RealTime IT News
Data Breach Bills Crowding Congress
By Roy Mark
May 12, 2006

WASHINGTON -- Seeking to make it a crime to conceal data breaches involving personal information, the U.S. House Judiciary Committee Thursday jumped into the data breach debate playing out on Capitol Hill.

The Cybersecurity Enhancement and Consumer Data Protection Act of 2006 (H.R. 5318) would require disclosure to the government for any breaches involving 10,000 or more individuals. The bill does not require notice to consumers.

The legislation, introduced by Judiciary Chairman James Sensenbrenner (R-Wis.), also makes it a crime to access certain "means of identification" contained in any computer that operates in interstate commerce.

"This bill creates strong deterrents and protects consumer personal information," Rep. Howard Coble (R-N.C.) said. "It also provides the Department of Justice with tools to enforce the law."

Democrat Robert Scott of Virginia called the bill "only part of the needed solution," referring to other House efforts to curb the type of data breaches characterized by ChoicePoint and LexisNexis.

The Judiciary Committee is the third House panel to propose data breach legislation.

The House Financial Services Committee in March approved the Financial Data Protection Act (H.R. 3997), which would allow data brokers to determine if notification to consumers is necessary.

Last month, the House Commerce Committee passed the Data Accountability and Trust Act (H.R. 4127) requiring data brokers to notify consumers of breaches unless there is "no reasonable…risk of identity theft, fraud or other unlawful conduct."

Both the House Commerce bill and the House Financial Services legislation also preempt existing state data breach laws.

Testifying before a Judiciary subcommittee today, Susanna Montezemolo of the Consumers Union (CU) said her organization thinks Sensenbrenner's bill needs to be considered in the wider context of the other House bills.

"We are concerned that the bill, which is limited in scope, may be combined with another, broader vehicle," Montezemolo said.

If the bill is combined with the House Financial Services bill, she said, consumers "would be worse off if such a bill becomes law than if Congress takes no action at all."

Montezemolo called efforts in the Senate at data breach disclosure "much more comprehensive than the Sensenbrenner bill."

In particular, she praised the Personal Data Privacy and Security Act (S. 1789), which calls for breach notification unless a data broker submits a risk assessment to the federal government showing there is no significant risk of harm.

The bill, introduced by Senate Judiciary Chairman Arlen Specter (R-Pa.), passed the committee and awaits a full Senate vote.

Specter's bill is one of three bills approved at the Senate committee level.

A second Judiciary bill, the Notification of Risk to Personal Data Act (S. 1326), calls for disclosure only "when there is a reasonable basis to conclude that a significant risk of identity theft to an individual exists."

The Senate Commerce Committee is supporting the Identity Theft Protection Act (S. 1408) requiring notification when a "reasonable" risk of identity theft is involved in a data breach.