Can Congress be trusted to secure data?

CNET News.com's Declan McCullagh explains why Washington is hell-bent on a data breach law that could lead to a train wreck.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Washington's tech-impaired politicians are again in the midst of a heated debate over a topic that can be better addressed elsewhere.

This time it's data breach legislation. Everyone in Washington seems to think the feds need to step in and knit together a blanket of regulations that deal with a string of embarrassing security breaches, starting with ChoicePoint and continuing through last month's debit card snafus.

Last week, the House Energy and Commerce Committee approved one version of a data breach bill beloved by liberal groups. It's far more regulatory than another version approved earlier in the month by the House Financial Services Committee.

This is where I'd usually write about the politics of the internecine debate between two committees. One bill is more onerous and requires notification of data breaches in more cases (privacy advocacy groups prefer this one). The other is narrower and requires notification only if a data breach "may result in substantial harm or inconvenience" (businesses prefer this one).

But there's a more important question afoot: Why does Congress need to get involved, anyway?

My colleague Greg Sandoval described last week how 23 states already have enacted disclosure laws requiring various forms of notification of data breaches. Still more are in the works.

Some, like California's, don't require notification if the information was encrypted. Others, like one adopted in New York, say that any data compromise that exposes personal information must be disclosed.

In other words, it's not a one-size-fits-all centralized approach, which is what happens whenever Congress gets involved and pre-empts state laws. Rather, state legislators can adopt different ideas, and the best ones stand a good chance of being mirrored elsewhere.

Put another way, anyone who supports the idea of increasing competition between corporations should like the idea of competition among different legal systems.

We don't know the optimal wording for a breach notification law. Should it merely encourage encryption, or mandate it? Is the disclosure of a home address particularly worrisome, or just the leak of a Social Security number? Should companies be required to pay the cost of credit reports for 3 months, or half a year?

These are not easy questions to answer. Rep. Joe Barton, a Texas Republican who's backing the more-regulatory version of the bill, is a former consultant for Atlantic Richfield Oil and Gas, not a privacy specialist. Rep. Joe Baca, the California Democrat who amended the bill to include a study of race in ID theft, is a former corporate public relations officer.

A 2001 paper by Bruce Kobayashi and Larry Ribstein of the George Mason University School of Law argues that federalism would be good for privacy. They conclude that federal legislation "is unnecessary and may perversely impose rigid solutions that prevent the efficient evolution of state law."

So why not let state legislators continue their efforts? One objection comes from companies like RSA Security, whose chief executive told me in December that "it's very difficult to expect companies to sort through a myriad of state bills and see which ones they haven't complied with."

That's a reasonable point. I wrote in an earlier column that some state bills could create more problems than they solve.

But if a state is extraordinarily regulatory, companies have a better chance of pointing that out to a local legislator than politicians thousands of miles away in Washington. Or companies can vote with their feet and choose to set up new data centers or offices in a neighboring state instead.

This happened in the case of Mississippi, which had a legal system that was so out of control that the American Tort Reform Association dubbed certain parts "judicial hellholes" for their stunning medical malpractice damage awards. Insurance companies began fleeing the state, and others refused to write new policies. That had a dramatic effect: In 2004, the state fixed its laws, and business is getting back to normal.

A federal law that pre-empts state law would short-circuit this useful process. It happened in 2003 when President Bush signed the CAN-SPAM Act, which gutted a California law that actually gave individuals the right to sue spammers. Anyone want to bet that the same thing won't happen again?