A bill before Congress would weaken protections for Massachusetts consumers when it comes to data-breach notifications, Massachusetts Attorney General Maura Healey said last week.
Assistant Attorney General Sara Cable recently testified before the House Subcommittee on Commerce, Manufacturing and Trade against the Data Security and Breach Notification Act of 2015. The bill would establish nationwide standards on notification requirements for data-security breaches. The standards, Healey said, are “far weaker” than what the State of Massachusetts already has under its law.
“This bill will drastically undercut our data-security regulations that provide meaningful consumer protections for Massachusetts residents,” Healey said. “We are concerned that this legislation will scale back our state’s essential safeguards against cybercrime, identity theft and fraud that are already in place.”
Cable said the bill would set vague standards of security, leaving consumers' data vulnerable, and that it has no requirement that states be notified after most types of data breaches. Cable said the omission hinders any meaningful enforcement of consumer-protection laws.
Cable said the bill pre-empts state laws, infringes on states' consumer-protection enforcement authority, doesn't include tough-enough penalties and leaves consumers without a “meaningful remedy.” Healey also said the notification obligations to consumers in the bill lack key safeguards and information.