Previous Politech messages:

http://www.politechbot.com/2005/03/21/eric-grimm-debate/
http://www.politechbot.com/2005/03/18/catos-jim-harper/
http://www.politechbot.com/2005/03/11/request-for-critique/

-------- Original Message --------
Subject: Security breach laws and a reply to Jim Harper's reply to Hoofnagle and Solove.
Date: Sun, 20 Mar 2005 18:05:45 -0500
From: Ed Mierzwinski <edm@private>
Reply-To: <edm@private>
Organization: U.S. PIRG
To: <declan@private>
CC: <hoofnagle@private>, <jharper@private>, <dsolove@private>

Declan--

I thought Politech readers might be interested in these comments on (1) your recent CNET article on state responses to Choicepoint and (2) in reply to Jim Harper's comments on state law preemption in his post on the Hoofnagle/Solove paper.

First, I saw your article on state responses to the Choicepoint debacle on CNET: "Navigating the law of unintended consequences." http://news.com.com/Navigating+the+law+of+unintended+consequences/2010-7348_3-5611746.html

I haven't had a chance to check with state PIRG staff to see which of these specific state proposals we are supporting. You like some, but have concerns with others. It is PIRG's position that breach notice requirements should be strong, and not, as the recent guidance from bank regulators does, give discretion to the breached firm to determine whether misuse is likely to occur before informing data subjects.

Politech readers may be interested to know that PIRG and Consumers Union (publishers of Consumer Reports) put together a 7 point model state identity theft and credit reporting platform last fall, http://www.pirg.org/consumer/credit/model.htm building on what Congress failed to do in the 2003 Fair and Accurate Credit Transactions Act (FACTA), and of course, building on what little Congress allowed the states to continue to do-- since FACTA was arrogantly preemptive of state authority.
The model state law includes security breach language based on CA law, security freeze language, a ban on use of credit scoring for insurance purposes and other reforms. Security freezes give consumers control over who can access their credit report and have already been enacted in CA, TX, LA and VT. A number of states are considering all or parts of the model law, see this chart on credit reporting and id theft reforms. http://www.pirg.org/consumer/credit/Statechart1facta.pdf It also shows that the vast majority of 2003 federal FACTA reforms were first passed in the states.

Second, in his thoughtful post commenting on the recent paper by Chris Hoofnagle and Daniel Solove discussed earlier in politech http://www.politechbot.com/2005/03/11/request-for-critique/, Jim Harper of Cato states essentially that Hoofnagle-Solove are biased toward giving people privacy protection when they may not want it, because Solove-Hoofnagle only support stronger state laws. Jim Harper says federal law should be neither a floor nor a ceiling: "If there is to be legislation (and I don't think it's needed), states should be fully able to innovate, not just innovate in the federally preferred way."

I must disagree. First, I would point out that the "federally preferred way" is usually to enact one weak uniform law, not to allow states to innovate either upward OR downward, as Jim prefers (if regulation is needed at all). [The notable exception is that where business has sought to create low federal ceilings on legal damages available to victims of medical malpractice or dangerous products, it wants the federal law to allow states to be allowed to legislate only downward to create even lower damage limits for their citizens.] The truth is: industry lobbyists actually prefer some regulation. They would, however, rather have "one sleeping gorilla than 50 monkeys on steroids," to paraphrase federalism scholar John Kincaid, who was I believe himself quoting industry lobbyists.
Second, the view of the vast number of privacy advocates and state attorneys general is not the same as Jim's-- we believe that federal law should establish floor protections, but that the states should continue to be able to act upward only-- provided their laws are not inconsistent with the federal law (that is, it cannot be impossible to comply with both).

If Congress does a good enough job, industry need not worry about the 50 monkeys -- they've got other things to do than meddle with a problem Congress has adequately solved. But if Congress doesn't do a good enough job-- we need the states, which can act more quickly to address unsolved problems and provide a solution. Most of them will enact nearly similar laws-- industry can easily comply by complying nationally with whichever is the strongest state law -- those state ideas then provide models for new federal laws as discussed in the FACTA chart above and a second one on other privacy laws, http://www.pirg.org/consumer/credit/statechart2other.pdf .

The two state privacy law charts, also included with other links in the Choicepoint box on the top of this page http://www.pirg.org/consumer/credit show that nearly all the best privacy ideas first came from the states. The FTC's "Do Not Call" list? At least 40 state DNC laws passed first.

Finally, also in that Choicepoint box, one link articulates our principles for a federal Choicepoint response. A second, the letter to Markey and Nelson, gives a history of the failure to regulate data brokers, which have succeeded in creating what I call an "unregulated parallel universe." Also, on this http://www.stopatmfees.com/occpirg.htm page, we archive a number of recent PIRG reports, journal articles and other materials opposing state preemption of consumer, environmental, banking and privacy laws.

Ed

--------------------------------------------------
Ed Mierzwinski, Consumer Program Director
U.S. Public Interest Research Group (U.S.
PIRG), National Association of State PIRGs
218 D St SE Washington, DC 20003
v-202-546-9707x314 fax 202-546-2461
Note New Email edm@private, www.pirg.org/consumer (web and blog)

-------- Original Message --------
Subject: RE: Security breach laws and a reply to Jim Harper's reply to Hoofnagle and Solove.
Date: Mon, 21 Mar 2005 17:34:27 -0500
From: Jim Harper <jharper@private>
To: <edm@private>, <declan@private>
CC: <hoofnagle@private>, <dsolove@private>

Replies to the Jim-relevant parts in text below, set off by ###.

