The recent theft of the names, birth dates and Social Security numbers of 26.5 million veterans has given new urgency to congressional passage of data security legislation. One such bill would give the Justice Department an array of new criminal tools with which to prosecute hackers and botnet creators.
On May 25, the House Judiciary Committee passed the Cyber-Security Enhancement and Consumer Protection Act of 2006 (H.R. 5318), a day after the House Financial Services and Energy and Commerce Committees voted to substitute their own bills (H.R. 3997 and H.R. 4127) for the other's when the Financial Services bill came up for a vote in Energy and Commerce, and visa versa. Both committees had passed their own bills previously.
In all three pieces of legislation, consumer notification of identity theft is the big political issue. Both the Financial Services and Commerce bills require some consumer notification, the former more narrowly than the latter. The Financial Services bill mandates notification in the event of "financial fraud against consumers causing harm or inconvenience;" the Commerce bill requires consumer notification when a breach results in "a reasonable risk of identity theft, fraud or other unlawful conduct."
The flurry of activity was in part stimulated by the previous week's announcement by the U.S. Department of Veterans Affairs that a laptop taken home by an analyst was stolen in what appeared to be a routine burglary. The thieves apparently had no idea that they had in their possession millions of stolen identities.
The bill passed by the Judiciary Committee is more "law enforcement" focused than either of the other two House bills, which specify when businesses have to alert consumers to identity theft.
The Judiciary bill would delay consumer notification until after a company or the federal government notifies the Federal Bureau of Investigations (FBI) or Secret Service that more than 10,000 names have been stolen, either by a hacker or in a theft such as the one involving the VA data. Failure to notify could result in a maximum $1 million fine and five years in prison.
The FBI or Secret Service could delay notifying consumers affected by a breach for 30 days if notification would jeopardize the investigation, but the the attorneys general in affected states would have to be notified immediately.
It is also the only bill currently under consideration that would cover stolen federal data; the other two restrict their provisions to data accumulated by either financial institutions or companies involved in interstate commerce.
Joseph LaRocca, vice president of loss prevention for the Washington-based National Retail Federation, said the Veterans Affairs data theft illustrates why the Judiciary Committee's bill, sponsored by Chairman Rep. James Sensenbrenner (R-Wisc.), takes the preferred approach.
"By putting the story out there before the police and other law enforcement officials had time to investigate," LaRocca said, "the burglars have been alerted to the fact that what they have is not a $3,000 laptop but a $300,000 gold mine."
The other controversial provision in the bill would acknowledge that state laws on consumer notification would remain in force; they would not be pre-empted. Business groups support preemption because it is difficult for them to keep track of 28 state laws passed in the wake of California's SB 1386, which became effective July 1, 2003.
It is because of the California law that ChoicePoint Inc. and then LexisNexis Group had to make consumer notifications of large data thefts in 2005, actions that first stimulated congressional interest in this issue. Similar legislation is pending in 11 other states.
"Given the panoply of breach notification laws and information security requirements, I believe a federal law that would preempt similar state laws is critical," said Lisa Sotto, a partner at the Washington law firm of Hunton & Williams LLP and vice chairperson of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee.
But consumer groups oppose a federal preemption, and the Judiciary Committee added language to that effect when it voted the bill out of committee on May 25.
All three bills have considerable bipartisan support. Energy and Commerce Committee spokesman Terry Lane cited his bill's 42-0 vote as a factor which will ostensibly convince Rep. Dennis Hastert (R-Ill.), the House speaker, to schedule the three bills for floor action not long after Congress returns from the Memorial Day recess on June 6.
Stephen Barlas is a freelance writer based in Washington D.C.