CDT’s Justin Brookman testifies before the House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade
Last week, Justin Brookman, Director of CDT’s Consumer Privacy Project, testified on data breach issues before the House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade. Brookman’s testimony discussed what elements good data breach and security legislation ought to include, but emphasized that data breach and security are discrete issues that should be wrapped into broader consumer privacy legislation.
The hearing, entitled The Threat of Data Theft to American Consumers, came in the wake of two massive data breaches. In April, Sony Corp.’s PlayStation and Sony Online Entertainment networks were hacked, compromising approximately 100 million accounts. Also in April, Epsilon – a major email marketing firm with numerous high profile corporate clients – suffered a cyber attack that likely exposed more than 60 million email addresses. At the hearing, Rep. Mary Bono Mack, chair of the Commerce, Manufacturing, and Trade Subcommittee, said Sony’s security measures and manner of notifying consumers of the breach were unacceptable. Rep. Bono Mack called for legislation establishing a national standard for data security and breach notification.
Brookman’s testimony acknowledges that data breach is an appropriate issue to address, but also that many states already have laws requiring some data security and notification measures. Given that the legal incentive for protecting data and notifying consumers is already in place to some extent, federal legislation on data breach should establish a floor of uniform standards on which states can build. Such legislation should also include a requirement that breached entities notify consumers unless there is an affirmative determination that there exists no serious risk that the breached information can be misused. Such legislation should also provide for strong enforcement by the FTC and state attorneys general. Perhaps more importantly, rules focused on data security and breach notification would likely only tackle part of the overall problem. Transparency and data security are critical safeguards, but so are clear “data minimization” policies under which companies minimize their holdings of consumer data that is no longer necessary for a specific, legitimate purpose. This would be best addressed as one part of comprehensive baseline consumer privacy legislation.
At the hearing, Rep. Marsha Blackburn wondered aloud whether the Internet should have some sort of “erase” functionality that enables consumers to delete information companies hold about them. CDT is interested in this idea as well and supports it in concept. However, as CDT pointed out in our comments to the European Commission’s consultation on the EU Data Protection Directive, the “right to be forgotten” would be difficult to implement across the Internet and should not stifle innovation or overburden information intermediaries. For now, CDT recommends focusing discussion of a right to “erase” or “forget” on information users themselves actively disseminate on the Internet, rather than the passive, transactional data sharing that routinely occurs in the context of commercial transactions.
CDT is encouraged to see bipartisan interest on privacy issues in both the Senate and the House. Addressing these issues should not be limited to an isolated bill to apply encryption to data or to quickly notify consumers of a data breach. Rather, the law should provide companies with a range of incentives and requirements that encourage them to establish internal privacy policies that seamlessly protect data throughout the data’s lifecycle. Bipartisanship will be crucial to crafting strong privacy protections for American consumers. To get it right, this effort will also take time and careful planning. But, as Rep. Bono Mack declared, it is time for Congress to take decisive action.