Even by Washington standards, Thursday’s scheduled Senate Judiciary Committee vote on a data breach disclosure law is clouded by uncertainty. There’s the small matter of a Chief Justice of the Supreme Court nomination.
If the Judiciary Committee decides this morning to send Judge John Roberts nomination to the full Senate, the panel may have enough time to consider the Personal Data Privacy and Security Act of 2005. Then again, it might not.
“It’s just too soon to tell,” an aide to bill sponsor Sen. Arlen Specter (R-Pa.) told internetnews.com less than 24 hours before the scheduled vote.
The proposed legislation makes it a crime to intentionally or willfully conceal a security breach involving personal data and increases penalties for computer fraud when the fraud involves personal data.
The bill also limits the buying, selling or displaying of a Social Security number without the consent of the owner of the number and bars government agencies from posting on the Internet public records that contain Social Security numbers.
Introduced in June by Specter, chairman of the Judiciary Committee, and Sen. Patrick Leahy (D-Vt.), the panel’s ranking member, the legislation follows months of hearings on the data breaches at ChoicePoint, LexusNexus and CardSystems.
In February, ChoicePoint revealed it had been duped into releasing the personal data on approximately 145,000 Americans. In April, LexisNexis, a division of publisher Reed Elsevier, admitted it had been tricked into exposing the personal data of more than 300,000 consumers.
Both of those breaches paled in comparison to CardSystems, a credit card processor for both Visa and Mastercard, which said in May it had exposed the records of more than 40 million consumers.
“These security breaches are a window on a broader, more challenging trend,” Leahy said when introducing the legislation in June. “Private data about Americans has become a hot commodity. This personal and financial information about each of us suddenly is a treasure trove, valuable and vulnerable, but our privacy and security laws have not kept pace.”
If the Judiciary Committee finds time Thursday to approve the Specter-Leahy legislation, the bill will join the Identity Theft Protection Act passed by the Senate Commerce Committee in July.
The bill requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a “reasonable risk” of identity theft involved in the breach.
“Our legislation deserve to become a key part of this year’s domestic agenda so that we can achieve some positive changes in areas that affect the everyday lives of Americans,” Leahy said.