On December 18, 2013, the US Senate Committee on Commerce, Science and Transportation held a hearing titled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?”
Following up, Committee Chair Senator Rockefeller has now sent requests for information to six data brokers.
As described in a press release from the Committee (referencing the December 18, 2013 hearing):
Rockefeller sent letters today to six companies, including two – NextMark, Inc. and MEDbase200 – that were highlighted in testimony presented at the hearing as data brokers that produce lists of consumers exhibiting certain financial and health characteristics, such as “Empty Wallets,” “African American Pay Day Loan Responders,” and “Dementia Sufferers”. Four other letters were issued to Acxiom, Epsilon, Experian, and Lexis Nexis – companies that were part of Rockefeller’s initial inquiry into data brokers that sell products focused on consumers’ financial circumstances.
This might sound familiar. You might have seen the recent incident when a man received some junk mail from OfficeMax that was addressed to “Mike Seay, Daughter Killed in Car Crash.” Mike Sheay’s daughter was in fact killed in a car crash. (To make things worse, the letter was also addressed to “Or Current Business.”)
Hope for Privacy and Data Security Legislation?
There are rumors of momentum toward something getting done this year on data privacy and security legislation.
According to The Hill:
Several lawmakers in Congress are optimistic that a new law to protect consumers’ data from being stolen can be passed quickly, weeks after major hacks dominated the headlines.
So it appears that the interest is there in data privacy issues in Congress.
On the other hand, in the very next sentence in the same article, The Hill notes:
The retail and banking industries have begun to face off over potential new legislation, with each worried that new provisions could unduly affect their businesses.
It’s always something.
Strangely though, The Hill brings hope in the form of Republican Congressman Joe Barton:
“It’s one of the few issues in the next 10 months that the House and the Senate can work with the president on,” he said. “I’ll go out on a limb here and predict that we’ll actually do that.”
Can those three work together on anything though? Certainly it seems that data privacy hasn’t been one of those “few issues” they can get resolved. For evidence, I note the failure to enact bills for:
Data Security and Breach Notification Act of 2011
Data Security and Breach Notification Act of 2012
Data Security and Breach Notification Act of 2013
A definite pattern.
But that was before the Target incident. Maybe that’s enough to get things moving. Already this year we have proposals for:
Personal Data Privacy and Security Act of 2014
Data Security Act of 2014
Data Security and Breach Notification Act of 2014
Commercial Privacy Bill of Rights
That’s just the Senate stuff, and that’s just as of this writing.
So maybe something can happen. But then ….
The Problems are the Problem
As we know, there are a lot of privacy and data security problems to solve. Data breach notification is a problem. It’s a pretty simple problem though, as privacy and data security problems go. No doubt that simplicity will make data breach notification a focus (probably the focus) of any successful privacy and data security legislation.
What about all the other data privacy problems? Here at Big Data and the Law, we’re betting those problems are too hard for Congress to deal with.
Look at the 2011, 2012 and 2013 bills (below). Note how simple (and similar) they are, and ask yourself why such simple legislation couldn’t get passed. Then ask yourself whether anything more complex could possibly get passed.
Additional Information on the Senate Data Broker Investigation
You can see an archived webcast of December 18, 2013 hearing.
This is the Majority Report presented at the hearing:
This is Senator Rockefeller’s letter to Acxiom:
In a post here at Big Data and the Law you can see an example of the scope of personal information that data brokers collect. In this case, at Versium Analytics – a company with “…billions of records with billions of real life attributes on consumers and businesses.”
Background on the Privacy and Data Breach Legislation
2011, 2012 and 2013 bills