
Jeff Gelles: Is Congress taking wrong direction on data privacy?

Target has proposed to pay $10 million to settle a class-action lawsuit brought against it following a massive data breach in 2013. (AP Photo/Damian Dovarganes, File)

How should Congress address the steady stream of data breaches that often expose lax practices in handling your personal data?

I'd bet you wouldn't reply: by making it easier for companies to sweep breaches under the rug, or by weakening protections for sensitive data such as your cable-TV viewing history. But that's just what a coalition of consumer, privacy, and technology groups warn would happen under a bill backed Wednesday by a House committee.

Called the Data Security and Breach Notification Act of 2015, the bill is supported by businesses - particularly the 21st Century Privacy Coalition, whose founders include cable and telecom companies such as AT&T, Comcast, and Verizon. Supporters say it would set the first national standard for data security.

To opponents, the bill might better be named the "Data Insecurity and Breach Hiding Act." Beth Givens, executive director of the Privacy Rights Clearinghouse, says its passage "would be a giant step backward for consumer protection."

Even more emphatic is John Breyault of the National Consumers League.

"Only in Washington would they think about actually reducing existing data-security protections at a time when tens of millions of consumers are being hurt by these massive data breaches at companies like Target, Home Depot, and Anthem," Breyault told me Wednesday after the bill was passed by the Energy and Commerce Committee on a party-line vote.

A dozen groups joined in a recent letter warning Congress that the proposal would do far more harm than good in coping with data breaches, which Givens says have fueled about 13 million annual cases of identity theft in each of the last three years.

They say the bill:

Would preempt state laws, including groundbreaking statutes such as California's that are the main reason we have learned about lax data practices.

Would end the Federal Communications Commission's authority to enforce key privacy protections, including rules governing data such as texting records and the shows customers view.

Would set a "financial harm" trigger, allowing companies to refrain from notifying customers of a data breach if they can argue that the risk of monetary loss is unclear.

Would turn over some authority to the Federal Trade Commission, a smaller, less-well-funded agency that generally lacks rule-making authority.

Laura Moy, senior policy counsel at New America's Open Technology Institute, says the financial-harm trigger would undermine protections in at least 33 states, including Pennsylvania and New Jersey, that have stronger laws, and could expose consumers to new risks. For instance, she says, the proposed federal law would not cover breaches of call records at domestic-violence or suicide-prevention hotlines.

"That information isn't going to lead to financial harm, but it certainly could lead to serious emotional harm or even physical harm," Moy says.

Jon Leibowitz, a 2004 Democratic Bush appointee chosen by President Obama to head the agency in 2009, co-chairs the 21st Century Privacy Coalition. In testimony last month, he defended giving the FTC a larger role, calling it the "pre-eminent federal agency policing data security."

Moy says the proposal - coauthored by Reps. Marsha Blackburn (R., Tenn.) and Peter Welch (D., Vt.), but not backed by Welch in Wednesday's vote - "has been mischaracterized as moving authority" to the FTC. "In fact, it would only move a portion of the authority, and would eliminate the rest of it," she says. For instance, TV viewing records "would no longer be protected," and breaches would no longer have to be publicized.

Moy says Congress is wrong to see data breaches as only a financial threat. At the heart of the FCC's authority is protecting phone and cable networks "as a safe space for free speech and communications." Why backtrack at all on that?

215-854-2776 @jeffgelles

www.philly.com/consumer