Recent large-scale data security snafus and thefts haven't gone unnoticed by lawmakers. Passage of data privacy legislation by two House committees in March increases the likelihood that Congress will approve a bill this year imposing new requirements on data brokers such as ChoicePoint Inc.,
Both the Financial Data Protection Act of 2005 (H.R. 3997) and the Data Accountability and Trust Act (H.R. 4127) passed through committee by whopping, bipartisan margins of 48-17 and 41-0, respectively.
House bill 4127, which derives from the House Energy & Commerce Committee version and was passed in March, requires notification only if the theft or loss of consumer data is judged to pose a "reasonable risk of identity theft to the individual to whom the personal information relates." The committee approved the "reasonable risk" standard after toughening language in a subcommittee bill that had a higher threshold of "significant risk."
Data brokers prefer the "significant risk" tripwire. Deborah Platt Majoras, chairman of the Federal Trade Commission, told the Senate Judiciary Committee in 2005, "We are grappling with the issue of over-notification. We have learned that consumers become numb to too many notifications."
House bill 3997, approved by the House Committee on Financial Services, requires data brokers to notify law enforcement agencies and businesses in the transaction chain if a data security breach "may result in harm or inconvenience to any consumer." If the potential breach may result in financial fraud against consumers causing harm or inconvenience, then the consumers must be notified through a uniform mailing.
The bills have significant differences, but both address problems highlighted early in 2005 when California's Security Breach Information Act (SB-1386) forced ChoicePoint and LexisNexis to disclose that identity thieves had pilfered data on more than 450,000 customers combined.
Already in play are two additional bills passed last year by Senate committees that are intended to shore up corporate data security: the Personal Data Privacy and Security Act (S. 1789), and the Identity Theft Protection Act (S. 1408).
All four congressional bills contain a notification requirement based on a risk analysis. The California bill -- and many of the 20-plus state bills which have followed in its wake -- define a security breach requiring the company holding the data to alert the state, businesses and consumers, as "unauthorized acquisition of or access to computerized or other data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."
There are no finite risk thresholds in the bills, meaning it's uncertain how much data would have to be leaked or stolen before an organization would be obligated to issue notifications. But David Sohn, staff counsel to the Washington D.C.-based Center for Democracy & Technology, noted that the existing California law has an exemption for theft of encrypted data. No notification is required in that instance.
All four bills also require data brokers to adopt security standards that would be, in some cases, be dictated by federal agencies. The Energy & Commerce bill requires data brokers to establish "reasonable procedures" to verify the accuracy of information that they collect and maintain.
In addition to the common elements on notification and security standards in all four bills, each contain a variety of other provisions, including:
David Kurt, a LexisNexis spokesman, declined to comment on the notification provisions in the various congressional bills. Spokesmen at ChoicePoint Inc. and Acxiom Corp. did not respond to inquiries.
Scot Montrey, communications director for the Cyber Security Industry Alliance (CSIA) in Arlington, Va., said his group has not endorsed either of those two House bills, nor the Senate bills.
"All the bills generally are headed in close enough to the right direction," Montrey said. "We want a bill passed into law much more than we want to insist on one particular piece of legislation."
In fact, few proposed bills have as much bipartisan congressional support and as little significant interest group opposition as the data privacy bills, suggesting that a single, compromise version would be likely to land on President Bush's desk this year.
"Our biggest opposition is the shrinking legislative calendar," noted Montrey, referring to the extra time spent campaigning in home states by senators and representatives during an election year, and the early anticipated close of the session in October.
Stephen Barlas is a freelance writer based in Washington D.C.