Overreaching data breach legislation punishes Illinois small businesses

By Carl Szabo | NetChoice

When Gov. Rauner was running for office, he talked a lot about his support for Illinois small businesses. He even used his inaugural address to describe how the state’s economic turnaround could begin with local businesses right here in Illinois.

In the coming weeks, Gov. Rauner will have a golden opportunity to make a meaningful impact in support of Prairie State small businesses. He should seize that chance and issue an Amendatory Veto of Senate Bill 1833.

Why? Because this proposed legislation expands the definition of data breaches to include ordinary sales and marketing information that threatens no one’s safety or security. In fact, it is so off the mark that not a single other state in the country would or has adopted a similarly overreaching measure – not even California. Illinois would be the outlier in erecting such a crushing barrier to small businesses seeking to expand online.

As we’ve seen, with more and more businesses going online, thieves are no longer only those who wear black clothing and sneak into a building under the cover of darkness. Valuable proprietary and financial information is increasingly stored electronically. And criminals are capable of hacking through the best of online defenses to grab everything from credit card numbers to what kind of toppings you like on your pizza.

But Attorney General Lisa Madigan and some members of the Illinois legislature are seeking to treat physical thefts differently than online ones. Whereas in the physical world, the focus is on apprehending the perpetrators and aiding the victims, in an online data breach, the focus seems to be on further punishing the victims.

We can all agree with Attorney General Madigan, who said in support of the bill: “Identity theft is an enormous problem. It’s sometimes very difficult to identify, very difficult to clean up, and it can have an enormous impact on somebody’s ability to function in our world.”

But in an attempt to address the real problem of data breaches, this bill treats the breach of healthcare data from my health insurance company the same as a breach that reveals the last time I ordered a pie at my local pizzeria.

The bill levies excessive and burdensome requirements on Illinois small businesses, uniquely forcing them to spend thousands of unnecessary dollars on legal fees to write privacy policies that are customized for Illinois just for the privilege of doing business over the Internet. Perplexingly, the law would treat an order collected through a website differently from an order taken in person or over the phone and then stored in the same database.

These policies will not make consumers safer. They will instead make it more difficult for small businesses in Illinois – to be created, to grow and to prosper.

We need laws that proactively prevent data breaches and strike at the criminal entities that perpetrate them – not those that impose penalties on the small businesses that are the backbone of our economy.

Gov. Rauner now has an opportunity before him to correct the overreaching aspects of this bill by keeping its focus upon actual threats to the consumer public rather than concocting nationally unprecedented barriers. He has a chance to provide clarity and focus so that law enforcement has the ability to protect victims and find and apprehend criminals. Whether I put cream or sugar in my coffee is not the same as having my credit card number stolen.

Over the past 30 years, traditional crime numbers have plummeted because law enforcement dedicates its resources to protecting victims and prosecuting criminals. The online world should be no different.

Carl Szabo is policy counsel for NetChoice, a trade association of eCommerce businesses and online consumers all of whom share the goal of promoting convenience, choice, and commerce on the net.

Leave a Reply