House eyes stronger data protection
Meanwhile, Nevada enacts first-of-its-kind encryption requirements for personal information
- By William Jackson
- Sep 29, 2008
A Sense of the Congress resolution introduced in the House last week sets a goal of passing meaningful legislation to protect sensitive data held by both government and the private sector by the end of the current Congress.
House Concurrent Resolution 425, introduced by Republican Rep. Michael Burgess and Democrat Rep. Chuck Gonzalez of Texas, cites a litany of losses, exposures and shortfalls in protecting personal information, and notes that 36 states already have taken the lead in passing their own data security legislation.
The resolution was introduced just one week before a Nevada law takes effect on Oct. 1, making it the first state to require that businesses encrypt all personal customer information sent electronically outside of their own systems.
Nevada law NRS 597.970 is tucked into miscellaneous trade regulations and practices of Title 52 of the state code. It says that, 'A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.' As used in the law, encryption means 'the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant,' to obscure data.
Although many states have passed data protection laws, usually requiring disclosure of breaches and often offering a safe harbor for data that has been protected by encryption, Nevada's is believed to be the first law flatly requiring encryption of transmitted data.
The House resolution also encourages provisions for encryption.
A number of data security bills have been stalled in Congress for several years. The resolution does not refer to any legislation and does not propose specific provisions of a data security bill. It says that 'it is the sense of Congress' that it should pass 'meaningful legislation to protect commercial and government data, which includes a robust definition of encryption tied to National Institute of Standards and Technology and requires leadership at the top levels of an organization to take an active role in ensuring that their systems are secure.'
The legislation also would 'encourage leaders of government agencies and private enterprises to take responsibility for the data collected and stored within their institutions by making data security a top priority within the institution.'
The resolution was referred to the House Oversight and Government Reform Committee. Because it is a concurrent resolution, if it is passed by the House it then would be referred to the Senate. It would not have the force of law, and time for any action on the recommendations is rapidly running out, as the 111th Congress will be sworn into office in January. Between now and then, the 110th Congress is dealing with a financial crisis of historic proportions, a budget for fiscal 2009 and the distractions of a national election.
The resolution cites the fact that more than 8 million people were reported to be victims of identity fraud in 2007, as well as the loss or exposure of millions of personal records by several agencies in 2006 and the loss of thousands of laptop computers since 2001. It notes that fiscal 2009 budget requests total $7.2 billion across government, an increase of $600 million over the current year, but that budget is not likely to be enacted before the next Congress takes office.
William Jackson is a Maryland-based freelance writer.