The Weekly Breach Breakdown: Congressional Privacy Blues – ITRC Testifies on Proposed American Privacy Rights Act

• Last week, the House subcommittee of jurisdiction unanimously passed a version of the American Privacy Rights Act. It now goes to the full House committee. In the Senate, the Subcommittee on Consumer Protection, Product Safety, and Data Security also held a hearing.
• Identity Theft Resource Center (ITRC) Chief Operating Officer, James E. Lee, testified on behalf of the ITRC. Lee told senators that the best way to help identity crime victims is to prevent victimization in the first place. He also said minimum technical and non-technical standards are essential in a world driven by software and fueled by data.
• Lee offered one note of caution. Restricting the use of personal information for identity verification and fraud prevention as part of consumer control or data minimization would have the unintended effect of aiding identity criminals.
• To watch Lee’s full remarks at the Senate Commerce hearing and to learn more about the proposed American Privacy Rights Act, visit the website of the Senate Commerce Committee.
• To learn about the latest data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
• If you believe you are the victim of an identity crime, contact the ITRC. Call or text toll-free at 888.400.5530 or live chat on the company website, idtheftcenter.org.

Congressional Privacy Blues

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 31, 2024. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we provide an update on the American Privacy Rights Act.

We started the month of May talking about the possibility of a national privacy and data security law after the leaders of the House and Senate Commerce Committees agreed to a draft American Privacy Rights Act. A lot has happened since then. However, there’s still a long way to go before any bill makes it to the president’s desk.

Johnny Cash wrote about a prisoner in Folsom Prison Blues. That’s why we’re calling this episode “The Congressional Privacy Blues”. You can hear the train a-comin’…but time is draggin’ on.

House Subcommittee Passes Version of American Privacy Rights Act

Both Committees have had hearings on the proposed legislation. Last week, the House subcommittee of jurisdiction unanimously passed a version of the American Privacy Rights Act. That now goes to the full House committee.

ITRC Testifies Before Senate Subcommittee

In the Senate, the Subcommittee on Consumer Protection, Product Safety, and Data Security also held a hearing where ITRC Chief Operating Officer, James E. Lee, testified on behalf of the ITRC. We don’t advocate for or against any particular legislation or regulation. However, we do provide objective information and analysis. Lee told the senators that the ITRC continues to believe as we did in 2021 – the last time there was a hearing on a national privacy law – that the best way to help identity crime victims is to prevent victimization in the first place. Lee shared many points with the subcommittee in keeping with the focus of the hearing – how to keep personal data safe.

• He shared the ITRC’s position on a uniform national standard for data protection and use. Minimum technical and non-technical standards are essential in a world driven by software and fueled by data.
• Compliance with comprehensive, but not prescriptive, effective minimum standards can reduce the risks of exploitation – thereby reducing instances of identity compromise and misuse.
• Minimum standards are more than just metrics. They are practices like data minimization. It’s a concept predicated on a simple truth: you cannot lose control of the information you do not have or that is secured.
• Routine risk assessments help ensure information and systems are secured in a manner equal to the risk an organization faces. Add two other complementary concepts – privacy by design and security by default – and you have the tools needed to keep privacy and security at the forefront of a company’s culture and in every stage of a product’s lifecycle.
• To be effective in reducing identity crimes, uniform standards need strong enforcement backed by routine audits. Defenders must continually measure their progress and constantly adjust to the new risks to keep pace with aggressive attackers.
• The need for strong enforcement actions also applies to data breach notices which are increasingly ineffective, if notices are even issued. For example:
  • In the first three months of 2024, only 32 percent of data breach notices linked to cyberattacks contained information about the cause of the attack compared to 100 percent in 2021 and prior years.
  • An average of nine new data breach notices were issued each day in 2023 in the United States. In the European Union, the daily rate of new breach notices was 335.

A Note of Caution

In a congressional hearing, you’re allowed five minutes to make an opening statement before Members ask you questions. Before the Q&A began, Lee offered one note of caution while discussing the proposed American Privacy Rights Act. Adopting data minimization and giving consumers more access and control over their personal information are vitally important parts of data protection. These practices can significantly reduce the amount of personal information at risk of a data breach and misuse by criminals.

However, personal information, used responsibly and transparently, is important for proving a person is who they claim to be in a wide variety of transactions – from opening bank accounts to applying for government benefits – effectively preventing someone from becoming a victim of identity fraud because of stolen personal information.

Restricting the use of personal information for identity verification and fraud prevention as part of consumer control or data minimization would have the unintended effect of aiding identity criminals and negatively impacting many communities that already are disproportionately affected by identity crimes.

Watch the Full Remarks

If you want to listen to Lee’s full remarks at the Senate Commerce hearing and to learn more about the proposed American Privacy Rights Act, visit the website of the Senate Commerce Committee. 

Contact the ITRC

If you want to know more about how to protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. We will return next week with another episode of the Weekly Breach Breakdown.