Letter on S. 1490, the Personal Data Privacy and Security Act of 2009
November 4, 2009
The Honorable Patrick Leahy
Chairman
Committee on the Judiciary
United States Senate
Washington, DC 20510
The Honorable Jeff Sessions
Ranking Member
Committee on the Judiciary
United States Senate
Washington, DC 20510
Dear Chairman Leahy and Ranking Member Sessions:
The undersigned trade associations and business groups, representing hundreds of thousands of U.S. companies from a wide variety of industry segments, write to express concerns with S. 1490, the Personal Data Privacy and Security Act of 2009.
We appreciate the work that was put into crafting this bill, as protecting individuals' sensitive personal information from theft or illegal uses has been and will continue to be a top priority for the business community. However, there are some issues in this legislation that we believe need to be addressed before we can support it:
Preemption and Enforcement
The U.S. has a national economy, and almost every state has enacted various data security and breach notification provisions, many of which differ from one another in material ways. A federal security breach notification standard that is not only inconsistent with these laws, but also with other federal laws would create regulatory uncertainty and require notification in circumstances where individuals face no risk of identity theft or financial harm.
Section 319 of the bill would "supersede any other provision of Federal law relating to notification by a business entity engaged in interstate commerce or an agency of a security breach." This provision could nullify the security breach notification provisions governing "protected health information", which were enacted pursuant to the American Recovery and Reinvestment Act of 2009. Additionally, Section 319 may potentially conflict with the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, which was issued under the auspices of the Gramm-Leach-Bliley Act (GLBA).
We believe that this legislation should exempt entities covered by other federal security breach and data security laws and that the preemption standards should explicitly preempt all state laws relating to any activity covered under this Act.
Further, with regards to enforcement, we believe that this legislation should be consistently enforced on a uniform basis across the country, and are concerned that enabling state attorneys general to impose 50 different enforcement regimes will undermine the uniformity of this Act, and will make compliance exceedingly difficult. If Congress declines to limit the enforcement authority of state attorneys general, they should at the very least curtail their ability to utilize private outside contingency fee lawyers to enforce this Act or to litigate claims on behalf of their constituents.
Definition of Sensitive Personally Identifiable Information
In the definition of Sensitive Personally Identifiable Information, subparagraph (ii) should be amended significantly to focus on that which is truly sensitive. We suggest a construct that ties name and address back to truly sensitive information including a full SSN, a driver's license number or a financial account number, including any PIN which is required to access the account. This would be consistent with most of the laws already enacted in the states – laws with which our members are already complying. Date of birth and mother's maiden name are not likely sensitive and should be excluded from this definition.
Definitions of Data Broker and Data Furnisher
We believe that the definitions of data broker and data furnishers pose some serious problems. The data broker definition is overly broad, and will interfere with the operation of current law, primarily the Fair Credit Reporting Act (FCRA) and GLBA. Such overlap will create inconsistent or even contradictory requirements for these companies, which is not a good policy outcome. By way of background, the FCRA, enacted in 1970, has been the focus of careful oversight by the Congress resulting in significant changes in both 1996 and again in 2003. There is no other law that is so current in ensuring that consumer rights and protections are adequate. Similarly, GLBA is a contemporary law enacted in 1999 and which led to the creation of data security standards for the financial services industry in 2001.
The bill could also sweep more businesses than intended into the definition of "data broker" and "data furnisher," and subject those entities to new complex restrictions and duties. For instance, a failure to fully and completely exempt tools and products used for fraud prevention and authentication services from the access and correction provisions could allow individuals to challenge the validity of carefully collected information that is used for legitimate business purposes such as fraud prevention, business planning, and marketing. Access and correction is a precarious tool and should only be allowed in appropriate and narrowly tailored circumstances. Even then, as we have seen with the cottage industry of credit repair, bad actors use such opportunities to purposefully skew or invalidate otherwise credible information. In fact, allowing such unprecedented access to data could actually provide a roadmap for criminals seeking to avoid detection.
Further, the broad definition of "data furnisher" could sweep newspapers and other publicly available data sources into the definition of "data broker," subjecting them to numerous additional requirements, and the failure to define "adverse action" could result in consumer confusion and significant burdens on advertisers and others.
Security Breach Notification
There are a couple of issues we would like to mention within Subtitle B – Security Breach Notification, of Title III. The language in this section specifies what constitutes a reasonable delay; however, a "risk assessment" as is required in the safe harbor does not appear to be one of these elements. We would encourage the Committee to correct this apparent contradiction in the language.
Additionally, the safe harbor seems to favor encryption over other technologies that are equally as effective. We strongly recommend that the safe harbor be broadened to include all technologies that render data unusable for the purposes of identity theft. Lastly, we believe that financial firms subject to GLBA and FCRA, as noted above, are unnecessarily placed under this Title.
Thank you for taking into consideration our concerns. We look forward to continued discussions with you, your committee colleagues and your staff on this very important topic.
Sincerely,
American Association of Advertising Agencies
American Financial Services Association
Consumer Data Industry Association
Financial Services Roundtable
Internet Commerce Coalition
National Automobile Dealers Association
National Business Coalition on E-Commerce and Privacy
National Retail Federation
Retail Industry Leaders Association
U.S. Chamber of Commerce
Cc: The Members of the Senate Committee on the Judiciary