"Senate Data Protection Bill Shows More Consumer Emphasis" by Bill Swindell, Congress Daily 4-24-07
Congress Daily AM 4/24/07
JUDICIARY
Senate Data Protection Bill Shows More Consumer Emphasis
Signaling a more pro-consumer bent under Democratic
control, the Senate Commerce Committee will mark up data protection legislation
Wednesday that will include a narrower state pre-emption clause than advocated
by the business community.
The bill, by Commerce Chairman Inouye,
would set a national standard for data security requiring companies to notify
consumers when there is a "reasonable risk" of identity theft.
The bill, co-sponsored by Commerce ranking member
Ted Stevens, R-Alaska, and Sen. Mark Pryor, D-Ark., would only
pre-empt state laws on the data breach threshold and the standard under which
companies develop and maintain information security programs. In all other
areas, states could offer greater protection.
"The issue of pre-emption is a major, major
concern of the consumer groups. And the situation is that virtually all privacy
advancements in this country have come from state leadership. The reason why
companies want federal pre-emption is because the federal government is a weak
regulator," said Ed Mierzwinski, consumer program director for the U.S.
Public Interest Research Group.
His group said that at least 25 states have
passed laws to give consumers a right to freeze access to their credit reports
-- a provision contained in Inouye's bill -- and at least 28 states have
required companies or government agencies to notify their residents when they
are subject to a breach.
Business groups contend that a weak state
pre-emption standard would solve little and that companies would be forced to
continue to adhere to a confusing array of state standards.
"It's pretty inconsistent with some sections
not being pre-empted and other sections being pre-empted ... It's more of a
floor rather than a ceiling," said Chris Merida, director of congressional
relations for the U.S. Chamber of Commerce. "I would definitely say we
have some reservations with the bill in its current form."
Merida said his group also was disappointed the bill does not contain provisions to
prohibit a private right of legal action for breaches, which was contained in a
bill the Commerce panel approved in the 109th Congress.
The pro-consumer bent of data protection
legislation likely will creep into other committees that have jurisdiction over
the issue now that Democrats are in charge. House Financial Services Chairman
Frank has said he would change a provision in last year's Financial
Services bill that would pre-empt state laws to allow consumers to freeze their
credit files.
"If the industry wants a bill, they have to
play nice. They can't demand all of the stuff they always demand,"
Mierzwinski said.
Congress is under pressure to set a national
standard for data security in response to high-profile breaches. Last month,
TJX Cos. announced that information from more than 45 million credit and debit
cards for TJ Maxx and Marshalls stores was stolen by hackers over the past few
years. TJX Cos. recently hired the Podesta Group Inc. to lobby on the issue.
The same day Inouye's panel marks up his bill,
the Senate Judiciary Committee is scheduled to mark up its measure, sponsored
by Judiciary Chairman Leahy and ranking member Arlen Specter,
R-Pa.
That legislation would require companies to
report data breaches when data is "reasonably believed" to have been
accessed or acquired.
The measure also would regulate data brokers --
which sell a wide range of information about consumers, such as arrest, health
and employment records -- allowing consumers a right to access and correct such
data. The FTC and Secret Service would oversee enforcement.
By Bill Swindell