Senate committee OKs bills on personal data breaches

Overlapping measures prescribe new rules for government agencies and private firms that experience break-ins. Will they become law?
Written by Anne Broache, Contributor
A pair of overlapping U.S. Senate proposals aimed at reining in personal data use by the government and private sector earned approval from a key committee Thursday.

The Senate Judiciary Committee unanimously approved an amended version of the Personal Data Privacy and Security Act, chiefly sponsored by committee chairmen Patrick Leahy (D-Vt.) and Arlen Specter (R-Penn.), who ultimately bundled the bill with the Notification of Risk to Personal Data Act proposed by Sen. Dianne Feinstein, a Democrat from California.

The measures represent just two of several competing bills that both chambers of Congress have been trying to pass in recent years. They reflect continuing public outcry over a series of high-profile breaches at universities, corporations and federal agencies: among the more recent episodes was a cyberintrusion that compromised more than 45 million customer records at TJX Companies. A number of states already have laws addressing such incidents on their books, but politicians have said a uniform nationwide standard is necessary.

"Passing this comprehensive privacy legislation is a legislative priority," Leahy said in a statement delivered before Thursday's vote.

In the past, some consumer groups and privacy advocates have voiced uneasiness about the federal efforts, arguing that they carve out too many exceptions to the notification requirements. But according to Leahy, the amended bill now enjoys support from Microsoft, the Center for Democracy and Technology, Consumers Union, Cyber Security Industry Alliance and Consumer Federation of America.

"These bills will make companies who fail to keep sensitive personal information safe tell individuals about that failure," said Gail Hillebrand, a senior attorney with the advocacy group Consumers Union. "Businesses who know that they have to tell consumers about information security failures may try harder to protect sensitive information in the first place."

Leahy and Specter's effort is the more sweeping bill. A similar version was approved last year by the Senate Judiciary Committee but died before a floor vote. The Feinstein bill, which focuses primarily on notification requirements for entities that experience breaches, was amended Thursday so it mirrors the content of the Leahy-Specter bill. A Feinstein aide said both bills were passed separately to improve their chances of getting through, in the event that one gets stalled.

The updated Feinstein measure, which is incorporated into the larger Leahy-Specter bill, requires any federal agency or business that collects sensitive personally identifiable information to notify individuals whose information was reasonably believed to have been accessed or acquired. They're supposed to do so "without unreasonable delay."

But a number of exemptions exist. For instance, a business generally escapes the requirement if it can certify that there is "no significant risk" of harm to the individuals whose information was accessed; in that case it would not be forced to notify the breach victims. Information that is encrypted or otherwise rendered indecipherable is presumed to pass that test.

Credit card companies and others that already employ "financial fraud" detection systems designed to block the use of personal information to carry out unauthorized transactions would also be exempt. But if more than just a person's credit card number--for example, a first and last name and a credit card number--was stolen, the business would have to follow the notification requirements.

Entities could be forced to delay notification if asked to do so in writing by law enforcement authorities for investigative or national security reasons. The bills would also require that larger-scale breaches, or those involving federal government databases, be reported to the Secret Service, which would then notify other authorities.

Although the bills would override state laws, they would give state attorneys general the right to bring civil cases for alleged violations of the federal law and seek up to $1,000 per day per person whose information was improperly accessed.

The Leahy-Specter bill goes beyond just notification requirements. It would impose fines, up to five years in prison, or both on those who "intentionally and willfully" conceal information related to a security breach that causes "economic damage to one or more persons." The proposal would also place new requirements on so-called data brokers and instruct businesses to put into place a "comprehensive personal data privacy and security program."

It's unclear whether either of the bills will head to the Senate floor for a vote anytime soon. A number of competing measures exist, including the Identity Theft Prevention Act, which cleared the Senate Commerce Committee last week. That bill prescribes notification requirements, prohibits collection of fees for credit freezes on identity theft victims, and instructs entities that handle sensitive personal information to have minimum security standards in place.
