Panel: Don't rush into new data security laws

"There is this perception that we really need to do something on the part of the political leadership, and I understand that," Orson Swindle, a former Federal Trade Commissioner, said on a panel organized by the Progress & Freedom Foundation. "But I think we need to step back."

Congress in recent months has made data security one of its pet issues, citing millions of consumers who have had personal data lost to breaches this year. On the U.S. House of Representatives side, Rep. Steven LaTourette, R-Ohio, and Rep. Deborah Pryce, R-Ohio, on Thursday each introduced bills tackling the matter, and Rep. Joe Barton, R-Texas, is also assembling a draft in the House Energy and Commerce committee.

Sen. Arlen Specter, R-Penn., and Sen. Patrick Leahy, D-Vt., introduced bipartisan legislation last month that would impose sweeping rules on corporations, responding to what Specter deemed "an evolving problem that is gigantic." The Senate judiciary committee, which Specter chairs, is still due to discuss months-old bills introduced by Sen. Dianne Feinstein, D-Calif., and Sen. Jeff Sessions, R-Ala.

The bills share three common points. They require companies to notify consumers nationwide if certain types of breaches occur, set minimum standards for security, and pre-empt current state laws that regulate the matter. The lawmakers are still debating several questions, ranging from what would trigger notices to how companies should go about sending them.

The government is overreacting, Paul Rubin, professor of law and economics at Emory University, suggested on the panel. Pointing to the results of a Federal Trade Commission-sponsored survey, he said the number of people facing identity theft has remained constant over the last two years. Other data suggests that the amount of money companies are losing to credit card fraud has been dropping over time, he added.

Rubin said any federal regulation should be limited and aimed largely at keeping states from passing their own, more strongly worded variations on the law.

"There are very strong market incentives for companies to provide security," he said.

By contrast, Marc Rotenberg, executive director of the Electronic Privacy Information Center, argued that any federal legislation should establish "baseline" regulations but leave the major decision-making up to individual states. He praised California, which in 2003 became the first of more than a dozen states to enact its own security breach notification requirements, for providing a "very modest" but "innovative" approach that helped bring national attention to the matter.

Any legislation, Rotenberg said, should focus on requiring "good notification" and creating incentives for better privacy and security standards in the private sector. He said he was particularly concerned about keeping tabs on companies like ChoicePoint and LexisNexis, which derive their business from selling personal data and have run into data security trouble this year.

With such companies, "the market doesn't operate as it normally would," Rotenberg said, "because the people whose personal information is at issue and the people who are most concerned about privacy regulations on that information are not the customers of those companies."

Besides, notification simply isn't good enough, though it might be the best solution for now, said J. Howard Beales III, former director of the FTC's Bureau of Consumer Protection. "We need to find ways to push the system to make it seamless for consumers," parallel to the way that individual bank clients don't lose any money--and may not even receive notification--when robberies take place, he said.

Said Swindle: "If we start notifying everybody for everything that looks like it might be harmful, we're going to cry wolf so much that we're going to move away from this great medium that we're working with."