Members of the U.S. Congress introduced a flurry of new technology-related bills this week, including two bills that would require companies with data breaches to notify affected customers.
Senators Patrick Leahy, a Vermont Democrat, and Bernie Sanders, a Vermont independent, introduced the Personal Data Privacy and Security Act. In addition to requiring data breach notification, the bill would also require data brokers to disclose what information they hold on individuals. The bill would allow individuals to correct information held by data brokers, and it would require companies that have databases with personal information on more than 10,000 U.S. residents to implement data privacy and security programs.
Representatives Bobby Rush, an Illinois Democrat, and Cliff Stearns, a Florida Republican, introduced the Data Accountability and Trust Act this week. Their bill, with 24 co-sponsors, authorizes the U.S. Federal Trade Commission (FTC) to draw up data privacy requirements for businesses, including requirements that they have vulnerability assessments and policies for disposing of obsolete data.
After a company reports a data breach, the FTC would conduct an audit of its security practices, and, like the Leahy-Sanders bill, the bill would require data brokers to disclose the information they hold on individuals and allow individuals to correct wrong information.
Organizations have lost 100 million personal records belonging to U.S. residents in data breaches since 2005, Leahy said in a speech on the Senate floor. In his speech, Leahy, chairman of the Senate Judiciary Committee, singled out the data breaches at the U.S. Department of Veterans Affairs last May and at retailer The TJX Companies, announced in January.
"These data security breaches are compelling examples of why we need strong federal data privacy and security laws to protect Americans’ personal data and to address the ills of lax data security," he said. "In the information age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the databases they use and maintain."
Members of Congress introduced about a dozen bills requiring data breach notification after a series of breaches in early 2005, but legislation stalled largely over committee jurisdictional wrangling. About 30 states have passed breach notification laws, most of them since 2005.
The Cyber Security Industry Alliance, a trade group of IT security vendors, in January called on Congress to pass a comprehensive data protection bill, including breach notification. But some groups, including conservative think tank the Progress and Freedom Foundation, have questioned the need for a breach notification law, saying the cost to businesses may far outweigh the benefits to consumers.
Other tech-related bills introduced this week:
-- Two bills allowing the FTC to investigate the practice of pretexting, in which an investigator assumes a false identity to gain access to a person's telephone records. President George Bush signed a bill creating penalties for pretexting in January, but the two new bills would give the FTC the authority to investigate and prosecute pretexters.
Many lawmakers became interested in the issue after Hewlett-Packard disclosed in September that investigators it had hired used pretexting in an attempt to gain access to board members' and reporters' phone records.
-- A bill targeting spyware by establishing criminal penalties for a number of actions. The bill would prohibit keystroke logging, taking control of a computer without the user's consent, diverting Web browsers, using computers to create botnets and modifying a computer user's browser and security settings without permission.
Two spyware bills passed the House of Representatives by overwhelming majorities in March 2005, but the Senate didn't act on them.