-----Original Message-----
From: Ed Mierzwinski [mailto:edm@private]
Sent: Sunday, March 20, 2005 6:06 PM
To: declan@private
Cc: hoofnagle@private; Jim Harper; dsolove@private
Subject: Security breach laws and a reply to Jim Harper's reply to Hoofnagle and Solove.

Declan--

I thought Politech readers might be interested in these comments on (1) your recent CNET article on state responses to Choicepoint and (2) in reply to Jim Harper's comments on state law preemption in his post on the Hoofnagle/Solove paper.

First, I saw your article on state responses to the Choicepoint debacle on CNET: "Navigating the law of unintended consequences." http://news.com.com/Navigating+the+law+of+unintended+consequences/2010-7348_3-5611746.html

I haven't had a chance to check with state PIRG staff to see which of these specific state proposals we are supporting. You like some, but have concerns with others. It is PIRG's position that breach notice requirements should be strong, and not, as the recent guidance from bank regulators does, give discretion to the breached firm to determine whether misuse is likely to occur before informing data subjects.
Politech readers may be interested to know that PIRG and Consumers Union (publishers of Consumer Reports) put together a 7 point model state identity theft and credit reporting platform last fall, http://www.pirg.org/consumer/credit/model.htm building on what Congress failed to do in the 2003 Fair and Accurate Credit Transactions Act (FACTA), and of course, building on what little Congress allowed the states to continue to do-- since FACTA was arrogantly preemptive of state authority. The model state law includes security breach language based on CA law, security freeze language, a ban on use of credit scoring for insurance purposes and other reforms. Security freezes give consumers control over who can access their credit report and have already been enacted in CA, TX, LA and VT. A number of states are considering all or parts of the model law, see this chart on credit reporting and id theft reforms. http://www.pirg.org/consumer/credit/Statechart1facta.pdf It also shows that the vast majority of 2003 federal FACTA reforms were first passed in the states.

Second, in his thoughtful post commenting on the recent paper by Chris Hoofnagle and Daniel Solove discussed earlier in politech http://www.politechbot.com/2005/03/11/request-for-critique/, Jim Harper of Cato states essentially that Hoofnagle-Solove are biased toward giving people privacy protection when they may not want it, because Solove-Hoofnagle only support stronger state laws. Jim Harper says federal law should be neither a floor nor a ceiling: "If there is to be legislation (and I don't think it's needed), states should be fully able to innovate, not just innovate in the federally preferred way."

### Many people said that my comments were thoughtful, so I have pledged to use more bombast, sarcasm, etc. in future. ###

I must disagree.
First, I would point out that the "federally preferred way" is usually to enact one weak uniform law, not to allow states to innovate either upward OR downward, as Jim prefers (if regulation is needed at all). [The notable exception is that where business has sought to create low federal ceilings on legal damages available to victims of medical malpractice or dangerous products, it wants the federal law to allow states to be allowed to legislate only downward to create even lower damage limits for their citizens.] The truth is: industry lobbyists actually prefer some regulation. They would, however, rather have "one sleeping gorilla than 50 monkeys on steroids," to paraphrase federalism scholar John Kincaid, who was I believe himself quoting industry lobbyists.

### I'm not sure I understand. You disagree with my point that states should be able to regulate up or down (if they act at all - not a given) because . . . there's usually weak federal law and industry likes it that way. I understand the observation, but I don't see it as a counter-argument. ###

Second, the view of the vast number of privacy advocates and state attorneys general is not the same as Jim's-- we believe that federal law should establish floor protections, but that the states should continue to be able to act upward only-- provided their laws are not inconsistent with the federal law (that is, it cannot be impossible to comply with both).

### You also disagree with me because privacy advocates and state Attorneys General do. Um, OK, but that's a little light on substance. (See? As promised, sarcasm - though martini-dry in this case.) ###

If Congress does a good enough job, industry need not worry about the 50 monkeys -- they've got other things to do than meddle with a problem Congress has adequately solved. But if Congress doesn't do a good enough job-- we need the states, which can act more quickly to address unsolved problems and provide a solution.
Most of them will enact nearly similar laws-- industry can easily comply by complying nationally with whichever is the strongest state law -- those state ideas then provide models for new federal laws as discussed in the FACTA chart above and a second one on other privacy laws, http://www.pirg.org/consumer/credit/statechart2other.pdf .

### Federalism and separation of powers have traditionally been seen as a bulwark of liberty because these structures put different levels and branches of government in a contest for power, rather than uniting them against the civil and economic liberties of the people. The version of federalism you've articulated here seems to do the opposite, joining states and the federal government in a system devised simply to increase regulation. ###

### If one of the 50 states thinks Congress has not done "a good enough job," it passes greater regulation, driving entire industries (in national markets) to comply. This heaviest-regulating state then provides the model for federal law and the process begins all over again with outlier, heavy-regulating states driving ever more burdensome regulation for everyone else. ###

### If you assume that more regulation is always better, this is a really, really good idea. But if you actually care about what benefits consumers, you would parse issues based on their substance. I don't see how any regulation, state or federal, would improve the lot of consumers over a recognition of tort liability for harmful carelessness like ChoicePoint appears to have practiced. ###

### Should states be able to select the level of protections for people in their states, or should the most regulatory state choose for the whole country? This latter version of federalism would create a political economy that's sick and out of whack. People would suffer under it in terms of both freedom and economic well-being.
###

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Mon Mar 21 2005 - 21:00:57 PST