Data Breaches And Congress
As the Black Hat conference descends upon Las Vegas this week, internetnews.com presents a series of articles addressing security issues past and present.
Since the now infamous ChoicePoint data breach 17 months ago, Congress has angrily talked of holding data brokers accountable for the security of consumers' personally identifiable information.
So far, it's still just that: talk.
In the interim, the Privacy Rights Clearinghouse has documented data security breaches affecting almost 90 million people whose personal information was potentially exposed through unauthorized access.
The list of breaches is long, including Bank of America, LexisNexis, DSW, MCI, Ameritrade, Time Warner, Boeing, Ford Motor Company, Verizon, MasterCard, Wells Fargo, the American Red Cross and a host of colleges and government agencies.
The breaches run the gamut from lost backup tapes and laptops to inside jobs to hacking to just plain mishandling of data.
States have moved aggressively to protect their citizens, with at least 34 of them passing laws that require data brokers to notify individuals that their personal data has been compromised.
Most of those state laws also allow consumers to freeze their credit reports upon notification of a breach.
Congress, meanwhile, has held hearings and passed a handful of proposals out of committees. Neither the U.S. House nor the Senate has yet passed any law on data breaches and data security.
With just 15 calendar days left on the 109th Congress' schedule, plus a seemingly inevitable lame-duck session after the November elections, federal lawmakers are still promising a data breach bill.
Just last week, the House Republican leadership almost decided to go with H.R. 3997, the Financial Data Protection Act.
Under the provisions of the legislation, data brokers would decide when a breach is serious enough to notify consumers.
It would also preempt all state laws, wiping out the protections afforded by mandatory disclosures and the ability to freeze credit reports.
"We believe this provision will result in many breaches not being disclosed to the affected individuals at all," the Privacy Rights Clearinghouse told its readers in a newsletter last week.
"We don't think companies that experience breaches, especially when Social Security numbers are involved, can foretell the future, at least not at this time."
The House leadership chose the Financial Data Protection Act, which passed out of the House Judiciary Committee in March, over H.R. 4127, the Data Accountability and Trust Act approved by the Energy and Commerce Committee in May.
The Data Accountability and Trust Act bill has received the lukewarm support of consumer groups and watchdogs if only because it's not the Financial Data Protection Act.
The trigger language for disclosure in H.R. 4127 requires companies to notify individuals of a breach unless the company can show that there is no reasonable risk of harm. Encrypted data, for instance, would be a defense against disclosure.
It would also preempt state laws, but on a much narrower basis.
In addition, the bill gives consumers new rights to review and dispute information held by data brokers.
"The data warehouses of information broker companies contain profiles on virtually every American adult, consisting of information obtained from public records and from other sources that are publicly available," the Privacy Rights Clearinghouse states.
"It's long overdue for consumers to have access to their data files and to make sure the information is correct."
In the Senate, the Judiciary Committee has approved the Personal Data Privacy and Security Act, which would require data brokers holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.
The disclosure clause of the bill would allow data brokers to avoid disclosure if the breach, as determined by the data brokers, poses "no significant risk" to consumers.
However, the brokers must report the breach to the U.S. Secret Service, which could conduct its own investigation of the risk to consumers.
The Senate Commerce Committee has its own version of consumer protection in the Identity Theft Protection Act, which would require data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.
Both Senate bills would preempt existing state laws.
In the rush of the closing days of the 109th Congress, lawmakers will have to make some hard decisions about which bills to support, if any.
If history is any indicator, they will take the easy way out.
Source: Previous internetnews.com coverage compiled by Roy Mark