Congress takes small steps on privacy legislation

While the U.S. Congress focuses on fighting spam e-mail, legislation aimed at protecting consumer privacy online has taken a back seat. The chance of passage of one privacy bill, which would require companies to notify consumers when a database containing private information has been compromised, is in doubt after some in the technology industry opposed the legislation.

Senator Diane Feinstein, a California Democrat, introduced her Notification of Risk to Personal Data Act in late June, but has no cosponsors for the legislation and has drawn the opposition of the Information Technology Association of America (ITAA). Feinstein's bill, modeled after a California law that went into effect July 1, would require companies to notify customers when they have a reasonable basis to believe they've been hacked and had customers' unencrypted personal information compromised. Encrypted data is exempted from the reporting requirement.

"This bill has a tough but fair enforcement regime, and will give ordinary Americans more control and confidence about the safety of their personal information," Feinstein said in a statement June 26. "Americans will have the security of knowing that should a breach occur, they will be notified and be able to take protective action."

A second bill in Congress has been criticized as too weak by privacy advocates such as the Center for Democracy and Technology (CDT). So while CDT and other groups called for comprehensive privacy legislation during privacy workshops at the U.S. Federal Trade Commission in May and June, Internet users will more likely get a piecemeal approach to privacy protection in this year's Congress.

One such consumer privacy-related action the U.S. Senate took this week was killing funding for a U.S. Department of Defense data-mining project that drew criticism from privacy advocates. Funding for the Terrorism Information Awareness project, formerly called the Total Information Awareness project, at the Defense Advanced Research Projects Agency was killed in an amendment to a defense appropriations bill. Privacy rights advocates had questioned how much information the project would collect on innocent U.S. residents.

Both the Feinstein bill and the California law, known as Senate Bill 1386, that it is modeled after have confused companies about what's a "reasonable basis" to conclude they've been hacked, said Greg Garcia, vice president for information policy at ITAA. The Feinstein bill also leaves open questions about what company should make the notification if an Internet retailer has its databases hosted by a Web services firm, Garcia added.

"I don't think this bill's time has come," Garcia said. "This bill is probably raising awareness on [Capitol] Hill, but I don't think it's ripe yet."

Instead of notifying customers right away when a company is unsure about a security leak, notifying law enforcement might be a better option, he added.

"I think you cause undue concern among consumers if nothing happened," Garcia said. "What we need ... is stronger cooperation between law enforcement and private industry in terms of information sharing."

Others disagree, saying the California bill takes important steps toward protecting consumer privacy. Bill Schroeder, president and chief executive officer of security vendor Vormetric, said more legislation is needed to protect victims of identity theft. "There really isn't a lot of legislation protecting those people," he said.