Some of the controversy yesterday over The SAFE Data Act, introduced by Rep. Mary Bono Mack, concerns the limited definition of “personal information” in terms of what would trigger a breach disclosure and notification. Although some of the arguments appeared to follow partisan lines, the issue is not a partisan one, so let’s look at how the bill defines personal information:
The term ‘‘personal information’’ means an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
Keeping in mind that this bill, if enacted into law, would pre-empt state laws, I find myself in substantial agreement with those who have criticized the bill as being too limited in its definition.
The bill’s approach is to notify individuals if they might be at risk of identity theft, fraud, or other unlawful conduct. But there are other types of harm that may be more impactful and the bill would essentially eradicate any obligation to notify individuals in those situations. Consider this scenario:
The John Doe Medical Marijuana Dispensary is burglarized and its records of those who have purchased marijuana for medical use are stolen. The records contain the individuals’ names, dates of birth, addresses, the name of the prescribing physician, the amount purchased and date.
Under the SAFE Data Act, those individuals would not have to be notified that their information was stolen. And if you’re thinking that well, they’d be notified under HIPAA/HITECH, let me hasten to point out that while some medical marijuana dispensaries are HIPAA-covered entities, many are not, and are treated under their state’s business laws as just another business entity.
Now let’s make it worse. Suppose those who have stolen the records upload them to the Internet on a foreign server not under U.S. jurisdiction. There they remain, where anyone can read them and discover that their neighbors, relatives, employees, or co-workers are using marijuana for medical purposes.
Under the SAFE Data Act, the dispensary would still have no obligation to notify those affected.
Or consider the recent breach involving a database of porn star actors that was stolen and exposed on the Internet. That database not only contained the real names and contact details for approximately 15,000 actors, but it also contained personal details on their families. The firm that had generated the database – an HIV-testing facility – was not a HIPAA-covered entity.
Under the SAFE Data Act, they would have no obligation to notify those affected of the breach unless they believed there was a significant risk of unlawful conduct. Would they consider the possibility that people might receive harassing phone calls as sufficient to trigger the notification requirement? It’s not clear.
As one last example for now, consider many of the recent hacks where databases containing userIDs or usernames plus passwords were acquired and posted on the Internet. Usernames + passwords do not meet the criteria for “personal information” in the SAFE Data Act, even though such information could easily be used for unlawful conduct such as hacking email accounts or online banking accounts where the user may have reused that login information. Because the stolen data could be used for unlawful conduct, users need to be notified, but if there is no real first name or last name, would this breach require notification under the SAFE Data Act? It would not appear so. And can we expect entities to know whether userIDs or usernames contain real names? Wouldn’t it be simpler to have a rule that says if any name, username, or UserID in combination with a password is breached, notification is required?
Rep. Mack argues that the bill is a data breach bill and not a privacy bill and that privacy legislation is being considered in other bills. She also notes that the bill would give the FTC authority to expand the definition somewhat, but only to accomplish the purpose of the bill and if it doesn’t stifle commerce or innovation.
But we, the public, cannot protect our privacy if we are not informed of threats to, or compromises of, our privacy. Unless the definition of personal information is expanded, this bill would set consumers back in terms of protecting our privacy while giving businesses an escape hatch so that they do not have to notify us when our information has been stolen or acquired or accessed inappropriately.
Representative Mack has admirably tried to address the need for a uniform federal data breach notification law, but the law needs to be more inclusive when it comes to defining what types of information should trigger a breach disclosure and notification.
The bill now goes to full committee. Let’s hope that it is amended to address this significant weakness before it gets out of committee.