NEW YORK — The question of whether data security breach legislation will pass this year was debated yesterday at a session here at the 2006 DM Days New York Conference & Expo.
“I think we are going to get away without too much trouble this year,” said Tony Hadley, vice president of government affairs at Experian, and the company’s chief lobbyist. “But that does not mean, by any means, that we should let our guard down.”
But, Emily Hackett, executive director of the Internet Alliance, which tracks state legislative bills affecting direct marketers, said that the fact there were so many data security breach bills introduced and passed in states this year means that a federal bill will likely follow.
Ms. Hackett said there were 168 data security breach bills introduced in 39 states this year following a California data breach law that says marketers must notify customers of security breaches that may have resulted in the unauthorized release of their computerized and unencrypted personal and financial information.
Nineteen of these bills have been enacted and 14 are pending. In addition, Ms. Hackett said that 38 bills in 12 states have been introduced that go beyond the California bill and expand the definition to go beyond computer records to include additional types of information and records such as paper records. Eleven of these bills have been enacted and 12 are pending.
“I think the dominoes are falling,” Ms. Hackett said. “It looks to me, from my state perspective, that there is enough of a patchwork of state laws being enacted that it would inspire federal action. But maybe not.”
Mr. Hadley also discussed the fact that there are currently six congressional committees considering legislation that would govern data security. But, “will [these bills] really help reduce identity theft? I’m not sure,” he said. “I think some of the bills coming forward could actually do more to facilitate identity theft than reduce it.”
Other legislative/regulatory issues Mr. Hadley said that the DMA is looking into this year include regulation of data brokers, marketing technologies, e-mail marketing, do-not-mail legislation and public records.
As for regulation of data brokers, Mr. Hadley said direct marketers got a bit of relief on Monday when a bill that would have regulated data brokers was withdrawn.
“Without a state moving forward, I don’t think a federal bill will move forward on this either,” Mr. Hadley said. “It’s not because there is not a will, there is just not a way.”
As for spyware, Mr. Hadley said a key point to remember is that DMers do not use spyware.
“Its not in our best interest to use deceptive downloadable technology that drives people, really, crazy,” he said. “There are many fine lines between legitimate, versus nuisance spyware. I am hoping the DMA brings some light to that. Getting the definition straight is very important to direct marketers.”
“We don’t think this is the right idea,” Mr. Hadley said. “In fact, we think the states don’t even have the authority to regulate the U.S. mail system.”
Mr. Hadley mentioned that state do-not-mail bills have been introduced in New York, Illinois and Missouri.
More importantly, Mr. Hadley said, the DMA is currently “acting right and responsibly by not hitting the panic button yet. The agency is working proactively to come up with some really good messages and research that we can use to communicate the fact that this would not be in the consumers’ best interest.”
