October 5, 2005 9:54 AM PDT

Another data security bill in the works

WASHINGTON--Yet another new piece of federal legislation aimed at cracking down on breaches of sensitive personal information could appear by week's end.

Rep. Mike Castle, a Delaware Republican, said at a Visa cardholder security conference here that he plans to introduce "in the next couple of days" a revised version of the bill that he has been working on since February with the U.S. House of Representatives financial-services subcommittee.

Castle said he expected to hold a hearing on the bill by the end of the month. "After that, it's anybody's guess," he said.

The measure would join a medley of proposals pending in the U.S. Senate, including one introduced by two Senate Committee on the Judiciary leaders that could go to a vote as soon as Thursday. A series of high-profile breaches this year has prompted the sharp congressional interest.

Castle said his legislation would require that all businesses handling sensitive information such as Social Security, driver's license or credit card numbers in combination with personal data such as names and addresses "secure" that data. This requirement echoes those that many state governments have enacted.

The measure would also require "prompt investigation of breaches," in which sensitive data may have been compromised, and companies would have to "notify business partners, law enforcement and functional regulators right away," Castle said. Businesses that experience breaches would also be required to offer free credit-monitoring services at their expense.

"This data is valuable to you and to consumers," the Delaware congressman told the audience, which included representatives from the banking, retail, government, law enforcement and high-tech industries. "Treat it with care, and safeguard it from abuse or misuse."

Visa CEO John Philip Coghlan, speaking after Castle, backed the idea of federal legislation that would establish national rules and eradicate the "patchwork quilt" of state laws governing data protection standards and breach notification to consumers.

Coghlan, whose company found some of its cardholders affected by a wide-ranging breach in June, said existing rules should be broadened to cover not just financial companies but all entities that use sensitive personal information. He threw his support behind the heightening of criminal penalties for identity theft, proposed in a sweeping bill advanced by Sen. Arlen Specter and Sen. Patrick Leahy.

"Our rules are not enough, our procedures are not enough, and our protections are not enough," he said. "All of the technology in the world just isn't going to be good enough."

2 comments

New Bills Are Great But Level 4 Needs Updating And Needs To Be Mandatory

Ok, times are tough for ID theft protection, and the U.S. industry in it is far behind, say, the U.K. in implementing solutions. However, it is shameful that the U.K., Germany, and even both Chinas and Japan have enforced standards on their banks for e-commerce that the U.S. merely says are, well, uh, suggested.

The U.S. National Institute of Science and Technology under the Department of Commerce came out with level 4 authentication saying multi-factor authentication with a token, meaning wireless device, or other offline device, left undefined is the highest level of encryption.

The NIST did this even knowing the Defcon conference in Las Vegas prominently reported that a group of hackers from California disproved that tokens or wireless devices were in any way effective.

Here the White House is preparing itself for another Hurricane Katrina level debacle since it first sets weak standards that are unclear and then it curries to the banks to make those weak standards voluntary.

The consumers in the U.K. boycotted banks, forcing two-factor authentication with offline devices there, and the consumers here, often referred to as the sleeping lion, will awaken, and this will force, after much name calling and blaming, the same knee-jerk consumer protection as what was done in the American Gulf after two hurricanes.

This is the time for the U.S. to take the lead and say, hey, by the way, U.S. companies own the patent on single-use credit card number ID best used in ID theft protection networks, and say we ordain or simply deem what everyone else is already doing as the new American standard.

That way other countries can exhale and say, hey, they, meaning the U.S., jumped on board the world train and led it to victory.

It does not matter what the U.S. does ultimately, since world e-commerce is already going to do two-factor with offline device protection globally, but it would help our patriotic self-esteem if we did not have to be dragged screaming and hollering to the dentist as it is time to fill another cavity caused by our sweet tooth.