We Warn Congress: After Equifax, Firms Will Step Up Trojan Horse Efforts to Eliminate State Privacy Laws
Like clockwork, after any big data breach is disclosed, powerful special interests seek to turn the problem into a bigger problem for consumers by using it as an opportunity to enact some sort of narrow federal legislation that broadly eliminates state data breach notification, state data security and other privacy protections. I testified yesterday in the House Financial Services Committee (link to full hearing archive and video transcript) warning of their efforts. I warned in particular of their Trojan Horse efforts to hide their broader plans. They don’t simply want to create a “uniform national breach law.” Inside that Trojan Horse is their ultimate plan: to permanently take away all existing state data security laws and deny the states any authority to enact new privacy laws, even on new problems identified that Congress hasn’t yet or purposely didn’t solve.
I made several key points:
First, that the Equifax breach was among the worst ever because the firm lost your financial DNA. Your Social Security Number is the key to identity theft: it doesn’t change and may become more valuable to thieves over time, unlike a merchant breach of a credit card number, which has a limited shelf life.
Second, that I am incredulous that Equifax, a data broker with only one job — buying and selling consumer information — had such an epic fail in protecting that information and then responding to its epic fail.
Fourth, I point out out that while Equifax credit reports are highly regulated, its data security practices — including financial DNA protection — and its massive non-credit reporting data broker businesses are not.
But the bulk of my testimony explains that although the severity of the Equifax breach demands policymakers enact stronger, not weaker, consumer protections, Congress is considering industry-backed bills to preempt, or override, numerous stronger state data breach and data security protections. Worse, the bills have a kicker: most permanently take the states off the board as privacy first responders and innovators. From my testimony:
The other problem with enacting a preemptive federal breach notification law is that industry lobbyists will seek language that not only preempts state breach notification laws but also prevent states from enacting any future data security or privacy laws. This is the Trojan Horse problem. A small federal gain should not result in a big rollback of state authority. As one example of a Trojan Horse provision I call your attention to a bill approved by this committee in the last Congress. HR 2205, the Data Security Act of 2015 (Neugebauer), included sweeping preemption language that is unacceptable to consumer and privacy groups and likely also to most state attorneys general. While I note that this bill has numerous other objectionable provisions, which I am happy to discuss, its sweeping preemption language is illustrative of long-sought industry goals to take states off the board.
I pointed out that numerous critical provisions of California, Massachusetts, Illinois, Texas and other state breach notification laws would be eliminated as would 17 state laws that include a consumer private right of action to sue data breach notification law violators. I go on to associate my remarks opposing preemption with those of several consumer and state assistant attorney general colleagues who made similar points at a continuation of the Equifax hearing last week, which also featured my U.S. PIRG colleague Mike Litt’s testimony on the need for a free national credit freeze right for all to restore some control to consumers. After all, we are not credit bureau customers; we are their product. Beware industry lobbyists bearing gifts.
(Trojan Horse by Ashqtara is used under its Creative Commons 3.0 Attribution-No Derivatives license).