Data breach bills resurface in Congress

Two bills take different approaches toward the tricky concept of how to regulate what happens if a company has a data leak.

Anne Broache Staff Writer, CNET News.com
Concealing security breaches in which personal consumer information may have been swiped could carry prison time under a pair of sweeping proposals that resurfaced Tuesday in Congress.

In the U.S. Senate, Vermont Democrat Patrick Leahy and Pennsylvania Republican Arlen Specter revived a version of their Personal Data Privacy Act that was approved by the Senate Judiciary Committee last year but died before a floor vote. The senators first proposed an even broader version of the sweeping measure in 2005 after word of high-profile breaches at ChoicePoint and LexisNexis, two major collectors of consumer information.

"Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer, yet our privacy laws haven't kept pace," Leahy said in a statement.

In a speech delivered before the new Congress was sworn in, the senator listed passage of new data security laws among his top priorities. A constellation of proposals in both chambers progressed last year but died before floor votes.

In the U.S. House of Representatives, Rep. Lamar Smith (R-Texas) reintroduced his Cybersecurity Enhancement and Consumer Data Protection Act as part of a package of bills marketed as "America's Law and Order Agenda."

The 14-page bill would make it a crime, punishable by fines or up to five years in prison, to withhold information from the FBI and the U.S. Secret Service about a "major security breach."

The proposal would also require any stewards of information that experienced a breach to notify those investigative agencies within 14 days of discovering it--and before telling any consumers about the incident. Failure to meet those requirements would result in fines of up to $50,000 a day. The FBI and Secret Service, in turn, would be allowed to delay notifying consumers if they decided such notification would impede an investigation or threaten national security.

The bill goes broader than data breach notification. It would also expand the definition of computer fraud laws to penalize those who obtain personally identifiable information without authorization and those who "conspire" to gain illicit access to machines. It also attempts to outlaw illicit use of "botnets," which the bill defines as "the capability to gain access to or remotely control without authorization" computers that belong to financial institutions or are involved in commerce. Anyone convicted of those and other existing computer crimes could face up to 30 years in prison, as opposed to the current maximum of 10 to 20 years.

The Specter-Leahy bill focuses more squarely on regulating responses to security breaches than on broadening the criminal code. But it would impose fines, up to five years in prison, or both on those who intentionally conceal information related to a security breach that causes "economic damage to one or more persons." Federal agencies and businesses that discover breaches in personal data would generally be obligated to notify the data's owners of the incident "without unreasonable delay." Further delays would be allowed if federal law enforcement declared in writing that they were "necessary."

Entities could escape the notification requirements if they already have financial fraud protection schemes in place--as major credit card companies do--or if they have determined there was no "significant risk" of harm to individuals whose data was involved. The bill does not appear to define what constitutes that sort of risk.

The bill would also instruct businesses to employ a "comprehensive personal data privacy and security program" that includes implementing safeguards against unauthorized access and testing for vulnerabilities in their systems.

The Senate proposal would also place new requirements on so-called data brokers. They would have to allow consumers to view all records about themselves that are on file--albeit for a "reasonable fee"--and make corrections. Failure to comply would result in fines of up to $1,000 per violation.

Tuesday's actions mark the latest in a series of attempts by Congress this year to breathe life into leftover data security proposals. Early last month, Sen. Dianne Feinstein (D-Calif.) reintroduced two bills: one that similarly attempts to set national requirements for consumer notification in the event of data security breaches, and another that proposes restricting the sale, purchase and display of Social Security numbers.

Some consumer groups and privacy advocates, however, have been uneasy about the approaches taken by federal proponents of the bills, arguing they contain too many exceptions for entities that handle personal information. Because they would preempt a patchwork of existing state laws on the subject, the groups have said, they would weaken protections that some consumers already enjoy.