Bill puts cops first in data leak notification

Anyone who holds personal data would be forced to report security breaches to law enforcement before telling affected consumers.

Anne Broache Staff Writer, CNET News.com
Anne Broache covers Capitol Hill goings-on and technology policy from Washington, D.C.
WASHINGTON--A new proposal in Congress would force anyone who possesses electronic personal data to report "major" security breaches to federal authorities before alerting consumers--or face hefty fines and even imprisonment.

The 11-page House of Representatives bill aims to deter identity thieves and dismantle cybercrime operations, such as phishing scams, that swipe personal information. It was introduced this week by House Judiciary Committee Chairman James Sensenbrenner and backed by three Republicans and one Democrat.

The Republican-backed bill would require "whoever owns or possesses data in electronic form" that contains personally identifiable information--such as a person's name, Social Security number or date of birth--to inform the U.S. Secret Service or the FBI within two weeks of discovering a "major breach."

Those law enforcement agencies could then decide to delay notification to consumers by as much as 30 days, if they determine that disclosure would harm criminal investigations or national security.

The bill defines "major breach" as any incident that involves the personal information of 10,000 or more individuals, databases owned by the federal government or personal data about federal employees or contractors involved in "national security matters or law enforcement."

Refusing to comply with the rules could result in up to five years in prison or fines of $50,000 for each day that the intrusion is not reported--an idea endorsed by the Justice Department.

Because of inadequate enforcement tools, "the scope and frequency of cybercrime is growing rapidly and now includes many intentional criminal syndicates and is threatening our economy, safety and prosperity," said Rep. Howard Coble, the North Carolina Republican who presided over Thursday's hearing.

This measure, called the Cybersecurity Enhancement and Consumer Data Protection Act, is part of a constellation of proposals in Congress that seek to respond to a slew of high-profile data breaches that became public during the last year or two. Proposed solutions range from consumer notification of data breaches to restriction of some uses of Social Security numbers.

Balking at penalties
Critics have raised the question of whether criminal penalties are appropriate. In a letter to Coble, Ken Wasch, president of the Software & Information Industry Association, questioned whether the establishment of a new crime for failure to notify when a breach has occurred is "an appropriate response to combating the pernicious effects of identity theft." Such an approach inappropriately places the burden on companies and individuals hoping to safeguard data, not on the criminals looking to exploit it, Wasch said.

The bill differs from data security proposals pending in other House committees in that it does not specifically require consumers to be notified directly of breaches.

Susanna Montezemolo, a policy analyst for the Consumers Union, urged politicians to "tread carefully" on the latest proposal. The legislation does not address some of the broader consumer protection issues, such as requiring direct notification to consumers whose data has been compromised and letting them review and update their personal information periodically for accuracy, she said.

Those omissions also prompted a lukewarm response to the bill from Rep. Robert "Bobby" Scott, the senior Virginia Democrat on the Judiciary panel. "Some tweaking of bill is desirable to clarify intent and application of some of its provisions," he said.

Other data security bills already approved by House committees do contain more consumer-oriented requirements, and the Judiciary Committee's version appears likely to be combined with one or more of those proposals.

But some of those other bills, particularly one voted out of the House Financial Services Committee in March, have also encountered criticism from consumer groups. They've said they're concerned that bill's approval would water down identity theft protection by trumping arguably stronger laws already passed at the state level, particularly California.

The Judiciary proposal focuses more on the law enforcement angle of cybercrime. In addition to the notification requirements, it would also expand the legal definition of current computer fraud laws to penalize those who unlawfully obtain personally identifiable information.

It also attempts to outlaw illicit use of "botnets," defined in the bill as "the capability to gain access to or remotely control without authorization" computers belonging to financial institutions or involved in commerce.

For offenders of those crimes, the bill proposes beefing up penalties to as many as 30 years in prison--rather than the existing maximum of 10-year to 20-year sentences. That move received the Justice Department's endorsement but drew skepticism from Rep. Dan Lungren, the California Republican who heads a cybersecurity panel in the House Homeland Security committee.

Lungren said he's concerned the bill focuses too heavily on prosecuting crimes that have already been committed and not enough on the consumer side of combating the problem. "What I'm concerned about is the lack of knowledge among consumers of what they can do to protect themselves...and I am one of those consumers," he said.

The House hearing comes one day after President Bush met with identity theft victims at the White House and announced the creation of an identity theft "task force" chaired by the Attorney General and the chairman of the Federal Trade Commission. The FTC also launched its own identity theft education campaign, in which it planned to dispatch videos and literature to "victim advocate" organizations for distribution to the public.