Center for Democracy and Technology
PolicyBeta - Digital Policy in Process

Moving Backwards on Data Security?

July 24th, 2006 by David Sohn

It started with ChoicePoint, and really hasn’t slowed down. Over the last year and a half or so, a string of highly publicized data security incidents raised serious questions about how well companies (and universities, government agencies, etc.) are safeguarding personal data from potential access by thieves and hackers. These breaches of data security became public mainly because California passed a law requiring consumers to be notified when their personal information has been accessed without authorization. Many other states have since followed suit.

Congress has been working on breach notification legislation as well, though a tangle of different proposals in different committees has slowed its progress on the issue. Virtually all of the proposals seek to replace the different state laws with a single, federal notification standard — which could be fine, so long as the federal standard is strong enough to play the same important role.

Unfortunately, there have been reports that the House leadership is considering taking up a weak bill produced by the Financial Services Committee. There hasn’t been any official announcement, and it now appears that nothing will happen until at least September, contrary to rumors last week that action could be imminent. But if the bill were adopted, it would substantially roll back the obligation to notify individuals about security breaches. Specifically, notification would be required only if the company whose system is breached knows that the breach is “reasonably likely” to result in identity theft or account fraud.

What does “reasonably likely” mean? That a reasonable estimate of the chance that identity theft actually will occur is 51 percent? Hackers don’t usually announce their intentions. Even for data breaches that occur under suspicious circumstances, a company might well conclude that (as best it can tell) the chance that the hacker intends identity theft is less than 50-50.

The truth is, this is a bill written to protect financial services companies from the consequences of data security breaches — not to protect the public. Understandably, the companies don’t like having to notify their customers about data breaches, don’t like having to comply with lots of different state laws, and don’t like pesky state A.G.s calling them to account for their data security lapses. But in the end, it’s all about incentives. One of the main benefits of the notification laws passed by California and other states is that they create strong incentives for companies to take whatever measures are necessary to reduce the likelihood of data breaches occurring in the first place. By curtailing notification requirements and eliminating any prospect of state-level enforcement, this bill would reduce those positive incentives.

That doesn’t mean that every low-grade incident warrants full-scale notification. If the risk is truly low, notifying individuals is not productive — and in fact may be counterproductive, since repeated false alarms can lead to “boy who cried wolf” problems. But the House has an alternative bill from the Energy and Commerce Committee that takes a sensible approach: it would require consumer notification unless a breach does not entail significant risk. That seems quite different from requiring that ID theft be “likely.”

So there is a better bill out there. Hopefully, the House won’t choose the wrong one.


This entry was posted on Monday, July 24th, 2006 at 4:50 pm and is filed under Consumer Privacy.
