Senate Panel Approved Data-Breach Bill

The U.S. Senate Judiciary Committee approved on Thursday a bill that would require companies with data breaches to notify affected customers and would set up rules for the U.S. government’s use of private databases.

The Personal Data Privacy and Security Act, sponsored by committee Chairman Arlen Specter, a Pennsylvania Republican, and Senator Patrick Leahy, a Vermont Democrat, would also require data brokers to allow U.S. residents to correct their personal data, and it would require businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.

Businesses that do not implement security plans could be fined up to US$35,000 a day if found in violation of the requirement.

The Judiciary bill would allow companies that suffer data breaches to avoid notifying consumers if they determine the breach poses “no significant risk” of identity theft or other data fraud. But, unlike some other data-breach bills in Congress, the Specter-Leahy bill would require companies that determine there is no risk from a data breach to report their findings to the U.S. Secret Service, which can then conduct its own investigation.

“This bill will ensure that our laws keep pace with technology,” Leahy said in a statement. “In this information-saturated age, the use of personal data has significant consequences for every American. People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly.”

The Judiciary legislation is one of about 15 bills currently before Congress that require data-breach notification, most of them introduced after a series of data breaches were reported earlier this year.

It is the second data-breach notification bill to be approved by a full committee, with the next step a vote on the Senate floor. In July, the Senate Commerce, Science and Transportation Committee approved the Identity Theft Protection Act, but the full Senate has not taken action on it.

Like most data-breach bills now before Congress, the Specter-Leahy bill would preempt the more than 20 state laws that now require data-breach notification. Some consumer and privacy advocates have expressed concern over weak data-breach laws preempting stronger state laws, but officials with the Center for Democracy and Technology (CDT), a privacy advocacy group, called the Specter-Leahy the most comprehensive data breach notification bill now before Congress.

Several business groups have called for preemption of state notification laws, saying companies will have a hard time complying with a “patchwork quilt” of state rules. CDT supports the preemption of state laws when the federal law doesn’t weaken consumer protection, said Ari Schwartz, CDT’s deputy director.

“We can’t say we like preemption no matter what,” he said during a press briefing Friday. “It’s got to be something that benefits consumers.”

The Judiciary bill is the only current legislation that includes rules for the government use of private databases to check on U.S. residents, said Nancy Libin, a staff counsel at CDT. The Privacy Act of 1974 set rules for the use of government-controlled databases, but some government agencies have gotten around restrictions by contracting with private data brokers, such as ChoicePoint Inc., which announced a data breach affecting about 145,000 U.S. residents in February.

The Judiciary bill would require federal agencies to audit the security practices of commercial data brokers they contract with, and would require agencies to conduct privacy impact assessments when using commercial databases.

The Judiciary bill includes a balance between overnotification of consumers and privacy advocate concerns about some legislation allowing breached companies avoid notifying consumers if they determine the breaches don’t pose a risk, CDT officials said. Some congressional bills don’t require companies to report their breach investigations to a federal agency for review.

Worries about bombarding consumers with too many breach notifications so far haven’t been justified as affected companies comply with state notification laws, Schwartz said. “We haven’t seen an overnotification of consumers to date,” Schwartz said.

Although the CDT praised the Specter-Leahy bill, officials there said it lacks provisions to restrict the use of Social Security numbers, covered in some other congressional bills, and it doesn’t include a provision to allow consumers to freeze their credit reports when they suspect they’ve been victims of ID theft. The credit freeze provision is included in some state breach notification laws.

“We don’t think any of [the bills] out there are perfect,” Schwartz said.

By Grant Gross, IDG News Service