This week, the IRS admitted (WashPost story) that thieves accessed the personal information -- enough to allow them to take your tax refund -- of an additional 220,000 taxpayers, on top of the 114,000 first reported in May. Also this week, papers are reporting that Target has agreed to spend $67 million to settle Visa and bank claims over its well-publicized 2013 breach.
Breaches are everywhere. Yet, the more we hear about breaches, the more we remain concerned that powerful special interests will take advantage of the clamor to convince Congress to pass dangerous data security legislation. Dangerous? Yes, because the bills with the most traction would only barely protect against some, limited financial identity theft harms, and then only some of the time, but would eliminate stronger state data security and privacy protections against both identity theft and the more significant harms posed by the IRS breach, the health insurance breaches and the OPM breach.
As we explained in June about the OPM breach, which involved millions of security clearance records, the harms consumers face in data breaches are potentially much worse than fraud on your existing accounts or even new account fraud (financial identity theft). The OPM breach exposed information that could lead to a variety of reputational or emotional or even physical (stalking) harms, since the information breached included information about you, your spouse or partner and even your references (friends and co-workers) and possibly contained information about drug treatment or extra-marital affairs or arrest records (whether or not charged or convicted).
In her comments on a recent enforcement action against data brokers selling consumer files to wrongdoers, Federal Trade Commission Bureau of Consumer Protection director Jessica Rich told the New York Times:
“There is a debate about whether invasions of privacy harm consumers,” Jessica Rich, the director of the the agency’s Bureau of Consumer Protection, said in a phone interview. “This is a clear-cut example where the sale of sensitive data caused considerable harm to consumers.”
We agree with Jessica Rich. Privacy harms are real. As we said in June: Instead of narrowing the scope of consumer harms that are actionable in privacy breaches, as nearly very breach notice proposal before Congress would, any legislation, if it is passed nationally, must recognize the broader panoply of harms that federal employees, their friends, partners and co-workers, taxpayers and health insurance customers are already facing. If Congress can't do something that actually benefits the public, it should do nothing.
Our recent data breach testimony to Congress is here. Our group letter opposing weak federal data breach and data security proposals that also override stronger state laws is here. Our recent blog offering tips to victims of any breach -- including information on your best protection against financial identity theft, the security freeze -- is here.
In July, after a medical data breach, Indiana attorney general Greg Zoeller urged all "Hoosiers" to place a security freeze. In Indiana, a security freeze is free by law for anyone at any time; in many states, it is only free for identity theft (not breach) victims. If Congress really wanted to get ahead of the curve and protect consumers, it too would pass a law providing free security freezes at any time, nationwide. We have more explanation of the security freeze here. It's your best protection, unlike over-rated, under-performing credit monitoring.