

The SAFE Data Act does not ensure data security
Last week, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a markup on H.R. 2577, the SAFE Data Act.
Unfortunately, the name of the bill is quite deceiving. Passage of the bill will not make consumer data safer. Instead, it preempts important state laws in this area and leaves a weak federal one in their place.
This bill does not even address the recent data breaches at Sony and Epsilon, the very data breaches that prompted the Committee to act in the first place. Both of those breaches involved email addresses; H.R. 2577 does not require companies to secure consumers’ email addresses or to inform them if they’re taken by hackers.
This bill does NOT require businesses to secure the following types of personal and private information: medical or health-related, location, video and book rentals or purchases, or financial assets and obligations, including payroll and utility payments.
Supporters of the SAFE Data bill now suggest it is only about identity theft and not about data security; if so, they have missed the mark three times over.
First, if this is an identity theft prevention bill, where is the much-needed legislation to protect the vast amount and types of personal information consumers place in the care of the companies with which they do business?
Second, why preempt state breach notification laws that cover more types of personal information and more generally presume that a consumer deserves to know if their information has been taken?
And third, why does a bill meant only to address identity theft not cover the very data elements that could be used to commit that crime?
Among the data elements that could be used for identity theft NOT covered by the SAFE Data bill: Social Security number on its own (rather than combined with one or more other data elements), mother’s maiden name, email address, IP address, Facebook User ID, and biometric data such as fingerprints, voice prints, or retina or iris images.
H.R. 2577 is not sound policy, not even against the limited harm that its defenders now purport to be its primary aim. We should not preempt stronger state laws for the sake of uniformity. Any bill passed by Congress should at least address the types of breaches consumers were exposed to by Sony and Epsilon. H.R. 2577 fails that test.











