PD Editorial: Who gets protected by data bill?

If you didn’t receive this particular form letter, chances are you have gotten something similar:

“On January 29, 2015, Anthem Inc. (Anthem) discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtained personal information relating to consumers …” More than 79 million people, including about 19 million who weren’t even Anthem customers, were affected.

Target. Home Depot. JPMorgan Chase. Anthem. Massive data thefts are getting so common it’s hard to keep track of them all. There have been at least 4,000 significant data breaches in the past decade, according to the House Energy and Commerce Committee.

Identity theft is a time-consuming nuisance for victims and something to fear for those who haven’t been targeted.

Congress is again considering security standards for data storage. Unfortunately, it’s not clear whether the primary goal is protecting individuals from data thieves or easing restrictions on companies that collect and store personal information.

Consumer and privacy advocates say the Data Security and Breach Notification Act of 2015 would undermine stricter rules already adopted in California and several other states.

The Privacy Rights Clearinghouse, which calls the House legislation “a step backward for consumers,” notes that it only requires notification when a company determines that “a reasonable risk” exists that a data breach would result in identity theft or economic harm.

California, by comparison, requires notification whenever a user name or email address and a password or a security question and answer is stolen.

“While it isn’t a financial account,” a Privacy Rights Clearinghouse statement says, “think about how much important information is contained in your email.”

Several other provisions of California’s cyber-theft law stand to be superseded, including a requirement to notify the state attorney general of data breaches, an individual right to sue for damages and a requirement to provide identity theft protection to victims.

The House bill also would strip the Federal Communications Commission of its authority to regulate the collection of personal information by Internet, telephone and cable TV companies.

About four dozen states have enacted laws dealing with data theft. With so many businesses operating in multiple states, there’s a good argument for adopting national standards for data security and consumer protection.

Past efforts to pass federal legislation have failed, and given the makeup of the present Congress, it’s unlikely to produce a bill that completely satisfies consumer and privacy advocates.

There’s still a long path ahead for this legislation. But unless the threshold for notifying people when their information has been stolen is tightened to something closer to California’s law, no bill may be better than the measure presently awaiting a vote on the House floor.