WASHINGTON -- In past few years, Congress has passed laws designed to protect the privacy of a patients' medical records and of accounts with financial institutions.
It has yet to decide on broad-reaching standards to regulate online privacy, though the issue is the leading IT question on Capitol Hill this year. Dozens of bills and proposals are circulating to protect various aspects of consumers' online activity, each of which would force changes in database and systems design, not to mention the business processes that underlie those designs.
For instance, if privacy rules are adopted that give customers the right to inspect and, if necessary, correct their personal data, corporate systems must be able to locate data that can be spread among multiple databases and business units. Restrictions on the sharing of data with third parties can also affect systems.
"A goal of a company is to have all its data as available as it can be, because it's going to try to get business value our of that," said Brian Tretick, a privacy and security specialist at Ernst & Young LLP. Integrating disparate systems "is a big challenge in and of itself without adding a new dimension ... tagging that data with something do with choice."
It's choice -- the difference between "opt-in" and "opt-out" -- that's at the heart of privacy debate in Congress. Opt-out requires a consumer to take action to remain outside of a data stream by removing a check mark from an online box or mailing back privacy preferences. Opt-in forces companies to get customer consent before data can be shared with other parties, which makes it less likely a customer will agree.
The stakes are high. High-tech and marketing groups have argued that privacy rules could impose compliance costs that run into the billions of dollars. Privacy groups have said they fear privacy abuses as personal data is aggregated and shared.
Congress has already begun to set ground rules by taking steps to regulate privacy in industries that deal with the most sensitive personal data: financial services, health providers and e-commerce companies that market to children. But lawmakers remain divided on how to approach the broader issue of online privacy.
More than 20 bills have been introduced in this session affecting privacy, but none of them is assured of passage. The same can be said for the some of other issues in front of lawmakers, such as spam, database protection, Internet taxation, critical infrastructure protection and electronic government initiatives.
The Senate Commerce Committee is the key committee on privacy because of the strong bipartisan support for privacy measures and the concentration of influential leaders that serve on it. But the outlook for any privacy bills passing is murky. The only bill making any progress, and in the House only, would create an 18-month study commission. If approved, this legislation would be an excuse for no action on privacy.
Sen. Fritz Hollings (D-S.C.), who emerged as the new Commerce Committee chairman in the recent leadership shakeup, said he believes consumers should give consent, or opt-in, to third-party sharing of personally identifiable information.
In a bill Hollings introduced in the last session and is expected to reintroduce this year, companies would be required to "establish and maintain reasonable procedures necessary" to protect the security of the data they collect. It's vague language, but some industry groups eye it warily.
Advocacy groups such as Washington-based Americans for Computer Privacy in Washington, which is opposing legislation in favor of industry self-regulation, say even innocent-sounding languages in bills -- such as "reasonable procedures" -- could be translated by regulators as specific rules.
"There is always concern that when Congress starts putting standards in federal legislation, even innocuous-sounding [ones], that it could open the door for further regulation down the road," said Bruce Heiman, executive director of Americans for Computer Privacy, which represents a coalition of companies, trade groups and individuals.
But if Hollings' effort doesn't fly, Sen. John McCain's (R-Ariz.) privacy effort might. The former Commerce Committee chairman is expected to reintroduce a privacy bill this year that has strong bipartisan backing, including that of Sen. John Kerry (D-Mass.) Unlike Hollings, McCain supports opt-out privacy rules.
Trade groups are divided on how to approach privacy. The Washington-based AEA, formerly the American Electronics Association, said it will back an online privacy bill that supports opt-out as long it includes provisions that limit the ability of states to adopt their own privacy laws.
Federal privacy, both in medical and financial privacy, sets a "floor" and not a "ceiling." That means companies must adhere to federal rules, but states could also adopt additional, more restrictive measures.
For instance, the threat of more stringent state regulations is a concern for companies that handle health care services in multiple states, said John Zimmerman, the health care data exchange manager at Siemens Medical Solutions Health Services Corp. in Malvern, Penn.
"If you practice in three states ... which of those three state security regulations should you follow?" said Zimmerman. "I can't imagine how [the state standards\[ will be the same."
The Information Technology Association of America, unlike the AEA, opposes any privacy legislation, state or federal, said Harris Miller, president of the Arlington, Va.-based group.
Instead, the ITAA is pushing Congress and the states to recognize the technological incentives, such as the Platform for Privacy Preferences (P3P), a set of standards that promises to give consumers more control over their own data online.
