RealTime IT News

Senate Takes up Data Security Law

With growing evidence that Americans want new data privacy laws, the U.S. Senate opens a series of hearings today on legislative solutions to data breaches and identity theft.

Thursday's full Senate Commerce Committee hearing will not specifically address any of the several bills introduced in the 109th Congress, which combat identity theft and force data brokers to disclose breaches of personal information to consumers.

Instead, the panel will hear from all five members of the Federal Trade Commission, which most likely would be charged with enforcing any new data privacy laws. Vermont Attorney General William Sorrell will also be representing the National Association of Attorneys General.

The hearing comes just one day after the release of an Entrust survey showing 71 percent of Americans believe new laws are needed to protect consumer privacy on the Internet.

"The results of this survey should serve as a wake-up call to policy-makers and business leaders," Entrust CEO Bill Conner said in a statement. "Voters view identity theft as a white hot issue and want the government to protect them. In the interim, they are voting with their keyboards by curtailing their online transactions."

According to the survey of 1,003 likely U.S. voters, 97 percent of the respondents rate identity theft as a serious problem, with 48 percent saying they now avoid online purchases out of fear of their financial data being stolen.

Conner urged Congress to enact a uniform national breach notification law for unauthorized acquisition of unencrypted personal information.

Momentum is growing for a national data breach disclosure law in the wake of numerous disclosures this year of data brokers, banks and universities losing or exposing the personal information of millions of consumers.

The disclosures would not have come to light except for a new California law that requires a business or government agency to notify an individual in writing or by e-mail when it is believed that unencrypted personal information has been compromised.

The success of the California law is prompting a number of states to pursue the legislation. In the face of the apparent inevitability of numerous state laws, technology lobbyists are now pursuing a national disclosure law that would pre-empt all state laws.

California Democrat Dianne Feinstein, a member of the Senate Commerce Committee, is expected to push her two-year-old legislation that goes beyond the requirements of the California state law.

Feinstein's bill seeks to force businesses and governments to disclose data breaches of both unencrypted and encrypted data. The legislation proposes a civil fine of $1,000 per individual for failure to notify, or not more than $50,000 per day while the failure to notify continues.

Feinstein's bill makes only two exceptions to notifying consumers of a data breach: by the written request of law enforcement for the purposes of a criminal investigation and for national security purposes.

"We desperately need a strong national standard that says whenever a data system is breached, everyone who is at risk of identity theft must be notified," Feinstein said in a statement. "The fact of the matter is that your buying habits, your bank accounts, your Social Security number, your driver's license -- all of your personal data -- today is being collected, collated, distributed, bought, sold, without your knowledge or consent."

Entrust's Conner said Wednesday private businesses should be as concerned as lawmakers.

"Organizations that depend on online transactions risk financial loss and brand erosion unless they act quickly to protect sensitive information both in transit and at rest," Conner said. "They must deploy blended security applications that make use of strong authentication and encryption technologies."