The "21st Century Privacy Coalition" might sound like the name of a group fighting for stronger privacy protections in the Internet age. But, in fact, it represents some of the nation's largest cable and phone companies, and is working to help those companies escape regulations on how they have to handle customer data.
If the group gets its way, Congress would loosen regulations for how companies have to protect sensitive information—such as what phone numbers you've sent text messages to, what you've watched on television, and potentially even what websites you've visited.
The group is led by Mary Bono, a former Republican congresswoman from California, and Jon Leibowitz, a former Democratic chairman of the Federal Trade Commission. Funded by Comcast, AT&T, Verizon, Time Warner Cable, DirecTV, and industry trade associations, the coalition has spent nearly $2 million on lobbying, according to disclosure records. That money has gone to hire lobbyists from two firms: Mayer Brown and Ryan, MacKinnon, Vasapoli, and Berzok.
It has essentially one goal: pass the Data Security and Breach Notification Act. The bill, which cleared the House Energy and Commerce Committee last month, is intended to combat the kinds of massive hacks of personal information that have hit Target, Home Depot, and other companies in recent years. President Obama even urged Congress to act on the issue during this year's State of the Union address.
The House legislation, authored by Republican Rep. Marsha Blackburn of Tennessee and Democratic Rep. Peter Welch of Vermont, would require companies to have "reasonable" security and to notify their customers if their personal information is stolen. The bill generally just covers information that could be used for fraud, such as credit card or Social Security numbers.
But companies such as Comcast and Verizon already have to comply with more stringent data security and privacy regulations enforced by the Federal Communications Commission. FCC rules declare that the companies have a "duty to protect the confidentiality" of an array of phone and cable records. Those rules also will soon cover Internet records as part of the FCC's decision to expand its authority over broadband access in its net neutrality regulations.
The 21st Century Privacy Coalition argues that it doesn't make sense for the telecom companies to have to comply with a whole separate regulatory regime. So, at its urging, lawmakers included language in the bill that would exempt companies from FCC regulations related to protecting personal information. Like retailers and other businesses, the telecom companies would only have to comply with the "reasonable" security standard enforced by the FTC.
"The bipartisan legislation intelligently puts enforcement authority in the hands of America's top privacy cop," said Leibowitz, who served at the FTC from 2004 to 2013 and now is a partner with the law firm Davis Polk in addition to his role as the co-chairman of the 21st Century Privacy Coalition. The FTC, he said, has an impressive track record of cracking down on companies that put consumer information at risk.
Historically, the FTC has been more focused on data security issues than the FCC. But the FCC is beginning to become more aggressive. Just last month, the telecom regulator forced AT&T to pay $25 million for allowing employees in foreign call centers to steal private details about U.S. subscribers.
Leibowitz argued that the Data Security and Breach Notification Act would be good for consumers because it would simplify privacy protections. Consumers want their data protected, but they don't think there should be special rules depending on which company has that data, he said. "From a consumer perspective, it doesn't make sense that data would be treated differently based on who is doing the collecting and what statutory regime they're under," Leibowitz said.
But Laura Moy, a senior policy counsel for the New America Foundation's Open Technology Institute, warned that the data breach bill would leave consumers with weaker protections for their most sensitive information. The legislation really is focused on combating financial fraud, she argued, while the FCC regulations aim to protect a wide range of personal information to ensure people can trust communications networks. Unlike FCC rules, the bill wouldn't cover text message logs, cable TV viewing and ordering histories, Internet records, or certain kinds of location data.
"We want people to use these essential communications systems as platforms for free speech and free association," she said. "We want people to be able to visit the websites they need to visit to gather the information they need, for whatever it is, whether it's abortion, purchasing firearms, seeking medical help, or help for mental illness."
It's not just consumer advocates who are angry over how the bill treats telecom companies. Retailers also are lobbying for stricter regulations of the telecom industry.
Under the bill, if a telecom provider is transporting data for another company and gets hacked, it has no obligation to notify consumers. Instead, it only has to notify the other company, and only then if that company can be "reasonably identified." Supporters of the language say telecom providers should have lower notification burdens when they're just acting as conduits for other companies.
Mallory Duncan, the general counsel for the National Retail Federation, argued that this language creates a "notice hole" that could leave consumers unaware that their information has been hacked. When the consumers realize someone has stolen their identity, they might blame a retailer like Target, when it was really Verizon, carrying Target customer information, that got hacked.
"[The 21st Century Privacy Coalition] is aptly named because they want to keep the fact of their breaches to themselves," Duncan said.
With President Obama calling for data breach legislation, it seemed like it would be one of the few issues that could enjoy bipartisan support this year. But all of the Democrats on the House Energy and Commerce Committee, including Welch, voted against the version that passed the panel last month. In addition to opposing the telecom provisions, they argued that the new federal notification requirement shouldn't replace stronger state laws.
Republicans now are making tweaks in an attempt to get some Democrats on board, but they are unlikely to change the provisions on telecom companies. The Senate has been waiting for the House to reach an agreement before it moves forward on legislation.
But still, the backers of the bill are confident it will pass. And Bono has some important historical perspective on the issue; she was the chairwoman of the House Commerce, Manufacturing, and Trade Subcommittee, and the chief author of a data breach bill that failed to pass during the most recent Congress.
"Just a handful of years ago, far fewer members were really interested in the topic or understood the severity of the threat," she said in an email. "Now every single member can probably speak to the problem of data security and probably have, at one point or another, discussed the threat with his or her businesses and constituents. It's no longer just a vague problem to any member but instead a real issue that needs to be addressed."