In the wake of a series of data breaches in early 2005, the U.S. Congress seemed ready to move quickly on legislation that
would require companies to notify customers when their personal information had been compromised.
Now, more than a year after data breaches at ChoicePoint and LexisNexis set off a national debate about identification theft and data security, time is running out for Congress to pass a law before it finishes business
this year. Some proponents of a national breach notification law say it's unlikely that Congress will be able to pass a law
by then.
Lawmakers have introduced more than 10 bills dealing with data breach notification since early 2005. The bills differ in several
ways, including varying requirements about when a breached company should notify customers and whether consumers should be
able to freeze their credit reports following a breach.
Beyond the confusion about the differences in the bills, five congressional committees have claimed jurisdiction over some
of the data breach bills. "It's certainly a popular and pro-consumer issue to tackle," said David Sohn, a staff counsel at
the Center for Democracy and Technology, a privacy and civil rights advocacy group. "It's difficult to see how Congress will
reconcile all the bills."
In late 2005, a data breach notification law seemed virtually assured; even data brokers such as ChoicePoint advocated a federal
law that would preempt state notification laws that were popping up across the U.S. About 23 states have passed their own
notification laws, and backers of a federal law say interstate businesses will have difficulty complying with dozens of state
laws.
Two data breach notification bills have passed through Senate committees and are awaiting action on the Senate floor, and
two other bills are awaiting action on the House floor. A spokesman for Senator Dianne Feinstein, a California Democrat and
early advocate for a national data breach notification law, said he's still hopeful a law will get through Congress this year,
but others are less optimistic.
Both the House and the Senate have targeted Oct. 6 to adjourn for the year, giving lawmakers about a month to campaign for
the November general elections. Both legislative chambers will be out of session for most of August, and national issues such
as immigration reform and gas prices are likely to dominate lawmakers' attention. When the new Congress takes office in January,
all bills that didn't pass before the election will have to be reintroduced.
Asked Wednesday if a data breach bill would pass this year, James Assey Jr. , a senior Democratic counsel in the Senate Commerce,
Science and Transportation Committee, said he's unsure, even though data breach notification bills have enjoyed bipartisan
support.
"It's unclear what Congress will do," he said during an Association for Computing Machinery (ACM) conference. "Going into
the next Congress, I feel certain these issues will return."
Last month, a group of executives from IT security vendors came to Washington, D.C., to push for a data breach bill, with
some worried that Congress was letting the issue die. Organized by the Cyber Security Industry Alliance, the trip left some
participants with continuing concerns that Congress has put the issue on the back burner.
Participants told lawmakers and staff, "You might want to poll your constituents and see if this is important," said Philip
Dunkelberger, president and chief executive officer of PGP Corp. "We're saying, 'You need to get the legislation out there
where people can have an open, public debate'."
One of the big debates about the legislation is what should trigger customer notification. Some of the bills allow data-holding
companies to decide when to report by requiring notification only when there's a "significant" risk of ID theft. Other bills
require reporting for virtually all data breaches, but critics say consumers could get "notification fatigue."
But if companies are allowed to determine when there's a significant risk, there's likely to be little notification, said
Daniel Solove, a privacy advocate and law professor at George Washington University in Washington, D.C. "Every company has
an incentive not to say, 'You really are at a big risk'," Solove said at the ACM conference.
Many of the notification bills in Congress would be weaker than some of the state laws already passed, Solove added. State
laws in California and New York, for example, require notification any time there's been a breach of unencrypted data and
don't allow companies to decide whether there's a significant risk.
Solove would rather see those state laws stand than see a national breach notification bill pass, he said. Most of the congressional
bills are "not very stringent," he said. "The state innovations here are really good."
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
