Politech mailing list archives

U.S. PIRG's Ed Mierzwinski on "model" state ID theft, privacy laws [priv]


From: Declan McCullagh <declan () well com>
Date: Mon, 21 Mar 2005 23:47:21 -0500

Previous Politech messages:
http://www.politechbot.com/2005/03/21/eric-grimm-debate/
http://www.politechbot.com/2005/03/18/catos-jim-harper/
http://www.politechbot.com/2005/03/11/request-for-critique/


-------- Original Message --------
Subject: Security breach laws and a reply to Jim Harper's reply to Hoofnagle and Solove.
Date: Sun, 20 Mar 2005 18:05:45 -0500
From: Ed Mierzwinski <edm () pirg org>
Reply-To: <edm () pirg org>
Organization: U.S. PIRG
To: <declan () well com>
CC: <hoofnagle () epic org>, <jharper () cato org>, <dsolove () law gwu edu>

Declan-- I thought Politech readers might be interested in these comments on
(1) your recent CNET article on state responses to Choicepoint and (2) in
reply to Jim Harper's comments on state law preemption in his post on the
Hoofnagle/Solove paper.

First, I saw your article on state responses to the Choicepoint debacle on
CNET: "Navigating the law of unintended consequences."
http://news.com.com/Navigating+the+law+of+unintended+consequences/2010-7348_3-5611746.html

I haven't had a chance to check with state PIRG staff to see which of these
specific state proposals we are supporting. You like some, but have concerns
with others. It is PIRG's position that breach notice requirements should be
strong, and not, as the recent guidance from bank regulators does, give
discretion to the breached firm to determine whether misuse is likely to
occur before informing data subjects.

Politech readers may be interested to know that PIRG and Consumers Union
(publishers of Consumer Reports) put together a 7 point model state identity
theft and credit reporting platform last fall,
http://www.pirg.org/consumer/credit/model.htm  building on what Congress
failed to do in the 2003 Fair and Accurate Credit Transactions Act (FACTA),
and of course, building on what little Congress allowed the states to
continue to do-- since FACTA was arrogantly preemptive of state authority.

The model state law includes security breach language based on CA law,
security freeze language, a ban on use of credit scoring for insurance
purposes and other reforms. Security freezes give consumers control over who
can access their credit report and have already been enacted in CA, TX, LA
and VT. A number of states are considering all or parts of the model law,
see this chart on credit reporting and id theft reforms.
http://www.pirg.org/consumer/credit/Statechart1facta.pdf It also shows that
the vast majority of 2003 federal FACTA reforms were first passed in the
states.

Second, in his thoughtful post commenting on the recent paper by Chris
Hoofnagle and Daniel Solove discussed earlier in Politech
http://www.politechbot.com/2005/03/11/request-for-critique/, Jim Harper of
Cato states essentially that Hoofnagle-Solove are biased toward giving
people privacy protection when they may not want it, because
Solove-Hoofnagle only support stronger state laws. Jim Harper says federal
law should be neither a floor nor a ceiling: "If there is to be legislation
(and I don't think it's needed), states should be fully able to innovate,
not just innovate in the federally preferred way."

I must disagree. First, I would point out that the "federally preferred way"
is usually to enact one weak uniform law, not to allow states to innovate
either upward OR downward, as Jim prefers (if regulation is needed at all).
[The notable exception is that where business has sought to create low
federal ceilings on legal damages available to victims of medical
malpractice or dangerous products, it wants the federal law to allow states
to be allowed to legislate only downward to create even lower damage limits
for their citizens.] The truth is: industry lobbyists actually prefer some
regulation. They would, however, rather have "one sleeping gorilla than 50
monkeys on steroids," to paraphrase federalism scholar John Kincaid, who was
I believe himself quoting industry lobbyists.

