Data Security and Breach Notification Act of 2015
World Privacy Forum

April 14, 2015

The Honorable Lois Capps
Committee on Energy and Commerce
United States House of Representatives
2231 Rayburn House Office Building
Washington, D.C. 20515

Re: Data Security and Breach Notification Act of 2015

Dear Representative Capps:

We, the undersigned California privacy and consumer advocates, write in opposition to the Data Security and Breach Notification Act of 2015, currently under consideration by the House Energy and Commerce Committee.

California was the first state to implement a data breach notice law in 2003, and has since amended the law several times to address changing threats. It is among the strongest such laws in the country, and offers Californians significant consumer protections.

As it is currently drafted, the Data Security and Breach Notification Act of 2015 would preempt California’s data breach notice law and take Californians several steps backward regarding data breach notice and identity theft prevention. We therefore strongly urge you to oppose it.

1. The bill contains a significantly narrower definition of personal information than existing California law.

California law goes well beyond the bill’s definition of personal information.

• California law includes username or email address, in combination with a password or security question/answer that would permit access to an online account. This includes login information for non-financial accounts, such as social media. Some of the largest breaches in recent years have compromised this type of information.

• California law also includes medical and health insurance information that is not covered under HIPAA.

As currently drafted, the bill does not cover these important categories of personal information.

2. The bill ties breach notification to a financial harm trigger which is much narrower and more subjective than California’s existing law.

As currently drafted, the bill’s threshold for notification to consumers is “reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud….” Breached entities would, in effect, have the ability to subjectively make a best guess that compromised personal data will not end up in the hands of criminals who will use it to commit financial fraud. In reality, sensitive personal data might find its way to the databases of crime rings immediately, in the near future, many months hence, or not at all.

By contrast, California law does not enable breached entities to play these kinds of guessing games with consumers’ personal information. Californians must be notified when their unencrypted data, very simply, “…was, or is reasonably believed to have been, acquired by an unauthorized person.” Depending on the type of data exposed, the risk of harm could go well beyond economic loss and financial fraud to medical identity theft, health insurance fraud, physical harm, and emotional harm.

By weakening the trigger standard, this bill would cause Californians to receive notice about a significantly lower number of breaches than they do today.

3. The bill would not require breached entities to provide notice to the California Attorney General.

California law requires breached entities to notify individuals in breaches affecting more than 500 California residents. In addition, it requires those breached entities to submit a sample copy of the notification letter to the Attorney General, where it is posted on the AG’s website: https://oag.ca.gov/ecrime/databreach/reporting

The bill would not provide for such notification and would preempt this important California provision.

4. The bill contains no private right of action.

California law provides that a person injured by a violation of the breach notification statute may institute a civil action to recover damages. The bill would not provide for a civil cause of action and would preempt this provision in California’s data breach notice law.

5. The bill does not provide for identity theft prevention and mitigation services.

California law, effective January 2015, requires breached entities to provide one year of appropriate identity theft prevention and mitigation services at no cost for certain breaches. The bill does not contain such a requirement and would preempt this California provision.

For the reasons listed above, the California consumer advocates named below urge you to oppose the Data Security and Breach Notification Act of 2015. Californians deserve the strong data breach notice and identity theft prevention protections that existing California law provides.

Sincerely,

/s/

Joe Ridout
Consumer Action

John Simpson
Consumer Watchdog

Mark Toney
TURN

Richard Holober
Consumer Federation of California

Beth Givens
Privacy Rights Clearinghouse

Pam Dixon
World Privacy Forum

This letter emailed to: Aaron.Shapiro@mail.house.gov