Network News

X My Profile
View More Activity

Federal Data Breach Bills Clear Senate Panel

Update, May 13: Please read the entire post, which has been updated.

Original post: A key Senate committee today approved two bills that would force businesses to notify consumers if their personal or financial data is lost or stolen.

The Personal Data Privacy and Security Act of 2007, sponsored chiefly by Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and the panel's ranking member, Arlen Specter (R-Pa.), would require entities that experience a data breach or loss that jeopardizes sensitive personal data on consumers to notify law enforcement, consumers and credit reporting agencies.

The Leahy-Specter bill also seeks to address the issue of data privacy and accountability, by "requiring data brokers to let individuals know what information they have about them, and where appropriate, allow individuals to correct demonstrated inaccuracies." There are several exceptions to this requirement for different types of businesses, but consumer advocates say this particular provision is likely to meet stiffer resistance as the bill advances to the Senate floor and to the House of Representatives.

The bill also would require companies that have databases with personal information on more than 10,000 Americans to put in place data privacy and security programs and to vet third-party contractors hired to process data. Here, again, there are exemptions, but this is a very important part of the bill, as contractors -- particular those who work for the federal government -- are frequently to blame for data breach incidents.

Much of the debate over the relative strength of the various data-breach notification proposals currently circulating on Capitol Hill centers around the precise trigger for notification. In the Leahy-Specter bill, an organization would be required to disclose a data breach or loss if it posed a "significant" risk of harm to the affected consumers.

Meanwhile, the "Notification of Risk to Personal Data Act of 2007," a bill introduced by Sen. Dianne Feinstein (D-Calif.), would require disclosure only in the event that the breach resulted in a "reasonable risk" of harm, a term of art that groups like Consumers Union say would leave companies more wiggle room in determining when to talk about a consumer data spill. The Identity Theft Prevention Act of 2007, a data breach bill approved by the Senate Commerce Committee last week, also takes this approach. Feinstein's bill was also approved by the committee today.

Update, May 13, 11:46 p.m. ET: Feinstein's office took issue with my characterization of their bill. While the bill clearly up front says that it requires entities to notify consumers "whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired," they emphasize that wording later on in the bill makes it clear that companies would be required to notify consumers of a data breach by default unless they can show that the breach poses no significant risk of harm to the affected consumers.

Original post: It's worth noting that the bill approved by the Commerce Committee last week includes some very important aspects not found in other proposed federal data breach laws. For instance, it would require disclosures of data breaches whether or not the lost or stolen data was in digital form or on paper. Perhaps more importantly, the measure also is the only proposal that would give consumers the right to place a "freeze" on their credit file with each of the three major credit bureaus. It would also do nothing to interfere with state security freeze laws already on the books in at least 33 states.

For the millions of consumers who receive notice each year that their personal or financial data was lost or stolen, a security freeze can offer peace of mind. A security freeze blocks businesses and potential fraudsters from gaining access to a consumer's credit report and credit score, and from granting new lines of credit in the consumer's name. Consumers who have placed a freeze on their credit and want to get new credit can use a special PIN to unlock access to their credit file.

There is a strong argument to be made that consumers should not have to pay for credit freezes. After all, the credit bureaus profit by collecting and selling sensitive consumer data to thousands of businesses and data brokers. But both the Commerce bill and all of the state freeze laws already enacted require consumers to pay to activate a freeze (unless they are a confirmed ID theft victim and can produce a police report as proof of their misfortune, in which case the freeze is free).

Some states, like Montana, allow consumers to place or temporarily lift a freeze by paying as little as $3 to each of the three major bureaus. Others allow charges as much or more than what is proposed in the bill passed by the Commerce Committee, which envisions a $10 fee per bureau for credit freeze filers. While $60 per couple may seem like a fortune to keep your personal data private, a freeze can save ID theft victims the years of hassle and thousands of dollars in legal costs typically incurred as they seek to clear their names, according to the Federal Trade Commission. Still, that cost is likely to be prohibitive for some people, particularly low-income families and the elderly.

In other data breach news, Rep. Tom Davis (R-Va.) today reintroduced the Federal Agency Data Breach Protection Act, a bill that would require federal agencies to notify consumers if their data is lost or stolen. Davis originally floated the bill in the last Congress after a lost laptop belonging to a Department of Veterans Affairs worker jeopardized the personal data on more than 26 million veterans. That bill was approved by the House but never gained traction in the Senate.

By Brian Krebs  |  May 3, 2007; 4:55 PM ET
Categories:  Fraud , From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft to Issue Seven Security Updates
Next: AOL's Password Puzzler



Who enforces this law ? To be frank, the DOJ has some serious trust issues right now.

Might it be possible to require a bond to be posted to handle immediate costs of a breach and protection for affected parties ?

Posted by: GTexas | May 4, 2007 3:31 AM | Report abuse

It's terrible that consumers will be required to pay anything to have their credit frozen. Frankly, the freezing option should be the default, with creditors requiring a secure pin or password supplied by the consumer at time of credit inquiry. It is simply far too easy to acquire credit.

Identity theft only exists because of lax security enforcement and cavalier marketing techniques by financial institutions and credit bureaus, coupled with irresponsible use of social security numbers by the feds. Putting the onus on the consumer to protect himself in this case seems more like blame dodging by the financial institutions and the government.

Posted by: Matt | May 4, 2007 11:09 AM | Report abuse

Experian, Equifax, and TransUnion--don't seem to care much about the accuracy of their credit reports. In fact, they actually have a positive incentive to let ID theft flourish. Like mobsters offering "protection" to frightened store owners, credit-reporting agencies have been taking advantage of the identity-theft boom to offer information age protection to frightened consumers. For $9.95 a month, Equifax offers "Credit Watch Gold," a service that alerts you whenever changes am made to your credit report. Experian and TransUnion offer similar services. In effect, customers am being asked to pay credit agencies to protect them from the negligence of those same agencies.

I'm tired of being told what to do AFTER my information has been ripped off. ALL of our elected officials know what the answer is.

NATIONWIDE CREDIT FREEZES for ALL citizens, in every state.

Vote out those think its ok to accept kickbacks from the data brokers instead up upholding their fiduciary duties to their constituents.

Posted by: Anonymous | May 5, 2007 2:49 PM | Report abuse

well, all the US goverment dealing with infosec is problematic, a good post that describes how big problem security is can be found at:

Posted by: Guy | May 25, 2007 7:03 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company