RealTime IT News

Data Breaches And Congress

As the Black Hat conference descends upon Las Vegas this week, internetnews.com presents a series of articles addressing security issues past and present.

Since the now infamous ChoicePoint data breach 17 months ago, Congress has angrily talked of holding data brokers accountable for the security of consumers' personally identifiable information.

So far, it's still just that: talk.

In the interim, The Privacy Rights Clearinghouse has documented data security breaches affecting almost 90 million people who have had their personal information potentially exposed by unauthorized access to their data.

The list of breaches is long, including Bank of America, LexisNexis, DSW, MCI, Ameritrade, Time Warner, Boeing, Ford Motor Company, Verizon, MasterCard, Wells Fargo, the American Red Cross and a host of colleges and government agencies.

The breaches run the gamut from lost backup tapes and laptops to inside jobs to hacking to just plain mishandling of data.

States have moved aggressively to protect their citizens, with at least 34 of them passing laws that require data brokers to notify individuals that their personal data has been compromised.

Most of those state laws also allow consumers to freeze their credit reports upon notification of a breach.

Congress, meanwhile, has held hearings and passed a handful of proposals out of committees. Neither the U.S. House nor the Senate has yet passed any law on data breaches and security.

With just 15 calendar days left on the 109th Congress' schedule, plus a seemingly inevitable lame-duck session after the November elections, federal lawmakers are still promising a data breach bill.

Just last week, the House Republican leadership almost decided to go with H.R. 3997, the Financial Data Protection Act.

Under the provisions of the legislation, data brokers would decide when a breach is serious enough to notify consumers.

It would also preempt all state laws, wiping out the protections afforded by mandatory disclosures and the ability to freeze credit reports.

"We believe this provision will result in many breaches not being disclosed to the affected individuals at all," the Privacy Rights Clearinghouse told its readers in a newsletter last week.

"We don't think companies that experience breaches, especially when Social Security numbers are involved, cannot foretell the future, at least not at this time."

The House leadership chose the Financial Data Protection Act, which passed out of the House Judiciary Committee in March, over H.R. 4127, the Data Accountability and Trust Act approved by the Energy and Commerce Committee in May.

The Data Accountability and Trust Act bill has received the lukewarm support of consumer groups and watchdogs if only because it's not the Financial Data Protection Act.

The trigger language for disclosure in H.R. 4127 requires a company to notify individuals of a breach unless the company can show that there is no reasonable risk of harm. Encrypted data, for instance, would be a defense against disclosure.

It would also preempt state laws, but on a much narrower basis.

In addition, the bill gives consumers new rights to review and dispute information held by data brokers.

"The data warehouses of information broker companies contain profiles on virtually every American adult, consisting of information obtained from public records and from other sources that are publicly available," the Privacy Rights Clearinghouse states.

"It's long overdue for consumers to have access to their data files and to make sure the information is correct."

In the Senate, the Judiciary Committee has approved the Personal Data Privacy and Security Act, which would require data brokers holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.

The disclosure clause of the bill would allow data brokers to avoid disclosure if the breach, as determined by the data brokers, poses "no significant risk" to consumers.

However, the brokers must report the breach to the U.S. Secret Service, which could conduct its own investigation of the risk to consumers.

The Senate Commerce Committee has its own version of consumer protection in the Identity Theft Protection Act, which would require data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.

Both Senate bills would preempt existing state laws.

In the rush of the closing days of the 109th Congress, lawmakers will have to make some hard decisions about which bills to support, if any.

If history is any indicator, they will take the easy way out.

Security Bills in Progress

Bill: H.R. 4127, The Data Accountability and Trust Act
Summary: Requires any entity that experiences a breach of security to notify those in the U.S. whose information was acquired by an unauthorized person as a result of the breach. In addition, they must let them know that the chance of identity theft is "reasonably likely." Conspicuous notice on the breached entity's Web site is also required. The FTC must also be notified. Preempts state information security laws.
Status: Passed House Energy and Commerce Committee in June. Awaits House vote.

Bill: H.R. 3997, The Financial Data Protection Act
Summary: Gives companies discretion in deciding whether a breach was serious enough to inform consumers. Would preempt stronger state laws. And while extending the concept of the security freeze nationwide, the bill would allow only individuals who have been victims of identity theft to freeze their records.
Status: Passed the House Financial Services Committee in March. Awaits House vote.

Bill: H.R. 5318, Cyber-Security Enhancement and Consumer Data Protection Act
Summary: Establishes new federal crimes for improper use of personal electronic records and other criminal activity involving computers.
Status: Passed the House Judiciary Committee in June. Awaits House vote.

Bill: S. 1789, Personal Data Privacy and Security Act
Summary: Companies must report data breaches that have a "significant risk of harm" for identity theft. The bill also would require most government agencies to notify any individuals whose information has been unlawfully accessed. It would require data brokers to provide individuals with their personally identifiable information and to change the information if it is incorrect.
Status: Passed Senate Judiciary Committee in November 2005. Awaits Senate vote.

Bill: S. 1326, Notification of Risk to Personal Data Act
Summary: In the event of a security breach that creates a "significant risk of identity theft," companies would be required to notify all individuals whose personal information was compromised. The bill also would create civil penalties for entities that fail to provide notice of security breaches to affected individuals.
Status: Passed Senate Judiciary Committee in October 2005. Awaits Senate vote.

Bill: S. 1408, Identity Theft Protection Act
Summary: Requires data breach disclosure to consumers if there is a reasonable risk of identity theft. Preempts state laws related to security breach notification.
Status: Passed Senate Commerce Committee in December 2005. Awaits Senate vote.

Source: Previous internetnews.com coverage compiled by Roy Mark