MRA endorsed a draft federal data security bill today which will benefit consumers as well as the survey, opinion and marketing research profession. We explained MRA's support in a letter to the House Subcommittee on Commerce, Manufacturing and Trade, which we hope will take up the bill and pass it soon.

UPDATE: MRA sent another letter of endorsement to the full Energy & Commerce Committee on April 13, before a scheduled markup of the legislation.

The text of the letter follows:

Dear Chairman Burgess and Ranking Member Schakowsky,

On behalf of the Marketing Research Association (MRA),[1] I write to share our endorsement of the draft legislation from Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT), “The Data Security and Breach Notification Act of 2015.” This bipartisan bill will set a national standard to help protect consumers’ sensitive information from the ravages of identity theft, fraud, and other criminal abuse, without impeding the essential work of the survey, opinion and marketing research profession.

MRA is happy to endorse the Act because it:

  • Sets a national standard. Federal preemption of the mishmash of state data security laws is essential.
  • Concisely defines personally identifiable information (PII). This legislation carefully limits the data covered to that which is most likely to lead to criminal abuse in the wrong hands, and exempts encrypted or otherwise deidentified or unreadable data. Unlike the President’s draft bill, which included broad account access information (presenting potential privacy concerns, not necessarily security ones), the Blackburn/Welch bill limits that to identifiers and passwords “required for an individual to obtain money, or purchase goods, services, or any other thing of value.”
  • Explicitly establishes the FTC’s authority over data security, and provides regulatory flexibility. The FTC’s authority to regulate and enforce data security, which has been questioned in court by Wyndham Hotels and LabMD, is explicitly put into law with this Act. The Act also avoids setting specific requirements for data security programs, since the FTC will need flexibility. However, the Blackburn/Welch bill does well in NOT giving the FTC extraordinary APA rulemaking authority – the agency’s existing authority is sufficient. The gravest mistake would have been to follow the President’s lead and allow the FTC such extraordinary powers to alter the definition of PII. The agency would undoubtedly expand the definition radically, since FTC Commissioner Ramirez[2] and others at the agency have said that they consider almost any data to ultimately be personally identifiable. The FTC will still be able to modify the definition using its regular Magnuson-Moss rule-making authority, and that should be sufficient.
  • Requires consumer notification within a reasonable (and not arbitrary) timeframe. The Act demands that businesses notify consumers about a breach “as expeditiously as possible and without unreasonable delay,” but specifically no more than 30 days after having “taken the necessary measures to determine the scope of the breach of security and restore the reasonable integrity, security, and confidentiality of the data system.”

While a few specifics still need to be ironed out, especially the full extent of preemption of state laws, the Act will bring certainty for American businesses and companies, including survey, opinion and marketing researchers, whose livelihood depends on the legitimate and accurate collection and analysis of information provided by consumers. MRA looks forward to the Subcommittee’s hearing on March 18 and working with you to shuttle this bipartisan solution into law.

Sincerely,
Howard Fienberg
Director of Government Affairs
Marketing Research Association (MRA)

[1] MRA, a non-profit national membership association, represents the survey, opinion and marketing research profession and strives to improve research participation and quality. We keenly focus on data security and consumer privacy, since personal data is essential to the research process and our ability to deliver insights to clients.

[2] For example, at an Energy & Commerce CMT Subcommittee hearing on July 15, 2011: “I think that the touchstone here is information that can be uniquely tied to an individual... broader than the definition that is currently used in the draft bill.”