Three potential laws on data privacy
By some counts, more than two dozen bills have been introduced in the House and Senate to protect sensitive personal data held in commercial databases. Recent high-profile cases of data theft or loss have made it increasingly likely that some legislation will be passed.
Here is an overview of bills introduced, or soon to be introduced, by three members of the Senate Judiciary Committee. There is some overlap in their requirements, but each takes a different approach toward protecting personal data against exposure to ID theft.
The Notification of Risk to Personal Data Act (S.751), introduced by Sen. Dianne Feinstein (D-Calif.), is modeled on a 2003 California law that requires companies holding personal information to notify individuals if that information has been compromised. It would:
+ Require agencies or companies engaged in interstate commerce to notify individuals if identifying information, including Social Security, driver's license and account numbers, is stolen or improperly exposed.
+ Provide an exception in the case of criminal investigations or national security issues.
+ Impose civil penalties of up to $50,000 a day.
+ Be enforced by the Federal Trade Commission.
+ Pre-empt state laws.
The Comprehensive Identity Theft Prevention Act (S.768), introduced by Sen. Charles E. Schumer (D-N.Y.), takes a broader approach. It would pre-empt state law and require notification of disclosures of unencrypted information, but also would regulate the data broker industry much like credit bureaus. It would:
+ Authorize $60 million over five years for an Office of Identity Theft within the FTC. The office would issue certificates to identity theft victims and assist consumers in restoring credit histories.
+ Require data brokers to register with the Office of Identity Theft and take reasonable steps to secure sensitive personal information.
+ Require data brokers to authenticate clients and require background checks on individuals with access to sensitive data, and to track that access.
+ Provide reports to consumers of access to their data.
+ Prohibit unnecessary use, display or sale of Social Security numbers.
+ Create an assistant secretary for cybersecurity in the Homeland Security Department.
The Data Mining Reporting Act was first introduced by Sen. Russ Feingold (D-Wis.) in 2003 and died in the Judiciary Committee. Feinstein said he would reintroduce the act to give Congress a tool for reviewing the costs and benefits of government data-mining programs. As originally introduced, it would:
+ Require any agency using or developing data-mining technologies to report on those activities to Congress.
+ Require reports to include assessments of the accuracy, the impact on privacy and civil liberties and the laws governing the information collected by the program.
+ Require agencies to discuss steps to protect the privacy of individuals and ensure that only accurate information is included, and to inform individuals whose personal information is being used.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.