Federal Data Breach Bills Clear Senate Panel
Update, May 13: Please read the entire post, which has been updated.
Original post: A key Senate committee today approved two bills that would force businesses to notify consumers if their personal or financial data is lost or stolen.
The Personal Data Privacy and Security Act of 2007, sponsored chiefly by Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and the panel's ranking member, Arlen Specter (R-Pa.), would require entities that experience a data breach or loss that jeopardizes sensitive personal data on consumers to notify law enforcement, consumers and credit reporting agencies.
The Leahy-Specter bill also seeks to address the issue of data privacy and accountability, by "requiring data brokers to let individuals know what information they have about them, and where appropriate, allow individuals to correct demonstrated inaccuracies." There are several exceptions to this requirement for different types of businesses, but consumer advocates say this particular provision is likely to meet stiffer resistance as the bill advances to the Senate floor and to the House of Representatives.
The bill also would require companies that have databases with personal information on more than 10,000 Americans to put in place data privacy and security programs and to vet third-party contractors hired to process data. Here, again, there are exemptions, but this is a very important part of the bill, as contractors -- particularly those who work for the federal government -- are frequently to blame for data breach incidents.
Much of the debate over the relative strength of the various data-breach notification proposals currently circulating on Capitol Hill centers around the precise trigger for notification. In the Leahy-Specter bill, an organization would be required to disclose a data breach or loss if it posed a "significant" risk of harm to the affected consumers.
Meanwhile, the "Notification of Risk to Personal Data Act of 2007," a bill introduced by Sen. Dianne Feinstein (D-Calif.), would require disclosure only in the event that the breach resulted in a "reasonable risk" of harm, a term of art that groups like Consumers Union say would leave companies more wiggle room in determining when to talk about a consumer data spill. The Identity Theft Prevention Act of 2007, a data breach bill approved by the Senate Commerce Committee last week, also takes this approach. Feinstein's bill was also approved by the committee today.
Update, May 13, 11:46 p.m. ET: Feinstein's office took issue with my characterization of their bill. While the bill clearly up front says that it requires entities to notify consumers "whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired," they emphasize that wording later on in the bill makes it clear that companies would be required to notify consumers of a data breach by default unless they can show that the breach poses no significant risk of harm to the affected consumers.
Original post: It's worth noting that the bill approved by the Commerce Committee last week includes some very important aspects not found in other proposed federal data breach laws. For instance, it would require disclosures of data breaches whether or not the lost or stolen data was in digital form or on paper. Perhaps more importantly, the measure also is the only proposal that would give consumers the right to place a "freeze" on their credit file with each of the three major credit bureaus. It would also do nothing to interfere with state security freeze laws already on the books in at least 33 states.
For the millions of consumers who receive notice each year that their personal or financial data was lost or stolen, a security freeze can offer peace of mind. A security freeze blocks businesses and potential fraudsters from gaining access to a consumer's credit report and credit score, and from granting new lines of credit in the consumer's name. Consumers who have placed a freeze on their credit and want to get new credit can use a special PIN to unlock access to their credit file.
There is a strong argument to be made that consumers should not have to pay for credit freezes. After all, the credit bureaus profit by collecting and selling sensitive consumer data to thousands of businesses and data brokers. But both the Commerce bill and all of the state freeze laws already enacted require consumers to pay to activate a freeze (unless they are a confirmed ID theft victim and can produce a police report as proof of their misfortune, in which case the freeze is free).
Some states, like Montana, allow consumers to place or temporarily lift a freeze by paying as little as $3 to each of the three major bureaus. Others allow charges as much as or more than what is proposed in the bill passed by the Commerce Committee, which envisions a $10 fee per bureau for credit freeze filers. While $60 per couple may seem like a fortune to keep your personal data private, a freeze can save ID theft victims the years of hassle and thousands of dollars in legal costs typically incurred as they seek to clear their names, according to the Federal Trade Commission. Still, that cost is likely to be prohibitive for some people, particularly low-income families and the elderly.
In other data breach news, Rep. Tom Davis (R-Va.) today reintroduced the Federal Agency Data Breach Protection Act, a bill that would require federal agencies to notify consumers if their data is lost or stolen. Davis originally floated the bill in the last Congress after a lost laptop belonging to a Department of Veterans Affairs worker jeopardized the personal data on more than 26 million veterans. That bill was approved by the House but never gained traction in the Senate.