By ROBERT GEHRKE
Salt Lake Tribune
August 28, 2006
Now, Sen. Bob Bennett, R-Utah, is sponsoring legislation, written with input from ChoicePoint, a data-collection company, that privacy advocates say would override tougher state laws and could keep consumers from ever finding out about future security breaches.
"It's unacceptable to any privacy advocate, and it's unnecessary because we already have constructive compliance nationally with the strongest state laws," said Ed Mierzwinski, consumer program director at the Public Interest Research Group. "The only purpose in Congress going forward would be to please companies that don't like the strong state laws."
Bennett argues that his bill simply replaces an unworkable hodgepodge of state laws with a uniform standard that would enable businesses to deal with data security more efficiently.
"Obviously, I don't think it's a weak bill or I wouldn't be pushing it. You always get folks who want the perfect world, and I'm sympathetic with that," Bennett said. But it gets more complicated when "you get into the reality of how these records are kept, how they're managed, what the challenges are."
Bennett also has ties with lobbyist John Harmer, whom the senator said he has known since high school and who has been hired by ChoicePoint and the credit-reporting agency Equifax to work on data-security issues. Harmer is treasurer of the Hatch/Bennett Political Action Committee, a fund-raising body created last year that raised $43,834 for Bennett and Sen. Orrin Hatch, R-Utah.
Harmer said he offered input on Bennett's data-security bill, mostly answering specific questions about how it would affect companies he represents.
Bennett said he doesn't recall ChoicePoint weighing in on the legislation, but it would make sense.
"A lot of people say, 'Gee, you should never talk to a lobbyist who has an interest in your bill.' That's a good way to write a bill that will do a lot of harm," he said. "You don't want to legislate in ignorance."
Data security has been a hot topic recently, particularly with growing public concern over identity theft and recent high-profile security breaches, including the loss and subsequent recovery of millions of Veterans Affairs records.
Identity theft is the top consumer complaint to the Federal Trade Commission and costs an estimated $53 billion each year.
Since the ChoicePoint security breach in 2004, nearly 90 million personal records have been compromised in various breaches, according to the Privacy Rights Clearinghouse. Thirty-one states have responded with data-security legislation, some requiring notification, credit freezes or penalties against companies.
But the result of the legislation, said Marc Rotenberg, executive director of the Electronic Privacy Information Center, is that, "Industry groups are running to Washington trying to get through bills that would leave them without any accountability or responsibility."
There are at least 17 data-security and privacy bills pending in the House and Senate.
Many of the bills, including Bennett's, would replace existing state laws with a uniform national standard on how to deal with security breaches. Consumers in states with a weak law or no data security law might get new protection, but those in states with strong laws would see their protections watered down.
In November, 48 state attorneys general, including Utah Attorney General Mark Shurtleff, sent a letter urging Congress to pass a strong data-protection and breach-notification law, without pre-empting existing state laws.
Bennett said his bill applies a sort of cost-benefit analysis, so companies don't have to spend the money notifying customers if there is no risk posed by the security breach.
Companies that suspect a breach would have to do an internal investigation and notify individuals if the information lost is "reasonably likely to result in substantial harm or inconvenience."
Bennett's bill would also prohibit consumers from taking a company to court for not adequately securing data or handling a breach, and would prevent state attorneys general from filing charges against a company that failed to comply with the law. Bennett's staff said outside legal action wouldn't be needed because federal regulators would enforce the
Scripps Howard News Service, http://www.shns.com