
Senate moves toward new data security rules

Three congressional committees meet to work on new security breach laws, though their proposals aren't quite ready for final vote.

Anne Broache, Staff Writer, CNET News.com
Anne Broache covers Capitol Hill goings-on and technology policy from Washington, D.C.
WASHINGTON--U.S. politicians signaled Thursday that they were eager to enact security breach and data safeguard laws, a move that indicates new federal regulations could reach President Bush's desk by the end of the year.

In a flurry of activity before Congress prepares to skip town for an August recess, three different congressional committees considered similar legislation at the same time on Thursday morning.

The Senate's Commerce Committee voted unanimously to accept a bill introduced earlier this month by Sen. Gordon Smith, R-Ore. It would give the Federal Trade Commission the power to create an information security program that provides "administrative, technical and physical safeguards," and set guidelines for notifying people threatened by a data security breach.

The committee adopted a package of about a dozen amendments, including a compromise suggested by Sen. Barbara Boxer, D-Calif., that would cut, from 90 days to 45 days, the maximum number of days a company has to notify individuals of a breach. But even those guidelines are just broad suggestions, Smith said. "As soon as they know, they need to notify."

Senators also voted to accept an amendment proposed by Sen. Bill Nelson, D-Fla.--which would prohibit the sale and display of Social Security numbers except in special circumstances--but indicated it might be tweaked before it is final. Also, the bill will not go to a floor vote until some of its provisions are negotiated with members of the Senate Banking Committee, said Sen. Ted Stevens, R-Alaska, who chairs the Commerce Committee.

Meanwhile, the Senate Judiciary Committee pushed back its plans Thursday to vote on a trio of personal data security bills.

The committee had been scheduled to vote on the lengthiest and most far-reaching proposal, titled the Personal Data Privacy and Security Act. Sen. Arlen Specter, R-Penn., and Sen. Patrick Leahy, D-Vt., introduced the measure in late June, shortly after MasterCard announced that an intruder may have pilfered information from 40 million credit card accounts.

At the same time on Thursday, a U.S. House of Representatives Energy and Commerce subcommittee convened a hearing about its own draft of data protection legislation.

Different details
All the proposed bills share common threads: requiring prompt notification when security breaches occur, awarding more regulatory power to the federal government, and setting minimum standards for data security.

The Specter-Leahy bill stands alone in setting criminal penalties, imposing up to five years in prison for those who intentionally conceal information related to a security breach and up to 10 years for breaking into systems maintained by "data brokers," companies in the business of selling personal information.

The proposed legislation would also restrict the sale and publication of Social Security numbers and compel companies and individuals acting as sole proprietors to send out notifications if a computer security breach affects more than 10,000 individuals. It also would limit the extent to which states can legislate on personal data protection.

The other Senate bills, by contrast, would bestow the bulk of enforcement and regulatory powers upon the Federal Trade Commission, overtly pre-empt any related state or local laws, and impose a range of monetary penalties on entities that don't provide notification of security breaches "without unreasonable delay." The guidelines for that notification, however, vary from measure to measure.

Federal regulations geared toward safeguarding personal information are nothing new. The Fair Credit Reporting Act, last updated in 2002, says credit report information can only be used for certain purposes. The Gramm-Leach-Bliley Act of 1999 requires financial institutions to shield sensitive information and bars them from sharing their customers' information with third parties without giving them the option to say no. The FTC has urged Congress to broaden the law's provisions beyond financial institutions.

But former federal officials, academics and lawyers have cautioned lawmakers not to rush into new federal regulations. A former FTC commissioner warned that overly broad notification requirements could mean "we're going to cry wolf so much that we're going to move away from this great medium that we're working with." Also, courts have been invoking existing law to safeguard electronic privacy.