The politics of data security

Ed Mierzwinski of U.S. PIRG looks askance at business-friendly proposal to warn consumers of breaches.

Declan McCullagh, Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
A political spat is afoot in the halls of the U.S. Congress, where politicians say that consumers should be notified in the event of a data breach but are still arguing about the details.

On March 16, the House Committee on Financial Services voted 48-17 to approve a version of a data breach bill that's favored by many businesses. It would require consumer notification if a data breach "may result in substantial harm or inconvenience."

That's narrower than a California law, which requires notification whenever information is "reasonably believed to have been acquired by an unauthorized person." Because so many companies do business in California, that requirement has turned into something akin to a national standard.

More importantly, the House Financial Services bill would zap the California law, much as the federal Can Spam law pre-empted a more restrictive California spam law a few years ago.

Because so many states--more than 20 as of a year ago--have been considering data breach laws in response to a series of high-profile data mishaps by ChoicePoint and other companies, businesses have been warning about the difficulty of complying with a patchwork quilt of confusing and contradictory regulations.

In an interview with CNET News.com in December, RSA Security CEO Art Coviello, for instance, said: "It's very difficult to expect companies to sort through a myriad of state bills and see which ones they haven't complied with."

On the other side are liberal advocacy groups that want to keep what they view as more protective state laws and are opposing the Financial Services bill.

CNET News.com spoke with Ed Mierzwinski, the consumer program director for the National Association of State Public Interest Research Groups (U.S. PIRG), at a conference in Brussels last week about his group's lobbying efforts. Founded in 1983, U.S. PIRG has pressed for more government regulations in areas such as toy safety, banking and the environment.

Q: What are your objections to the House Financial Services version of the bill?
Mierzwinski: The data breach notification trigger is so high that we don't think that there would be any notices.

California has an acquisition standard. If you lose the information, you provide notification. That provides an incentive first not to lose the information and second, to consumers to batten down the hatches and get ready for personal identity theft.

The Senate Commerce bill (S.1408) and the House Financial Services bill use a risk trigger. There must be a substantial risk or you don't need to notify.

What's the problem with notification only when there's a risk? Couldn't there be over-notification with consumers being deluged with paper when there's no reason?
Mierzwinski: The problem is how you define it. If you read the bill you'll find there's never going to be notification because the substantial risk is a shorthand for a three-paragraph definition. There must be this specific kind of risk that results in this specific kind of harm to these specific consumers. It's a very high standard.

As for the over-notification argument, we're over-notified by banks and other companies now whenever they want to market us something, whenever they want to sell us something. You can't be over-notified of a risk to your financial information. We also hope the final bill will require that the notice will be in English, clear English.

That would be a first: lawyers trying to convince government lawyers to write laws requiring lawyers to use clear English?
Mierzwinski: Exactly. Some of the notices we anticipate may not be good unless the final bill is good.

That's the first problem with the bill. The second problem is that it pre-empts stronger state laws.

So you'd rather see no bill than the House Financial Services bill?
Mierzwinski: I don't want a bill. We don't need a bill. I think we have constructive compliance on a national basis with the California law. Trying to pass a federal bill that's weaker results in no responsibilities. Companies have decided that Congress is the place to knock on the door (and excuse themselves from responsibilities).

Liberal groups such as U.S. PIRG have been agitating for more federal privacy legislation for decades. Now that it's happening, you sound a little like Federalist Paper-quoting, states-rights activists.
Mierzwinski: We don't want a form of pure federalism. We admit that. We're not purists in that regard. What we look for is for federal law to serve as a floor of protection and states to experiment with higher forms of regulation.

If the House Financial Services bill became law, would it gut the California notification law?
Mierzwinski: It would gut the California law and eight state laws (that require freezes on credit reports).

There are some bills that would require restrictions on the use of Social Security numbers (SSN), and one influential politician, Rep. Joe Barton, seems to like that idea. What are your views on that topic?
Mierzwinski: We'd support the strongest possible SSN regulation, whether it's (the legislation introduced by congressmen) Ron Paul or Clay Shaw. The problem with the bills is that they have a rough road ahead of them. That's because so many companies and government agencies are invested in the SSN.

Companies for simplicity and convenience rely on the SSN. I'm increasingly convinced that the FBI and Homeland Security rely on data brokers to provide them with dossiers based on SSNs as the link.

What are your predictions for what's going to happen in this area by the end of the year?
Mierzwinski: It's a tough call. If they do data breach legislation, I hope they do a narrow bill that's not pre-emptive.

The prospects in a short legislative session depend on negotiating a jurisdictional jungle with so many committees wanting a piece of the bill. There's a lot of pressure by industry to force those committees to work together. Even the industry guys aren't sure they can do it.

What's U.S. PIRG doing on this front?
Mierzwinski: Our view is no bill. What we're doing is trying to reach out to other organizations and to try to pass bills in the states. New Jersey passed a strong law last year. Delaware is considering a fairly strong law, which is surprising.

That's our main thing. We're working in a coalition with Consumers Union and privacy organizations and state attorneys general. We wish we had the money for an (advertising or marketing) campaign.

Who are your friends and enemies on this topic?
Mierzwinski: The main consumer advocates on privacy are Ed Markey, Jan Schakowsky, Bernie Sanders, Barney Frank. On the Senate side, Paul Sarbanes, Patrick Leahy, and Sen. Richard Shelby, who of course is a founder of the Congressional Privacy Caucus, as is Joe Barton. That's why we have a chance to get a decent bill from them.

The industry would much prefer the floor bill that comes out of the House Financial Services Committee. We'd prefer the bill that Markey and Barton have something to do with. We'll see.