Jeff Gelles: Privacy advocates warn Obama data plan could sweep breaches under rug

In his State of the Union address, President Obama urged passage of legislation to combat cyber attacks. (OLIVIER DOULIERY / Abaca Press)

Privacy advocates say they welcome the Obama administration's renewed emphasis on enhancing data security and protecting identity-theft victims, consumers who shop online, and children whose schools sell their personal information.

But they are worried by details emerging from the White House - especially by drafts of a proposed federal data-breach law that would preempt stronger state laws. Breach disclosures mandated by states such as California are a main reason why Americans know about major data-security lapses in the first place.

President Obama referred only briefly to data security during Tuesday's State of the Union address, which he delivered weeks after hackers turned a Sony computer breach into an international incident and days after a brief but embarrassing hijacking of the U.S. Central Command's Twitter and YouTube accounts.

Obama urged Congress "to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children's information" - goals that he added "should be a bipartisan effort."

Privacy advocates say they share Obama's aims but fear that the complexities of data security and pressure from companies that trade in data could lead to solutions that don't solve problems - or could even make them worse.

In a speech last week at the Federal Trade Commission, Obama announced a set of initiatives, including plans to "create a single, strong national standard so Americans know when their information has been stolen or misused."

Leaders of several groups that monitor data privacy said a federal law would only be welcome if it were as strong as state laws that last year forced companies such as eBay, Home Depot, and JPMorgan Chase to disclose breaches affecting tens of thousands of customers.

"Right now the companies are following the strongest state laws," said Pam Dixon of the World Privacy Forum. She said a draft of the proposal posted on the White House website "doesn't come close to the strongest state law, so the best thing would be to leave state protections in place."

Mark M. Jaycox of the Electronic Frontier Foundation warned that the White House language would strip states' attorneys general of the power to respond aggressively to data breaches. He also voiced concern that the bill would allow companies to avoid notifying customers simply by reporting breaches to the FTC.

Another concern is that the proposal would eliminate a consumer's right to take a company to court if lax data practices caused financial or other harm - a private right of action Dixon said was provided in at least 17 states.

Dixon also warned that the proposal appeared broad enough to "wipe out California's health data breach law," which she said helps protect against the poorly understood risk of medical-identity theft.

"Organized crime will purchase a clinic, or create a fraudulent billing operation. They will do fake bills for about a year and collect millions," she said.

Dixon said victims can suffer serious harm when records reflect "diseases you don't have" or prescription-drug addictions. "People have lost their kids over this," she said.

Privacy advocates said they also were concerned about language allowing companies to skip notifying customers whose information has been breached if they conclude "there is no reasonable risk of harm or fraud to such individual" - a standard the advocates warned could be open to abuse.

"There's no harm trigger in California," said Dixon, calling that "a great feature of the California law."

Susan Grant of the Consumer Federation of America said her bigger worries were about issues unaddressed in the draft, though they might be dealt with when Obama announces his promised "consumer privacy bill of rights" in late February: tighter data-handling standards, and more control for consumers over personal information that may be intrusive or even erroneous.

She said people can be harmed by inferences from data collected about them but "have no idea why they're being treated that way and no ability to change it."

Dixon echoed that concern, saying that consumers should have the right to opt out of having their information shared by data brokers, as the FTC has proposed. "That's probably the fundamental issue around data privacy," she said.