"I think we will see the momentum shift \[away from regulation] as we see the rollout of P3P technology," Miller said. This standard, developed by the World Wide Web Consortium, allows conversion of a company's privacy statements into a machine-readable format. The end user can then set privacy preferences.
The debate about privacy legislation also includes the following issues:
Security enforcement through litigation
Congress may also give companies incentive to improve security protections by make it easier for consumers to sue companies and the directors of companies that violate their privacy.
For instance, the Financial Institution Privacy Protection Act of 2001 sponsored by Sen. Bill Nelson (D-Fla.) would amend the Gramm-Leach-Bliley Act (GLBA) of 1999 to make officers and directors liable for up to $10,000 for each privacy violation.
The liability provisions of GLBA would hold financial institutions responsible for security of their Web sites, said Peggy Weigle, the CEO of Sanctum Inc., a security company in Santa Clara, Calif. With enforcement mechanisms such as those in the financial modernization bill, Weigle said she believes "the privacy policies [of individual sites] are completely moot."
Another financial services headache: Privacy groups as well as many lawmakers believe the privacy provisions of GLBA do little to protect consumers because they rely on the opt-out model. These critics now have an influential friend, Sen. Paul Sarbanes (D-Md.), the new chairman of the Senate Banking Committee thanks to the recent Senate leadership shakeup. Sarbanes' Financial Information Privacy Protection Act of 2001 would amend GLBA to include more opt-in provisions.
Spam
Despite the near-universal hatred among Internet users of unsolicited commercial e-mail, special-interest groups have been unable to agree on a bill to restrict spam. Direct marketing groups fear too restrictions that are too broad; antispam groups worry about limits that are unrealistic or unenforceable. The leading bill on this measure by U.S. Rep. Heather Wilson (R-N.M.) was recently stripped of a number of consumer-protection provisions by the House Judiciary Committee. It's possible, however, that a "lite" version of this legislation could win passage, requiring, for instance, that spammers provide legitimate return e-mail addresses to give consumers a way to reply.
Internet taxation
The 3-year moratorium on Internet access taxes expires in October. Discussion on the topic indicates lawmakers are inclined to extend it -- provided an agreement can be worked out on the broader issue of online sales-tax collections. About 30 states are involved in an effort to streamline and simplify sales taxes with the goal of reducing administrative burdens for e-commerce companies. This streamlining is seen as an essential first step to giving states the authority to collect sales taxes from companies that are now outside their jurisdiction. Backers of the states' effort want any moratorium extension to include provisions supporting expanded tax collections. Negotiations are under way.
Database protection
Lawmakers have been unable to agree on legal protections for databases that fall outside of copyright law. These are databases often assembled through public records, like agricultural crop reports, that could be easily copied by competitors. Opponents, including academic groups, say some of the protections are overly broad. Negotiations are continuing and the outcome is uncertain.
Critical infrastructure protection
This bipartisan issue is getting more legislative attention. House and Senate bills that would exempt security data shared with the government from disclosure under Freedom and Information Act requirements are expected before the August recess. U.S. Rep. Ike Skelton (D-Mo.), the ranking Democrat on the House Armed Services Committee, recently introduced the Homeland Security Strategy Act, which would require a national plan for dealing with national threats such as attacks over the Internet.
The Bush administration is developing a national plan for dealing with critical infrastructure issues, due out by year's end. So far, though, the White House isn't asking for regulation to force companies to improve security, but companies have also acknowledged that GLBA and medical-privacy rules are improving security.
Security Risk and Reward
Stories in this report:
- Want to Save Some Money? Automate Password Resets
- Knowldge Quest
- Companies Need Security Pros With More Varied Skills
- Finding Answers
- The Enemy Within
- The Threat of XML
- SOAP, Other Protocols Specify Security for XML
- The Problem With Power
- Top 10 Security Mistakes
- Playing By Europe's Rules
- False Alarm?
- An Ounce of Intrusion Prevention
- Deadly Pursuit
- IDS Products and Prices
- Should You Outsource IDS?
- Who He Is
- Manager Offers Primer On Computer Forensics
- Unlocking Secure Online Commerce
- Too Late For Digital Certificates?
- Giving Users Back Their Privacy
- Feeling Safe With IT Security Deals
- Finjan's Software Bolcks Active Content Threat
- Security Statistics
- The Guardian
- Congress Considers Slew of Bills That Will Affect IT, E-Commerce
- U.S. Legislators Ponder Masses of Bills; Outlook Remains Murky
- Rule Changes May Further Protect Company Security Data
- Getting Started in Computer Forensics
- PKI Carries the Mail for U.S. Postal Service
- Security by Syntax