
Tougher data-leak law proposed

Update to ID theft bill aims to strengthen protections for consumers, after a slew of incidents where people's info was exposed.

Matt Hines, Staff Writer, CNET News.com

In the wake of several leaks of Americans' personal data, Sen. Dianne Feinstein introduced on Monday a beefed-up version of her bill to combat identity theft.

The update adds new guidelines on types of data covered and reporting policies to the ID Theft Notification Bill, proposed by the California Democrat in June 2003. The legislation would require organizations that collect the personal data of U.S. citizens to inform consumers when their information has been lost or stolen.

Lawmakers became focused on privacy protection after consumer data broker ChoicePoint gave criminals access to the confidential information of more than 35,000 Californians. Since that mishap was first reported in February, numerous other organizations, including hospitals, schools and businesses, have reported exposures of data.

"Every day, we learn that we are more and more at risk from identity theft--entire databases have been lost, stolen or hacked into," Feinstein said in a statement. "We desperately need a strong national standard that says whenever a data system is breached, everyone who is at risk of identity theft must be notified," she added.

Feinstein's bill, which requires organizations to inform people in writing or via e-mail when their data has been exposed, closely resembles California's Security Breach Information Act (SB 1386). Currently, California is the only state that has a law requiring consumer notification on its books.

The updated proposal adds details about the formats of information covered by the legislation. It now covers both electronic and nonelectronic data, as well as encrypted and nonencrypted information. The California law only includes unencrypted, electronic data.

Another new element is related to consumer credit reports. People will be allowed to put a seven-year fraud alert on their report when their personal information has been compromised. The bill also promises to close some perceived loopholes in SB 1386 by eliminating rules that allowed companies to follow less-stringent reporting policies and by creating an official template for the kinds of information that must be included in data-loss warnings.

Feinstein said she worked with representatives from the Consumers Union, the Privacy Rights Clearinghouse and other privacy-rights groups to strengthen the legislation. The Senate Judiciary Committee will hold a hearing to examine the bill on April 13.