Thank you for the opportunity to provide feedback on the recently-released draft data security and data breach legislation, the Data Acquisition and Technology Accountability and Security Act. Data security plays an increasingly important role in consumers’ everyday lives, and we strongly urge Congress to take action to update consumer protections to ensure that companies use reasonable precautions to protect sensitive personal information.
While we appreciate your leadership in this vital area, Consumers Union, the advocacy division of Consumer Reports, has significant concerns about this bill and is strongly opposed to it in its current form. This bill would replace strong data protections in many states with a weaker set of criteria, including an unworkably high bar to trigger data breach notification requirements. Furthermore, this legislation would exempt Equifax, whose lax data security practices led to one of the largest data breaches in American history, along with the other credit bureaus that collect and sell sensitive personal information about consumers. The bill’s preemption provisions are so extreme that they would repeal and prohibit state laws that protect data not covered by this bill, such as online accounts and the Internet of Things. To better protect the privacy and security of consumers and businesses, Congress should pass legislation that sets strong baseline protections—with strong data security and notification requirements and substantial penalties for failure to comply—while allowing state protections to evolve over time to address an ever-changing array of threats.