RealTime IT News

New Data Breach, Privacy Bills in Congress

One year after trying unsuccessfully to introduce legislation on data breaches and protection of individual privacy, California Senator Dianne Feinstein (D-Calif.) is trying again.

This week, she introduced Bills S.139, the Notification of Risk to Personal Data Act, and S.141, the Social Security Number Misuse Prevention Act.

Bill S.139 would require federal agencies or businesses to notify, without unreasonable delay, both the media and victims whose personal data has been breached, although limited exemptions are allowed for law enforcement and national security reasons.

It says the U.S. Secret Service must be notified if more than 10,000 individuals' records are breached, or if the database breached contains more than one million entries, is owned by the federal government, or involves national security or law enforcement.

Paul Davie, founder and chief operating officer at database security vendor Secerno, thinks Bill S.139 is not stringent enough. "The 10,000 number is completely arbitrary," he told InternetNews.com by e-mail. "The threat of investigation should not be set at such a high hurdle."

Davie also objected to the provision about notification without unreasonable delay. "The speed element needs tight definition, which should reflect the victim's need to respond quickly when there is data lost, not the need of the company to develop a story or the authorities to investigate," he said.

"This sounds like a typical compromise proposal by apologists for those reluctant to invest in appropriate security to protect the true owners of sensitive data."

Bill S.139 has no co-sponsors, and has been read twice and referred to the Senate Committee on the Judiciary.

The move follows a huge increase in data breaches reported last year. According to the Identity Theft Resource Center, a non-profit corporation that battles identity theft nationwide, there were 656 reported breaches in 2008, 47 percent more than the 446 reported in 2007.

This figure is expected to increase in 2009 as cybercriminals step up their activities, taking advantage of governments' preoccupation with the recession.

SSNs are not public information

Bill S.141, co-sponsored by Senators Judd Gregg (R-N.H.) and Olympia Snowe (R-Maine), seeks to amend Title 18 of the United States Code to limit the misuse of social security numbers, establish criminal penalties for such misuse, and for other purposes.

Title 18 is the federal criminal and penal code, and Feinstein's move to amend it may mean harsher penalties for abuse of social security numbers, in the same way that earlier legislation tabled by Senator Patrick Leahy (D-Vt.) made hacking a federal crime.

Bill S.141 prohibits federal, state and local governments from displaying social security numbers on public records posted on the Internet or printing them on government checks. It also seeks to prevent inmates from employment that would give them access to the social security numbers of others, and limit when businesses can ask customers for their social security numbers.

Like Feinstein's other bill, S.141 has been read twice and referred to the Senate Committee on the Judiciary.

"Victims of security breaches have the right to be informed promptly when their personal or financial information has been compromised so that they can take appropriate steps to protect themselves," Sen. Feinstein said in a statement.

"We must also ensure that government agencies and businesses do their utmost to protect Americans' Social Security numbers."

Feinstein's office did not respond to requests for comment by press time.