Trojan Horse Hidden In Data Breach Bill
On Tuesday, 8 December 2015, the U.S. House Financial Services Committee is expected to vote in favor of a data breach notice bill, HR2205. Consumer and privacy groups and many state attorneys general oppose the bill because its breach provisions are weaker than those of most states and because it includes a Trojan Horse provision to broadly preempt strong state privacy laws. Here is an excerpt from our attached letter, co-signed by 16 other groups, explaining why the bill is a bad idea.
“On balance, H.R. 2205 would do consumers far more harm than good, and we therefore must urge you to oppose it.
First and foremost, H.R. 2205 would eliminate stronger existing state protections and prevent future state innovation. The Data Security Act of 2015 would supersede all state laws on data security and breach notification—including those protecting personal information not covered by this bill. For example, the legislation would squelch new and developing laws in several states extending data security and breach notification protections to online account login information, including email accounts and cloud photo storage. The bill does not cover information about an individual’s geographic location or electronic communications. Biometric data is covered but only to the extent that it can be used to gain access to financial accounts. It is unclear whether “medical information” would include the broad range of data that is collected about individuals’ physical or mental health through websites and wearable devices.”
Merchants and retailers also oppose the bill because it imposes harsh rules on them but lets banks off lightly.