Senate panel approves data-breach bill

It also sets rules for the U.S. government's use of private databases

The U.S. Senate Judiciary Committee yesterday approved a bill that would require companies with data breaches to notify affected customers and would set up rules for the U.S. government's use of private databases.

The Personal Data Privacy and Security Act, sponsored by committee Chairman Arlen Specter (R-Pa.) and Sen. Patrick Leahy (D-Vt.), would also require data brokers to allow U.S. residents to correct their personal data and require businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.

Businesses that don't implement security plans could be fined up to $35,000 a day if found in violation of the requirement.

The bill would allow companies that suffer data breaches to avoid notifying consumers if they determine the breach poses "no significant risk" of identity theft or other data fraud. But, unlike some other data-breach bills in Congress, the Specter-Leahy bill would require companies that determine there is no risk from a data breach to report their findings to the U.S. Secret Service, which can then conduct its own investigation.

"This bill will ensure that our laws keep pace with technology," Leahy said in a statement. "In this information-saturated age, the use of personal data has significant consequences for every American. People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly."

The legislation is one of about 15 bills currently before Congress that require data-breach notification, most of them introduced after a series of data breaches earlier this year. It is the second data-breach notification bill to be approved by a full committee, with the next step a vote on the Senate floor. In July, the Senate Commerce, Science and Transportation Committee approved the Identity Theft Protection Act, but the full Senate has not taken action on it.

Like most data-breach bills now before Congress, the Specter-Leahy bill would preempt the more than 20 state laws now requiring data-breach notification. Some consumer and privacy advocates have expressed concern over weak data-breach laws preempting stronger state laws, but officials with the Center for Democracy and Technology (CDT), a privacy advocacy group, called the Specter-Leahy the most comprehensive data-breach notification bill now before Congress.

Several business groups have called for preemption of state notification laws, saying companies will have a hard time complying with a "patchwork quilt" of state rules. CDT supports the preemption of state laws when the federal law doesn't weaken consumer protection, Ari Schwartz, CDT's deputy director, said during a news briefing today. "We can't say we like preemption no matter what. It's got to be something that benefits consumers."

The bill is the only current legislation that includes rules for the government use of private databases to check on U.S. residents, said Nancy Libin, a staff counsel at CDT. The Privacy Act of 1974 set rules for the use of government-controlled databases, but some government agencies have gotten around restrictions by contracting with private data brokers, such as ChoicePoint Inc., which announced a data breach affecting about 145,000 U.S. residents in February.

The bill would require federal agencies to audit the security practices of commercial data brokers they contract with, and would require agencies to conduct privacy impact assessments when using commercial databases.

CDT officials said the bill offers a balance between overnotification of consumers and concerns by privacy advocates about legislation that lets companies avoid notifying consumers if they decide a breach doesn't pose a risk. Some congressional bills don't require companies to report their breach investigations to a federal agency for review.

Worries that consumers would be deluged with breach notifications haven't been justified, Schwartz said. "We haven't seen an overnotification of consumers to date."

Although the CDT praised the Specter-Leahy bill, officials with the group said the measure lacks provisions to restrict the use of Social Security numbers, which is covered in some other congressional bills, and it doesn't include a provision to allow consumers to freeze their credit reports when they suspect they've been victims of ID theft. The credit freeze provision is included in some state breach notification laws.

"We don't think any of [the bills] out there are perfect," Schwartz said.

Copyright © 2005 IDG Communications, Inc.

  
Shop Tech Products at Amazon