Another data security bill in the works

A new proposal expected this week would require businesses that handle sensitive info to secure their data.

Anne Broache, Staff Writer, CNET News.com

WASHINGTON--Yet another new piece of federal legislation aimed at cracking down on breaches of sensitive personal information could appear by week's end.

Rep. Mike Castle, a Delaware Republican, said at a Visa cardholder security conference here that he plans to introduce "in the next couple of days" a revised version of the bill that he has been working on since February with the U.S. House of Representatives financial-services subcommittee.

Castle said he expected to hold a hearing on the bill by the end of the month. "After that, it's anybody's guess," he said.

The measure would join a medley of proposals pending in the U.S. Senate, including one introduced by two Senate Committee on the Judiciary leaders that could go to a vote as soon as Thursday. A series of high-profile breaches this year has prompted the sharp congressional interest.

Castle said his legislation would require all businesses that handle sensitive information, such as Social Security, driver's license or credit card numbers in combination with personal data such as names and addresses, to "secure" that data. This requirement echoes those that many state governments have enacted.

The measure would also require "prompt investigation of breaches," in which sensitive data may have been compromised, and companies would have to "notify business partners, law enforcement and functional regulators right away," Castle said. Businesses that experience breaches would also be required to offer free credit-monitoring services at their expense.

"This data is valuable to you and to consumers," the Delaware congressman told the audience, which included representatives from the banking, retail, government, law enforcement and high-tech industries. "Treat it with care, and safeguard it from abuse or misuse."

Visa CEO John Philip Coghlan, speaking after Castle, backed the idea of federal legislation that would establish national rules and eradicate the "patchwork quilt" of state laws governing data protection standards and breach notification to consumers.

Coghlan, whose company found some of its cardholders affected by a wide-ranging breach in June, said existing rules should be broadened to cover not just financial companies but all entities that use sensitive personal information. He threw his support behind the heightening of criminal penalties for identity theft, proposed in a sweeping bill advanced by Sen. Arlen Specter and Sen. Patrick Leahy.

"Our rules are not enough, our procedures are not enough, and our protections are not enough," he said. "All of the technology in the world just isn't going to be good enough."