RealTime IT News

Senate Turns Attention to Data Privacy

The Senate Judiciary Committee expects to vote next week on legislation making it a crime for data brokers to conceal a security breach involving personal data and increasing penalties for computer fraud when the act involves personal data.

The bill adds a legal bite to legislation already approved by the Senate Commerce Committee in July requiring data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.

The evidence of possible identity theft includes such factors as whether the data containing sensitive information is usable by an unauthorized third party and whether the data is in the possession of an unauthorized third party that is likely to commit identity theft.

Although several bills similar to the Senate legislation have been introduced in the House, that chamber has yet to get a bill through a committee vote.

The Senate Judiciary originally intended to vote on the data breach disclosure law earlier this week, but the panel postponed the vote to focus on the nomination of Judge John Roberts as Chief Justice of the Supreme Court.

Currently, only California requires data brokers to reveal their breaches to the public. Only because of that state law, brokers such as ChoicePoint began disclosing in January a series of breaches involving tens of millions of consumer files containing sensitive personal information.

Prior to the California disclosure law, data brokers admitted in testimony before Congress they simply did not inform consumers of data breaches and the resulting threat of identity theft.

Responding to the public outcry over the lack of disclosure imposed on data brokers, Congress promised swift action on national legislation following the California model. Although both the House and Senate held high profile hearings with much posturing for the voters back home, little has been accomplished in terms of actual legislation.

With lawmakers hoping to conclude their 2005 business by the end of October and another Supreme Court nomination soon to be before the Senate, time is running short for any sort of data breach disclosure law in the first session of the 109th Congress.

In addition to making it a crime to conceal a data breach, the legislation before the Judiciary Committee limits the buying, selling or displaying of a Social Security number without prior consumer consent. It also bars government agencies from posting on the Internet public records that contain Social Security numbers.

"Too many of my constituents feel they have lost control over their own information. Congress must return some power to individual Americans so that we can all better understand and manage what happens to our own personal data," Sen. Russell Feingold (D-Wis.) said when the bill was introduced.

Feingold noted the legislation also adds provisions to also regulate the federal government's use of commercial data.

"While I believe the government should be able to access commercial databases in appropriate circumstances, there are few existing rules or guidelines to ensure this information is used responsibly," he said. "There is a great deal we do not know about government use of commercial data, even in clearly appropriate circumstances such as when the agency's goal is simply to locate an individual already suspected of a crime."

The bill requires that federal agencies that subscribe to commercial data adopt standards governing its use.