With all of the recent news involving large companies and consumer data, state legislators appear to be having knee-jerk reactions to the data industry’s problems. Recent data security breaches at Bank of America, T-Mobile, Lexis-Nexis, ChoicePoint, PayMaxx, DSW Shoe Warehouse, and others have made consumer data collection and protection a very hot subject for legislators. News.com has a story about the state reactions to the data industry breaches. While legislation protecting consumer personal information is a good idea, the hasty, reactionary legislation being proposed may have very negative effects on the actual protection afforded the public.
Because of the nature of the data, state-level legislation may not be effective, as companies may not have a legal presence in some of the states where the people whose information is breached live. Without a legal presence in the state of the affected consumers, the company may not be bound by that state’s laws. The other major problem with state-level legislation is the uneven level of protection a consumer may receive, depending on what state they live in and what state the company is located in.
Federal-level legislation is the only effective way to deal with consumer data collection and the protection of the collected data. Consumers deserve to have equal protections and rights with respect to the use of data collected about them, regardless of where they live or where the companies collecting the data are located. The legislation should also address who is authorized to have access, what levels and types of consumer data can be accessed, and whose permissions are required for the different levels of access. The ability to correct errors in the data and the right to see what data has been collected about a consumer should also be addressed. Finally, notifying the consumer when their consumer data is accessed should be mandatory.
If federal legislation is not passed quickly, the economic damage due to the fallout from widespread identity theft and fraud based on information gained in the recent breaches will fall on the shoulders of the consumers, not the companies responsible for the data breaches. A previous story on this blog discusses why companies that collect and sell consumer data should be held responsible.