Second, the view of the vast number of privacy advocates and state attorneys
general is not the same as Jim's-- we believe that federal law should
establish floor protections, but that the states should continue to be able
to act upward only-- provided their laws are not inconsistent with the
federal law (that is, it cannot be impossible to comply with both).

If Congress does a good enough job, industry need not worry about the 50
monkeys -- they've got other things to do than meddle with a problem
Congress has adequately solved. But if Congress doesn't do a good enough
job-- we need the states, which can act more quickly to address unsolved
problems and provide a solution. Most of them will enact nearly similar
laws-- industry can easily comply by complying nationally with whichever is
the strongest state law  -- those state ideas then provide models for new
federal laws as discussed in the FACTA chart above and a second one on other
privacy laws, http://www.pirg.org/consumer/credit/statechart2other.pdf .

The two state privacy law charts, also included with other links in the
Choicepoint box on the top of this page http://www.pirg.org/consumer/credit
show that nearly all the best privacy ideas first came from the states. The
FTC's "Do Not Call" list? At least 40 state DNC laws passed first.

Finally, also in that Choicepoint box, one link articulates our principles
for a federal Choicepoint response. A second, the letter to Markey and
Nelson, gives a history of the failure to regulate data brokers, which have
succeeded in creating what I call an "unregulated parallel universe." Also,
on this http://www.stopatmfees.com/occpirg.htm page, we archive a number of
recent PIRG reports, journal articles and other materials opposing state
preemption of consumer, environmental, banking and privacy laws.

Ed
--------------------------------------------------
Ed Mierzwinski, Consumer Program Director
U.S. Public Interest Research Group (U.S. PIRG), National Association of
State PIRGs
218 D St SE
Washington, DC 20003
v-202-546-9707x314 fax 202-546-2461 Note New Email edm () pirg org,
www.pirg.org/consumer (web and blog)






-------- Original Message --------
Subject: RE: Security breach laws and a reply to Jim Harper's reply to Hoofnagle and Solove.
Date: Mon, 21 Mar 2005 17:34:27 -0500
From: Jim Harper <jharper () cato org>
To: <edm () pirg org>, <declan () well com>
CC: <hoofnagle () epic org>, <dsolove () law gwu edu>

Replies to the Jim-relevant parts in text below, set off by ###.

-----Original Message-----
From: Ed Mierzwinski [mailto:edm () pirg org]
Sent: Sunday, March 20, 2005 6:06 PM
To: declan () well com
Cc: hoofnagle () epic org; Jim Harper; dsolove () law gwu edu
Subject: Security breach laws and a reply to Jim Harper's reply to Hoofnagle and Solove.

Declan-- I thought Politech readers might be interested in these comments on
(1) your recent CNET article on state responses to Choicepoint and (2) in
reply to Jim Harper's comments on state law preemption in his post on the
Hoofnagle/Solove paper.

First, I saw your article on state responses to the Choicepoint debacle on
CNET: "Navigating the law of unintended consequences."
http://news.com.com/Navigating+the+law+of+unintended+consequences/2010-7348_3-5611746.html

I haven't had a chance to check with state PIRG staff to see which of these
specific state proposals we are supporting. You like some, but have concerns
with others. It is PIRG's position that breach notice requirements should be
strong, and not, as the recent guidance from bank regulators does, give
discretion to the breached firm to determine whether misuse is likely to
occur before informing data subjects.

Politech readers may be interested to know that PIRG and Consumers Union
(publishers of Consumer Reports) put together a 7 point model state identity
theft and credit reporting platform last fall,
http://www.pirg.org/consumer/credit/model.htm  building on what Congress
failed to do in the 2003 Fair and Accurate Credit Transactions Act (FACTA),
and of course, building on what little Congress allowed the states to
continue to do-- since FACTA was arrogantly preemptive of state authority.

