When the Equifax data breach occurred, 240,000 Vermonters received notice that their information had been compromised. Equifax’s initial response—which among other things required people to waive their legal rights—did not inspire great confidence in the public. And legislators were justifiably angry.
But people make mistakes when they’re angry, and when the First Amendment is involved, those mistakes can be expensive. Not so long ago, the legislature was convinced that it could regulate information in the same way as “beef jerky.” Both liberal and conservative justices of the Supreme Court told them they were wrong. As a result, Vermont spent $4 million and was forced to pay approximately $2.22 million in attorneys’ fees.
History is about to repeat itself.
The Vermont Senate is now considering legislation that requires provocatively named “data brokers” to register with the state and comply with information security requirements. The legislation’s requirements are triggered by the sale of a single “name, address” or “other information that is linkable to the consumer,” if the Vermont consumer is not a customer of the data broker. That applies whether or not the information is a matter of public record, and even if the information belongs to a public figure.
For example, if a business were to sell the names of every person who bought medical alert devices, they have no obligations under the legislation. If the use of their app allows them to track consumers around the state and later sell those travelling habits, it has no obligations under this legislation. The state sales of all of its public record data are similarly unaffected, as is any other business that sells their customer lists.
But a person that compiles a database of Vermont legislators, their donation and voting records, and their email addresses has to register with the government, and comply with the bill’s security standard. The same is true of many of SIIA’s members who provide information about any number of fields.
One could argue that such an approach is pointless as a matter of public policy, but the legislation has deeper problems. The First Amendment prohibits content-discriminatory burdens on speech. If a law is content-discriminatory, it has to be narrowly tailored to a compelling state interest. The First Amendment’s legal tests exist for a reason: in the United States, we regulate speech as a last resort, not a first one.
The loopholes described above demonstrate that the legislation is guaranteed not to pass that kind of scrutiny. And when it fails, Vermont’s taxpayers will once again end up footing the bill.
With that said, the legislature is not toothless. It can (and did) prohibit the acquisition of personal information by fraudulent means. Similarly, the legislature can (and did) prohibits Vermonters from being charged when they put security freezes on their credit reports in the event that their information’s been compromised. If the information is misused in some way, the legislature can and should regulate the misuse.
What it cannot do is use a shotgun when the First Amendment requires a scalpel. One would have thought that the legislature had learned this lesson.