Even as the federal government appears poised to create new consumer data protection laws in 2007, businesses and privacy advocates in the United States remain at odds over the parameters of such legislation and its potential impact.
Lawmakers on Capitol Hill are currently reviewing a handful of high-profile bills that seek to place stricter requirements on organizations that collect sensitive consumer information, and establish national guidelines for public disclosure of data breaches.
These bills include the Senate's Notification of Risk to Personal Data Act and Personal Data Privacy and Security Act, as well as the Data Accountability and Trust Act, Social Security Number Protection Act, and Prevention of Fraudulent Access to Phone Records Act -- all of which are under consideration in the House.
As with similar laws that failed to pass through Congress in 2006, the proposed legislation is meant to force organizations to better protect sensitive data and avoid incidents such as the computer systems intrusion recently experienced by discount retailer TJX Companies -- which resulted in the theft of 45.7 million customer records.
However, despite the perception that many businesses oppose stricter data-handling laws because of their exacting terms and harsh penalties, and the belief that most privacy advocates staunchly support the creation of federal legislation, in many cases those positions are actually reversed.
Many business leaders say that stronger national information security laws will in fact help them create unified data management policies that cover operations across the entire country, thereby making their lives easier.
And perhaps more surprisingly, privacy experts say that the passage of federal data handling legislation could actually end up damaging consumer protection, which they would prefer to see handled by individual states.
At present, companies must deal with a wide range of state laws that govern data management and incident reporting, making the process complex for the many businesses that operate from coast to coast.
To remain compliant with all the various state data-handling requirements, companies are forced to spend considerable time examining the minutiae of regional laws and tailoring their systems and processes to each, business leaders contend.
To ease the process, some companies have crafted their existing policies around California's Security Breach Information Act -- also known by its bill number, California 1386 -- which was passed in 2003 and remains one of the earliest, and most demanding, data-handling mandates.
By tuning his company's data management operations to California 1386, Pat Lefemine, chief information security officer at Philadelphia-based Lincoln Financial Group, claims he's been able to guide his company over the past several years without a major incident.
The CISO would prefer, however, to see a national bill passed to help ensure that his company -- a massive financial services provider with 10,000 employees and $230 billion in managed assets -- hasn't missed some detail and left itself vulnerable to penalties and public embarrassment.