about security breaches.

We are not disputing that Mr. Barton will introduce such a privacy bill and attempt to move it, but the myriad industry lobbyists urging the committee (and other committees) to pass a narrow-on-policy, broad-on-preemption, broad-on-exceptions data breach notice bill today are the same industry lobbyists who'll be earning their next paycheck killing that future promised data broker privacy bill tomorrow. We and other privacy groups certainly will work with Chairman Barton on giving Americans the privacy protections they deserve, but it would be politically easier, and more proper policy-wise, to solve our privacy problems in one bill, not several.

It isn't simply that data security and privacy rights are all part of the same Fair Information Practices.

It's that the breach problem isn't the major problem Congress needs to address (the states have already solved it). The problem of unregulated data brokers is a much larger unaddressed policy problem (there are of course others, including Social Security Number protection); but the political problem of passing a pro-privacy data broker reform gets exponentially harder if that reform must be considered separately, after Congress has already expended a lot of energy on the limited and relatively minor (comparatively) matter of data breaches. Again, we already have gained constructive compliance with California's breach notice law nationally. Yet, privacy advocates must argue against weak federal breach bills that broadly restrict future state identity theft reforms.

There is no policy reason to quickly move a national data breach notice bill that does nothing about brokers or other unsolved issues. Obviously, the data brokers would like that. They've been under the radar since 1997, when the FTC gave them the right to regulate themselves. Here's a memo I wrote to Mr. Markey this spring, which has a long section on the history of non-regulation of data brokers and the FTC's 1997 failure to rein them in.

Excerpt: As its second mistake, in the late 1990s, instead of calling for regulations or Congressional action, the FTC officially encouraged self-regulation of the rapidly growing information broker industry, then-organized as the (apparently now-defunct) Individual Reference Services Group. So, on the one hand, Congress in 1970 enacted the FCRA (Fair Credit Reporting Act), strictly regulating commercial and government use of credit reports, and strengthened that law in both 1996 and 2003. Yet, on the other hand, under advice from the FTC and pressure from the politically-powerful information broker companies, Congress declined to similarly regulate the growing parallel universe of data held by these so-called information brokers.

To go forward to pass a weak breach notice bill without reining in ChoicePoint serves ChoicePoint and its ilk, not privacy. ChoicePoint is a virtually unregulated data broker that sold 145,000 consumer dossiers to thieves. ChoicePoint just happened to be the first company to comply nationwide with California's breach notification law after it sold records to thieves. Its failure to protect data helped shine a light on an even bigger problem. HR 4127 ignores that larger, unsolved problem: that there is a hitherto relatively stealthy, under-the-radar (and they liked it that way) parallel universe of unregulated data brokers, including ChoicePoint and Lexis-Nexis and others, buying and selling millions of confidential consumer dossiers. Worse, under current law, consumers have virtually no rights to access or correct their files.

Many Americans learned about these secretive unregulated data brokers because of California-ordered notices after the ChoicePoint and Lexis-Nexis breaches. Now this committee's leadership has effectively said, if I can paraphrase:

Let's pass an unnecessary and weak federal breach notification bill that does what the states have already done, only not as well, that coincidentally eliminates all those better state breach notification laws, but let's put off until another day the important problem of regulating data brokers. Let's make things worse for consumers everywhere (since some companies are already complying with those stronger state notice laws nationwide) while we'll ignore the more important problem of the unregulated data brokers.
That may not be the leaders' intent, but that is the effect.

It remains to be seen whether the baby can be put back together and otherwise improved in the full committee process. We can only hope that Chairman Barton will support strengthening amendments in the full committee and will roll the inseparable issues of privacy and security back together again.

Putting data broker reform back into this bill is critical to achieving real privacy reform in the 109th Congress. Of course, it is not the only problem with this weak bill, which broadly preempts stronger state laws. Because HR 4127 could conceivably be sent toward the president after a conference committee with the similarly weakened-in-committee Senate Commerce Committee vehicle, S 1408, it needs to be turned into a real privacy bill first. Since it looks as if the commerce committees are outpacing other committees in moving their bills, improvements must be made now.

We also need to fix the industry-friendly notice triggers in both commerce committee bills and eliminate their sweeping preemption of stronger state laws. S 1408 laudably gives consumers a federal right to freeze access to their credit reports, but eliminates several stronger state security freeze laws, especially New Jersey's (previous blog).

In a post on a new Microsoft privacy proposal over at Concurringopinions.com, law professor Daniel Solove articulates why the door to state action must be left open. It's recommended reading. I will comment on the Microsoft proposal in a future post.

Some would say, "Why aren't you for incremental change? Breach notices today, more privacy protection tomorrow?" That's not the way the world works in consumer protection and industry knows it, so I am not telling them anything they don't already know. Their goal is always to strip real consumer protection and enforcement out of any bill that might move, insist on the weakest federal bill possible and still demand state preemption as if it is a birthright.

The only time Congress acts to protect consumers is when there is a big scandal (think Enron and Worldcom, as Enron wasn't enough) or when the states show the way.

HR 4127 perversely responds to the data broker scandal by ignoring it, while showing the states the door, so they can no longer show the way.

Posted by Ed Mierzwinski at November 3, 2005 06:30 PM
