Data Breach Bills Crowding Congress


WASHINGTON — Seeking to make it a crime to conceal data breaches involving
personal information, the U.S. House Judiciary Committee Thursday jumped
into the data breach debate playing out on Capitol Hill.


The Cybersecurity Enhancement and Consumer Data Protection Act of 2006 (H.R.
5318) would require disclosure to the government for any breaches involving
10,000 or more individuals. The bill does not require notice to consumers.


The legislation, introduced by Judiciary Chairman James Sensenbrenner
(R-Wis.), also makes it a crime to access certain “means of identification”
contained in any computer that operates in interstate commerce.


“This bill creates strong deterrents and protects consumer personal
information,” Rep. Howard Coble (R-N.C.) said. “It also provides the
Department of Justice with tools to enforce the law.”


Democrat Robert Scott of Virginia called the bill “only part of the needed
solution,” referring to other House efforts to curb the type of data
breaches characterized by ChoicePoint and LexisNexis.


The Judiciary Committee is the third House panel to propose data breach
legislation.


The House Financial Services Committee in March approved the Financial Data
Protection Act (H.R. 3997), which would allow data brokers to determine if notification to consumers is necessary.


Last month, the House Commerce Committee passed the Data Accountability and
Trust Act (H.R. 4127) requiring data brokers to notify consumers of breaches unless there is “no reasonable…risk of identity theft, fraud or other unlawful
conduct.”


Both the House Commerce bill and the House Financial Services legislation
also preempt existing state data breach laws.


Testifying before a Judiciary subcommittee today, Susanna Montezemolo of the
Consumers Union (CU) said her organization thinks Sensenbrenner’s bill needs
to be considered in the wider context of the other House bills.


“We are concerned that the bill, which is limited in scope, may be combined
with another, broader vehicle,” Montezemolo said.


Combined with the House Financial Services bill, consumers, she said, “would
be worse off if such a bill becomes law than if Congress takes no action at
all.”


Montezemolo called efforts in the Senate at data breach disclosure “much
more comprehensive than the Sensenbrenner bill.”


In particular, she praised the Personal Data Privacy and Security Act (S. 1789), which calls for breach notification unless a data broker submits a risk assessment to the federal government showing there is no significant risk of harm.


The bill, introduced by Senate Judiciary Chairman Arlen Specter (R-Pa.),
passed the committee and awaits a full Senate vote.


Specter’s bill is one of three bills approved at the Senate committee level.


A second Judiciary bill, the Notification of Risk to Personal Data Act (S. 1326), calls for disclosure only “when there is a
reasonable basis to conclude that a significant risk of identity theft to an
individual exists.”


The Senate Commerce Committee is supporting the Identity Theft Protection
Act (S. 1408) requiring notification when a
“reasonable” risk of identity theft is involved in a data breach.
