In Brief

Data Accountability and Trust Act: Privacy Gets Partisan

Consumer data privacy, once a consensus topic for the political parties, has become another brick in the partisan wall

By Allan Holmes

February 01, 2006 — CSO —

Privacy has become a partisan issue. In the past, bills written to protect consumers' private information typically got the backing from both Republicans and Democrats. Last May, for example, the House passed an antispyware bill 395-1. But now Republicans and Democrats are drawing clear lines on what they support.

At the center of the debate is the Data Accountability and Trust Act (DATA), which is at the House Energy and Commerce Committee. If passed, the House bill would require companies nationwide to notify their customers if a security breach occurs that exposes stored personal information such as names, addresses, credit card numbers and Social Security numbers. But most privacy experts say it will hurt consumers because it will trigger fewer privacy breach alerts.

The Senate is considering two other major bills, all of which would preempt state laws. That means undoing California's SB 1386 law of 2002, considered the nation's toughest and de facto standard, since it requires companies doing business with any California resident to notify customers if a security breach exposes personal informationâ¬even if there is no evidence the personal information was stolen.

"There is huge pressure from industry to get Congress to preempt state data breach notice laws," says Chris Hoofnagle, counsel for the Electronic Privacy Information Center. "It's quite a mess now."

In November the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection passed DATA by a strict party-line vote, 13-8. This vote marked the first time any major federal data security legislation had created such a partisan divide, says Behnam Dayanim, of the international law firm of Paul, Hastings, Janofsky & Walker.

Democrats and privacy advocates argue that the House bill will effectively gut the California law by lowering the breach notification standard. DATA requires companies to notify customers only if company executives determine there is "a significant risk" that data has been stolen, rules that Rep. John Dingell (D-Mich.), scoffed were actually "no notice" provisions.

Republicans say the bill will reduce frivolous notices. But because the House bill makes the Federal Trade Commission the enforcement agency, critics say its small staffâ¬compared to various state attorneys generalâ¬won't be able to keep up with breaches nationwide.

Other bills pending do more for privacy than states do. Some filed bills, for example, require companies storing personal data to identify security vulnerabilities and a method to mitigate them, whereas states do not require such work. It all adds up to a murky future for federal privacy legislation.