Lax standards for feds in data breach vote

After Veterans Affairs leak, a congressional panel votes on data security bill. But it may let federal agencies off the hook.

Declan McCullagh Former Senior Writer
WASHINGTON--Days after a massive data leak potentially affecting more than 26 million American veterans became public, a U.S. House of Representatives committee approved a bill requiring written notice of information security breaches.

By a voice vote Thursday, the House Judiciary Committee adopted a bill that would require businesses to alert customers about security breaches. The panel also glued on a newly drafted amendment that would apply to federal agencies.

But in a bizarre twist, the legislation regulates the private sector far more stringently than government agencies--even though the Veterans Administration was responsible for one of the largest security breaches in history, one which officials now say could cost $500 million to clean up.

Feds' easy data breach rules

A House of Representatives panel approved on Thursday a data breach bill that regulates commercial companies more stringently than federal agencies--even though the Department of Veterans Affairs just lost a database of information on 26.5 million veterans.

Requirement                                                                  | Companies | Federal agencies
Web-based notification                                                       | Yes       | No
Medical data breach must be reported to Secretary of Health and Human Services | Yes       | No
Fines of up to $5 million                                                    | Yes       | No
Subject to state attorney general lawsuits                                   | Yes       | No
Notify as "promptly as possible"                                             | Yes       | No
Must pay for credit reports                                                  | Yes       | No

R. James Nicholson, the Veterans Affairs secretary, said Thursday: "I am outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of VA policies." On May 3, the unnamed employee's home was broken into and the database was stolen, Nicholson said. No encryption was used to protect the data.

The bill, called the Data Accountability and Trust Act, or DATA, establishes strict standards for commercial companies to follow in the event of a data breach--including notifying customers "as quickly as possible," posting an alert on their Web sites and picking up the cost of credit reports for one year.

Not one of those requirements would apply to federal agencies.

Sonia Arrison, director of technology studies at the Pacific Research Institute, said the situation should be reversed--with the federal government subject to stiffer rules.

"People don't have a choice about whether they're going to give data to federal agencies--they just have to give it up," Arrison said. "The law should be harder on the federal government than on the companies. It should err on the side of being harder on the Feds, because of the fact that you don't have a choice."

The original DATA bill was part of a flurry of congressional activity that emerged in the wake of several high-profile data breaches last year, including an incident at information broker ChoicePoint, which has since agreed to pay record fines.

The Business Software Alliance praised the bill's approval, saying it would "help fill cyberloopholes in the criminal code, encourage early notification to law enforcement, and provide the necessary tools to find and prosecute online criminals."

David Sohn, staff counsel for the Center for Democracy and Technology, said the bill might be reconciled with a second proposal called the Cybersecurity Enhancement and Consumer Data Protection Act, or CECDPA.

CECDPA also was approved by the House Judiciary Committee on Thursday and would require anyone who possesses personally identifiable information, such as a person's Social Security number or date of birth, to notify the U.S. Secret Service or the FBI of any "major security breach" before telling the public. Refusing to comply would result in imprisonment or escalating fines.

Targeting online gambling
In addition to the two data breach bills, the panel approved Net neutrality rules and two bills related to Internet gambling (H.R. 4777 and H.R. 4411).

Congress has tried--albeit unsuccessfully--to expand Internet gambling prohibitions before. Previous efforts failed because gambling lobbyists including Jack Abramoff managed to derail them, and because special interests won so many exceptions that religious conservatives eventually became disenchanted with the legislation. Meanwhile, offshore betting has proliferated and has become a million-dollar industry.

"During the time that has transpired (since the last time around), the amount of money going to these illegal, unregulated offshore enterprises has quadrupled to $12 million a year, with about $6 million coming out of the United States," said Rep. Bob Goodlatte, a Virginia Republican.

Goodlatte said updating the Federal Wire Wager Act was necessary to make sure the law prohibits all forms of Internet betting. "It does not adequately address modern technology nor is it completely clear it covers all forms of gambling," Goodlatte said. "This legislation makes it clear it covers all forms of gambling and all forms of technology."

Rep. Robert "Bobby" Scott, a Virginia Democrat, proposed an amendment--which failed--that would have targeted individual gamblers, not just businesses that run gambling operations. "If we would prosecute the individual gamblers, a few sting operations would get the word out that if you gamble over the Internet, you'll be at the mercy of law enforcement," Scott said.

Much of the debate on the proposal, which lasted about 90 minutes, came from a clearly vexed Rep. Robert Wexler, a Florida Democrat, who said Goodlatte's bill unfairly permitted betting on horse races online while excluding other related sports, such as dog racing. (Greyhound racing is popular in Florida.)

"If you pass this bill with this rule construction in it, you're saying horse tracks, go ahead and gamble away on the Internet and you've got an extraordinary advantage over your legal competitors," Wexler said with his voice raised.

Goodlatte replied that horse racing is treated differently because of a separate federal law called the Interstate Horseracing Act, on the books since 1978, which permits off-track betting on horses under certain conditions. One section of Goodlatte's bill says it "does not change which activities related to horse racing may or may not be allowed under federal law."