Data-security bill may move forward next week

Sweeping U.S. Senate measure to imprison those who cover up data breaches has been reintroduced and now awaits a vote.

Anne Broache, Staff Writer, CNET News.com, covers Capitol Hill goings-on and technology policy from Washington, D.C.
A sweeping U.S. Senate measure that would stiffen security requirements and penalties for so-called brokers of personal data may go up for a committee vote next week, a representative said Friday.

Sen. Arlen Specter, a Pennsylvania Republican, and Sen. Patrick Leahy, a Vermont Democrat, originally introduced the Personal Data Security and Privacy Act in June as part of a legislative outcry directed at a series of breaches at big-name companies such as ChoicePoint, Bank of America and Visa.

A number of related proposals also surfaced during this congressional term, including one approved by the Senate Committee on Commerce, Science & Transportation just before the summer recess that has yet to head to floor debate. And in the Senate Committee on the Judiciary, where Specter is chairman and Leahy is the highest ranking Democrat, action on the matter has been delayed for months because of other business, including the nomination of now-Chief Justice John Roberts to the Supreme Court.

On Wednesday, Specter and Leahy introduced an amended version of their June proposal. The new version omits a section that would have severely restricted the sale and use of Social Security numbers by businesses and other entities. According to a committee representative, the provision was dropped because another congressional committee has jurisdiction over such regulations.

Leahy said in a floor speech Wednesday that various stakeholders had come together to make the bill better balanced and focused. Certain terms--including "data broker," the initial definition of which prompted questions--appear to be defined more narrowly or in greater detail, though it remains unclear what the practical implications of those changes are.

Tough criminal penalties--including up to five years in prison for concealing security breaches involving sensitive personal information and economic damage to even one person--remain in the offing.

So do minimum security and privacy standards for companies that deal with electronic data records containing "sensitive personally identifiable information," defined in the newer bill as any information that uses an individual's name in combination with certain other elements, including Social Security number, medical history, mother's maiden name, account numbers and biometric data.

The amended bill also folds in notification requirements suggested by Sen. Dianne Feinstein, a California Democrat, who signed on as a co-sponsor of the new version.

Among other things, the bill would require that, on discovering a data breach, any agency or business entity that "uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information" notify any U.S. resident whose data was subject to the intrusion "without unreasonable delay." It also spells out methods of notification and describes situations where delays or exemptions would be permitted.

Feinstein introduced the provisions during the spring in a shorter, narrower measure, known as the Notification of Risk to Personal Data Act. She and Specter said at a business meeting Thursday that they'd pursue the larger bill first but, if they couldn't move it out of committee speedily, that they would attempt to advance Feinstein's shorter proposal.