2 November 2005
Members of the Committee on the Judiciary
United States Senate
Washington, DC 20510
Consumers Union, the non-profit, independent publisher of Consumer Reports, urges you to vote in favor of S. 1789, the “Personal Data Privacy and Security Act of 2005.” The bill represents a reasonable bipartisan compromise that will provide consumers with some significant protections from the harms that can arise from data breaches, while setting reasonable limits on the responsibilities of businesses.
We are concerned, however, that several weakening amendments that have been filed would eliminate the important consumer protections in the bill. The legislation could be rendered virtually meaningless for individuals whose personal information has been compromised by (1) failing to inform people when their unsecured sensitive information has been compromised, (2) failing to enact criminal penalties for those who knowingly cover up a breach that leads to consumer harm, (3) failing to provide individuals with adequate access to their information broker files to ensure their accuracy, and (4) failing to enact reasonable guidelines on the government use of commercial data.
We urge you to oppose these amendments, which have been filed by Senator Sessions, or any similar amendments:
- Oppose worsening the bill’s “trigger” for notification. The manager’s amendment to S. 1789 already contains compromise trigger language in which a business can refrain from notifying individuals if they certify to the Secret Service that consumers are not at significant risk of harm. Under the proposed Sessions amendment, the company experiencing the breach – which may very well have a financial incentive not to make that breach public – would decide whether individuals were at risk, without having to consult with the Secret Service and without having to put that decision in writing. This represents an inherent conflict of interest that we believe would lead to increased consumer harm.
- Oppose striking the criminal penalties for knowingly covering up a breach that leads to harm. This ensures that there are real consequences for knowingly covering up a breach, which gives an incentive for a company to accurately consider the potential impact of a breach on individuals.
- Oppose striking Title II on data broker regulations. S. 1789 is protective of consumers in large part because Title II gives individuals the important right to review their data broker files. Currently, data brokers are unregulated when they act in areas outside of the Fair Credit Reporting Act (FCRA); they gather and sell personal information on almost all Americans in the form of detailed dossiers that, as we know from recent news reports, are vulnerable to security breaches. This information can directly affect individuals – for example, an individual could be incorrectly associated with a criminal suspect based on inaccurate information in his or her data broker file. It is critical that individuals be able to review their files and correct any inaccuracies, and striking section II would eliminate this critical consumer right.
- Oppose striking Title IV on government use of commercial data. The Privacy Act of 1974 was supposed to subject government agencies that collect personally identifiable information to certain safeguards, but the Act’s protections have failed to keep pace with the technological changes of the past thirty years. Today, the government can bypass the Act’s safeguards by accessing existing private sector databases, rather than collecting the information itself. For example, the government is not required to ensure (or even evaluate) the accuracy of data it obtains from commercial databases; it need not allow individuals to review and correct that data; and it is not limited in how it interprets or characterizes the data when making decisions about individuals.
S. 1789 represents a reasonable compromise that balances the interests of individuals and consumers. These amendments would roll back the bill and render it virtually meaningless. We urge you to oppose them.