US Privacy Bill Battles

Just in case anyone is curious, here’s some background on the current battle in America over regulating privacy and identity information:

Schwarzenegger just vetoed AB 1656, the Consumer Data Protection Act. The bill passed by 34-3 in the Senate, and 74-1 in the Assembly. Here are his main arguments from the veto statement:

  1. notification requirement too broad, which will cost business
  2. too static, best practices change
  3. distraction/confusing with more comprehensive industry standards
  4. penalty laws already exist and should be modified if necessary, instead of replaced

Basically he said (again) the Payment Card Industry is ok self-regulating:

In a statement explaining his reasons for refusing to sign the bill last fall, Schwarzenegger in fact appeared to agree with such arguments. The bill – which was known as AB 779 in its previous incarnation – “attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,” Schwarzenegger said.

The point of the bill was to give the public more pressure to coax payment card entities into compliance, especially retailers and merchants, but merchants argued it was too much in the favor of financial entities (true, and the reason consumer advocates liked it).

Incidentally, Avivah Litan at Gartner is completely 100% wrong on this and her quotes in the above article are awful.

It’s also a bad idea for states to legislate data security issues in the first place, according to Litan. “Governments should stay out of the security business,” she said.

No, no, no. I cringe when I read her analysis, and am happy to explain how/why, but I’ll leave it alone for now.

The Governor also vetoed SB 364, “Personal information: privacy” because “this bill could lead consumers to believe that all data breaches result in identity theft. Further, this would place an additional unnecessary cost on businesses without a corresponding consumer benefit.”

On the other hand, following disclosure that Schwarzenegger and his wife had their personal health records exposed in a UCLA breach, the Governor signed new legislation issuing fines:

“Repeated violations of patient confidentiality are potentially harmful to Californians, which is why financial penalties are needed to ensure employees and facilities do not breach confidential medical information,” Schwarzenegger said in a statement. Assemblyman Dave Jones (D-Sacramento), the author of one of the bills, AB 211, emphasized that they protect all patients, not just famous ones. “Your private medical information shouldn’t be flapping in the breeze like an open hospital gown,” he said. The other measure, SB 541, was written by Sen. Elaine Alquist (D-Santa Clara).

Similarly, President Bush just signed the Identity Theft Enforcement and Restitution Act of 2008 into law, which allows courts to prosecute across state lines, lowers the bar for damages that can be used to bring charges (used to be $5K minimum), and aims restitution money more toward victims.

So in conclusion, the California Governor and American President have agreed to stronger penalties and fines in some cases but not others and they remain weak on detection and prevention guidance for public safety.
