Today, Public Knowledge sent a letter to the House Financial Institutions and Consumer Credit Subcommittee of the House Financial Services Committee opposing the Data Acquisition and Technology Accountability and Security Act, which Subcommittee Chairman Blaine Luetkemeyer (R-MO) has indicated he plans to move imminently. In the letter, Public Knowledge urges Congress to pass strong consumer protection legislation and analyzes many concerns with this narrow bill.
Specifically, Public Knowledge asks Congress to broaden this bill’s definitions of personal information, covered entities, and consumer harms to better protect consumers. Public Knowledge contends that the 5,000-customer threshold put in place with this bill is insufficient because it excludes the vast majority of data breaches. Public Knowledge also expresses concern over the bill’s “harm standard” for data breach notification. This bill’s harm standard focuses solely on financial harms — ignoring the very real harms that occur when an individual’s data are accessed in an unauthorized way. Public Knowledge contends that consumers should be notified any time data are accessed and disclosed without their consent.
Additionally, Public Knowledge encourages Congress to strengthen the bill’s enforcement measures so that state attorneys general can bring enforcement actions against financial institutions. Given that state AGs are the experienced, front-line enforcers for consumers in their states and given that the bill is primarily concerned with financial harms — and thus likely to disproportionately apply to financial institutions — this is a massive carve-out that leaves consumers vulnerable.
The following can be attributed to Allie Bohm, Policy Counsel at Public Knowledge:
“Given that it is no longer possible to participate in society without providing information to third parties that may, in and of itself, be personal, or that, when combined with other data and analyzed, reveals intimate personal information, it's good to see Members of Congress focusing on data security and breach notification.
“However, particularly in the wake of the Facebook/Cambridge Analytica scandal — which introduced consumers to additional, unanticipated types of problems associated with unauthorized access to data — the Data Acquisition and Technology Accountability and Security Act falls short and should not be approved by the Subcommittee without significant changes. We encourage bill sponsors to rethink the legislation, and we stand ready to assist sponsors or other interested lawmakers who wish to craft more consumer-protective legislation.”
You may view the full letter here.