Home > 2015 > Identity Theft

How a Federal Data Breach Law Could Actually Hurt Some Consumers

Advertiser Disclosure Comments 0 Comments

With each passing brand name mega-breach—Home Depot, Target, JPMorgan Chase, Anthem—it becomes ever more urgent for government and industry to get on the same page about how to protect consumers.

Sadly, not all laws are created equal, and there are few better examples of this homespun truth than a would-be federal law currently wending its way through Congress. And not to put too fine a point on it, the Data Security and Breach Notification Act of 2015, in its current form, has a long way to go before it should become the law of the land.

The Data Security and Breach Notification Act of 2015, “aims to tackle the nation’s growing data security threats and challenges.” So far, that sounds pretty good to me. The bill was authored by Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT), making it a bipartisan effort. The goal: to implement “a comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.”

I’ve written elsewhere about the need for a federal breach notification law, so in theory I’m on board. A strong federal law that requires businesses and government entities to inform people that their personal information has been compromised in a data breach can absolutely be a good thing…if it’s done right.

The problem with this proposal is that there are far more effective laws already on the books in several states, and they could be preempted were the bill to pass. If that weren’t bad enough, the proposed bill could also supersede stronger rules already put in play by the FCC with regard to telephone, broadband Internet, cable and satellite user information.

The undermining of better laws is bad, but worse is the way the Data Security and Breach Notification Act of 2015 underscores a continuing failure of our leaders to fully understand the nature of the problems we face in the mare’s nest that is consumer privacy and data security. In a widely publicized survey conducted by the Pew Research Center, “91% of adults in the survey ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.” Data breaches, and the identity theft that flows from them, have become the third certainty in life. We need a strong federal law, but as I argued in my op-ed about the Data Breach Disclosure Box, any proposed bill that threatens to weaken existing laws has to be challenged, quickly and without equivocation.

Why It’s an Issue

Senior Policy Counsel at New America’s Open Technology Institute Laura Moy eloquently outlined the problems this bill could create in her testimony last week before the House of Representatives.

In a wide-ranging discussion of the major concerns raised by the bill, Moy pointed out some of the laws that could be preempted. One was California’s Song-Beverly Credit Card Act, which made it illegal to record a credit card holder’s personal identification information during a transaction. Another law in Connecticut outlawing the public posting of any individual’s Social Security number was also named. Both state laws represent solid advances in the realm of data security, and both might be preempted were the bill moving through Congress to succeed.

And here’s the really bad news: they would be two of the less alarming casualties.

The problem with the bill hinges on the way that it tries to separate privacy from data security, but they are inextricably intertwined. This could weaken or even eliminate protections for the many kinds of information – like your email address, for one — that fall outside the bill’s narrow definition of the personal data that is covered. That’s why this matters so much.

As Moy argued during her testimony, “Many laws that protect consumers’ personal information [can] be thought of simultaneously in terms of both privacy and security.” I will go one step further and say that I do not believe it is possible to discuss data security until we have a worst-case scenario definition of what constitutes personally identifiable information in the eyes of an identity thief.

To give an example of the kinds of preemption that are possible here, Florida’s privacy law that includes email and a consumer’s username-password combination in its definition of personal information, the logic being that consumers use the same combination for many different login pages, including financial accounts. Seven states currently mandate the same standard—California, Missouri, New Hampshire, North Dakota, Texas, Virginia—and on July 1, Hawaii and Wyoming will join them. Under the currently proposed bill, a business would not have to notify you if your email and username-password combination were involved in a breach. Meanwhile, the above kinds of information continue to be highly exploitable data points in an identity thief’s toolkit.

In addition to the exemption of breaches that “only” include email addresses or user login details, the bill is unclear about personal information related to telecommunications, cable and satellite customers, which hinge on a trigger of “authorized access,” and Moy believes it may supersede important protections created by the Communications Act. Most alarming is the prospect of less robust notifications regarding compromised customer proprietary network information (CPNI) – that includes texts, phone calls, every location where you were when you made this or that phone call, your location when you didn’t make a phone call and the location of all your network-connected devices. All this information could be breached and this proposed law says you don’t need to know about it. The same goes for what you watch on television, including any items you may have purchased on Pay-Per-View. All of it could, hypothetically, be out there open to public perusal. Every site you ever visited on line. Every call. Every text.

And what about your protected health information (PHI)? Critics note the bill doesn’t mention it, which at first blush seems like a four-alarm-fire level of non-comprehension. However, whether the product of partisan warfare or common sense, it’s actually a bit of good news. Because it has been entirely carved out here, most forms of PHI actually would still be covered by the notification requirements of the HIPPA/HITECH Act — with a few notable preemptions of existing state law affecting over-the-counter purchases and other health-related items

Defining Harm

According to the narrow logic of the proposed legislation, a breach of any of the above information will not result in financial damage, which is the reason it isn’t covered. It’s a position easily brushed aside with one mind-blowing word of refutation: Extortion. Scam artists have countless tricks up their sleeves, and the onus to anticipate the adaptive nature of crime falls on legislators. A single text or rented video could potentially ruin a person’s life, and fraudsters know that. If the wrong person has access to the above data points—and any of those bytes contain information that might harm you professionally or personally—they most certainly could be used against you for financial gain.

A recent Science study showed that with just a few data points (Instagram posts and tweets) it was possible to re-identify anonymized data about credit card purchases with the unique consumer who made them. While it may seem off the beaten path, the proposed bill, with its narrow definition of what should be covered, would not cover a glitch in Instagram’s code that revealed protected accounts to the public. For the end user unaware that their private posts were viewable, and that those posts could be used to re-identify data that is publicly available, the above hypothetical scenario featuring a “financially harmless” compromise (that revealed every purchase made on an individual’s credit card) could be a life changer—and not for the better.

What we really need in the federal government is someone in a position of authority with the expertise and knowledge to make sure anyone exposed in a breach knows about it, and is informed about the potential fallout as far as current intel permits as quickly as possible. Call this person a Breach Tzar, if you will. Since data-related crimes are often quite ingenious, isn’t it best to err on the side of caution? The fact is that any federal law aimed at protecting consumers from the danger of identity-related crime needs to be best-in-class, and far better than all the existing state laws combined, and, while it should go without saying, it must not supersede stronger existing protections afforded by non-state agencies.

There is still a yawning gulf between what’s been done so far and what needs to happen in the realm of cyber legislation. The protections we deserve are a work in progress, one that the entire constellation of consumer advocates and data-security experts must solve in concert. In the same way data-related crimes are constantly evolving, we need to get into the habit of responding to the very biggest picture we can imagine.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

More on Identity Theft:

Image: iStock

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

Certain credit cards and other financial products mentioned in this and other articles on Credit.com News & Advice may also be offered through Credit.com product pages, and Credit.com will be compensated if our users apply for and ultimately sign up for any of these cards or products. However, this relationship does not result in any preferential editorial treatment.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Our Owners

Credit.com is owned by Progrexion Holdings Inc. which is the owner and administrator of a number of business related to credit and credit repair, including CreditRepair.com, and eFolks. In addition, Progrexion also provides services to Lexington Law Firm as a third party provider. Despite being owned by Progrexion, it is not the role of the Credit.com editorial team to advocate the use of the company’s other services. In articles, reporters may mention credit repair as an option, for example, but we’ll also be sure to note the various alternatives to that service. Furthermore, you may see ads for credit repair services on Credit.com, but the editorial team isn’t responsible for the creation or implementation of those ads, anymore than reporters for the New York Times or Washington Post are responsible for the ads on their sites.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team