In the wake of a series of data breaches in early 2005, the U.S. Congress seemed ready to move quickly on legislation that would require companies to notify customers when their personal information had been compromised.
Now, more than a year after data breaches at ChoicePoint and LexisNexis set off a national debate about identification theft and data security, time is running out for Congress to pass a law before it finishes business this year. Some proponents of a national breach notification law say it's unlikely that Congress will be able to pass a law by then.
Lawmakers have introduced more than 10 bills dealing with data breach notification since early 2005. The bills differ in several ways, including varying requirements about when a breached company should notify customers and whether consumers should be able to freeze their credit reports following a breach.
Beyond the confusion about the differences in the bills, five congressional committees have claimed jurisdiction over some of the data breach bills. "It's certainly a popular and pro-consumer issue to tackle," said David Sohn, a staff counsel at the Center for Democracy and Technology, a privacy and civil rights advocacy group. "It's difficult to see how Congress will reconcile all the bills."
In late 2005, a data breach notification law seemed virtually assured; even data brokers such as ChoicePoint advocated a federal law that would preempt state notification laws that were popping up across the U.S. About 23 states have passed their own notification laws, and backers of a federal law say interstate businesses will have difficulty complying with dozens of state laws.
Two data breach notification bills have passed through Senate committees and are awaiting action on the Senate floor, and two other bills are awaiting action on the House floor. A spokesman for Senator Dianne Feinstein, a California Democrat and early advocate for a national data breach notification law, said he's still hopeful a law will get through Congress this year, but others are less optimistic.
Both the House and the Senate have targeted Oct. 6 to adjourn for the year, giving lawmakers about a month to campaign for the November general elections. Both legislative chambers will be out of session for most of August, and national issues such as immigration reform and gas prices are likely to dominate lawmakers' attention. When the new Congress takes office in January, all bills that didn't pass before the election will have to be reintroduced.
Asked Wednesday if a data breach bill would pass this year, James Assey Jr. , a senior Democratic counsel in the Senate Commerce, Science and Transportation Committee, said he's unsure, even though data breach notification bills have enjoyed bipartisan support.
"It's unclear what Congress will do," he said during an Association for Computing Machinery (ACM) conference. "Going into the next Congress, I feel certain these issues will return."
Last month, a group of executives from IT security vendors came to Washington, D.C., to push for a data breach bill, with some worried that Congress was letting the issue die. Organized by the Cyber Security Industry Alliance, the trip left some participants with continuing concerns that Congress has put the issue on the back burner.
Participants told lawmakers and staff, "You might want to poll your constituents and see if this is important," said Philip Dunkelberger, president and chief executive officer of PGP Corp. "We're saying, 'You need to get the legislation out there where people can have an open, public debate'."
One of the big debates about the legislation is what should trigger customer notification. Some of the bills allow data-holding companies to decide when to report by requiring notification only when there's a "significant" risk of ID theft. Other bills require reporting for virtually all data breaches, but critics say consumers could get "notification fatigue."
But if companies are allowed to determine when there's a significant risk, there's likely to be little notification, said Daniel Solove, a privacy advocate and law professor at George Washington University in Washington, D.C. "Every company has an incentive not to say, 'You really are at a big risk'," Solove said at the ACM conference.
Many of the notification bills in Congress would be weaker than some of the state laws already passed, Solove added. State laws in California and New York, for example, require notification any time there's been a breach of unencrypted data and don't allow companies to decide whether there's a significant risk.
Solove would rather see those state laws stand than see a national breach notification bill pass, he said. Most of the congressional bills are "not very stringent," he said. "The state innovations here are really good."