by Paul Kerstein

Senate Panel Approves Data-Breach Bill

Nov 21, 2005 | 4 mins

The U.S. Senate Judiciary Committee approved on Thursday a bill that would require companies with data breaches to notify affected customers and would set up rules for the U.S. government’s use of private databases.

The Personal Data Privacy and Security Act, sponsored by committee Chairman Arlen Specter, a Pennsylvania Republican, and Senator Patrick Leahy, a Vermont Democrat, would also require data brokers to allow U.S. residents to correct their personal data, and it would require businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.

Businesses that do not implement security plans could be fined up to US$35,000 a day if found in violation of the requirement.

The Judiciary bill would allow companies that suffer data breaches to avoid notifying consumers if they determine the breach poses “no significant risk” of identity theft or other data fraud. But, unlike some other data-breach bills in Congress, the Specter-Leahy bill would require companies that determine there is no risk from a data breach to report their findings to the U.S. Secret Service, which can then conduct its own investigation.

“This bill will ensure that our laws keep pace with technology,” Leahy said in a statement. “In this information-saturated age, the use of personal data has significant consequences for every American. People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly.”

The Judiciary legislation is one of about 15 bills currently before Congress that require data-breach notification, most of them introduced after a series of data breaches were reported earlier this year.

It is the second data-breach notification bill to be approved by a full committee, with the next step a vote on the Senate floor. In July, the Senate Commerce, Science and Transportation Committee approved the Identity Theft Protection Act, but the full Senate has not taken action on it.

Like most data-breach bills now before Congress, the Specter-Leahy bill would preempt the more than 20 state laws that now require data-breach notification. Some consumer and privacy advocates have expressed concern over weak data-breach laws preempting stronger state laws, but officials with the Center for Democracy and Technology (CDT), a privacy advocacy group, called the Specter-Leahy bill the most comprehensive data-breach notification bill now before Congress.

Several business groups have called for preemption of state notification laws, saying companies will have a hard time complying with a “patchwork quilt” of state rules. CDT supports the preemption of state laws when the federal law doesn’t weaken consumer protection, said Ari Schwartz, CDT’s deputy director.

“We can’t say we like preemption no matter what,” he said during a press briefing Friday. “It’s got to be something that benefits consumers.”

The Judiciary bill is the only current legislation that includes rules for the government’s use of private databases to check on U.S. residents, said Nancy Libin, a staff counsel at CDT. The Privacy Act of 1974 set rules for the use of government-controlled databases, but some government agencies have gotten around those restrictions by contracting with private data brokers, such as ChoicePoint Inc., which announced a data breach affecting about 145,000 U.S. residents in February.

The Judiciary bill would require federal agencies to audit the security practices of commercial data brokers they contract with, and would require agencies to conduct privacy impact assessments when using commercial databases.

The Judiciary bill strikes a balance between overnotification of consumers and privacy advocates’ concerns about some legislation allowing breached companies to avoid notifying consumers if they determine the breaches don’t pose a risk, CDT officials said. Some congressional bills don’t require companies to report their breach investigations to a federal agency for review.

Worries about bombarding consumers with too many breach notifications have so far not been borne out as affected companies comply with state notification laws, Schwartz said. “We haven’t seen an overnotification of consumers to date,” he said.

Although the CDT praised the Specter-Leahy bill, officials there said it lacks provisions to restrict the use of Social Security numbers, covered in some other congressional bills, and it doesn’t include a provision to allow consumers to freeze their credit reports when they suspect they’ve been victims of ID theft. The credit freeze provision is included in some state breach notification laws.

“We don’t think any of [the bills] out there are perfect,” Schwartz said.

By Grant Gross – IDG News Service (Washington Bureau)