The model state law includes security breach language based on CA law,
security freeze language, a ban on use of credit scoring for insurance
purposes and other reforms. Security freezes give consumers control over who
can access their credit report and have already been enacted in CA, TX, LA
and VT. A number of states are considering all or parts of the model law,
see this chart on credit reporting and id theft reforms.
http://www.pirg.org/consumer/credit/Statechart1facta.pdf It also shows that
the vast majority of 2003 federal FACTA reforms were first passed in the
states.

Second, in his thoughtful post commenting on the recent paper by Chris
Hoofnagle and Daniel Solove discussed earlier in Politech
http://www.politechbot.com/2005/03/11/request-for-critique/, Jim Harper of
Cato states essentially that Hoofnagle-Solove are biased toward giving
people privacy protection when they may not want it, because
Solove-Hoofnagle only support stronger state laws. Jim Harper says federal
law should be neither a floor nor a ceiling: "If there is to be legislation
(and I don't think it's needed), states should be fully able to innovate,
not just innovate in the federally preferred way."

### Many people said that my comments were thoughtful, so I have pledged to use more bombast, sarcasm, etc. in future. ###

I must disagree. First, I would point out that the "federally preferred way"
is usually to enact one weak uniform law, not to allow states to innovate
either upward OR downward, as Jim prefers (if regulation is needed at all).
[The notable exception is that where business has sought to create low
federal ceilings on legal damages available to victims of medical
malpractice or dangerous products, it wants the federal law to allow states
to be allowed to legislate only downward to create even lower damage limits
for their citizens.] The truth is: industry lobbyists actually prefer some
regulation. They would, however, rather have "one sleeping gorilla than 50
monkeys on steroids," to paraphrase federalism scholar John Kincaid, who was
I believe himself quoting industry lobbyists.

### I'm not sure I understand. You disagree with my point that states should be able to regulate up or down (if they act at all - not a given) because . . . there's usually weak federal law and industry likes it that way. I understand the observation, but I don't see it as a counter-argument. ###

Second, the view of the vast number of privacy advocates and state attorneys
general is not the same as Jim's-- we believe that federal law should
establish floor protections, but that the states should continue to be able
to act upward only-- provided their laws are not inconsistent with the
federal law (that is, it cannot be impossible to comply with both).

### You also disagree with me because privacy advocates and state Attorneys General do. Um, OK, but that's a little light on substance. (See? As promised, sarcasm - though martini-dry in this case.) ###

If Congress does a good enough job, industry need not worry about the 50
monkeys -- they've got other things to do than meddle with a problem
Congress has adequately solved. But if Congress doesn't do a good enough
job-- we need the states, which can act more quickly to address unsolved
problems and provide a solution. Most of them will enact nearly similar
laws-- industry can easily comply by complying nationally with whichever is
the strongest state law  -- those state ideas then provide models for new
federal laws as discussed in the FACTA chart above and a second one on other
privacy laws, http://www.pirg.org/consumer/credit/statechart2other.pdf .

### Federalism and separation of powers have traditionally been seen as a bulwark of liberty because these structures put different levels and branches of government in a contest for power, rather than uniting them against the civil and economic liberties of the people. The version of federalism you've articulated here seems to do the opposite, joining states and the federal government in a system devised simply to increase regulation. ###

### If one of the 50 states thinks Congress has not done "a good enough job," it passes greater regulation, driving entire industries (in national markets) to comply. This heaviest-regulating state then provides the model for federal law and the process begins all over again with outlier, heavy-regulating states driving ever more burdensome regulation for everyone else. ###

### If you assume that more regulation is always better, this is a really, really good idea. But if you actually care about what benefits consumers, you would parse issues based on their substance. I don't see how any regulation, state or federal, would improve the lot of consumers over a recognition of tort liability for harmful carelessness like ChoicePoint appears to have practiced. ###

### Should states be able to select the level of protections for people in their states, or should the most regulatory state choose for the whole country? This latter version of federalism would create a political economy that's sick and out of whack. People would suffer under it in terms of both freedom and economic well-being. ###
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

