Federal data-protection law inches forward

The Personal Data Privacy and Security Act was approved by the Senate Judiciary Committee

A sweeping new bill that would implement a national standard for data protection and breach notification got a boost of support today from the Senate Judiciary Committee.

The committee approved the Personal Data Privacy and Security Act of 2009 (S.1490) by a vote of 15-5. The bill is now headed to the full Senate for consideration.

If it becomes law, the bill, which was introduced by Sen. Patrick Leahy (D-Vt.), would require companies and government agencies to follow specific rules for protecting sensitive and personally identifiable data.

Under the proposed law, all private and government entities handling sensitive data would be required to implement specific risk assessment and vulnerability testing measures. They also would be required to deploy measures for controlling access to sensitive data, detecting and logging unauthorized accesses to the data, and protecting data while it is in transit and at rest.

The bill would introduce a federal breach-notification standard under which companies would be required to notify not just individuals affected by a data breach, but also, in some cases, credit reporting agencies and the U.S. Secret Service. It would establish a new Office of Federal Identity Protection within the Federal Trade Commission and stiffen penalties for identity theft and related fraud.

The law would also provide notification exemptions for companies that have taken adequate measures -- such as encryption -- to protect sensitive data. Companies would also not be required to immediately disclose a breach if it would hinder a criminal investigation. But such exemptions would need to be vetted by the Secret Service. The law provides for penalties against executives of companies that willfully conceal a data breach.

If approved, S.1490 would likely preempt similar data-protection laws that have already been passed in 46 states. Many security analysts have been calling for such a federal bill, arguing that it would be easier for companies to comply with one national law rather than a patchwork of 46 state laws.

Several attempts at passing similar federal legislation over the past three years have failed, however, and it remains unclear whether S.1490's fate will be any different. Growing concerns related to identity theft and the criminalization of cyberspace have added an element of urgency to the bill.

Even so, the bill includes provisions that are unnecessary and burdensome, said John Pescatore, an analyst at research firm Gartner Inc. in Stamford, Conn.

"A federal-level disclosure law to make sure affected individuals are notified would be a very good thing, mostly to stop the growth of individual state laws with differing requirements," he said. But the provisions in S.1490 that would require breached entities to report to the government "will create an entire new set of bureaucracy within the U.S. Secret Service and the FTC," Pescatore said.

The bill's overly prescriptive language on the security controls that companies need to institute in order to protect sensitive data is also likely to result in pushback from industry, he said. "I think we have started to already see in the health care bill a lot of pushback" over similar legislation, and the same thing is likely to happen with this bill, Pescatore said. Such concerns could once again derail data protection legislation, he added.

"Congress should really just focus on a national disclosure law that states cannot preempt," he said. "That would bring value to both the people whose identities are being stolen and the businesses which need to be driven harder to protect it."

Alan Paller, director of research at the SANS Institute in Bethesda, Md., said there was "very, very high probability" that the bill could pass muster in Congress this time.

What makes the bill fair is that it gives companies some discretion in deciding whether to publicly disclose a data breach. At the same time, companies that choose not to publicly announce a breach will first need to notify the Secret Service to ensure that companies don't invoke the exception without reason, Paller said. It's a "very cool way to keep the program balanced," he said.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies