States Take “One Step Forward”, Congress “Three Steps Back”
As a result of recent laws passed by several states, initially California, creditors and processors of consumer data must notify individuals if their data is compromised due to theft, loss or other means. Prior to these laws being passed, consumers were not made aware they may be at risk for identity theft due to their information being compromised.
Susanna Montezemolo, a policy analyst for the Consumers Union, which is lobbying Congress for tough[er] security and privacy standards, recently told FOXNews.com that, “We have millions of Americans who become victims of identity theft each year, and we need to do as much as possible to lower that number. States have been innovators in regard to identity security; we want to know that the state[s] will still be able to come out with effective solutions.”
Current legislative proposals in Congress will undercut the state laws and give companies the “authority” to “investigate” security breaches and determine for themselves whether or not consumers should be notified. This will effectively mitigate state legislation already in place around the country and we will be right back where we started—with those who manage the data and create the risk controlling the public’s knowledge of any breach.
The supporters of current Congressional proposals believe that the data handlers are capable of determining amongst themselves whether or not breached data could cause a consumer harm. They claim they don’t want to unduly alarm consumer’s by notifying them unnecessarily if they determine there is no risk to the individual. Their concern? Notification would be expensive for the businesses and possibly detrimental to their reputations.
Since most companies that traffick in consumer data do so at great profit, it is fairly apparent that they don’t want to be put in a position of liability or risk having the expense of notifying consumer’s everytime they experience a security breach. This position alone would clearly indicate that the frequency of security breaches and their lack of effort to prevent them is an inherent problem. They have obviously failed to effectively police themselves thus far, because if they had, identity theft wouldn’t be costing American citizens billions of dollars every year in out-of-pocket expenses.
If the companies traffickking in our personal data are allowed to “investigate and determine consumer risk” for themselves, we might as well accept that identity theft will simply become a greater threat to Americans than it is right now. If consumer’s are informed when their data is compromised and they have the right to pursue liability charges against the company that allowed the breach, then those companies might get serious about protecting our data.
Until then, we, as individuals, will pay for their lack of effort and Congress may just continue to let us do so!