Senator revives data leak proposals

Democrat Dianne Feinstein reintroduced measures regarding data security breaches, but some worry her bills make too many exceptions.

Anne Broache, Staff Writer, CNET News.com, covers Capitol Hill goings-on and technology policy from Washington, D.C.
A pile of legislative proposals aimed at stiffening regulations on stewards of personal data died in Congress last year, but Sen. Dianne Feinstein has announced plans to try again.

Feinstein (D-Calif.) reintroduced on Wednesday a pair of bills that would attempt to set national requirements for consumer notification in the event of data security breaches, and to restrict the sale, purchase and display of Social Security numbers.


The need for new legislation remains acute because of a rash of recent breaches involving personal data belonging to Boeing employees, University of California at Los Angeles students and staff, and others--and the fears of identity theft that accompany such incidents, Feinstein said in a statement.

One of her legislative efforts, the Notification of Risk to Personal Data Act, is billed as a reincarnation of an earlier proposal that was approved as part of a broader data breach package in November 2005 but received no further attention.

Under the 20-page proposal, any federal agency or business that "uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information" would be required to notify any U.S. resident whose data may have been compromised by a security breach "without unreasonable delay." The bill prescribes methods of notification and dictates what information those notices must contain.

But the measure includes a number of exceptions to those requirements that could prove controversial. For instance, law enforcement officials could unilaterally decide to delay notification--and would be immune from court challenges--if they believed divulging such information would harm a criminal investigation or national security.

Businesses could also be permitted to escape notification requirements entirely in two instances. First, they could determine through a "risk assessment," the findings of which they would be required to share with the U.S. Secret Service, that there is no "significant risk" that the breach will cause harm to individuals.

Second, they could avoid the federal notification rules if they employ a system that is "designed to block the use of sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual." They would only be required to notify individuals of breaches that led to unauthorized charges or financial fraud--as opposed to whenever there was a "significant risk" of such activity. The bill doesn't stipulate any timetable for providing such notice.

That effectively means that "any time there is a breach of any financial account number, or a credit or debit card number, the exemption could apply even if the breach included the PIN, password or security code," said Gail Hillebrand, a senior attorney for Consumers Union, an advocacy group. "This is a loophole not only for credit cards, but for bank accounts, retirement accounts and mutual fund or brokerage accounts."

The current draft "contains too many exceptions and too few rights for Americans whose personal information has been improperly released," said Marc Rotenberg, director of the Electronic Privacy Information Center.

Given those flaws, it's especially troubling that the bill proposes preempting the few dozen existing state laws on the subject, said Beth Givens, director of the advocacy group Privacy Rights Clearinghouse. By her estimation, Feinstein's proposal marks "a step backward from the security breach notice laws in many states."

But the bill isn't all bad, said Hillebrand of Consumers Union, in part because it would still allow state attorneys general to enforce the law's obligations.

Restricting use of Social Security numbers
Feinstein's second bill, called the Social Security Misuse Prevention Act, follows pledges last spring by Democrats and Republicans alike to enact similar legislation aimed at reining in use of the ubiquitous identifiers by the end of the year.

"If a person's Social Security number is compromised, the path to identity theft is a short one," she said in a statement.

Co-sponsored by Sens. John Sununu (R-N.H.) and Judd Gregg (R-N.H.), the 36-page effort would prohibit the sale, purchase or "display"--defined as any intentional communications to the general public, including via the Internet--of the identifiers without "affirmatively expressed consent of the individual," either electronically or in writing.

Anyone who obtains Social Security numbers to locate individuals and do them harm could face criminal and civil penalties. The bill also seeks to limit the appearance of Social Security numbers on federal documents and in consumer transactions.

As with the data breach notification effort, a large number of exceptions would apply, including for public health, law enforcement, national security and any other federally mandated purposes, or for use by businesses in doing credit checks or fraud prevention.

The complex set-up could also encounter resistance from consumer protection advocates.

"This is a critical issue that is overdue for congressional action," Rotenberg said, adding that the best approach would involve a "simple but clear measure...that would require a legal basis before a government agency or a private sector organization could collect and make use of the SSN."