September 02, 2005

Congress looks to pass data breach law

Tough New York law will take effect in December

WASHINGTON - The U.S. Congress will look to pass consumer data protection legislation as it returns next week from its mid-year recess, but if Congress fails to act, a tough new state law will force interstate companies to disclose virtually all data breaches, no matter how small the risk.

A New York data breach law, signed by Governor George Pataki on Aug. 10, would take effect in mid-December. New York, the 19th state to pass a data breach notification law, would allow no exceptions for companies that have their own disclosure policies.

The New York law requires companies to disclose any unauthorized breach of databases that contain New York residents' personal information, such as Social Security, driver's license and credit card numbers, with a limited exception for some encrypted data. The New York law makes no exception for small data breaches or breaches unlikely to result in identity theft, despite concerns raised by groups such as the Information Technology Association of America (ITAA) that customers could be bombarded with too much notification in cases where there is little chance of harm.

Congress and about 35 state legislatures have considered data breach notification laws this year, as more than 60 companies, complying with a 2003 California law, announced breaches affecting millions of U.S. residents. Although the California law requires that companies notify only California residents, it has become the de facto national standard, with companies sending out notices to all customers.

The New York law would replace the California breach notification law, which includes some notification exceptions, as the national standard if Congress doesn't pass its own bill preempting state legislation, said Dan Burton, vice president of government affairs for Entrust Inc., a security software vendor. "If you're breached, you've got to notify," Burton said of the New York law.

Even data brokers have called for a national breach notification law to preempt what the ITAA and others call a "patchwork" of state laws, and a data breach bill is likely to be one of the top technology-related bills in Congress during the rest of 2005. While some industry groups have advocated a preemptive breach notification bill with few other regulations, consumer and privacy groups have called for sweeping ID theft protections.

With the 19 state laws already passed and Congress focusing on the issue, even enterprise customers normally opposed to regulations recognize that a national law is likely, said Kevin Brown, vice president of marketing for Decru Inc., a storage security vendor. "In today's legislative environment, I don't think you're going to get a bill that just cancels the state laws," Brown said. "They'd love to have less regulation in general, but in this case, I think everybody's fairly realistic. What enterprises are looking for is guidance."

Privacy advocates such as the Electronic Privacy Information Center and the Center for Democracy and Technology have called for Congress to regulate data brokers that sell personal data without the owners' knowledge. The owners of that data have a right to know how data brokers are profiting from their information, those groups have argued.

©1994-2009 Infoworld, Inc.